

AI adoption in law: the case for stronger accountability

Softwerx explores how law firms can reap the rewards of AI without breaking client confidentiality and trust, sharing key guardrails for safe usage

Softwerx

AI is no longer in the future for the legal profession. It is already embedded in daily practice and reshaping legal work. Tools summarising documents, analysing contracts and supporting legal research are now part of standard workflows, with adoption accelerating rapidly. Research from LexisNexis shows that a significant proportion of lawyers now use AI every day, and that this has increased since January 2025.

However, while uptake is advancing, safeguards required to ensure AI is used securely, ethically and in line with professional obligations are not keeping pace. Many UK law firms are experiencing a growing disconnect between AI capability and effective governance. This gap introduces material risks around compliance, confidentiality and accountability that leadership teams can no longer ignore.

“We realised early on that AI was entering the legal workplace, whether we were ready or not,” says Claire Vincent, partnership manager on the business support team at Barker Gotelee. “Trying to block it was never realistic, so we introduced an AI policy early and continue to refine it. Our priority is protecting client confidentiality and giving staff clear boundaries, so we can explore AI’s benefits without undermining trust or compliance.”

AI doesn’t create risk — it exposes it

AI doesn’t inherently introduce new categories of cyber risk. Rather, it amplifies existing weaknesses in identity, access and data governance. User accounts with excessive permissions become significantly more dangerous when connected to AI systems capable of retrieving client information instantly. Documents once buried deep in file stores can be unintentionally exposed when incorporated into AI workflows. Unmanaged devices and weak remote access controls become higher‑impact vulnerabilities once AI is layered on top.

In this respect, AI is a force multiplier. Where governance is strong, it accelerates efficiency, insight and competitive advantage. Where controls are weak, it scales risk quickly and invisibly. For law firms, foundational cybersecurity measures such as access governance, data classification and privilege control are no longer optional — they are prerequisites for responsible AI adoption.

Beware shadow AI

Shadow AI is the modern equivalent of shadow IT, but with greater consequences. Unlike traditional unauthorised software, AI tools don’t just store data: they ingest, analyse and reuse information at scale. A single unauthorised prompt can expose far more sensitive data than a misplaced email ever could.

Legal professionals are experimenting with unapproved AI tools because they are easily accessible and powerful. Microsoft research indicates that 71% of UK employees used unapproved AI tools at work during 2025. In a legal environment, this behaviour creates obvious risks around confidentiality, privilege and data leakage.

If legal teams lack officially sanctioned AI tools, staff will simply source their own. If policies exist only on paper, they will be bypassed. Yet the latest LPM Frontiers report shows that only just over half of UK law firms currently maintain an approved list of AI tools with a clear published and enforced AI policy. The others rely on generic IT or confidentiality policies never designed for AI, operating outside firm‑controlled environments.

As regulators sharpen expectations and clients increasingly demand evidence of data governance, shadow AI is no longer theoretical — it’s a real operational and regulatory exposure for firms.

Establishing effective guardrails

Closing the gap between AI adoption and accountability doesn’t mean slowing innovation, but does require safeguards aligning AI use with legal, ethical and professional responsibilities. For firms, this is essential to protect client confidentiality, maintain compliance and sustain trust.

Identity and access controls are a critical start. When AI can surface information at scale, understanding who can use it, what data it can access and how permissions are managed becomes fundamental. Least privilege access is no longer merely best practice; it is a vital defence against accidental disclosure and misuse.

Defending against AI‑driven risk requires continuous monitoring. A Managed eXtended Detection and Response (MXDR) capability, such as secure365® from Softwerx, builds on existing security investments to provide 24x7x365 visibility across identities, AI workloads and applications. By detecting anomalous behaviour and triggering rapid response, this approach significantly reduces the likelihood of data exposure and compliance breaches.

Data classification is equally important. Without a shared understanding of what constitutes privileged or sensitive information, enforcement is impossible. AI systems require clear boundaries defining data they can process. Applying sensitivity labels and protection policies ensures that confidential documents and communications remain protected, regardless of where or how they are accessed.

Many firms already possess much of the technology required to secure AI usage. Built‑in data protection tools can monitor and control sensitive information flows. Cloud application security capabilities help identify shadow AI and enforce policy‑based controls. Identity governance features such as conditional access and privilege management provide a durable foundation for responsible AI adoption.

AI offers law firms compelling opportunities to enhance productivity and client service, but only when implemented with care. Those that succeed will be organisations that pair technological progress with clear accountability. By grounding AI initiatives in strong cybersecurity and supporting them with continuous, expert oversight, firms can realise AI’s benefits without compromising confidentiality, compliance or client trust.
