A New Governance Challenge
Artificial intelligence is quickly becoming embedded in nearly every aspect of legal practice. Most law firm leaders recognize that lawyers are using AI to research issues, summarize documents, draft communications, review contracts, and perform a growing number of other tasks. As AI adoption accelerates, firms are appropriately investing in governance, evaluating technology, developing policies, and educating lawyers on responsible use. Much of that effort has been driven by concerns about what has become known as Shadow AI, the use of artificial intelligence tools outside an organization’s approved technology and governance framework. Those concerns are real and deserve careful attention. At the same time, they represent only part of the challenge. Every lawyer who adopts AI also begins making decisions about how legal work should be performed. Without organizational guidance, those individual decisions gradually become the firm’s de facto operating model.
The existence of Shadow AI should not be viewed as evidence that lawyers are unwilling to follow firm policy. More often, it reflects the reality that AI capabilities are evolving faster than organizations can reasonably establish governance, workflows, and supporting standards for their use. Lawyers remain under constant pressure to deliver exceptional client service while improving efficiency and responsiveness. As a result, many begin incorporating AI into their daily work before institutional practices have fully matured. Shadow AI is therefore better understood as a symptom of organizational change than as an organizational failure.
Previously, I’ve discussed the importance of governance and guardrails, data quality, meaningful supervision of agentic tools, a use case-first approach to deploying AI, and ongoing, practical training. These are not abstract best practices. They are what allow individual lawyers’ good judgment to become institutional capability, rather than remaining isolated within each lawyer who exercises it. Lawyers have always relied on independent professional judgment, and AI does not change that obligation. What changes is the absence of a shared structure for applying that judgment to AI: without one, every lawyer reasonably decides for themselves how to validate output, when to rely on a tool, and how to document its use. Those decisions are sound on their own terms. The problem is that they remain individual, invisible to the firm, and disconnected from one another, even as more lawyers make them every day. Shadow AI, in other words, is not evidence of a lack of judgment. It is what happens when good individual judgment has no shared structure to build on.
Information Security Is Necessary, But It Isn’t Sufficient
Most published guidance on Shadow AI focuses on security, and for good reason. The American Bar Association, cybersecurity professionals, technology vendors, and law firms have all published valuable guidance addressing confidentiality, privilege, ethical obligations, and the protection of client information when using generative AI. Those concerns are not hypothetical. Courts have sanctioned lawyers after fictitious citations generated by AI were submitted without adequate verification. Confidential information has reportedly been entered into publicly available AI systems without appropriate authorization. These publications appropriately emphasize using only approved tools, responsible handling of sensitive information, and the importance of human review before relying on AI generated output. Every law firm should establish clear policies defining what information may be entered into AI systems and which technologies are approved for professional use. Security, however, is only part of the story.
The Real Problem Is Shadow Workflows
The rest of the story is this: in the absence of approved workflows, every lawyer who adopts AI starts solving the same problem alone and starts solving it differently. That pattern has a name. Shadow Workflows are the unofficial methods individual lawyers build to incorporate AI into their work when formal organizational standards and workflows have not yet been established. These include methods for prompting, validating results, documenting AI use, and deciding when AI should or should not be involved, each formed independently, lawyer by lawyer.
This is fundamentally different from the Shadow IT challenges organizations have faced for years. Shadow IT typically involved unauthorized software, cloud storage, or collaboration tools. Those activities certainly created security and support concerns, but they generally did not change how lawyers practiced law. Shadow AI does. It influences legal research, drafting, document review, negotiation, analysis, and client communication. The technology may be unauthorized, but the greater consequence is that the workflow itself becomes unofficial.
Every Lawyer Begins Building Their Own Operating Model
Consider a typical litigation department. One lawyer drafts briefs using an approved enterprise AI platform. Another relies on a personal subscription to a consumer chatbot. A third primarily uses Microsoft Copilot because it is available within the firm’s Microsoft environment. A fourth prefers not to use AI at all. Each settles on different prompting techniques, validates responses differently, relies on different sources of authority, and documents work according to personal preference rather than organizational standards.
From the client’s perspective, these lawyers all belong to the same firm. Internally, however, they may now be practicing under four different AI operating models. Leadership often has little visibility into which approaches produce the best results, which safeguards are consistently applied, or whether valuable lessons learned by one lawyer are ever shared with others. Instead of building institutional capability, organizations unintentionally encourage hundreds of individual experiments.
