The invisible AI adoption already happening in your practice
Ask most small UK law firms whether anyone uses AI chat tools to complete tasks and the answer is more than likely yes. It's a reasonable assumption that members of staff will have pasted client material into one of these tools at some point, not out of carelessness, but because it was easy, available, and genuinely helpful.
The proliferation of AI tools like ChatGPT, Microsoft Copilot, and Claude has made sophisticated text generation as accessible as opening a web browser. When faced with a blank page and a tight deadline, the temptation to use a tool that can draft a first pass of a contract clause or summarise a lengthy judgment in minutes rather than hours is considerable. The question for a managing partner isn't really whether this is happening at their firm; it almost certainly is. The question is whether you can demonstrate, when the time comes, that you did what was reasonable to manage it and to report against it. I'm pretty sure the Solicitors Regulation Authority won't accept "we didn't know" as a defence, particularly when the technology has been widely available and discussed for over two years. This isn't about being alarmist: it's well known that most firms have some kind of unregulated shadow AI use going on, and at the moment they aren't experiencing immediate disasters. However, the regulatory framework that governs your practice already applies to AI use, whether you've formally acknowledged it or not.
What shadow AI looks like in your practice
The scenarios are more mundane than you might expect, but they're happening across the profession:
- A partner stays late to finish a complex commercial lease and uses ChatGPT to draft initial clauses, then refines them.
- A paralegal working on disclosure uses Copilot to summarise key points from fifty pages of case law.
- A trainee uses Claude to help structure a client letter explaining the implications of new legislation.
None of these activities are inherently problematic: the AI-generated output isn't being sent directly to clients without review, and the fee-earners involved are still applying their professional judgement. The work product may well be better (clearer, more comprehensive, completed faster) than it would have been without AI assistance. The problem is visibility and control. These tools (ChatGPT, Microsoft Copilot, Google's Gemini, Anthropic's Claude) are consumer-grade services. They're not subject to the same IT-sanctioned rules as the systems within your firm. For instance, they don't maintain audit logs that you can access. When your paralegal summarises those cases, you have no record that AI was involved, no way to trace what information was shared with the service, and no technical measures in place to prevent client-identifying details from being processed by systems outside your control.
The tools themselves aren't the issue; it's that they're being used without oversight, documentation, or integration with your firm's information governance processes. Your people aren't being malicious; they're solving immediate problems with available technology. But from a regulatory compliance perspective, you're operating blind. Most concerning is that attempts to simply forbid AI use often push the activity further underground. Fee-earners who find AI genuinely useful won't stop using it; they just stop mentioning it. They switch from work devices to personal phones and from corporate accounts to personal ones, and you lose even the limited visibility you had before.
Why the SRA Code already applies to AI use
The SRA Principles and Code of Conduct don't have a specific AI exemption, and they weren't designed with one in mind. When your firm uses AI tools, existing professional obligations apply immediately. Consider paragraph 6.3 of the SRA Code of Conduct for Solicitors, which requires you to keep client affairs confidential. When client material is pasted into a public AI service, that information has left your firm's technical and administrative control — it's sent to the provider's servers, typically in the United States, to be processed. The service provider's terms will typically grant them rights to process, store, and in some cases use that data for training purposes. Even if the AI provider's privacy policy offers reassurances, you've created a situation where client confidential information is being processed by a third party without explicit consent or appropriate safeguards.
Paragraphs 3.5 and 3.6 of the Code require proper supervision of work carried out by others. If AI contributes to drafting a document and that document isn't properly reviewed, or if the supervising partner doesn't know AI was involved or doesn't understand its limitations, then supervision is compromised. The partner signing off on the work isn't making an informed assessment of what needs checking. The SRA's regulatory framework also requires compliance with all applicable obligations, including data protection law. UK GDPR Article 5 establishes the core data protection principles, including requirements for lawful and transparent processing, and Article 32 requires appropriate technical measures to protect personal data. When client personal data is processed through unsanctioned AI tools, both are at risk.
The Information Commissioner's Office has published substantial guidance specifically on AI and data protection — updated in 2023 and supplemented by a strategic approach published in 2024. The ICO is clear that organisations remain responsible for personal data even when using AI tools, that appropriate safeguards must be in place, and that a Data Protection Impact Assessment is expected before deploying AI systems that process personal data at scale. These aren't theoretical concerns. The SRA has published guidance confirming that existing professional obligations apply to AI use, and early cases involving AI in legal practice are beginning to reach the courts, including a 2025 High Court case where a solicitor was referred to the SRA after submitting AI-hallucinated case citations. The regulatory direction of travel is clear even if the body of decided cases is still forming.
The regulatory framework assumes you know what's happening with client data and client work within your firm. Shadow AI undermines that assumption in a way that creates both immediate compliance risks and longer-term reputational exposure.
