The progress is real. So is the ceiling.

If your legal and compliance teams are already running on Claude, Copilot or Gemini, you have done more than most. You bought the licences, ran the training, set the policy, and got the first wave of sceptics to admit the drafts come back faster.

That work is real. It is also where most companies are about to plateau.

Publicly reported figures put the time savings from generative AI for legal professionals at anywhere from 5 to 15 hours per week per user as adoption matures — roughly the value of one extra working day a week, recovered. Estimates show that 44% of legal task hours are exposable to large language models, the second-highest share of any white-collar function after administrative work.

Those numbers describe an enormous productivity gain for the lawyer. They do not describe a faster company. The lawyer types faster. The queue at the lawyer’s inbox does not move.

That is the gap worth talking about.

The holy grail is organisation-level automation. Not individual productivity.

A copilot is a productivity tool. It makes one person faster at one task. Whatever it saves the lawyer, it saves in the lawyer’s day.

The thing the business actually needs is different. It needs the request from the salesperson, the vendor manager, the new hire, the engineer — none of whom are lawyers — to be answered at organisation speed. The metric that matters is not “minutes saved per lawyer.” It is “how many of the company’s questions got resolved this week without anyone in legal touching them.”

Doing that at the individual level is easy. Every modern copilot ships ready for it.

Doing it at the organisation level is the hard part — and it is where almost every legal AI deployment we have seen stalls. Four reasons it stalls:

1. The policy is in the lawyer’s head, not in writing. A copilot will draft against a prompt. Routing requests to AI without a lawyer in the loop requires the positions of the legal team to be codified — sometimes for the first time.

2. The end user is not a lawyer. A salesperson asking an LLM for a contract review is one hallucinated clause away from a problem they cannot detect. The interface that works for the lawyer is the wrong interface for everyone else.

3. Governance has to be designed in, not added later. Audit trail, access control, regional data residency, exception escalation — these are the entire job once requests are running without a human reviewer in the path.

4. There is no single owner. Productivity tools have an obvious user. Organisation-level automation has a designer (legal), a runner (the AI), an audience (the rest of the business), and an auditor (GC, DPO, security). Getting those four roles into one system is the work.

This is why the next layer is harder than the first. And why getting it right is worth far more.

When the end user is not a lawyer, you do not want a probabilistic LLM. You want a deterministic answer.

LLMs are extraordinary at language. They are also probabilistic by design — the same question, asked twice, can return two different answers. Inside the legal team, that is fine, because a trained lawyer is reading the output before it leaves their desk.

Outside the legal team, it is dangerous.

When a salesperson asks “can I sign this NDA?” they are not equipped to second-guess the answer. They will trust whatever comes back. If your automation layer is just a chat box pointed at a model, you will get the same five questions answered three different ways by Friday — and you will not know it happened until a deal closes on the wrong position.

For routine legal and compliance work that bypasses the expert, what the organisation needs is the opposite of free-form LLM output:

• A single, named position for each repeatable question — written by the in-house team, enforced consistently.

• Deterministic logic for routing: this NDA gets approved automatically, this one escalates to the GC, this third one needs a redline first. Same input, same outcome, every time.

• An audit trail that shows the lawyer exactly which policy ran, on which request, for whom, and what it returned — so they can refine the policy, not re-check every answer.

The AI is doing language. The decision layer is doing rules. That combination is what makes an answer trustworthy to a non-expert end user.

A copilot, on its own, cannot give you that. It is built to be helpful in the moment, not consistent across a thousand requests.

What “automating the executional layer” actually looks like

The work most legal and compliance teams do divides cleanly into two categories.

Strategic work — the M&A, the regulator response, the bet-the-company contract, the new market entry, the litigation call. This belongs in the room with the C-level. No copilot, and no automation, should be pulling that work away from a senior in-house lawyer.

Executional work — NDAs, vendor reviews, DSARs, policy lookups, standard SaaS subscriptions, sanctions screens, “can I use this AI tool for this,” “what’s our position on indemnity caps.” It is repeatable. It follows the team’s own internal playbook. It exists because policies need to be enforced consistently, not re-decided each time.

Three examples from our pipeline.

A 180-person fintech with two lawyers. Before: every vendor NDA waited for the GC’s review queue. Turnaround four to seven days. After: the GC defined the NDA position once. Standard NDAs now route back to the requester within minutes with a recommended action; only edge cases land in the GC’s inbox. Review queue dropped by roughly 70%. The GC did not work less — she stopped doing NDAs and started building the data governance framework she had been deferring for a year.

A 60-person iGaming operator. Before: the Head of Legal hand-answered “can we run this promotion in this jurisdiction” questions from marketing. After: the compliance ruleset for each licensed market sits in a deterministic layer. Marketing asks the question directly. Answers come back cited and logged, escalating to the Head of Legal only when the market combination is novel.

A regulated reinsurer. Before: information-security questionnaires from prospective clients were a two-week round-trip through security, legal, and compliance. After: the questionnaire is answered automatically against the certified knowledge base, with sign-off only at the points where a human is required by policy.

None of these replaced a lawyer. Each of them removed the lawyer from a path where the lawyer was the queue, not the decision.

What this means for your AI plan

If you have already equipped your legal and compliance teams with Claude, Copilot or Gemini, you have completed the productivity layer. The next layer is organisation-level automation: the parts of the workflow where the request never needed to touch a human inbox in the first place — and where the answer to the salesperson, the vendor manager, the new hire, the engineer needs to be deterministic, not best-effort.

A simple diagnostic for whether your organisation is ready for that shift:

• Can you list the five questions your legal or compliance team answers most often? If yes, those are the candidates.

• Does your in-house team have a written position on each one? If yes, that position is the policy. It is also what the automation runs.

• Do other employees currently wait for that team to give them the answer? If yes, that wait is the cost.

Your in-house team designs the policy. Something else should be running it — consistently, the same way, every time.

That is the shift worth making in 2026 — and the reason a copilot, on its own, will not get you there.

Arna is the workflow layer that takes a legal or compliance team’s standard positions and runs them directly for the rest of the company — deterministically, with the audit trail, governance and access control your GC requires. If you have copilots in place and the queue is still the constraint, that’s exactly the gap we’re built for.