17 June 2026

AI in law firms: Understanding the risks and managing the exposure

Artificial intelligence creates opportunities, from improved efficiency to faster document handling and knowledge retrieval. But as AI adoption grows, so does the risk landscape. For law firms, the challenge is to capture those benefits while putting proper governance in place and managing the professional, cyber, regulatory and insurance exposures that may follow.

The speed of adoption could give law firms a competitive advantage or, at the very least, help them keep pace with their peers: these tools promise to support productivity, streamline workflows and enable lawyers to process large volumes of information more efficiently. Used without proper oversight, however, they can create a range of operational, regulatory and liability concerns. The speed at which a law firm integrates AI into its everyday work should be matched stride for stride by its governance of it.

AI can’t be viewed solely as a technology issue. It touches confidentiality, data protection, cyber resilience, client service, governance and professional accountability. As with any emerging risk, firms should consider both the internal exposures arising from their own use of AI and the external threats created by bad actors using AI against them.

Internal exposures: risk from within the firm

Confidential Data

Holding legally privileged material, commercially sensitive information and significant volumes of personal data is an accepted part of the day-to-day risk for law firms. Regulations governing the holding and processing of data have become stricter over the years, and firms have responded by implementing robust governance to prevent breaches. Open, free-to-use AI tools threaten this. When information is entered into public or poorly governed AI tools, firms may lose visibility of how it is processed, stored or reused, including whether it is retained to train the provider's models. That creates potential exposure not only from a regulatory perspective but also from a client-trust and Professional Indemnity (PI) standpoint. PI policies typically respond to data breaches resulting from professional negligence or breach of duty that cause a client financial loss.

Data Reliability

Generative AI can produce fluent and persuasive output, but fluency does not guarantee accuracy. Underlying data sources can be biased, incomplete or outdated, and the model can generate citations or authorities that do not exist. When individuals rely on AI-generated summaries, drafting or research without appropriate review, the outcome can be flawed, leading to poor advice and inaccurate submissions. A poor outcome for the client increases the potential for complaints, notifications and negligence allegations. A law firm must ensure that all externally facing work produced with AI undergoes rigorous checks to verify citations and evidence; otherwise the firm will be in breach of its professional duty. That duty does not transfer to the supplier, even where the AI tool was provided by one.

Governance

A firm's exposure lies not just in formal deployment but in informal use. Many fee earners and support staff are likely to use online AI tools outside the firm's approved AI platform, often without the approval or oversight of senior or supervising solicitors. This "shadow AI" is common when drafting documents, summarising notes or undertaking research. Because it falls outside the scope of procurement, compliance and IT controls, it is harder to identify and manage.

Supply Chain

Third-party vendor risk must be considered carefully. Where AI capability is delivered through external providers, such as case or practice management systems, the firm must understand how data is handled, who owns the data, what security standards apply, whether prompts or inputs may be retained and, most importantly of all, where the contractual liability sits. This is essential for risk mapping. If the AI tool contributes to negligent advice or a data breach, the exposure is not limited to the AI supplier: the client's claim is against the firm, and the firm's ability to recover from the supplier depends on the surrounding contractual and operational framework.

External exposures: AI-enabled cyber threats

The benefits of AI are not limited to legitimate businesses. Threat actors can now use AI to scale phishing campaigns, mimic a known contact's writing style, generate convincing fraudulent communications and support more effective social engineering attempts.

Law firms are attractive targets, and as a result, so are their vendors. Firms hold sensitive client information and operate under time pressure. Sensitive information entered into AI tools, even approved ones, widens the attack surface: it now also sits with the tool and its provider, and a compromise of either can expose it. At the same time, AI makes it easier for attackers to produce credible phishing emails, impersonation attempts and fraudulent requests, such as instructions to change payment details on a transaction.

This creates a dual exposure. First, there are the direct costs of a cyber event: business interruption, forensic investigation, breach response, regulatory scrutiny and reputational damage. Second, there is client exposure, where confidential information is compromised, deadlines are missed or transactions are disrupted, any of which may give rise to civil liability or negligence claims.

Managing the exposure

Maintaining an inventory of the AI tools in use and classifying them by risk is the starting point for mitigating the firm's exposure. Not every use case carries the same exposure. Administrative or internal support tools may be relatively low risk. Tools used in legal research, drafting, client advice, disclosure, HR or decision-making are high risk and require stronger controls and procedures for their use.

A clear AI policy is required to identify approved tools, prohibited or restricted uses, escalation routes, review requirements and data-handling rules. It should set out what information must never be entered into public platforms and the level of human review required before AI-assisted output is used externally, especially when advising clients.

To improve awareness and set a minimum level of skill, a training programme should be implemented. Staff need practical guidance on what the tool is, what it can access, its reliability, and when its output must be checked or rejected. Comprehensive training supports more defensible behaviour across the firm and reduces the likelihood of misuse through misunderstanding or convenience.

Controls should extend to procurement and incident response. Supplier contracts should address confidentiality, security, data use, audit rights, business continuity, intellectual property, indemnities and liability caps. Incident response plans should also reflect AI-specific scenarios, such as data leakage through prompts, compromised knowledge repositories or AI-assisted fraud attempts.

From an insurance perspective, firms should also review how AI-related exposures interact with their existing programme. Depending on the firm's use of AI, this may engage professional indemnity, cyber, directors' and officers' liability, employment practices liability or technology-related covers. A firm needs to know where a claim might arise and which policy or policies would respond to it, so that gaps in coverage can be identified and closed. Underwriters are beginning to ask questions about AI exposure and expect firms to be proactively managing the risk.

Examples of such questions include:

How has the AI tool been selected, and to what extent have its terms and conditions been reviewed for exposures?

What is the purpose of the AI being used, and has the practice set out clearly the circumstances in which AI may be used and those in which it may not?

What AI training has the practice provided to its staff on the grounding and framing of AI, and what procedures are in place to assess outputs for accuracy and acceptability?

A managed approach

AI offers a real opportunity, but the firms most likely to benefit will be those that approach it in the same way they approach any other evolving exposure: with clear accountability, robust oversight and proportionate controls aligned with their usage. Speed of adoption may give a firm a competitive advantage; governing the risk properly will help that advantage last.

Janine Parker

Executive Director, Solicitors PI

Janine_Parker@ajg.com

James Wall

Executive Director, Cyber

James_Wall@ajg.com

Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.