Safe AI in Law: Closing the Accountability Gap for UK Law Firms

Artificial intelligence is fast becoming embedded in everyday legal work. AI-enabled tools for document summarisation, contract analysis, research and internal knowledge retrieval are transforming how legal teams work across the UK legal sector, and adoption is accelerating. According to LexisNexis, 61% of lawyers now use AI in their day-to-day work, compared to 46% in January 2025. 

Join us at LegalEx London on 25 February, stand 12. Our Chief Technology Officer, Matt Smith, will be on  The Future of Law stage at 1:00 pm presenting Legal Under Siege, exploring how law firms can use Microsoft Security to defend against breaches while maintaining compliance and client trust. He will share practical steps to strengthen security hygiene and safeguard sensitive data, along with actionable strategies to turn cybersecurity from a potential vulnerability into a foundation for resilience. 

What is not keeping pace, however, are the safeguards required to use AI securely, ethically and in line with professional obligations. Many UK law firms now face a widening gap between the promise of AI and the controls needed to deploy it responsibly. That gap is increasingly recognised as a material governance and compliance risk. 

AI amplifies existing weaknesses 

Let’s be clear. Artificial intelligence doesn’t create entirely new vulnerabilities. It magnifies weaknesses that already exist within identity, access and data controls. Over-privileged user accounts become far more dangerous when connected to AI tools capable of surfacing sensitive client data in seconds. Poorly classified documents, once buried in shared drives, are easily exposed when fed into automated workflows. Unmanaged devices and remote access gaps, already a challenge for IT teams, become high-impact entry points when AI layers on top of them. 

In this sense, AI acts as a force multiplier. Where governance is strong, it accelerates efficiency, insight and competitive advantage. But where controls are weak, it doesn’t just add risk, it scales it. For law firms, this means the fundamentals of cybersecurity, including identity management, data classification and privilege control, are no longer optional hygiene measures. They are the prerequisites for safe AI adoption. 

The rise of shadow AI 

Shadow AI is the new shadow IT, and in many ways it is more dangerous. AI tools don’t just store data. They can ingest and process vast volumes instantly. A single unapproved prompt can expose more sensitive material than a misplaced email ever could. 

Lawyers and support staff are increasingly experimenting with unsanctioned AI tools because they are convenient and powerful. Microsoft® research suggests that nearly three quarters (71%)of UK employees used unapproved (Shadow AI) tools at work in 2025 (Microsoft UK’s 2025 Shadow AI research). In a legal context, that creates obvious risks around confidentiality, privilege and data leakage. 

If law teams lack approved, fit-for-purpose AI tools, they will find their own. If policies exist only on paper, they will be bypassed under client pressure. Yet Legal Futures reports that just a third of UK law firms currently have a dedicated AI policy (Legal Futures, 2024). Most rely on generic IT or confidentiality policies that were never designed for AI tools that generate content, process large datasets and operate outside the firm’s control. 

With regulators tightening expectations and clients demanding evidence of data governance, shadow AI is no longer theoretical. It is an operational and regulatory exposure waiting to surface. 

Building practical guardrails 

Bridging the gap between AI adoption and accountability does not mean slowing innovation. It means embedding safeguards that uphold legal, ethical and professional standards. For law firms, these guardrails are essential to protect client confidentiality, maintain compliance and preserve trust. 

Start with identity and access. When AI can surface information at scale, knowing who can use it, what data it can reach and how permissions are managed becomes critical. Least-privilege principles are not just best practice. They are a primary weapon to protect against accidental disclosure and misuse. 

Defending against AI-related identity risks demands continuous, expert-led monitoring. secure365®, a Managed eXtended Detection and Response (XDR) service from Softwerx that leverages the underlying Microsoft Security technologies already installed in the business infrastructure used by legal practices, provides 24x7x365 visibility across identities, AI workloads and connected applications, actively hunting for anomalous behaviour and stopping threats before they impact operations. Combined with automated response and a skilled team of Microsoft-certified security analysts, this significantly reduces the risk of data exposure and compliance failure. 

Data classification is equally vital. Without clarity on what constitutes client-confidential, privileged or sensitive information, enforcement becomes impossible. AI systems need clear boundaries on what they can and cannot process. Microsoft Purview® (part of the Microsoft Security portfolio) supports this by applying sensitivity labels and protection policies, ensuring confidential documents and emails remain protected wherever they are accessed. 

For many law practices, existing Microsoft investments already provide the security tools required to safeguard AI usage. Microsoft Purview Data Loss Prevention helps monitor and restrict sensitive data movement across Microsoft 365®. Microsoft Defender® for Cloud Apps helps detect and control shadow AI by identifying unsanctioned applications and enforcing policy-based controls. Microsoft Entra® ID strengthens identity governance through conditional access and least-privilege enforcement, creating a secure foundation for AI adoption. 

Optimising the tools already available within a law firm’s Microsoft Security stack strengthens identity hygiene, governs sensitive data and improves visibility. Managed XDR services such as Softwerx secure365 add continuous 24x7x365 oversight, helping law firms maintain control as AI use expands. 

AI has the potential to transform efficiency and client service in law firms, but only if it is used responsibly. The firms that succeed will pair innovation with control. By anchoring AI adoption in Microsoft Security and reinforcing it with Managed XDR, law firms can unlock AI benefits without compromising confidentiality, compliance or trust. 

Join us at LegalEx London on 25 February at The Future of Law theatre at 1.00 pm where our Chief Technology Officer, Matt Smith, will be exploring how law firms can optimise Microsoft Security to manage AI risk and defend against modern threats. 

What you’ll discover: 

• How Microsoft Security supports identity protection, data governance and AI readiness in law firms. 

• Practical steps to strengthen security hygiene and protect client trust. 

• Strategies to reduce AI-related risk while maintaining operational continuity. 

Join us and learn how to protect your firm, preserve operational integrity and build resilience as AI becomes a permanent part of legal practice.