What Is Shadow AI? The Growing Risk Inside Legal Departments

July 2026
Posted by Daniel Hayter

It’s safe to say that artificial intelligence has moved from experiment to expectation among most legal departments. In Axiom's recent webinar, Across the Channel: An AI Compliance Guide for the UK and EU, I noted that 88 percent of businesses report using AI, and a recent Axiom survey found that 96 percent of legal departments have adopted AI in at least some capacity.

But a meaningful share of that AI usage is happening outside official channels, on tools that no one in IT, security, or legal ever approved.

This is what’s referred to as shadow AI, and my guests and I named it as one of the most common blind spots in AI governance today. In my discussion with Lisa Lischak, Divisional General Counsel at Nexora, Ruud van Herpen, Chief Legal Officer at Xebia, and Axiom lawyer Steve Coope, we explored the EU's prescriptive AI Act and the UK's lighter, principles-based approach, where binding AI legislation is not expected until later in 2026, leaving teams with European exposure straddling two very different regulatory regimes.

Shadow AI is a risk under both. This article draws out that thread: what shadow AI is, why it matters so much for legal teams, and how to get it under control.

What Is Shadow AI?

Shadow AI is the use of artificial intelligence tools, features, or systems inside an organization without the knowledge or approval of the IT, security, or legal teams responsible for overseeing technology. During the webinar, Steve described the problem as unofficial use of large language models or automation tools that never appear on the surface, which makes it difficult for companies to flush out and address.

The contrast with approved tools is stark. An approved AI tool goes through security checks and legal review before anyone touches it, and access controls determine who can use it and what data it can reach. Shadow AI skips every one of those steps. An employee signs up for a free AI-powered service, pastes in work material, and the organization has no record that it ever happened.

Why Shadow AI Is Growing So Quickly

The panelists shared that several forces explain why shadow AI is spreading faster than governance can keep up.

First, the market is flooded with new tools. Lisa described new AI solutions mushrooming in the marketplace, popping up every week and even every day. In fact, she shared how she delayed a planned review of contract lifecycle management systems because the field was changing so quickly.

Second, AI features are appearing inside everyday software. Many software-as-a-service (SaaS) products now ship with AI features built in, and a quick browser extension can promise instant summaries or drafting help. Employees often do not register these as new AI systems at all.

Next, the pressure to adopt can be emotional. Lisa described the current moment as emotionally charged, with everyone in a frenzy to adopt AI and a real sense of FOMO for anyone not on the bandwagon. And that urgency often pushes people toward whatever tool is closest at hand.

It’s also important to consider that the new generation of lawyers arrives already fluent in these tools. Ruud raised the challenge of young lawyers joining straight from college with all of these tools ready to grasp. They are bright and capable, and the task is teaching them to combine legal knowledge, technology, and judgment before turning them loose.

And now, more work than ever is landing in-house. Axiom research cited in the webinar found that over 80 percent of legal departments plan to move significant law firm work in-house or to alternative legal services providers within 24 months. More work with the same headcount creates a strong incentive to reach for anything that saves time.

Finally, policy simply struggles to keep pace. Lisa’s team issued version two of their global AI policy last year and is already preparing version three because AI is developing so rapidly. Even diligent organizations find their rules aging in months rather than years.

Why Shadow AI Is Especially Risky for Legal Departments

Every department carries some risk from unapproved AI usage, but the risks of shadow AI are sharper in legal because of the nature of the work. Legal teams handle privileged material like confidential client information and regulated personal information every day, and they carry professional duties on top of ordinary security risks.

Lisa put it plainly: Lawyers have an ethical duty to understand a tool before putting information into it, whether the tool is AI-driven or otherwise, and the old rules still apply. Confidential client information stays out. Privilege, intellectual property, and data protection considerations all still govern.

We also explored real-life incidents. I mentioned a recent incident involving the Solicitors Regulation Authority in which a large portion of a highly confidential contract was accidentally uploaded to the public version of ChatGPT rather than an enterprise version. Lisa cited an earlier SRA matter involving an immigration practitioner who uploaded confidential client information to a public AI tool. These are exactly the scenarios a shadow AI problem produces.

The regulatory stakes are rising as well. Steve walked through the EU AI Act's enforcement regime, which carries fines of up to 35 million euros or 7 percent of global turnover, whichever is greater. The Act also expects organizations to maintain a clear inventory of their AI systems and assign risk levels to each one, an obligation that is impossible to meet if tools are in use that the organization does not know about.

There’s a security dimension, too. Lischak noted that standard cybersecurity training does not yet cover the behavioral responses needed for evolving threats like prompt injection. When security teams don’t even know a tool is in use, that gap gets wider.

Common Examples of Shadow AI in Legal Work

Shadow AI tools in a legal department rarely look dramatic. They usually look like ordinary team members trying to work faster:

  • Using a free public chatbot instead of the enterprise version of the same AI tool, as in the SRA incident we discussed, where confidential contract material went into public ChatGPT.
  • Unofficial use of large language models or automation tools that never surface to IT or legal operations.
  • Installing an AI browser extension that reads pages or summarizes documents without any security review.
  • Switching on new AI features inside already approved software without anyone assessing what those features do with data.
  • Using a personal account for an AI tool to draft, research, or summarize legal work outside company systems.

The Data Risks: What Legal Teams Should Not Put into Unapproved AI Tools

Our guidance maps to several types of data, all of it sensitive in one form or another, that should never enter an unapproved AI tool:

  • Confidential client information, which Lisa identified as the clearest line, echoing duties that predate AI entirely.
  • Privileged material, where disclosure to an outside system raises questions about whether protection survives.
  • Intellectual property, including the organization's own proprietary information.
  • Personal data covered by data protection law, including customer data and employee information.
  • Commercially sensitive contract terms, the category at the center of the ChatGPT incident we discussed.

