Section navigation
AAExample Conforming DeploymentABExample Conformance StatementACExample Record Surface MapADExample Configuration MatrixAEExample Multi-Vendor WorkflowAFExample Discovery AssessmentAGExample Feedback Routing TableAHExample Legal Hold ProcedureAIInternational Legal Sector GuidanceAJEmergent Autonomous Execution in a Web Research DeploymentAKMCP Integration with Regulated Financial InfrastructureALAcquisition Modality Landscape for Retained Interaction RecordsAMMobile Agent WorkflowANHealthcare Revenue Cycle Agent WorkflowAOEnterprise Governance Interceptor Workflow

Annex AI: International Legal Sector Guidance

ARCS ANNEX AI

International Legal-Sector Guidance Confirms the Access-Control Ceiling

Document Type: ARCS Annex (Regulatory Evidence)

Classification: External / Standards / Regulatory

Status: Historical comparative annex Note: This annex preserves an earlier control-model comparison drafted before the ARCS family structure was finalized. CT-01 through CT-09 references are retained here for historical continuity and are not part of the current ARCS control-family nomenclature.

Date: March 7, 2026

Prepared by: Vega Commons Project, Inc.

1. Purpose

This annex records the results of a cross-jurisdiction review of legal-sector and court-sector guidance on the use of generative artificial intelligence, based on primary source review of documents from eleven court systems across seven common-law jurisdictions, multiple professional bodies, law reform commissions, and international organizations. The purpose of the annex is to determine whether existing legal AI governance materials address the interaction-record custody surface as defined by ARCS, or whether current guidance remains within an access-control and responsible-use paradigm. The annex is intended to support the ARCS position that the controls defined in ARCS Sections 3.1 through 3.9 address a governance layer that is not covered by any existing framework reviewed.

2. Source Set

The review is based on the following primary sources, all reviewed in full text: Courts of New Zealand GenAI Guidelines (December 2023, three documents); UK Courts and Tribunals Judiciary AI Guidance for Judicial Office Holders (October 2025); Hong Kong Judiciary Guidelines on the Use of Generative AI (September 2024); Queensland Courts Guidelines for Judicial Officers (adopted by nine courts and tribunals); Canadian Judicial Council Guidelines for the Use of AI in Canadian Courts (September 2024); Singapore Supreme Court Guide on the Use of GenAI Tools by Court Users (October 2024); Singapore Ministry of Law Guide for Using Generative AI in the Legal Sector (March 2026); Victorian Law Reform Commission report on AI in Victoria's Courts and Tribunals (February 2026, 360 pages); Australasian Institute of Judicial Administration report on AI Decision-Making and the Courts (2023 update, 66 pages); CEPEJ European Ethical Charter on AI in Judicial Systems (December 2018, 79 pages); and the EU AI Act (Regulation 2024/1689, 180 pages). The source inventory was drawn from the Law Library of Victoria research guide, current as of March 2, 2026.

3. Observed Governance Model

Across the reviewed materials, the dominant governance model is consistent. The documents regulate responsible use of AI tools, verification of outputs, hallucination risk, protection of confidential and privileged information, disclosure obligations, human oversight requirements, professional responsibility, procedural fairness, auditability and documentation, and institutional governance controls. This model assumes that AI interaction artifacts exist and focuses on how they should be used, reviewed, and protected. Several jurisdictions have identified the fact of vendor-side data retention. The UK judiciary warns that even with chat history disabled, data entered should be assumed to be disclosed. New Zealand warns that platforms may retain anything users enter. Singapore's courts acknowledge that tools will store information for various purposes. In each case, the governance response is behavioral or access-based. No jurisdiction has defined governance controls for the data that persists after these mitigations are applied.

