Legal AIPrimary sector: LegalLast reviewed: May 12, 2026

Harvey

Name: Harvey — AI Governance Scoring (EFROS Index)
Creator: Stefan Efros
Published: 2026-05-13
License: https://creativecommons.org/licenses/by/4.0/

Counsel AI Corporation (Harvey) · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS

Updated · June 4, 2026

Composite governance score

74/ 100B

B = strong posture. Deployable in regulated workloads with documented compensating controls.

Axes scored: 9 / 11

Trust-center maturity: 3 / 5

Sector weighting: Legal

About this vendor

Generative AI platform purpose-built for law firms. Backed by OpenAI; primarily deployed at Am Law 100/200 firms for drafting, research, and matter-aware workflows.

Enterprise tier: Harvey Assistant, Harvey Workflows, Harvey Vault (firm-wide licensing)
Vendor homepage: https://www.harvey.ai

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

Axis	Status	EFROS note	Source
BAA / DPA available	Yes	Harvey signs enterprise data-handling agreements equivalent to BAA scope for client-confidential workloads. Firm-level deployment terms address privilege handling.	Harvey Security
Training-data opt-out	Yes	Harvey does not train on client data. Tenant isolation contractually enforced. Foundation models accessed via Harvey are configured with zero-retention enterprise contracts.	Harvey Security
US data residency option	Yes	US data residency available for enterprise customers. Harvey runs primarily on Azure US regions.	Harvey Security
SOC 2 Type II report	Yes	SOC 2 Type II completed. Report available to enterprise customers via direct request.	Harvey Security
ISO/IEC 42001 attestation	No	No public ISO/IEC 42001 attestation as of May 2026.	Public posture review
NIST AI RMF self-attestation	Partial	Harvey publishes governance documentation aligned to NIST AI RMF principles. No formal self-attestation.	Harvey governance documentation
Colorado AI Act readiness	Partial	Harvey acknowledges Colorado AI Act deployer responsibility model in customer documentation; firms own end-deployer obligations.	Harvey customer documentation
HHS-OCR Section 1557 readiness	N/A	Legal-vertical positioning.	Harvey positioning review
FRB SR 11-7 readiness	N/A	Legal-vertical positioning.	Harvey positioning review
ABA Formal Op 512 readiness	Yes	Harvey publishes ABA Formal Op 512 alignment documentation: data isolation, no training on client data, audit logging, privilege-aware retention controls.	Harvey ABA Op 512 documentation
Subprocessor list public	Partial	Subprocessor information available to enterprise customers under NDA. Not self-serve public.	Harvey enterprise documentation

Trust-center maturity

3/ 5

Security page documents core controls. Enterprise-grade documentation available on request. Less self-serve maturity than cloud-platform vendors.

Source: harvey.ai/security

Deep dive

Overview

Harvey is the highest-profile legal vertical AI vendor. The governance posture is strong on the dimensions that matter most for law firms (no-train, US residency, BAA-equivalent, ABA Op 512 alignment) but trust-portal maturity lags cloud-platform vendors. The competitive position depends on firm-specific workflow value rather than cross-cutting governance differentiation.

Strengths

Purpose-built for legal. Privilege handling and matter walls native to product
ABA Op 512 alignment documented
Default no-train, US residency, BAA-equivalent
Foundation-model upstreams contractually configured for zero-retention

Weaknesses

No ISO/IEC 42001
No formal NIST AI RMF self-attestation
Trust portal less mature than cloud-platform peers
Subprocessor transparency NDA-gated

Best-fit use case

Am Law 100/200 firms with established AI governance, where Harvey's privilege-aware workflow and matter-context features deliver value beyond what a foundation model alone provides.

Avoid when

Smaller firms (under 50 attorneys) where the per-attorney pricing doesn't amortize, and the ChatGPT Enterprise + ABA Op 512 protocol delivers acceptable functionality at lower cost.

Operator's take

Deploy Harvey when am Law 100/200 firms with established AI governance, where Harvey's privilege-aware workflow and matter-context features deliver value beyond what a foundation model alone provides. The composite score of 74 (grade B) reflects a defensible posture for regulated US workloads. Skip the vendor when smaller firms (under 50 attorneys) where the per-attorney pricing doesn't amortize, and the ChatGPT Enterprise + ABA Op 512 protocol delivers acceptable functionality at lower cost. In every deployment, treat the cells above as a snapshot — the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.

Read the full methodology →

Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Harvey, submit a formal challenge — we re-verify against the source and respond within 14 days.

Similar vendors (same category or sector)

Vendors in the same category as Harvey, padded with vendors that share its primary sector. All scored on the same twelve axes — useful for head-to-head shortlisting.

B80 / 100

Thomson Reuters CoCounsel

Thomson Reuters

View posture →

B76 / 100

Lexis+ AI

LexisNexis (RELX)

View posture →

B76 / 100

Westlaw Precision AI

Thomson Reuters

View posture →

D45 / 100

Spellbook

Rally Now, Inc. (Spellbook)

View posture →

C63 / 100

Ironclad AI

Ironclad, Inc.

View posture →

Where Harvey shows up in the rest of the Index

Harvey is scored in every state and (where applicable) sector slice of the Index. Use these views to compare Harvey against its peers from a state or sector lens rather than category.

Legal AI sector view →california view →colorado view →new york view →illinois view →texas view →

Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.

Take the scoring into production

The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.

Reserve $5K AI Governance Audit Run AI Risk Score →See full Index →