In recent blog posts, we provided a quick guide on which AI models should be used for which legal tasks (e.g., research vs. writing vs. image generation). We will be updating that post later this week in light of the release of GPT-5. We also wrote about how to use the various AI model features (e.g., Deep Research, Canvas, Custom GPTs). As a follow-up, we are launching a new series of blog posts on how we are using different AI tools. In this Part 1 of the series, we’re discussing “vibe coding”.
Our team was asked to help train lawyers and professional staff on the firm’s new AI policy, so we decided to create a game that is based on the policy using Generative AI, even though none of us can code. A link to a public version of a game that is similar to the one we created, using only natural language prompts, can be found below. We teamed up with our friends at Mandiant Consulting to make sure we adequately covered the cybersecurity risks associated with vibe coding a training game.
Try the Game on Your Computer here.
Try the Game on Your Phone here.
Google Notification: When you launch the game on your mobile device, the application opens through a Google-hosted link. As a security measure, Google will send a system notification asking you to confirm the link.
A. What is Vibe Coding?
“Vibe coding” is an iterative process for creating software where a user directs a Large Language Model (LLM) with natural language prompts. Instead of writing code line-by-line, the user describes the desired outcome, functionality, and even aesthetic—the “vibe”—and the AI generates the underlying code. While this dramatically lowers the barrier for those with no coding background to create applications, it doesn’t remove the need for human oversight. The initial output from the AI should be seen as a strong first draft that requires careful testing, refinement, and validation by the user to ensure it is secure and performs as intended.
B. How You Can Use Gemini to Create an AI Policy Training Game
- Open Gemini 2.5 Pro and upload the policy you want to train on.
- Ask the model to create the materials needed for the game:
Example Prompt to Use: I am preparing a game to test employees’ knowledge of the firm’s AI policy, which I just uploaded. Please review the attached policy very carefully. Take your time and then create a user-friendly summary of the policy, an FAQ, and a set of 20 multiple choice questions (three answers each) about the policy with only one right answer per question, which I will use to help create the game.
- Review the results to make sure they are accurate and that the questions test the right issues, with the right level of difficulty, and have only one correct answer. With a few small changes to the draft questions and answers provided by the AI model, you will be ready to move forward.
- Upload the finalized questions and answers, and instruct Gemini to create the prompt you need to code the game:
Example Prompt: Please build a prompt to create the “Law Firm Generative AI Policy Knowledge Game.” A player needs to enter their name to start. The goal is to answer 10 questions correctly in a row. If a player gets an answer wrong, their score should reset to zero. When they win, they should get a professional-looking, printable certificate with their name on it. The game should have a black and red design (example colors) and work well on both computers and mobile phones.
Please create the game as a single, self-contained HTML file. The final product must be fully functional without any external file dependencies, and written in HTML, JavaScript, and CSS only. Implement sanitization of inputs to reduce vulnerabilities.
- Gemini will then create the prompt that is set forth in Appendix A to this blog post. Copy and paste that prompt back into the chat window, and Gemini will then create the game for you. You can find an example of our game at the top of this blog post.
C. Security Considerations
Using Generative AI to write code can create cybersecurity risks, including “slop squatting,” where attackers take advantage of the fact that AI coding tools can hallucinate (make up) the name of a software package or website address. For example, suppose your game needs a software package that generates PDFs for the certificate. Rather than coding that function from scratch, the AI coding tool may reference a package (e.g., pdf-generator-pro) that is supposed to do the job but does not actually exist. Attackers who know that the AI coding tool repeatedly hallucinates this particular package name publish a real package called pdf-generator-pro that contains malware. When the generated code then tries to install or load that package, it finds the newly created malicious package and pulls it into the program.
Generative AI tends to produce code that does only the minimum the prompt describes. Stating specific security requirements in the prompt helps reduce the risk that the generated code contains whole classes of vulnerabilities.
To reduce the risk of slop squatting and other AI coding vulnerabilities, based on advice from Mandiant, add this language to the initial prompt:
Please create the game as a single, self-contained HTML file. The final product must be fully functional without any external file dependencies, and written in HTML, JavaScript, and CSS only. Implement sanitization of inputs to reduce vulnerabilities.
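As an added example (not code from this post, from Mandiant, or from the Gemini-generated game), the following Node.js script scans a generated HTML file for the external references that the prompt language above is meant to rule out; the pattern list and the two sample files are constructed assumptions for illustration.

```javascript
// Added example: a static tripwire that checks whether a vibe-coded game file
// honours the "single, self-contained HTML file" requirement. Anything that
// pulls code or data from outside the file is where a hallucinated package
// name or CDN URL would enter the program. Regex-based: it flags matches for
// human review; it does not parse HTML and does not prove the file safe.

const EXTERNAL_PATTERNS = [
  { rule: "external script", re: /<script\b[^>]*\bsrc\s*=/gi },
  { rule: "external stylesheet/link", re: /<link\b[^>]*\bhref\s*=/gi },
  { rule: "remote URL", re: /https?:\/\/[^\s"'<>)]+/gi },
  { rule: "ES module import", re: /\bimport\b[^;]*\bfrom\s*["']/g },
  { rule: "dynamic import()", re: /\bimport\s*\(/g },
  { rule: "fetch()/XMLHttpRequest", re: /\b(fetch\s*\(|XMLHttpRequest)/g },
  { rule: "CSS @import/url()", re: /@import\b|url\s*\(\s*["']?https?:/gi },
];

// Returns one finding per match: which rule fired and the matched text.
function findExternalDependencies(html) {
  const findings = [];
  for (const { rule, re } of EXTERNAL_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(html)) !== null) {
      findings.push({ rule, match: m[0].slice(0, 80) });
    }
  }
  return findings;
}

function isSelfContained(html) {
  return findExternalDependencies(html).length === 0;
}

// Constructed sample: a game that quietly loads a non-existent
// "pdf-generator-pro" package from a CDN to build the certificate.
const SUSPECT_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="https://cdn.example/pdf-generator-pro.css">
</head><body>
<script src="https://cdn.example/pdf-generator-pro.min.js"></script>
<script>fetch("https://api.example/certificate");</script>
</body></html>`;

// Constructed sample: everything inline, as the prompt language requires.
const CLEAN_HTML = `<!doctype html><html><head><style>body{color:#c00}</style></head>
<body><script>const questions=[{q:"May I paste client data into a public chatbot?",a:["Yes","No","Only with approval"],correct:2}];</script>
</body></html>`;

console.log(findExternalDependencies(SUSPECT_HTML));
console.log("clean file self-contained:", isSelfContained(CLEAN_HTML));
```

Run it against the index.html Gemini produces before anyone opens the file in a browser; any finding is a line to read by hand.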
* * *
If you have ideas for practical uses of Generative AI for lawyers for us to discuss in this series, please let us know.
To subscribe to the Debevoise Data Blog, please click here.
The Debevoise STAAR (Suite of Tools for Assessing AI Risk) is a monthly subscription service that provides Debevoise clients with an online suite of tools to help them with their AI adoption.
Please contact us at STAARinfo@debevoise.com for more information.
The cover art for this blog was generated by Gemini 2.5 Pro.
The authors would like to thank Summer Associate Cameron Hellerman for assistance in drafting this blog post.
* * *
Appendix A – Gemini 2.5 Pro Created Prompt
A. Project Structure:
- Create a single index.html file.
- All CSS styling must be written from scratch and embedded within <style> tags in the <head> of the HTML document.
- All game logic must be written in pure JavaScript and embedded within <script> tags at the end of the <body> of the HTML document.
B. Content:
- Use the multiple-choice questions, answers, and explanations from the attached file (Firm.policy.questions.docx) verbatim.
- Hardcode this question-and-answer data directly into a JavaScript array within the <script> section.
C. Start Screen:
- The game must begin on a start screen that prompts the player to enter their full name.
- Display today’s date on this screen, formatted as: Month Day, Year (e.g., August 19, 2025).
D. Gameplay Logic:
- The goal is to get 10 correct answers in a row.
- Display the questions in a random order for each new game.
- If a player answers a question correctly, that question must not be shown again during that game session.
- After each answer, provide immediate feedback: a green checkmark for correct answers or a red X for incorrect ones, along with the corresponding explanation from the answer key.
- An incorrect answer resets the player’s streak to 0, but the game continues with a new question.
E. Winning & Certificate:
- Upon achieving a 10-question streak, the game ends and displays a certificate.
- The certificate must have an official and elegant design.
- It must be customized with the player’s name, displayed in a large, fancy, script-style font (using a standard system font like cursive).
- The certificate must state that the player has successfully completed the “Law Firm Generative AI Policy Knowledge Game.”
- Include a button that allows the user to print the certificate or save it as a PDF using the browser’s native print functionality.
F. Styling and Layout:
- Implement a professional black and red color scheme.
- Use a large, readable font size throughout the game for accessibility.
- The layout must be fully responsive and function correctly on all devices (mobile, tablet, desktop).
- Use web-safe system fonts: Arial for body text, Georgia for titles, and a cursive font for the name on the certificate.
G. Technical and Security Requirements:
- No external libraries or APIs are allowed. All code must be pure HTML, CSS, and JavaScript.
- Implement input sanitization on the player’s name field to escape characters like < and > to prevent XSS vulnerabilities.
- Do not use the browser’s alert() function. Display any necessary messages (like the name validation error) as text on the page.
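As an added example of how the input-sanitization requirement in G can be met in the game's own JavaScript (this is not the Gemini-generated code; the function names, the allow-list rule and the sample inputs are assumptions made for illustration):

```javascript
// Added example: two complementary defenses for the player-name field.
// 1. Validate the name against an allow-list before accepting it, returning
//    the error as text (no alert(), per the prompt's last requirement).
// 2. Escape the name whenever it is interpolated into an HTML string (the
//    certificate, the score bar). Rendering via element.textContent instead of
//    innerHTML avoids escaping entirely; escapeHtml is for string-built markup.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character with meaning in HTML text or attribute context.
// "&" must be escaped too, or an already-escaped string is decoded twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow letters (including accented ones), spaces, apostrophes, hyphens and
// periods; reject empty, over-long, or anything else. Returns { ok, name | error }.
function validatePlayerName(raw) {
  const name = String(raw).trim().replace(/\s+/g, " ");
  if (name.length === 0) return { ok: false, error: "Please enter your name." };
  if (name.length > 60) return { ok: false, error: "Name is too long (max 60 characters)." };
  if (!/^[\p{L}\p{M}' .-]+$/u.test(name)) {
    return { ok: false, error: "Names may contain only letters, spaces, apostrophes, hyphens and periods." };
  }
  return { ok: true, name };
}

// Build the certificate's recipient line as an HTML string. The name still
// goes through escapeHtml even though validatePlayerName already rejects
// "<" and ">", so a later relaxation of the allow-list cannot reintroduce XSS.
function certificateHtml(name) {
  return `<p class="recipient">${escapeHtml(name)}</p>`;
}

// Constructed inputs for a quick self-check.
const attempt = validatePlayerName('<img src=x onerror="alert(1)">');
console.log(attempt.ok ? certificateHtml(attempt.name) : attempt.error);
console.log(certificateHtml("O'Brien & Sons <Esq.>"));
```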