The Cost to Lawyers, Not Just the Firm
The conversation about Shadow Workflows tends to focus on what the firm loses: consistency, institutional knowledge, defensibility. But the lawyers building these workflows are not getting a good deal either. A lawyer who builds their own approach to prompting, validating, and documenting AI use has no way of knowing whether that approach is sound, mediocre, or quietly accumulating risk, because there is no firm standard to measure it against and no one positioned to tell them. They are, in effect, supervising themselves on a skill most of them are still learning. The lawyer who happens to land on a careful, well-validated approach and the lawyer who does not are both operating with equal confidence, because confidence in this setting comes from repetition, not from feedback. That should concern firm leadership for its own sake. A profession built on mentorship, training, and the gradual transfer of judgment from senior lawyers to junior ones is now asking many lawyers to form a core part of their practice with none of those things.
Why This Creates New Operational Risks
The costs to individual lawyers are not the only ones worth considering. Firms often have no consistent record of how work product was created or what validation occurred before it reached a client. Valuable prompting techniques and workflow improvements remain isolated with individual lawyers rather than becoming institutional knowledge. New lawyers learn personal habits instead of consistent organizational practices. Quality assurance becomes increasingly difficult because there is no common process against which work can be evaluated. None of these challenges can be solved simply by approving another AI platform.
These unofficial workflows often take hold despite the best intentions of both lawyers and firm leadership. Organizations understandably require security review, procurement, governance, and risk assessment before broadly deploying new technologies. At the same time, lawyers continue facing demanding client expectations and increasingly recognize AI’s ability to improve productivity and responsiveness. As those two realities converge, unofficial workflows naturally begin to emerge before official ones are fully established. The result is not organizational misconduct. It is organizational inconsistency.
What Clients Stand to Lose
Clients do not generally experience a law firm as an institution. They experience the lawyer in front of them. When that lawyer’s approach to AI was built independently, without the benefit of firm-wide standards or oversight, the client has no way of knowing it. They simply receive the work, and they trust that the work reflects how the firm operates, not how one lawyer happens to operate. That trust is reasonable. It is also, in a firm governed by Shadow Workflows, frequently misplaced. A client whose matter was handled by the lawyer with the careful, well-validated approach gets one experience. A client whose matter landed with a colleague three doors down, working from a different set of habits, gets another. Neither client can see the difference. They only see the result, and eventually, if results vary enough across matters, they start to notice. A firm’s reputation is built on the premise that quality does not depend on which lawyer is assigned to the matter. Shadow Workflows quietly erode that premise, one matter at a time, long before any client complaint makes the inconsistency visible to firm leadership.
Governance Must Extend Beyond Technology
Many organizations approach Shadow AI primarily as an information technology issue. The response therefore becomes restricting access to websites, publishing additional policies, or approving another software platform. Those actions certainly reduce important categories of risk, but they do not address the larger operational challenge. Lawyers who experience meaningful value from AI will naturally seek appropriate ways to incorporate it into their work. Sustainable governance therefore depends upon creating workflows that are easier, more effective, and better supported than unofficial alternatives.
The firms making the greatest progress increasingly recognize this distinction. They are establishing AI governance committees, developing approved use cases, publishing prompting guidance, investing in lawyer education, evaluating models before deployment, and implementing continuous operational oversight. These organizations understand that AI adoption is not a technology implementation project. It is the development of a long-term organizational capability.
Every Firm Already Has an AI Operating Model
An AI operating model is the sum of every decision a firm makes, deliberately or by default, about how AI gets used: which tools are sanctioned, how output gets validated, what gets documented, and how lessons learned by one lawyer reach the rest of the firm. Every law firm has one whether leadership recognizes it or not. In some firms, that operating model has been intentionally designed through governance, workflow design, education, operational discipline, and continuous improvement. In others, it has emerged organically through hundreds of independent decisions made by individual lawyers selecting their own tools, creating their own prompting techniques, developing their own validation methods, and establishing their own approaches to legal work. Both organizations have an AI operating model. Only one designed it intentionally. That distinction may ultimately determine which organizations realize AI’s full potential.
Law firm leaders should recognize that the larger opportunity lies in designing consistent, scalable, and well-governed workflows that enable lawyers to use AI confidently and responsibly. Shadow AI is not simply about unauthorized technology. It is about unofficial methods of practicing law. Firms that recognize they are managing Shadow Workflows rather than merely Shadow AI will be far better positioned to deliver consistent quality, strengthen governance, support the lawyers doing the work, protect client trust, and create lasting competitive advantage.
