Right now, it’s not AI that is breaking the rules. People are, by skipping the work of oversight.
For the past five years, the legal industry has grown increasingly excited about what AI could make possible, but the more pressing story is what it is already enabling: automation that, when deployed without the right safeguards, can quietly expose privileged data, overlook regulatory expectations and introduce real liability concerns.
The challenge isn’t the technology itself, it’s ensuring the guardrails are strong enough to let firms capture the benefits of speed and scale without compromising trust or compliance.
We’re not talking about possible future risks anymore. We’re talking about current exposure, happening right now across legal departments, firms and in-house teams.That’s why finding the right technology partner, one who understands your organization’s unique needs and can deliver both efficiency and security, is critical to achieving lasting value.
Legal Confidentiality Is Colliding with Unregulated Automation
Legal operations depend on trust above all else. They require confidentiality, evidentiary integrity and traceable workflows. But AI is slipping into these environments without the guardrails that protect those principles.
A recent Reuters survey showed 72% of legal professionals view AI as a force for good in their profession, yet 37% have worries about how well AI technology can protect sensitive legal data.
And their worries are not unfounded. Privileged contracts, internal communications, HR complaints and strategy notes are being pushed through models that might retain data, train on it or reproduce it elsewhere, often with no audit trail, retention controls or meaningful oversight.
Ethical Duties Don’t Disappear with New Tools
The profession’s obligations haven’t changed. Under the ABA’s Model Rules of Professional Conduct, lawyers must:
- Maintain competence in technology (Rule 1.1)
- Protect client confidences (Rule 1.6)
- Report concerns internally when necessary (Rule 1.13)
Using AI without understanding how it handles data, whether it retains, reuses or even replicates that data in later outputs, opens the door to serious privacy risks .
Without sufficient understanding of the tools being used, and without policy-level vetting, lawyers risk violating these standards in ways that may be invisible until something goes wrong.
AI-Washing Isn’t the Whole Problem
There’s growing awareness around “AI-washing”, when vendors overstate the sophistication or safety of their technology. That’s a concern, especially when systems are marketed as “secure” or “compliant” without independent verification.
But the more pervasive risk in legal is assumed safety, when internal teams trust that a tool is fine because others are using it, or because no one has asked hard questions. Ignorance is not always bliss.
In early 2025, AI-related securities class action lawsuits surged, with 15 class actions filed in 2024 (which was more than double the 2023 total). Many of the 12 AI lawsuits filed in the first half of 2025 alone allege misleading disclosures or exaggerated claims regarding AI integration, performance or future potential. Regulatory agencies have started issuing statements, but enforcement frameworks remain in flux.
Until there’s clearer guidance, legal teams must self-govern, something many are still unprepared for.
What Legal AI Oversight Should Actually Involve
Oversight needs to move beyond checklists and vendor decks. A legal-grade AI framework should include:
- Legal companies should hold vendors to strict security requirements, ensuring they maintain relevant compliance certifications, submit to regular third-party audits, and demonstrate clear accountability.
- Sensitive or privileged data should be minimized at entry, with permanent redaction and stripping of unnecessary information before any interaction with an AI system.
- Every action, access, and output should be captured in immutable audit logs so that activity is transparent, traceable, and defensible if questions arise.
- AI systems should operate with zero-retention defaults, meaning they forget by default and only retain data when explicitly required.
- Organizations should map the provenance of AI systems to understand where models were trained, what data was used, and what legal exposures may exist as a result.
The tools legal teams rely on must be defensible under discovery, not just efficient during intake.
The Human Gap in the AI Loop
The issue isn’t just about systems. It’s about leadership. AI isn’t unethical on its own. But deploying it without design review, without policy or without accountability is.
When firm leaders elevate efficiency without equal attention to scrutiny, or when in-house teams bypass compliance because they’ve adopted the “everyone’s using it” mindset, the risk extends beyond operations to professional integrity. The danger lies not in moving quickly, but in moving carelessly, once sensitive content slips into the public record or a court filing, it’s too late to pull it back.
The myth that AI will become safer as regulations catch up ignores the rate of adoption. Law doesn’t move as fast as software. Until it does, responsibility sits squarely with those using the tools.
A Moment for Recalibration
This is the legal industry’s moment to get it right. As hard as it may be, that means slowing down, asking hard questions and building governance processes that match the pace of deployment.
Whether through in-house policies, external audits or model-level vetting, the priority must shift from “can we?” to “should we?”
This isn’t a call for the legal field to reject AI. In fact, AI tools can be extremely helpful to automate those mundane tasks and give lawyers the time to work on what they do best. But we must stop treating it like an inevitability and start treating it like a tool with real consequences.
Because right now, it’s not AI that is breaking the rules. People are, by skipping the work of oversight.
Join the conversation!