Free public tools typically offer no contractual assurances about how inputs are stored, shared, or reused, which is part of what separates them from approved enterprise tools. Lisa also raised longer-term concern for the profession itself: lawyers' experience and technical knowledge as knowledge workers are being used to train AI models, with implications for the legal profession down the line.

How to Manage Shadow AI Without Killing Innovation

No one is arguing for shutting AI down. All three organizations represented by my guest are actively expanding their AI adoption. The question we focused on is how to manage shadow AI while allowing for genuine progress. Our experience suggests a sequence.

Start with an audit and a central register:

Steve’s first recommendation was a clear internal audit and inventory of every AI tool in use, with shadow AI deliberately flushed out and brought onto the register rather than ignored.

Assign risk levels to each tool:

Steve also suggested mapping every tool against the EU AI Act's four risk categories, from unacceptable through high and limited to minimal risk, and using that framework as the baseline even for global operations.

Publish clear guidelines on what can and cannot be used:

Ruud stressed the need for clarity and strict guidelines about which tools are allowed and backed by firm guardrails, so no one has to guess.

Enforce the policy:

Lisa described her organization's approach as binary – onboarding a new AI tool requires security and legal checks, and using unapproved tools carries consequences. She also emphasized assurance work, meaning audit and internal controls that reveal who is using what and how.

Give people a sanctioned path that actually works:

The most effective counter to shadow AI is an approved alternative people want to use. Ruud’s team built a legal front door, a single entry point that connects the department's approved tools in one place. It took about six months to develop and test, accuracy was refined over time, and questions the system cannot answer are routed to the right lawyer. When the official route is that convenient, the incentive to circumvent it shrinks.

Train continuously:

Steve pointed to the EU AI Act's AI literacy requirement, with mandatory training for all staff already in effect and deeper training for functions like HR and IT. Cybersecurity training needs a major refresh to cover threats like prompt injection as organizations move into agentic AI.

Adopt with intention:

Lisa’s closing advice was to take stock, understand what AI actually means for your organization, define the use case and the problem first, and then implement. Ruud’s version of the same idea was to map your processes, ask whether each one is still necessary, and only then match technology to genuine needs.

With EU AI Act deadlines extended, it can be tempting to relax. But it’s important to keep the pace and governance programs moving, because regulators will expect more from organizations that were given extra time.

What Should Be in a Legal Department AI Policy?

Drawing their recommendations together, a legal department AI policy should cover:

  • A complete inventory and central register of AI tools and AI systems in use across the organization.
  • Risk classification for each tool, mapped to a recognized framework such as the EU AI Act's risk categories.
  • An approval process requiring security checks and legal review before any new tool is onboarded.
  • A clear list of approved tools alongside explicit rules on prohibited usage.
  • Data rules specifying the types of data that must never enter unapproved systems, including confidential client information, privileged material, intellectual property, and personal data.
  • Vendor contract requirements, including transparency obligations, updated terms with the correct clauses, and jurisdiction checks.
  • Governance and oversight, with a designated lead or compliance owner.
  • Human oversight requirements, keeping a human in the loop for higher-risk uses.
  • Transparency measures such as chatbot disclosure and checks on risks like deepfakes where relevant to the business.
  • Training requirements for all staff, with deeper coverage for high-exposure roles.
  • Consequences for noncompliance, stated clearly and applied consistently.

Treat the policy as a living document. Lisa shared how her team is on its third version in a short span, and she was candid that the pace of change makes regular upgrades unavoidable.

For help developing an effective AI policy, companies and legal departments can benefit from consulting an artificial intelligence lawyer.

Frequently Asked Questions

What is shadow AI?

Shadow AI is the use of AI tools or AI features inside an organization without the approval or oversight of IT, security, or legal teams. It includes free public chatbots, unapproved browser extensions, and AI capabilities switched on inside existing software.

What does shadow AI mean in a legal department?

In a legal department, shadow AI means lawyers or legal staff using unapproved AI tools for legal work such as drafting, research, or contract review. Because that work often involves confidential and privileged material, the stakes are higher than in most other functions.

What is the difference between shadow AI and shadow IT?

Shadow IT is the broader practice of using any unapproved technology at work, including software, devices, and cloud services. Shadow AI is a subset of shadow IT that involves unapproved artificial intelligence tools specifically, and it carries added data risks because AI tools invite users to paste in the content they are working on.

What is the difference between shadow AI and approved enterprise AI?

Approved enterprise AI has been through security checks and legal review, with access controls and contractual protections in place before anyone uses it. Shadow AI has been through none of that, so the organization has no visibility into where its data goes or how the tool behaves.

Why is shadow AI risky for legal departments?

Legal teams handle privileged, confidential, and regulated information. Putting that material into unapproved tools can breach client confidentiality, endanger privilege, violate data protection obligations, and expose the organization to regulatory penalties, including fines under the EU AI Act of up to 35 million euros or seven percent of global turnover.

How should legal departments manage shadow AI?

Begin with an audit and a central register of every AI tool in use, assign each tool a risk level, publish clear guidelines on approved tools and prohibited data, train the team continuously, enforce consequences, and give people sanctioned alternatives that genuinely meet their needs.

Posted by Daniel Hayter

Daniel Hayter is Managing Director and Vice President of Axiom Europe.