
Shadow IT, Confidential Client Data, and What Happens When Your Attorneys Use Unapproved AI Without a Policy
Artificial intelligence tools have arrived in legal practice faster than most law firms' policies can keep up. Attorneys are using AI to draft demand letters and summarize depositions. Paralegals are pasting case facts into AI chatbots to speed up research. Legal assistants are using AI writing tools to clean up client correspondence. Some of this is happening with the firm's knowledge and approval — but much of it is not. A 2024 CybSafe/NCSA study found that 38% of employees share confidential data with AI tools without employer approval. A separate BlackFog study found that 49% use unapproved AI tools at work. For a law firm handling privileged client communications, those numbers are a professional liability alarm.
The Confidentiality Problem with AI Tools
When an attorney or paralegal pastes confidential case information into a publicly accessible AI tool, several things happen — most of them invisible. Depending on the tool's data handling policies, that input may be stored, used to train future models, reviewed by human trainers, or retained in server logs. The attorney-client privilege that protects that information in a legal context does not follow the data into an AI platform's infrastructure.
The risk is not theoretical. In the most widely reported case, Mata v. Avianca (S.D.N.Y. 2023), attorneys used a consumer AI chatbot to research case law, the tool invented citations with fabricated case names and holdings, and the attorneys filed them in court without verification and were sanctioned. Courts have sanctioned attorneys for the same error repeatedly since. That case concerned unverified output rather than a confidentiality breach, but it shows how quickly unvetted AI use turns into professional exposure. AI hallucinations, confident and plausible-sounding errors, are a property of how current language models generate text, not a bug that will be quickly patched away.
For Salt Lake City law firms, the dual risk is clear: using an unapproved AI tool with confidential client data risks a privilege breach, and using AI output without human verification risks submitting fabricated research or incorrect facts in legal documents. Both risks require a deliberate policy response.
What Shadow IT Looks Like in a Law Firm
Shadow IT refers to any technology — software, apps, cloud services — that employees use for work purposes without IT or management approval. In a law firm context, shadow IT most commonly looks like an attorney using a free AI writing assistant to draft a client email, a paralegal using a consumer AI chatbot to summarize a deposition transcript, or a legal assistant using a personal cloud storage account to share a client contract that is too large to email.
The problem with shadow IT is not that employees are trying to cause harm — they are trying to work efficiently. The problem is that these tools operate outside the firm's security controls, data governance policies, and professional responsibility framework. When a paralegal uploads a client contract from SharePoint into an unapproved AI tool, that document leaves the firm's secure environment entirely. The firm has no visibility into where it goes, how long it is retained, or who else may access it.
Practice management platforms like Clio and Filevine are built for legal data, with access controls and contractual data handling terms. Consumer AI tools generally are not: the free and personal tiers run under consumer terms of service that may permit retention of inputs, human review, and use of inputs for model training, and the business or enterprise tiers of the same products carry different terms. The gap between those environments is exactly where privilege breaches occur, so the first question to ask of any tool is which tier your people are actually on and what its data processing terms say.
The Hallucination Risk in Legal Documents
AI hallucinations, invented statistics, fabricated case citations, nonexistent statutes, are a serious and underappreciated risk in legal practice. Current AI language models are built to produce fluent, authoritative-sounding text, not to verify factual accuracy. When a busy associate asks an AI tool to research precedent and the tool invents a case, the output can be indistinguishable from a real citation until someone pulls the case.
In legal practice, an invented statistic in a client proposal damages the firm's credibility. An invented case citation filed in court risks sanctions, malpractice exposure, and bar discipline. The attorneys most at risk are those who treat AI output as research rather than as a draft that requires verification — and the risk increases when the AI tool being used has not been vetted for legal use.
A sound AI policy for law firms distinguishes between AI as a drafting assistant (acceptable with proper review) and AI as a research authority (never acceptable without verification). That distinction needs to be explicitly written into your firm's technology policy.
Three Things Your Law Firm Should Do Right Now
1. Audit what AI tools your attorneys and staff are currently using.
You cannot govern what you cannot see. Start with a simple survey: what AI tools are your attorneys and staff currently using for work tasks? Then check the survey against what your systems already record, because people forget or under-report: web proxy or DNS logs show which AI services are being reached from firm devices, and your identity provider's OAuth consent and app sign-in logs show which services staff have connected to their firm accounts. The results will almost certainly include tools your firm has never evaluated, vetted, or approved. This audit is the starting point for a rational AI policy.
2. Define clearly what client information must not be entered into AI tools.
Even with approved AI tools, there are categories of information that should never be entered without explicit authorization: client names, case facts, privileged communications, deposition transcripts, settlement terms, financial disclosures. A written policy that defines these boundaries — and trains your team on them — is both a security control and a professional responsibility measure.
3. Establish an 'AI drafts, humans approve' workflow.
AI tools are most valuable and least risky when they function as drafting assistants rather than autonomous decision-makers. AI can draft a letter, summarize a document, or suggest language — but an attorney must review, verify, and take professional responsibility for every output before it reaches a client or a court. This is not just a security policy. It is a professional responsibility requirement.
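The audit in step 1 can be partly automated from logs the firm already has. The following is an added example, not code from the original article or from any vendor named in it: it reads a constructed, simplified web-proxy log (one line per request with user, method, URL and request size), matches hostnames against an assumed, illustrative list of consumer AI services, ignores an assumed allow-list of approved platforms, and reports per user how many requests went to each consumer AI tool and how many of them were large POSTs, a heuristic for pasted documents such as a deposition transcript. The hostnames, the allow-list and the size threshold are all assumptions to be replaced with the firm's own.

```python
"""Shadow-AI discovery over web-proxy logs (added example, not from the article)."""
from collections import defaultdict
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed: hostnames of consumer / general-purpose AI services. Illustrative only;
# a firm should maintain its own list from vendor review, not rely on this one.
CONSUMER_AI_HOSTS = {
    "chat.openai.com": "ChatGPT (consumer)",
    "chatgpt.com": "ChatGPT (consumer)",
    "claude.ai": "Claude (consumer)",
    "gemini.google.com": "Gemini (consumer)",
    "copilot.microsoft.com": "Copilot (consumer)",
}
# Assumed: platforms the firm has vetted and approved (hypothetical allow-list).
APPROVED_HOSTS = {"app.clio.com", "app.filevine.com"}

# Constructed sample log lines in a simplified Squid-like format:
# <epoch> <user> <method> <url> <status> <request_bytes>
SAMPLE_LOG = """\
1717000001 jdoe GET https://app.clio.com/matters/123 200 512
1717000002 jdoe POST https://chat.openai.com/backend-api/conversation 200 48211
1717000003 asmith POST https://claude.ai/api/organizations/x/chat 200 128000
1717000004 asmith GET https://www.utcourts.gov/ 200 330
1717000005 bjones POST https://app.filevine.com/api/upload 200 2048000
1717000006 jdoe POST https://chat.openai.com/backend-api/conversation 200 310
"""


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def classify(host: str) -> Optional[str]:
    """Map a hostname to a consumer AI tool name, or None if it is not one.

    A subdomain matches its parent entry (api.claude.ai -> claude.ai).
    """
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in CONSUMER_AI_HOSTS:
            return CONSUMER_AI_HOSTS[candidate]
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Parse one constructed log line into (user, method, host, request_bytes)."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _ts, user, method, url, _status, req_bytes = fields
    try:
        size = int(req_bytes)
    except ValueError:
        return None
    return user, method.upper(), host_of(url), size


def audit(log_text: str, large_post_bytes: int = 4096) -> dict:
    """Summarise consumer-AI use per user from proxy log text.

    Returns {user: {tool: {"requests": n, "large_posts": m}}}. A POST whose
    request body exceeds large_post_bytes counts as a "large post": an assumed
    heuristic for pasted documents. Approved and unknown hosts are skipped.
    """
    report = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "large_posts": 0}))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host, size = parsed
        if host in APPROVED_HOSTS:
            continue
        tool = classify(host)
        if tool is None:
            continue
        entry = report[user][tool]
        entry["requests"] += 1
        if method == "POST" and size > large_post_bytes:
            entry["large_posts"] += 1
    # plain dicts so the result can be compared, serialised or exported
    return {user: dict(tools) for user, tools in report.items()}


def print_report(report: dict) -> None:
    """Print one line per (user, tool) pair, sorted, for a quick review."""
    for user, tools in sorted(report.items()):
        for tool, counts in sorted(tools.items()):
            print(f"{user:10} {tool:22} requests={counts['requests']} "
                  f"large_posts={counts['large_posts']}")


if __name__ == "__main__":
    print_report(audit(SAMPLE_LOG))
```

On the sample log this flags jdoe (two ChatGPT requests, one large enough to be a pasted document) and asmith (one large Claude post) while ignoring bjones, whose upload went to an approved platform. Two caveats for real use: with TLS you only see hostnames and sizes unless the proxy inspects traffic, so the "large post" signal is a prompt for a conversation with the user, not proof of what was pasted; and DNS logs alone give hostnames with no method or size, which still answers the "who is using what" question the audit asks.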
Choosing Approved AI Tools for Legal Practice
Several AI tools are specifically designed for legal environments with data handling agreements, confidentiality protections, and legal use cases. Platforms like Harvey and CoCounsel (from Casetext, now part of Thomson Reuters and integrated with Westlaw's legal research database) offer legal AI capabilities with contractual commitments around data privacy that consumer AI tools do not provide. Vendor marketing is not the review, though: before approving any tool, read its data processing agreement and confirm in writing whether inputs are retained and for how long, whether they are used to train models, whether humans review them, where the data is stored, and which subprocessors handle it.
Approving one or two vetted legal AI tools — and explicitly prohibiting all others for client work — gives your attorneys the efficiency benefits they are seeking while maintaining the firm's professional obligations. The worst outcome is a policy vacuum: attorneys using whatever tools they prefer, with no guidance, no audit trail, and no protection for client confidentiality.
Qualit works with Salt Lake City law firms to protect client confidentiality and meet bar association IT requirements. Schedule a free discovery call to build an AI and shadow IT policy that fits your firm's practice.
Frequently Asked Questions
Q: Are there bar ethics opinions about attorneys using AI tools with client data?
Yes, and they are proliferating rapidly. The ABA issued Formal Opinion 512 on generative AI in July 2024, and bar associations in California, Florida, New York, New Jersey, and several other states have issued formal ethics opinions or guidance on AI use in legal practice. The consistent themes are: attorneys remain professionally responsible for AI output, confidentiality obligations apply to AI tools just as they apply to any other technology, and attorneys must understand the capabilities and limitations of AI tools they use (duty of competence). Utah attorneys should monitor guidance from the Utah State Bar as this area continues to evolve.
Q: What if an attorney uses a personal AI tool on their own device for work?
The professional responsibility obligations follow the attorney, not the device. An attorney using a personal AI tool on a personal device is still bound by their duty to protect client confidentiality. If that personal tool's data handling practices are inconsistent with those obligations, the use is ethically problematic regardless of the device. Firm-wide policies should address personal device use explicitly — including BYOD (bring your own device) policies that extend to AI tool usage.
Q: How do we handle it if we discover an employee has been using an unapproved AI tool with client data?
Treat it as a potential confidentiality incident and handle it like one. First preserve evidence: export or screenshot the account's conversation history and note the account, device, and dates before anything is deleted or changed. Then assess what information was entered into the tool and what the tool's data handling policy provides, including whether the account tier allows opting out of training or deleting history, and use those controls where they exist while recognising that deletion on your side does not prove deletion on the provider's side. Consult with your ethics counsel about whether client notification is required. Contain the exposure by blocking the tool at the proxy or identity provider if it is not going to be approved, then update your AI policy and conduct training for all attorneys and staff. Consider whether the tool's privacy policy provides any contractual protections; many consumer AI tools explicitly state they retain and may use inputs, which constitutes a disclosure outside the firm's control.

