How to Govern CoCounsel Inputs and Outputs
CoCounsel is transforming legal operations, but governance must evolve alongside it. This article explores the risks of unmanaged AI inputs and outputs, why acceptable use policies are no longer enough, and how J-10 provides enforceable governance, continuous audit evidence and real-time control across the Thomson Reuters legal technology ecosystem.
This article is published by J-10, Jalubro's proprietary governance enforcement platform. It is part of a series exploring how regulated enterprises can enforce compliance inside operational workflows. To learn how Jalubro's advisory and implementation services support governed enterprise operations, visit our services page.
CoCounsel is transforming legal operations. The question is whether your governance is keeping up.
Thomson Reuters CoCounsel is one of the most significant technology shifts in legal operations in a decade. Legal teams across regulated industries are using it for contract review, clause drafting, legal research, document summarisation and deposition preparation. It is fast, capable and deeply integrated into the Thomson Reuters legal technology stack, including Legal Tracker and HighQ.
The adoption case is clear. The governance case is not.
Most enterprises deploying CoCounsel have an acceptable use policy. Some have internal guidance on what types of work CoCounsel should and should not be used for. Very few have enforceable controls that govern what data users can feed into CoCounsel and what CoCounsel produces before it influences a legal decision, a contract or a downstream business process.
This article covers both sides of the governance challenge and sets out what enforceable CoCounsel governance looks like in a regulated enterprise.
The input problem: what your people are putting into CoCounsel
CoCounsel operates within the Thomson Reuters security model. The platform itself has enterprise-grade data handling. That is not the issue.
The issue is what your users choose to provide to it.
CoCounsel is designed to be useful. It accepts documents, text, questions and instructions from users and processes them to generate outputs. In a legal department, the data that users provide to CoCounsel can include some of the most sensitive information the enterprise holds.
Privileged legal advice. A lawyer pastes a memorandum containing privileged strategy on an ongoing dispute into CoCounsel for summarisation. The privilege status of that document is a legal protection that depends on how the information is handled. Feeding it into an AI tool without controls does not automatically waive privilege, but it introduces risk that most General Counsels would want governed, not left to individual judgment.
Client-confidential information. A contract manager uploads a client's financial statements, term sheets or commercial proposals into CoCounsel to assist with contract drafting. The client's engagement letter may restrict how their confidential information is processed. There is no control preventing this from happening.
Draft settlement terms. A litigator working on a dispute pastes draft settlement positions into CoCounsel for analysis. These are among the most commercially sensitive documents in the enterprise. Their exposure, even within an AI tool operating inside the enterprise perimeter, may conflict with the organisation's information handling policies.
Board and executive materials. A company secretary or in-house counsel uses CoCounsel to summarise board papers or executive committee materials. These documents typically carry the highest data classification in the enterprise.
Personal data. Employment matters, HR disputes, data subject access requests. Legal teams routinely handle personal data that is subject to GDPR and UK data protection requirements. Feeding this data into an AI tool may create processing activities that have not been documented in the enterprise's data processing records.
In every case, the risk is not that CoCounsel mishandles the data. The risk is that the enterprise has no enforceable control over whether the data should have been provided in the first place. The acceptable use policy says "exercise judgment." Judgment varies. Governance should not.
The output problem: what CoCounsel produces and where it goes
The output side is more commonly discussed, but still rarely governed in practice.
CoCounsel generates a range of outputs: contract clause suggestions, legal research summaries, document review analyses, deposition preparation materials and risk assessments. These outputs are useful. They are also, in many cases, the starting point for decisions that have contractual, financial and regulatory consequences.
Clause generation without policy validation. CoCounsel drafts a limitation of liability clause for a vendor contract. The clause is well-constructed but uses language that deviates from the enterprise's approved clause library. Without governance, the clause enters the contract workflow, passes through review by a lawyer who may not check it against the library, and ends up in an executed agreement. The deviation is discovered months later during a contract audit.
Research outputs without accuracy verification. CoCounsel produces a legal research summary citing case law and regulatory provisions. One of the citations is inaccurate or relates to a jurisdiction that does not apply. Without governance, the summary informs a legal opinion that is provided to a client or to the business. The error surfaces when the opinion is challenged.
Summaries flowing into downstream decisions. CoCounsel summarises a set of supplier contracts to identify risk concentrations. The summary is used by procurement to make decisions about supplier panel composition. The summary omits a material clause in one contract because the AI's analysis weighted it as low relevance. The procurement decision is made on incomplete information.
Outputs entering workflows without traceability. A CoCounsel-generated output is copied from the AI interface and pasted into an email, a Legal Tracker matter record, a HighQ collaboration space or a contract in the CLM. At that point, the output looks like any other piece of content. There is no record that it was AI-generated, no evidence of whether it was validated, and no traceability to the governance policies it should have been checked against.
In each case, the issue is the same. CoCounsel produces an output. The output enters a workflow or a decision. Nothing between those two steps enforces the enterprise's governance policies.
