Sam Bock, Editor, The Relativity Blog (sponsored content)
What’s dwelling in the dark corners of your tech stack? As business leaders have long learned, what you don’t know can hurt you.

Shadow IT is nothing new. Legal leaders have dealt with employees using unsanctioned tools, from cloud storage to messaging apps, for years.
Now, whether leaders have noticed or not, that challenge has evolved to include shadow AI. Already, 69 percent of cybersecurity leaders report evidence or suspicions of employees using prohibited generative AI tools at work.
What Is Shadow AI?
Shadow AI refers to the use of artificial intelligence tools - such as ChatGPT, Google Gemini, and similar technologies - without organisational approval, visibility, or governance from IT, legal, compliance, or security teams.
When employees lack approved tools or guidance, they fill the gap themselves. This disconnect is visible today: 46 percent of lawyers report using AI, while only 32 percent of firms provide AI-powered tools.
Most employees are not trying to undermine their organisations. They’re trying to be more productive: researching, drafting, summarising, brainstorming, and exploring how AI can fit into their work.
It’s clear how AI can accelerate workflows, so it’s no surprise they want to take advantage. The result is widespread experimentation - sometimes thoughtful, sometimes reckless, often invisible.
Ultimately, even well-intentioned use introduces risk. In legal data contexts, that risk can be significant.
Legal and Compliance Risks of Shadow AI
For legal leaders, the risks will feel familiar:
- Privacy, privilege, and confidentiality: Sensitive information entered into unvetted AI tools may be subject to unknown retention policies or model training, or may compromise protections.
- Regulatory compliance: Data protection laws and AI regulations raise questions about how systems are used and validated, and how data is handled.
- Contractual obligations: Shadow AI use may violate commitments around how data is handled and shared.
- Poor output quality: Overreliance on AI can obscure quality control, introducing reputational and matter-specific risks.
There is inherent accountability in the legal profession: regardless of tools used, people are responsible for outcomes. Legal teams are right to be cautious.
Still, caution alone is not a strategy.
Building a Culture of Trust (Not Fear)
Most employees want to use AI responsibly, and many don’t realise their usage is unsanctioned. They simply need guidance, clarity, and trust.
Effective AI policies require engagement across the organisation: understanding use cases, evaluating tools, and defining what “trustworthy AI” means. Clear guidance helps employees develop their own judgement.
Strong policies also protect legal teams. Even if some unsanctioned use continues, documented guidance demonstrates good-faith governance and oversight.
The payoff extends beyond internal operations. Clients increasingly ask about AI use, data protection, and risk management. Legal leaders who can answer confidently build trust faster.
You can’t build that trust by ignoring AI. But engaging thoughtfully - balancing enthusiasm with appropriate caution - goes a long way.
How to Begin Addressing Shadow AI
You don’t need a perfect AI strategy to take meaningful action. Start by:
- Collaborating with IT and security teams to establish safeguards and improve visibility.
- Working with HR and internal communications to define expectations and provide guidance on acceptable use.
- Talking to your people. Shadow AI users are often your best source of insight. Ask what tools they’re using, why, and what problems they’re trying to solve.
Addressing shadow AI is not about control for its own sake. It’s about enabling responsible innovation - protecting your organisation while empowering people to work more effectively.
