Enterprise-aligned. Professionally deployed; governed by written policies and procedures; periodic, framework-based security risk assessments that expressly address a self-managed GAI deployment (see CIS, Appendix 6).

Business-aligned. Managed by individuals reasonably skilled in GAI deployment, system administration, and security configuration; uses business-class hardware, operating systems, and applications; employs prudent safeguards (e.g., strong authentication, encryption, regular updates); may lack a formal written security program or independent assessments.

Consumer-aligned. Operated by individuals with limited security and administration experience; relies on default settings; lacks rigorous access controls or encryption; often uses personal-grade hardware/software not intended for client information.

These examples illustrate a method to evaluate and document how client information is processed and how client communications are managed in a self-managed environment. In summary, while self-managed GAI tools avoid the risk of allowing a third-party to process and store client data, they also carry the heaviest operational burden. Firms that choose this path must be prepared to treat the GAI tool as part of their critical infrastructure, subject to the same rigor as their other on-premise servers and related network equipment. With the right planning, governance, and support, self-managed GAI tools can be a safe and effective option for processing highly sensitive client information, but they are not risk free.

Managing Client Rights

By this point, you should have a basic understanding of how GAI tools work, and you should be capable of choosing appropriate GAI tools for all types of data we've discussed, including Confidential Information and Sensitive Personal Information.
The next important idea is how best to communicate with clients when using GAI tools to process their matters, Confidential Information, and Sensitive Personal Information.

Taken as a whole, the approach presented in this Guide is a notice and opt-out paradigm, with enhanced protection for highly sensitive information. There are analogous examples within Illinois public policy. In the context of health information exchange systems, for example, the Illinois Health Information Exchange Authority determined that a notice and opt-out system would afford patients a greater degree of choice without the relatively burdensome documentation requirements of a more formal patient-by-patient consent system.39 While not directly applicable to the use of GAI tools and the practice of law, the relationships described in this report (between technology, healthcare providers, and patients) parallel the relationships between artificial intelligence, lawyers, and their clients.

Client communication, including client notice, client opt-out rights, and informed client consent, should be understood as an additional safeguard that a lawyer might employ when using GAI tools, and not as a method of shifting risk from the lawyer to the client. In other words, lawyers must be reasonable when selecting and

39 Ill. Health Info. Exch. Auth., Data Sec. & Privacy Comm., Report of Preliminary Findings and Recommendations (Sept. 19, 2012).