EVE AI Core
Attorney-client privilege protection, contract review policy enforcement, and legal AI compliance at the decision layer. CoreGuard governs every AI-generated legal output before it reaches clients, opposing counsel, or your contract management system.
AI adoption in legal workflows is accelerating faster than governance frameworks. Law firms and legal departments face a set of risks that are distinct from other regulated industries — and that most AI governance tools are not built to address.
Attorney-client privilege and work product doctrine protect legal advice and litigation strategy. When privileged materials are passed to AI models — particularly third-party LLM APIs — privilege can be waived or materials can be inadvertently exposed. Law firm AI governance must address both the transmission risk (who has access to the model context) and the output risk (does the AI reproduce privileged content in ways that reach unintended parties).
AI systems that provide legal advice to clients without adequate supervision by a licensed attorney may constitute unauthorized practice of law. Client-facing legal AI must stay within defined scope of practice boundaries — providing information rather than advice, flagging matters that require attorney review, and not forming attorney-client relationships through automated responses. These boundaries are not reliably maintained by model instructions alone.
Legal departments maintain contract playbooks that define acceptable and unacceptable terms for each contract type. AI contract review tools frequently miss playbook violations, accept terms outside negotiated ranges, or apply the wrong playbook to a contract type. The result is contracts that bind the organization to terms that were supposed to be rejected, terms that manual review would have caught, now accepted at scale.
AI models regularly hallucinate case citations, regulatory references, and statutory text. In legal contexts, fabricated citations in briefs or client advice have resulted in sanctions, malpractice exposure, and professional discipline. CoreGuard's hallucination detection layer specifically targets legal citation fabrication and flags outputs that cite legal authority that cannot be verified against a known citation database.
AI contract review and drafting tools can encode bias from training data into contract term recommendations — accepting unfavorable terms in certain counterparty categories or recommending protective provisions inconsistently. For employment agreements and consumer contracts, disparate AI recommendations can create discrimination exposure under employment law and consumer protection statutes.
When AI is used in document review or legal hold processes, opposing counsel and courts expect the review process to be defensible. AI-assisted review must be documented, the AI's decisions must be auditable, and quality controls must be demonstrable. Without a decision-level audit trail, technology-assisted review is hard to defend in contested discovery disputes.
Privilege protection in AI legal workflows requires more than contractual assurances from LLM providers. It requires enforcement at the request level — before privileged materials are exposed to unauthorized systems — and at the output level — before privileged content is reproduced in outputs that reach unintended parties.
CoreGuard enforces role-based access at the AI request layer. Legal AI requests that include privileged matter materials are checked against the requesting user's matter access authorization. Requests from systems or users without privilege access to the relevant matter are blocked before the privileged material is transmitted to the model.
AI models can reproduce privileged content from their context window in unexpected outputs. CoreGuard scans AI-generated legal content for patterns that indicate reproduction of privileged material — specific matter identifiers, confidential strategy language, and client-specific legal advice — and blocks outputs that would constitute a waiver before they are delivered.
For legal workflows using cloud-hosted LLM APIs, CoreGuard enforces data classification rules that prevent privileged material from being transmitted to LLM providers that are not covered by appropriate privilege protection agreements. Requests are evaluated before the LLM call; privileged content is blocked from transmission to unauthorized providers.
Attorney work product doctrine protects legal strategy, mental impressions, and litigation preparation materials. CoreGuard's legal policy pack identifies work product materials by classification markers and context signals, and enforces access controls and output constraints that protect work product from inadvertent disclosure in AI-generated summaries, search results, and communications.
CoreGuard converts your legal department's contract playbook into deterministic enforcement rules that run on every AI contract review, at any volume, consistently.
CoreGuard maintains a prohibited terms registry specific to your organization's playbook. Contract review AI outputs that include prohibited terms — unlimited liability provisions, unilateral amendment clauses, mandatory arbitration in disfavored forums, IP assignment overreach — are flagged and the reviewer is alerted before the output is acted upon. The certificate documents which rule triggered, the relevant contract language, and the playbook provision it violates.
Legal departments and law firms operating in regulated jurisdictions have requirements around governing law, venue, and dispute resolution. CoreGuard enforces jurisdiction policy rules on contract review AI outputs — rejecting governing law clauses for jurisdictions that are not approved for specific contract types, flagging international arbitration requirements for domestic-only contracts, and ensuring required local law clauses are present in contracts for specific jurisdictions.
For employment agreements, consumer contracts, and supplier agreements where counterparty demographics may influence AI recommendations, CoreGuard monitors for disparate recommendation patterns across counterparty categories. When the AI recommends different terms for similarly situated counterparties in ways that correlate with protected characteristics, the disparity is flagged and logged. This protects against both inadvertent discrimination exposure and adversarial manipulation of AI contract review tools.
AI contract review tools can miss absent required clauses as readily as they accept prohibited terms. CoreGuard's required clauses registry checks contract review outputs for the presence of provisions that must appear — data processing agreements for contracts involving personal data, insurance requirements for service agreements, confidentiality terms for disclosure arrangements, and regulatory compliance certifications. Missing required clauses trigger a certificate violation before the review is considered complete.
CoreGuard's legal citation detection layer identifies citations to cases, statutes, and regulations in AI-generated legal content and flags citations that do not match patterns from verified legal databases. For legal opinions, brief drafts, and regulatory guidance summaries, this prevents fabricated authority from reaching clients or courts. The policy pack can require attorney review before delivery for any output containing legal citations, regardless of whether a specific citation is flagged.
When AI is used in legal workflows, the AI's decisions become part of the record. CoreGuard's hash-chained certificate trail is designed to be defensible in discovery. Every certificate is tamper-evident, timestamped, and linked to both the model version and the policy version active at the time of the decision.
{
  "certificate_id": "cert_4a9f2d1e-7b3c-45e8-a1f0-2d8c9b6e3a4f",
  "issued_at": "2026-05-05T16:04:51.204Z",
  "policy_set": "legal_review_v1",
  "policy_pack_hash": "sha256:7c4e9b1d3f8a2...",
  "decision": {
    "status": "BLOCKED",
    "risk_level": "HIGH",
    "action_type": "contract_review_output",
    "block_reason": "playbook_violation"
  },
  "policy_evaluation": {
    "rules_evaluated": 22,
    "rules_triggered": 2,
    "violations": [
      {
        "rule_id": "legal.contract.no_unlimited_liability",
        "severity": "high",
        "flagged_text": "Vendor's total liability shall be unlimited...",
        "action_taken": "BLOCKED — attorney review required"
      },
      {
        "rule_id": "legal.contract.governing_law_approved_only",
        "severity": "medium",
        "flagged_text": "...governed by the laws of the Cayman Islands",
        "action_taken": "BLOCKED — jurisdiction not in approved list"
      }
    ],
    "privilege_check": "PASS — no privilege leakage detected",
    "citation_check": "PASS — no legal citations in output"
  },
  "context": {
    "requester_role": "contract_manager",
    "contract_type": "vendor_services_agreement",
    "matter_id": "matter_40291"
  },
  "legal_hold": {
    "preservation_flag": false,
    "tamper_evident": true,
    "chain_position": 19847
  },
  "signature": "HMAC-SHA256:2e4f9a1c7b3d..."
}
Any certificate can be placed on legal hold, making it immutable until the hold is released. Legal hold flags are applied via the API and are reflected in the certificate record with timestamp and requesting party.
Certificate records can be exported in JSONL format for discovery production. The export includes chain integrity verification — a verifiable proof that no certificates were added, removed, or modified in the production set.
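What a receiving party's chain check over such a JSONL export can look like, as an added example that is not CoreGuard's code or record format. It assumes a flat record with a hypothetical `prev_hash` field, a top-level `chain_position`, and an HMAC-SHA256 `signature` over the canonical JSON of the other fields, with the key held by the verifier.

```python
import hashlib, hmac, json

def _canon(rec):
    # Canonical bytes: sorted keys, compact separators, signature field excluded.
    body = {k: v for k, v in rec.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _sign(rec, key):
    return "HMAC-SHA256:" + hmac.new(key, _canon(rec), hashlib.sha256).hexdigest()

def link_hash(rec):
    # Covers the signature as well, so a re-signed record still breaks the next link.
    data = _canon(rec) + str(rec.get("signature", "")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_chain(bodies, key, start=1):
    """Constructed sample data: chain and sign a list of certificate bodies."""
    out, prev = [], "sha256:" + "0" * 64
    for i, body in enumerate(bodies):
        rec = dict(body, chain_position=start + i, prev_hash=prev)
        rec["signature"] = _sign(rec, key)
        out.append(rec)
        prev = link_hash(rec)
    return out

def to_jsonl(recs):
    return "\n".join(json.dumps(r) for r in recs)

def verify_export(jsonl, key, expected_head=None):
    """Return [(line_no, problem)]; an empty list means the set is intact."""
    problems, prev, pos = [], None, None
    for n, line in enumerate(jsonl.splitlines(), 1):
        rec = json.loads(line)
        if not hmac.compare_digest(str(rec.get("signature", "")), _sign(rec, key)):
            problems.append((n, "bad signature"))   # modified or forged record
        if prev is not None and rec.get("prev_hash") != prev:
            problems.append((n, "broken link"))     # predecessor changed or removed
        if pos is not None and rec.get("chain_position") != pos + 1:
            problems.append((n, "position gap"))    # record removed or inserted
        prev, pos = link_hash(rec), rec.get("chain_position")
    # Dropping records from the end leaves a valid prefix; only an independently
    # recorded head hash reveals that kind of truncation.
    if expected_head is not None and prev != expected_head:
        problems.append((0, "head mismatch"))
    return problems

KEY = b"constructed-demo-key"  # constructed; a real key stays with the verifier
CHAIN = build_chain([{"certificate_id": f"cert_demo_{i}", "decision": "BLOCKED"}
                     for i in range(4)], KEY, start=19847)
```

Editing one record is reported on that line and on the next link, while removing the last record passes unless `expected_head` is supplied from a source outside the export.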
CoreGuard integrates into the legal technology stack without requiring changes to your existing workflow. Enforcement runs transparently in the AI call path.
CoreGuard integrates with Ironclad's AI review features through webhook-based API integration. Contract review outputs are evaluated by CoreGuard before they are surfaced to Ironclad users. Playbook violations are returned as structured comments that appear in the Ironclad review workflow.
For DocuSign CLM deployments using AI-powered agreement intelligence, CoreGuard inserts into the AI analysis call path. Policy violations are returned as structured metadata that DocuSign CLM can display in the reviewer interface, with the relevant clause text and the playbook rule that was violated.
For law firms using Clio Manage with AI-assisted drafting and document review, CoreGuard governs AI outputs within matter and client access boundaries. Matter-level access controls prevent AI requests from crossing client boundaries, and privilege protection rules are enforced at the output layer.
For law firms and legal departments that have built or are building custom AI tools on top of LLM APIs, CoreGuard's REST API and SDK provide the governance layer. The Python, JavaScript, and Java SDKs support integration into any legal AI application. Policy packs are configured by the EVE Core policy engineering team to match your playbook.
CoreGuard enforces privilege protection through two mechanisms. First, the legal policy pack includes access controls that prevent privileged materials from being passed to AI models that are not operating within a privilege-protected workflow — blocking inadvertent disclosure to systems that might expose the content. Second, CoreGuard monitors AI outputs for content that would constitute privilege waiver, including unauthorized disclosure of legal advice or confidential client information, and blocks such outputs before they reach unintended recipients. For law firms, matter-level access controls ensure that AI requests cannot inadvertently surface information from matters the requester is not authorized to access.
CoreGuard's contract review policy pack supports enforcement of any rule that can be expressed as a pattern match, clause presence or absence check, or structured field comparison. Common enforcement rules include: prohibited indemnification terms, unlimited liability provisions, jurisdiction requirements for governing law, required clauses (data processing agreements, confidentiality provisions, insurance requirements), and commercial terms outside pre-approved ranges. Enterprise customers work with our policy engineering team to convert their standard playbook into CoreGuard policy rules. The policy pack can vary by contract type, counterparty category, and jurisdiction.
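The three rule kinds named above (pattern match, clause presence or absence, structured field comparison) written as one deterministic evaluator. This is an added example, not CoreGuard's policy engine: the record fields, the regexes, the approved-jurisdiction list, the `dpa_required` rule id and the `ALLOWED` status are assumptions.

```python
import re

# The two rule ids ending in no_unlimited_liability and governing_law_approved_only
# come from the page's sample certificate. The dpa_required id, the regexes, the
# approved list and the "ALLOWED" status are constructed for this example.
APPROVED_LAW = {"vendor_services_agreement": {"Delaware", "New York"}}
UNLIMITED = re.compile(r"liability\s+shall\s+be\s+unlimited", re.I)
GOV_LAW = re.compile(r"governed\s+by\s+the\s+laws\s+of\s+(?:the\s+)?"
                     r"(?:State\s+of\s+)?([A-Za-z ]+?)(?=[.,;]|$)", re.I)
DPA = re.compile(r"data\s+processing\s+(?:agreement|addendum)", re.I)

def evaluate(contract):
    """Run every rule on one contract record and return the violations."""
    text, found = contract["text"], []
    m = UNLIMITED.search(text)                      # pattern match: prohibited term
    if m:
        found.append({"rule_id": "legal.contract.no_unlimited_liability",
                      "severity": "high", "flagged_text": m.group(0)})
    m = GOV_LAW.search(text)                        # structured field comparison
    approved = APPROVED_LAW.get(contract["contract_type"], set())
    # Fail closed: an unknown contract type or a missing clause is a violation.
    if m is None or m.group(1).strip() not in approved:
        found.append({"rule_id": "legal.contract.governing_law_approved_only",
                      "severity": "medium",
                      "flagged_text": m.group(0) if m else "<no governing law clause>"})
    if contract.get("involves_personal_data") and not DPA.search(text):
        found.append({"rule_id": "legal.contract.dpa_required",  # clause absence
                      "severity": "high", "flagged_text": "<clause absent>"})
    return found

def decide(contract):
    v = evaluate(contract)
    return {"status": "BLOCKED" if v else "ALLOWED",
            "rules_triggered": len(v), "violations": v}

# Constructed sample inputs.
BAD = {"contract_type": "vendor_services_agreement", "involves_personal_data": True,
       "text": "Vendor's total liability shall be unlimited. This Agreement is "
               "governed by the laws of the Cayman Islands."}
GOOD = {"contract_type": "vendor_services_agreement", "involves_personal_data": True,
        "text": "Vendor's total liability shall not exceed the fees paid. This "
                "Agreement is governed by the laws of the State of Delaware. The "
                "parties shall execute a Data Processing Agreement."}
```

Literal patterns like these miss paraphrased clauses (for example "without limit"), so a prohibited-term rule needs test contracts for each wording the playbook is meant to reject.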
CoreGuard's hash-chained decision certificate record is designed to support legal hold and discovery obligations. Certificates are append-only and tamper-evident — any modification to a certificate record is detectable through chain verification. The certificate for any AI-assisted legal decision includes the complete evaluation record, the policy version active at the time, the identity of the requesting user, and the full decision output. This satisfies the authenticity and completeness requirements for electronically stored information (ESI) under Federal Rules of Civil Procedure Rule 34. Legal hold flags can be applied to individual certificates or to ranges of certificates via the API.
Yes. CoreGuard integrates with contract management and CLM platforms through its REST API. For platforms that support webhook-based AI integration, including Ironclad, DocuSign CLM, and Clio Manage, CoreGuard can be inserted into the AI call path to govern contract review outputs before they are displayed to users. We provide pre-built connectors and integration documentation for major CLM platforms. For custom integrations, the CoreGuard SDK is available in Python, JavaScript, and Java with full documentation and reference implementations.
Talk to our legal technology team about a CoreGuard deployment built around your contract playbook, privilege requirements, and matter management workflows. We start with a 30-minute playbook review at no cost.