Shadow AI is the use of artificial intelligence tools by employees without the knowledge, approval, or governance controls of their organisation. In law firms, it is not a theoretical risk. It is happening right now, on active client matters, across firms of every size.
69% of legal professionals are already using AI tools for work. 44% of law firms have no formal AI governance policy. The gap between those two numbers is where shadow AI lives — and where your firm's regulatory exposure is accumulating silently.
What Shadow AI Looks Like in a Law Firm
Shadow AI in legal practice is rarely malicious. It is almost always a fee earner under deadline pressure reaching for the most convenient tool available. Common patterns include:
- An associate using a personal ChatGPT account to draft a client email at 11pm because it is faster than starting from scratch
- A partner summarising a confidential due diligence report into Gemini to quickly extract key issues before a board meeting
- A paralegal using Otter.ai to transcribe a client conference call for note-taking purposes without realising the audio is being processed by a third-party server
- A fee earner using Claude to review a contract and identify issues — with the full contract text, including client names and commercially sensitive terms, submitted as input
- A solicitor using a free AI legal research tool that they discovered independently and have never disclosed to IT or compliance
Why Shadow AI Is a Live SRA Violation
The SRA Code of Conduct does not have a shadow AI carve-out. The obligations that apply to supervised, approved AI use apply equally to unsanctioned personal tool use by fee earners. Specifically:
- Paragraph 6.3 requires solicitors to keep client affairs confidential. Submitting client information to a consumer AI tool without adequate data protection agreements — and without the client's knowledge — is a potential breach of this obligation.
- Paragraph 4.2 requires competence, including understanding the tools used in practice. Using an AI tool without understanding how it handles submitted data, where it stores it, or whether it uses it for model training is a competence failure.
- Paragraph 7.1 requires appropriate supervision of work. A supervising partner who does not know that shadow AI is being used on their matters cannot supervise the AI outputs — and remains professionally responsible for them.
Why Shadow AI Is a Live UK GDPR Violation
UK GDPR Article 28 requires that any processor of personal data — including AI tool providers — be appointed under a written Data Processing Agreement that meets specific requirements. Consumer AI tools, personal accounts, and free-tier subscriptions almost universally lack adequate DPAs for professional legal use.
When a fee earner submits client personal data — names, addresses, financial details, medical information, legal matter details — to a consumer AI tool, the firm is processing that data without a lawful processor agreement. This is an active Article 28 violation, not a theoretical one.
Additionally, many consumer AI tools process submitted data for model training purposes. This means client confidential information submitted by a fee earner may be used to train the AI's future responses — a use of personal data with no lawful basis under UK GDPR Article 6.
In 2023, Samsung engineers uploaded proprietary source code and confidential meeting notes to ChatGPT across three separate incidents within a single month. The data was potentially used for model training. Samsung subsequently banned ChatGPT company-wide. Law firms face the identical risk with client confidential information — and the professional conduct consequences are significantly greater than those faced by a technology company.
The Five Fixes — Implementing Shadow AI Controls
- Conduct a shadow AI audit now. Survey fee earners confidentially — ask which AI tools they are using, on what types of work, and how frequently. The results will surprise you. Most managing partners underestimate shadow AI prevalence by 50% or more.
- Implement an AI tool register. Publish a clear list of approved tools, conditionally approved tools, and rejected tools. Make it accessible to every fee earner. Update it monthly. Make clear that using unlisted tools on client work is a disciplinary matter.
- Execute Data Processing Agreements with all approved vendors. Enterprise-tier subscriptions for legal use typically include appropriate DPAs and explicit model training prohibitions. Consumer accounts do not. The cost difference is the cost of compliance.
- Issue an immediate firm-wide advisory. Before you have a full governance programme in place, issue a one-page advisory to all fee earners: approved tools, prohibited uses, and what to do if they have already used an unapproved tool on a client matter.
- Implement technical controls. Where possible, configure device management to restrict access to unapproved AI tools on firm devices and networks. Policy alone does not stop shadow AI; it only reduces it. Technical controls are required for meaningful enforcement.
What to Do If Shadow AI Has Already Occurred
If your shadow AI audit reveals that client personal data has already been submitted to unapproved tools, you should take the following steps:
- Identify the scope — which matters, which clients, which data categories, which tools
- Assess whether a UK GDPR data breach notification to the ICO is required — the threshold is whether the breach is likely to result in a risk to individuals' rights and freedoms
- Consider whether affected clients should be notified — take legal advice on this question before acting
- Document everything — the discovery, the assessment, the decisions taken, and the remediation steps implemented
- Report internally to the firm's COLP and COFA as appropriate under your firm's incident reporting obligations
Sources: SRA Code of Conduct for Solicitors 2019 (Paras 3.5, 6.3) · SRA Code of Conduct for Firms 2019 (Rules 2.1(a), 4.4) · SRA Technology and Innovation Guidance 2024 · UK GDPR Articles 6, 28, 33 · ICO Guidance on AI and Data Protection · 8am Legal Industry Report 2026 (Clio Legal Trends data) · Samsung ChatGPT incident (Bloomberg, April 2023)
This briefing is for informational purposes only and does not constitute legal advice. Ronke Jegede · Cardinal AI Systems · June 2026