What enforceable CoCounsel governance looks like
Enforceable governance means that policy is applied at the point of interaction, not reviewed afterwards. For CoCounsel, that means governance on both the input and the output side, operating in real time inside the workflows where CoCounsel is used.
Governing inputs
Data classification gates. Before any document or data is provided to CoCounsel, it is validated against the enterprise's data classification policy. Documents classified as "Board Privileged", "Restricted" or "Client Confidential" are blocked from AI processing unless an authorised exception is granted. The classification check is automated, not reliant on the user's judgment.
Matter-level permissions. Not all matters carry the same sensitivity. A routine commercial contract review may be appropriate for CoCounsel assistance. A hostile takeover defence or a regulatory investigation may not. Input governance can enforce matter-level rules that determine whether CoCounsel can be used on a given matter, based on matter type, client restrictions or regulatory sensitivity.
Personal data detection. Inputs are scanned for personal data that would create a processing activity under GDPR or UK data protection law. If personal data is detected and the relevant processing activity has not been documented, the input is blocked and the data protection team is notified.
Full audit trail on every input. Every interaction is logged: what was submitted, by whom, on which matter, at what time, what classification the data carried, and whether the input was permitted or blocked. This evidence is captured automatically and cannot be modified after the fact.
Governing outputs
Clause library validation. CoCounsel-generated clauses are validated against the enterprise's approved clause library before they can enter a contract workflow. Deviations are identified, categorised by severity, and either blocked or routed for approval by an authorised reviewer.
Citation and reference verification. Legal research outputs are checked for accuracy against available source materials. Hallucinated citations, superseded regulations and jurisdictional mismatches are flagged before the output reaches a lawyer's workstream.
Downstream flow control. AI-generated outputs that pass governance checks flow into Legal Tracker, HighQ, the CLM or any connected system automatically. Outputs that fail governance checks are held. They do not progress until the issue is resolved. The governance layer, not the user, controls whether an AI output enters a business workflow.
AI provenance tagging. Every CoCounsel-generated output that enters a downstream system carries a provenance tag identifying it as AI-generated, recording the governance checks it passed (or the exceptions that were granted), and linking it to the full audit trail. Six months later, when a contract is under review, the enterprise can trace exactly which clauses were AI-generated and what governance was applied.
Governance across the Thomson Reuters stack
CoCounsel does not operate in isolation. It is part of an ecosystem that includes Legal Tracker for matter management and eBilling, HighQ for collaboration and knowledge management, and potentially a CLM platform for contract lifecycle management. In many enterprises, these systems also connect to ERPs, procurement platforms and financial reporting tools.
Governance that only applies within CoCounsel's interface is incomplete. A clause generated by CoCounsel that enters a contract in the CLM, which then triggers a procurement commitment, which then creates a financial exposure, must be governed at every step. The governance controls applied at the point of AI generation must travel with the data through every system it touches.
The evidence requirement
Regulators are increasingly asking enterprises to demonstrate how AI is governed in practice, not in policy. The FCA has signalled expectations around AI use in financial services. The EU AI Act introduces obligations for high-risk AI systems. Sector regulators across healthcare, energy and insurance are developing their own guidance.
When the question comes, and it will, the enterprise needs to produce evidence. Not a policy document. Not a training record. Timestamped, tamper-proof evidence showing: what data was provided to CoCounsel, whether it was permitted under governance policies, what CoCounsel produced, whether the output was validated, what the validation result was, and how the output flowed into downstream decisions.
Enterprises that deploy CoCounsel without enforceable governance are building an evidence gap that grows with every interaction. The longer the gap exists, the harder it becomes to close retrospectively.
How J-10 governs CoCounsel in regulated enterprises
J-10 is a business-side governance enforcement platform that provides enforceable, two-way governance for CoCounsel and the wider Thomson Reuters legal technology stack.
On the input side, J-10 enforces data classification policies, matter-level permissions and personal data detection at the point of interaction, before any data reaches CoCounsel. On the output side, J-10 validates CoCounsel-generated content against the enterprise's clause library, governance policies and accuracy standards before outputs enter Legal Tracker, HighQ, the CLM or any downstream system.
J-10 captures continuous, audit-grade evidence of every governed CoCounsel interaction. Every input, every output, every validation, every exception, every approval. The evidence is produced automatically as part of governed operations, not assembled after the fact.
For enterprises that have already deployed CoCounsel, J-10 adds the governance layer that should have been there from day one. For enterprises planning their CoCounsel deployment, J-10 ensures governance is embedded from the start.
Jalubro is a global strategic partner of Thomson Reuters and the leading implementation team for Legal Tracker, HighQ and CoCounsel. We have more experience deploying and governing the Thomson Reuters legal technology stack than any other consulting firm in the market.
To learn more about governing CoCounsel with J-10, visit j10.ai or contact the Jalubro team to book a briefing.
Let's build your connected enterprise
Share your priorities and we'll show you how Jalubro can unify your operations.
Book a discovery call →