What is shadow IT?

Shadow IT is software that’s used without any knowledge, approval, or oversight from a law firm’s IT experts. Broadly speaking, shadow IT includes software that is downloaded and installed on local hardware, as well as cloud-based tools that are accessed by logging in through a web browser.

For example, individuals may install or set up access to their personal file-sharing apps (like Dropbox or their OneDrive accounts), communications tools (including social media messaging apps), or other productivity solutions. 

Today, AI solutions such as ChatGPT, Gemini, and Claude are some of the most risky forms of shadow IT for law firms. While these tools make staff much more productive, they also carry inherent risks, especially when it comes to the sensitive information managed within a law firm. 

It’s difficult to know how common shadow IT is (hence the name), which is why law firms need to know the risks, where they stem from, and how to be proactive in preventing them. 

Shadow IT in the age of AI (aka “shadow AI”)

Lawyers and their staff have been especially quick to adopt AI. According to the 2025 Legal Trends Report, 79% of legal professionals say they use AI in their work. Overall, this is a good thing, since it’s unlocked a long list of research-backed benefits for lawyers.

But with so many using the technology for legal work, “shadow AI” (i.e., personal AI solutions used by firm staff) poses its own concerns, especially since public models typically don’t carry any privacy guarantees for information that’s shared with them. 

In fact, California’s Senate recently passed a bill that would restrict the use of generative AI, and especially general-purpose AI solutions, in regulated professions such as law. Central to the bill is the stipulation that attorneys not enter any confidential, personal identifying, or other nonpublic information into a public generative AI system to prevent breaches of attorney-client privilege. 

In light of this, it’s more important now than ever that lawyers and their firms put in place guidelines for the safe handling of firm information when using AI. Yet despite the need, 44% of law firms don’t have any policy on how AI should be used or what risks should be taken into account (2025 Legal Trends Report).

While most technologies (AI or not) aren’t necessarily malicious in their approach to data security (they aren’t taking user data for the purpose of committing a crime), they can still introduce vulnerabilities that firms should be aware of. 


The risks of shadow IT for law firms

IT teams invest significant time, energy, and resources to ensure secure data operations for law firms. This work involves thoroughly vetting solutions, configuring data protocols (within individual software platforms as well as between them), and developing policies and procedures to ensure staff are trained in how to maintain the utmost data security and privacy for the firm. 

When staff circumvent these safeguards, they introduce risks for the firm and the clients that its lawyers are sworn to protect. 

Some of the key risks of shadow IT include:

  • Data management: Any information stored in a staff member’s own private software won’t be available to the wider office, which can hinder accessibility and collaboration on important projects.
  • Security protocols: When individuals define their own security parameters, they may not follow best practices for using strong and unique passwords. They may also skip two-factor authentication, which is by far the strongest means of preventing unauthorized access to user accounts.
  • Risk of data loss: When an individual takes a leave or transitions out of the firm, their work will be lost if it isn’t captured within the databases managed by the firm. 
  • Data lifecycle management: Similarly, if data lives on platforms managed by individual staff, the firm won’t be able to manage that data in accordance with its retention schedules, nor will it be able to securely dispose of it.
  • Data breaches or exposure: Without proper vetting from trained IT professionals, it’s difficult to know how much rigor a company has put into its security and privacy safeguards. Even when dealing with a reputable software provider, the security and privacy guarantees required by law firms may come at a premium, included only in higher-tier or enterprise plans.

Risks law firms need to know about shadow AI

For lawyers, data privacy is especially problematic with consumer AI solutions such as ChatGPT, Gemini, and Claude. While these technologies are incredibly powerful and versatile, they often don’t have privacy guarantees, particularly when using free versions.

This means that when firm staff use these products, whether keying in queries or uploading files, they need to be especially careful not to share any sensitive firm information (e.g., any personally identifiable information of clients). 

These risks are even more serious for law firms that deal with sensitive information governed by additional regulations; for example, any firm dealing with protected health information could unknowingly run afoul of HIPAA’s strict data handling requirements. 

This is where a legal platform solution can offer several workflows and capabilities within a secure environment. Clio and Clio’s AI capabilities, for example, ensure private and secure data protocols for all firm operations. When using Clio’s AI, all data is processed in real time and is never stored or reused, and it never leaves Clio’s secure data infrastructure.

Clio’s AI solutions, designed to take on legal workflows like deposition analyses, contract reviews, case research, and much more, undergo regular independent audits and security tests to ensure the systems comply with the highest industry standards for client confidentiality. This includes clear stipulations for data ownership: Clio staff and external parties do not have access to user data.

Why staff turn to shadow IT 

While the use of shadow IT can be problematic for law firms, the reality is that staff turn to their own solutions to make life easier for themselves. When staff aren’t happy with the systems provided by their firm, they’re more likely to seek their own solutions. 

