Shadow AI in Legal Firms: Why Meeting Data Is Your Biggest Compliance Blind Spot

Legal firms have spent years building information governance frameworks capable of withstanding regulatory scrutiny. Most have done the work: data classification, access controls, third-party due diligence. What many have not done is account for the AI tools their staff are already using without IT’s knowledge or approval. Shadow AI is not a future risk. It is present in most firms right now, and in professional services, the consequences of getting it wrong are real.
What Shadow AI is, and how it enters your firm
Shadow AI is the use of artificial intelligence tools without the knowledge, approval, or governance oversight of the organisation’s IT or security function. It is an extension of Shadow IT, the long-standing problem of staff adopting unsanctioned SaaS applications, but it carries a different order of risk. Where a rogue Dropbox account moves data, an AI tool processes it, learns from it, and in some cases retains it indefinitely.

The routes of entry are not sophisticated. A fee earner uses a consumer AI assistant to summarise a long document. A business development team runs client call notes through ChatGPT to draft a proposal. A PA signs up to an AI meeting transcription service on a personal free-tier account. None of these are decisions taken with malicious intent, and that is precisely the problem. UpGuard’s State of Shadow AI report found that over 80% of employees use unapproved AI tools at work, with half doing so regularly. In many cases, they do not know that what they are doing falls outside sanctioned practice.
AI features embedded in tools firms have already approved add a further complication. Productivity suites, CRM platforms, and video conferencing software now activate AI capabilities by default, often without triggering a procurement review. The result is AI processing happening across the organisation with no consistent governance applied to any of it.
Why regulated professional services firms face a different level of exposure
For most businesses, Shadow AI is primarily a security and data protection concern. In legal firms, those concerns sit alongside professional conduct obligations that carry their own enforcement consequences.
Solicitors operating under the SRA Code of Conduct are required to safeguard client confidentiality under Rule 5.1 and maintain appropriate governance over the systems used to deliver legal services. Feeding client matter content into a third-party AI tool without authorisation is not a grey area under those rules. Legal professional privilege is a further issue: sharing privileged communications with an external AI provider can amount to a waiver, making previously protected material discoverable.
UK GDPR adds a further layer: ICO penalties for data protection breaches reach up to £17.5 million or 4% of global annual turnover, and processing personal data through unsanctioned third-party tools without a lawful basis or Data Processing Agreement is a straightforward compliance failure.
The specific problem with AI meeting tools
Of all the Shadow AI entry points in a professional services firm, AI meeting transcription tools are among the most consequential and the least scrutinised.
Consumer-grade tools such as Otter.ai and Fireflies join calls as participants, generate live transcriptions, and upload audio to cloud servers, in most cases located in the United States. One person can activate a transcription tool for a meeting without the knowledge of anyone else on the call. Under UK GDPR, that creates an immediate problem: no lawful basis established, no transparency notice given, no Data Processing Agreement in place. When the meeting involves client matters, deal strategy, personnel discussions, or material non-public information, what leaves the organisation is not a minor compliance footnote. Otter.ai is currently facing legal action in the United States over allegations that meeting audio was used to train its models without adequate disclosure to participants, a development that has prompted UK data protection practitioners to review their own exposure.
The information governance issues compound from there. Transcripts created by these tools are stored on servers outside the UK, with retention periods set by the vendor. There is no guarantee data will not be used for model training. There is no audit trail available to the firm. Access controls are typically tied to the individual’s account, so if that person leaves, the organisation cannot manage, retrieve, or delete the records. In a sector where data subject access requests, regulatory investigations, and litigation disclosure are operational realities, that gap matters.
External client meetings add another dimension. A client not informed that a third-party AI tool is transcribing the discussion has not given consent. If that client is itself a regulated entity, your firm’s tool usage may put them in breach of their own obligations.
What governance actually requires
The gap is rarely one of intent. Most IT and compliance leaders in professional services would not knowingly approve tools that fail the tests set out below. Shadow AI bypasses the approval process entirely, which is why the tests need to be applied retrospectively as well as prospectively.
The governance checklist firms should be applying
For any AI meeting tool in use within the organisation, these are the governance requirements that must be in place:
- A lawful basis for processing personal data must be identified and documented before deployment.
- A Data Protection Impact Assessment is required where processing is high risk. Systematic transcription of client meetings qualifies.
- A Data Processing Agreement meeting the requirements of UK GDPR Article 28 must be in place with the provider.
- Data residency must be confirmed: where audio, transcripts, and derived summaries are physically stored, and under which legal jurisdiction.
- Retention periods must be set by the organisation, not inherited from vendor defaults.
- The provider’s terms must explicitly prohibit the use of client conversation data for model training purposes.
Consumer tools routinely fail several of these. The answer is not to avoid AI meeting capture: the productivity case is real. The answer is to treat the procurement decision with the same rigour applied to any other third-party data processor, and to use tools built specifically for regulated environments rather than adapted from consumer products.
Working with a partner who understands the compliance landscape
Firms that operate in sectors where compliance is non-negotiable need meeting intelligence tools that keep data within defined jurisdictions, give administrators full control over access and retention, and have no commercial incentive to repurpose client conversation data. If your firm is assessing how to govern AI meeting tools, or is concerned about unsanctioned tools already in circulation, Marlin works with professional services organisations on exactly these challenges. We have a solution built for the compliance requirements of your sector. Get in touch to talk it through.