Last Updated on May 6, 2026
As AI adoption among law offices and legal departments ramps up even faster than in many other industries, it is outpacing AI governance programs, creating significant operational and compliance risks. AI is now part of daily workflows for the great majority of legal professionals, but guidelines, policies, and controls for risk management, accountability, and accuracy are often informal or incomplete.
Key takeaways:
- AI adoption—with or without oversight—is skyrocketing across the legal profession, with in-house legal teams tracking ahead of law practices overall on both implementation and governance.
- Insufficient AI governance, including lack of training on responsible AI use, is becoming a major business risk for both law firms and in-house legal departments.
- The ungoverned use of general-purpose AI tools for legal work further increases the risk of errors, invalid outputs, and confidentiality breaches, as these tools lack legal-specific supports.
- In its Formal Opinion 512, the American Bar Association (ABA) emphasizes that legal professionals are required to maintain up-to-date technological competency with AI and other evolving legal tools they are using. Ad hoc or shadow AI usage does not meet this requirement.
- Integrating AI into legal workflows means selecting approved AI use cases and tools, validating results, tracking compliance, and defining ownership and escalation paths for issues across functions (e.g., privacy, cybersecurity).
What is the status of AI adoption in the legal vertical?
Reports show that legal is adopting AI at a faster rate than in many other verticals—more than doubling just from 2025 to 2026. Up to 92% of individual attorneys are currently using some kind of AI on legal matters, including document review, drafting, and research.
However, much of this AI use is operationally ungoverned, with policies, controls, and training lagging behind the proliferation of AI tools in legal environments. Over 40% of law firms still have no formal AI policy and approved tools, fueling shadow AI risks.
Even compared to other regulated sectors like finance and healthcare, legal entities may face steeper AI risk due to the high sensitivity of legal client data overlaid on the industry’s unique ethical duties. For example:
- Financial services and technology companies on the whole have stronger AI governance and risk management and are adopting formal AI policy “top-down” at a faster rate than legal, whereas AI adoption in legal is often driven “bottom-up” by individual attorneys looking to boost their personal efficiency.
- While healthcare and legal share similar AI risk profiles around issues like data privacy, safety, and compliance, legal AI adoption is more complex because of its impacts on client billing relative to AI productivity and efficiency gains.
- Manufacturers are embracing AI even faster than legal as AI-driven automation around data-centric efforts like predictive maintenance, supply chain optimization, product development, and quality control has become a competitive necessity.
- Critical infrastructure firms are proceeding more cautiously with AI adoption versus legal, with a strong requirement for AI safety, cybersecurity, and operational reliability in IT/OT environments characterized by legacy hardware and software.
- Corporate legal departments across sectors may be overall more proactive than law practices when it comes to AI adoption and governance, with the goal of less reliance on outside counsel.
Overall, legal entities are at a tipping point, with growing pressure from clients, regulators, insurers, and other stakeholders forcing rapid AI governance implementation to better manage AI risk.
How does AI adoption among law firms versus corporate legal departments compare?
Law firms and corporate legal departments are both rapidly adopting AI. But law firms overall are leveraging AI more cautiously and have less mature AI governance than their in-house counterparts.
A key factor is AI’s evolving impact on law firms’ billable hours and revenue, whereas in-house legal teams have been quick to implement AI to help cut costs and improve operational efficiency, potentially reducing their need for external counsel.
Leading AI use cases also vary between these groups:
- Law firms are using AI for legal research and to automate document review and production.
- Corporate legal teams are using AI to automate compliance reporting, contract management, and legal analytics, helping to improve both work throughput and decision-making accuracy.
For both law practices and legal departments, the major challenges with AI adoption typically fall into these four categories:
- Developing and maintaining a dynamic AI strategy in the face of ever-accelerating technology change
- Managing AI risk (including cybersecurity and compliance risks) and putting effective AI governance in place
- Optimizing in-house data assets for maximum value as an input to AI systems
- Choosing AI tools, platforms, and technology partners
What are best practices to streamline AI adoption in legal?
Governance frameworks are essential for safe and ethical AI use in legal environments. Otherwise, the organization is at the mercy of negative impacts as AI-related risks inevitably manifest. Now is the time for senior leaders to drive top-down AI policy, as legal professionals will embrace AI with or without proper oversight.
Integrating AI smoothly into legal workflows means selecting approved AI use cases and tools, validating results, tracking compliance, and defining ownership and escalation paths for issues across functions.
Top strategies to support AI adoption include:
- Educating and training teams on how to use generative and agentic AI safely and effectively, including guidance on prompt engineering and AI-specific risks.
- Starting with “quick wins” by piloting AI for key use cases like automated contract review, document drafting, or transcript summarization.
- Emphasizing ethical AI principles to ensure ongoing client trust and compliance with professional standards.
- Partnering with AI providers and consulting advisors to help shape AI strategy, implementation, risk management, and governance.
AI governance among CBIZ clients
During a recent webinar, CBIZ legal clients were asked about the status of their AI governance programs. The results indicate an overall higher level of governance maturity versus the vertical as a whole, perhaps reflecting a history of ISO 27001 certification and other indicators of mature cybersecurity risk management.
According to participant self-report (see graphic below):
- 19% of firms have no AI governance.
- 24% are in the process of drafting AI policies.
- 33% have an approved AI policy with limited “official” AI adoption.
- 14% have a head start on AI controls, training, and monitoring in addition to policy.
- 10% have a mature AI governance program with continuous monitoring.
Top AI risk concerns among webinar participants include:
- Confidentiality/privilege leakage—62%
- Accuracy/hallucinations—29%
- Third-party/vendor AI and data handling risk—9%
- IP/copyright and ownership—0%
- Fairness/bias and discrimination—0%
Another common worry not on the above list is AI’s use in making business decisions or judgments on client matters. A common view among law firm clients remains, “I’m not paying for AI. I’m paying for you.”
What is the practical AI journey for legal entities?
With strategic advice and support from a trusted advisor, a practical AI adoption journey can unfold smoothly alongside effective governance and risk management. This journey has four phases (see graphic below):
- Just experimenting.
In this initial phase, firms and individual legal professionals are curious about AI opportunities but may not know where to start to achieve the best results. A common stumbling block is ad hoc use of shadow AI tools. Best-practice activities at this stage include an AI readiness assessment, AI use case mapping, and ongoing policy and controls development.
- Actively adopting.
Structured AI adoption requires executive sponsorship with a focus on use cases and their projected value. Firms that are piloting AI can benefit from expert guidance in areas like developing an AI roadmap, managing risk and compliance, and assessing/improving data quality.
- Ready to scale.
Law firms that are ready to scale AI across the business can benefit from the CBIZ Vertical Vector AI platform or a similar solution to accelerate governance, security, workflow automation, change management, and more.
- Optimizing impact.
Once a business has operationalized robust AI governance, it can begin to optimize AI’s return on investment with continuous risk management and automated reporting.
Next steps
Success with integrating AI into legal workflows has become a defining competitive factor for legal practices and a vital efficiency driver for in-house legal departments.
CBIZ Pivot Point Security is a trusted advisor for AI strategy, implementation, and governance. We can help you establish the foundational controls that will position your firm or department for future success, providing only the services and skills you need.
Contact us today to schedule a consultation with an AI expert.