4. ARCS Controls Not Addressed by Any Reviewed Source

The following ARCS controls address governance surfaces that are not defined in any reviewed framework. CT-01 (Semantic Labeling Accuracy) requires that user-facing deletion controls correspond to backend deletion of all retained categories. No reviewed framework requires this correspondence. CT-02 (Retention Schedule Disclosure) requires complete retention timelines for all data categories surviving user-initiated deletion. The Singapore Ministry of Law's vendor checklist asks whether custom retention periods are available but does not ask what retention occurs by default or what survives deletion. CT-03 (Session-Level Non-Retention Option) requires that users have access to a session mode that processes interactions without writing to persistent storage. No reviewed framework requires or recommends non-retention modes. CT-04 (Cryptographic Attestation) requires verifiable proof of retention boundary conditions. No reviewed framework addresses attestation of retention behavior. CT-05 (Tier Parity Disclosure) requires disclosure of all differences between enterprise and consumer data handling. No reviewed framework addresses this distinction beyond noting that enterprise tools are preferable to public tools.

CT-06 (Legal Hold Transparency) requires notification when data is subject to legal hold that overrides deletion controls. No reviewed framework addresses legal hold behavior for AI interaction records. CT-07 (Secondary Use Prohibition) requires that interaction data not be used for purposes beyond those disclosed. While several frameworks address model-training opt-out, none address the full range of secondary uses including safety classification, evaluation sampling, and abuse detection. CT-08 (Institutional Deployment Requirements) addresses governance requirements for organizational AI deployments. Several frameworks, particularly the Singapore Ministry of Law guide and the VLRC report, address institutional governance but do not include custody-specific controls. CT-09 (Verification) requires independent verification of compliance with the above controls. No reviewed framework defines a verification mechanism for custody compliance.

5. Significance for ARCS Positioning

The cross-jurisdiction review demonstrates that ARCS does not duplicate any existing governance framework. The controls defined in ARCS Sections 3.1 through 3.9 operate at a governance layer that is not addressed by court guidance, professional body guidance, law reform recommendations, or international regulatory frameworks. ARCS extends existing access-control governance by adding the custody layer. It does not replace privacy, security, compliance, or professional conduct frameworks. An operator implementing ARCS adds custody governance to whatever access-control framework its jurisdiction has established.

A structural tension exists between the EU AI Act's logging mandate and the custody controls defined by ARCS. Article 12 of the EU AI Act requires automatic logging for high-risk AI systems, and Article 19 requires providers to retain those logs for at least six months. These requirements create a comprehensive, searchable archive of user interactions as a matter of legal compliance. ARCS controls CT-03 (Session-Level Non-Retention) and CT-06 (Legal Hold Transparency) address exactly this tension. CT-03 provides the architectural mechanism for non-retention in contexts where logging is not legally required. CT-06 ensures that when logging is legally required, the operator is notified and the scope of retention is disclosed. Without these controls, an operator subject to the EU AI Act has no mechanism to distinguish between logging that is mandatory for safety compliance and logging that creates unnecessary discovery exposure. ARCS provides that mechanism.

A systematic keyword search across the full corpus of approximately 64 reviewed documents confirms the negative finding. The terms "custody governance," "interaction-record lifecycle," "compelled production exposure," "vendor persistence," and "controlled existence" return zero substantive results. The term "retention" appears only in privacy and deletion contexts, not as a structured governance object. The term "logs" appears only in audit and supervision contexts. The term "subpoena" is essentially absent, and "legal hold" does not appear. This negative evidence is significant because the source base includes the most comprehensive and institutionally credible AI governance documents available in any common-law jurisdiction. The absence of custody-layer terminology from these materials confirms that ARCS occupies a governance surface that no existing framework defines.

The consistency of the access-control ceiling across eleven court systems, seven jurisdictions, and multiple international frameworks indicates that the gap is paradigm-wide rather than jurisdiction-specific. This supports the ARCS thesis that modern AI systems create a class of records that existing governance frameworks do not address, and that a separate standard is required to govern their existence, persistence, and legal exposure.

Vega Commons Project, Inc.

ARCS Annex AI | International Legal-Sector Guidance Confirms Access-Control Ceiling | v2 | March 7, 2026