Often, the problem is that firms use software that is outdated, inefficient, and difficult to use. In other situations, the firm may not provide any capabilities for certain tasks or workflows. 

In either case, staff can adopt software that they already use in their personal lives, or they might even pay out of pocket for a business solution that they see as essential to their work. AI products in particular are prime candidates for shadow IT because they are so versatile and can be used for so many different types of work. 

At the end of the day, most workers want to get their work done faster, more efficiently, and with a higher degree of quality (and ideally with less fuss). 

How to prevent shadow IT and shadow AI at your law firm


The key to managing, or ideally preventing, the use of shadow IT and shadow AI is to be proactive. You’ll want to ensure that you communicate clear guidelines for what types of solutions can and can’t be used at the firm, while also ensuring that staff have access to the tools and capabilities they need. 

1. Implement and review firm software policies

It’s important that your law firm have clear guidelines on the software that staff are permitted to use, and how data should be collected and managed within them. These policies should be reviewed regularly, especially in light of new technologies like AI. If your law firm hasn’t implemented specific guidance on AI yet, make developing an AI policy a priority. 

2. Provide the right solutions 

Firms should provide solutions with the capabilities and support that staff need for their work. If staff have what they need, they’ll have no reason to look elsewhere for non-sanctioned tools. 

In a law firm, staff typically look for solutions that are designed specifically for legal work, such as tools to do legal research and draft legal documents. These systems should be easy to use and not require a lot of repetitive action to complete a task, which can be frustrating for workers. The upside of legal-specific software is that it typically comes with the data security and privacy guarantees that lawyers and their IT teams need. 

3. Educate and train your staff

It’s one thing to create rules on what solutions can be used; it’s another to provide the training and support to ensure everyone knows how to use them. When staff think they lack certain capabilities, they may just need a better understanding of their existing systems and processes. 

A few ways that firms can support better knowledge and training: 

  • Create internal knowledge hubs. These hubs can provide guidelines on how to use systems and processes and how to ensure the safe handling of firm information. These resources could include detailed how-tos or short step-by-step instructions and videos. 
  • Designate “software champions” to troubleshoot issues. These staff members should have the most knowledge and understanding of the solution at the firm, including details on implementations, processes, and where to seek additional support if needed. 
  • Establish training protocols. Training should be provided to new staff as soon as they’re hired, and existing staff should receive training for new systems as they are implemented. In many cases, individual software platforms offer their own extensive training and support (and even in-depth certifications), which saves the firm from having to set these up from scratch.

4. Listen, be supportive, and be open to needs

The technology landscape is evolving fast, and this is especially true for legaltech. As new solutions and capabilities become available, your staff will often have first-hand insight into what’s most useful and valuable to their work, either from past workplaces or from the recommendations of friends and colleagues.

Keeping an eye and ear out for new technology advantages will help ensure that your firm is doing its best work for its clients, while also keeping staff happy. When it comes to software, and avoiding shadow IT at your firm, this might be the most important task of all. 

What to do if you discover shadow IT at your law firm

If you discover staff using a form of shadow IT at your law firm, it can be an opportunity to identify potential gaps in your systems. 

The first thing to do is to learn how the solution is being used and how your firm’s existing systems aren’t sufficient. If you find that the software is solving a problem for your firm, you can always review it further to determine what data is being used, how it integrates with your systems, and if it meets your data security and privacy standards. 

If the solution doesn’t meet the requirements of your firm’s software policies, or if you’ve determined that another software solution used at the firm already offers the same functionality, you’ll likely need to ensure that staff are aware of your expectations and that your education and training materials are readily available.

What are the costs of shadow IT? 

Shadow IT can incur unneeded costs for the firm. If staff use funds from the practice to purchase their own software, your firm could end up paying for multiple solutions that all do the same thing. 

More critically, lawyers can be held liable for data exposures by their staff or third-party vendors if they fail to maintain proper security standards. Consequences could include regulatory sanctions, liability for financial damages, and in extreme cases, even criminal charges. 

As if firms aren’t busy enough, there’s also the time, effort, and resources needed to deal with a data breach if it occurs. Beyond the stress of dealing with all of this, there is also the strain of maintaining business continuity and the potential impact to the firm’s reputation to consider. 

Legaltech platforms offer more capabilities, more value, and more security under one roof

Clio’s Intelligent Legal Work Platform gives firms the tools and capabilities to manage both the business of law and the practice of law within one solution. 

When handling your casework in Clio, you get more than just a system of record; you unlock a system of action that takes on manual work on your behalf, including day-to-day scheduling, monthly billing, and routine client communications. 

For the practice of law, Clio can securely review individual cases against a legal library featuring over one billion records to surface relevant precedents, review depositions and contracts, and even draft legal documents, all with precise verification workflows. 

If your staff is looking for what’s next in legal AI, be sure to book a demo with our team today. 

Learn how you can set your team up for success with a secure platform that supports your team’s every workflow. Book your demo today! 