Why the outright ban is the wrong response
The instinctive response to shadow AI — a firm-wide prohibition — creates more problems than it solves. The productivity gains from AI are measurable and real; fee-earners who have used these tools effectively will continue to do so, but they'll do it on personal devices with personal accounts, entirely outside any monitoring or oversight. A blanket ban doesn't eliminate the risk; it drives it underground. The firm loses the limited visibility it had and gains nothing but the illusion of control. Fee-earners who were previously at least using AI on work devices, where some form of monitoring was possible, switch to personal phones and home computers. The worst regulatory outcome isn't "we used AI and managed it properly." It's "we banned it and have no idea what's actually happening." When the SRA investigates an incident, they'll look at what reasonable steps you took to manage AI use, not whether you successfully prevented it entirely.
An outright ban is essentially a paper defence. It might satisfy some partners that the firm has "done something," but it won't satisfy the SRA if problems emerge — professional regulators understand that technology adoption happens whether organisations formally approve it or not. They're more interested in what you did to manage the reality than what policies you wrote to prevent it. More practically, AI tools are becoming embedded in software your firm already uses: Microsoft 365 includes Copilot features, contract analysis platforms incorporate AI processing, practice management systems are adding AI-powered functionality. A blanket AI ban quickly becomes unworkable as these integrations proliferate.
The productive response is to acknowledge that AI use is happening and focus on making it visible, controlled, and compliant with professional obligations.
What a small firm can realistically implement
Most compliance guidance assumes resources that small firms don't have. The realistic approach is to implement controls in tiers, starting with what can be done immediately and building towards more sophisticated governance as the firm grows.
Minimum viable governance (implement this week)
Every firm should have a written AI policy, even if it's only one page. The policy should require fee-earners to declare when AI has been used in client work and mandate the removal of client-identifying details before any AI tool is used. This takes a morning to draft and can be implemented immediately. The point isn't to create bureaucracy; it's to establish that the firm recognises AI use as something that needs to be managed. This policy becomes your evidence to the SRA that you took reasonable steps to address AI use, even if individual fee-earners didn't always comply perfectly. Include a simple declaration process — when AI is used on client work, it should be noted in the file. This creates an audit trail and ensures that supervising partners know when AI has been involved in document preparation.
Practical governance (implement this quarter)
The middle tier focuses on approved tools and training. Identify which AI services the firm will permit and establish basic logging requirements — Microsoft Copilot for Business, for example, provides audit logs that consumer ChatGPT does not. Run a training session with specific examples of acceptable AI use, show staff how to remove client-identifying details properly, and demonstrate the difference between using AI for research (generally lower risk) and using it for client document drafting (higher risk, requiring more oversight). Most importantly, establish partner-level accountability. Partners need to understand when and how AI has been used in work they're supervising, not for micromanagement, but to ensure that professional obligations around supervision are met.
This tier is achievable within a quarter for most firms if there's buy-in from the partnership. It addresses the majority of regulatory risk while preserving the productivity benefits that make AI attractive to fee-earners.
Comprehensive governance (implement this year)
The top tier involves governed AI platforms with full audit trails, document source controls, personally identifiable information detection, and human-in-the-loop approval processes. This becomes important as firms grow or handle more regulated client sectors: financial services clients, public sector work, or cases involving particularly sensitive personal data. At this level, AI use is fully integrated with the firm's information governance processes: every AI interaction is logged, client data is automatically detected and protected, and high-risk AI use triggers additional approval requirements. Most small firms don't need this level of control immediately, but it's where the profession is heading as AI becomes more sophisticated and regulatory expectations evolve.
The honest implementation timeline
Most firms can't and shouldn't attempt to implement comprehensive AI governance immediately. Any vendor telling you otherwise is prioritising a sale over an honest assessment of what your firm actually needs right now.
The minimum tier — a written policy and declaration process — should be in place before you do anything else. It's achievable immediately and provides basic regulatory protection. The middle tier is realistic within a quarter if there's partner-level commitment, and becomes the practical target for most practices. The comprehensive tier is a destination rather than a starting point; it becomes necessary as firms grow, handle more sensitive work, or face increased regulatory scrutiny. Attempting to implement enterprise-grade AI governance in a fifteen-person practice is likely to create more friction than value. The key is starting with what's achievable and building systematically — the SRA will expect you to demonstrate that you've taken reasonable steps appropriate to your firm's size and client base. Perfect governance on day one isn't the standard; reasonable and improving governance is.
Shadow AI is already in your firm. The question is whether you'll manage it proactively or wait for it to become a regulatory problem. The tools exist to make AI use visible and compliant with professional obligations, but they require acknowledgement that the technology is here and implementation of appropriate controls.
If you'd like to see how proper AI governance works in practice, you can try our platform with your own documents. The trial is at taylinai.com/signup — 30 days, no credit card required.
Jason Taylor has spent 30 years building and securing infrastructure for regulated organisations — from the Bank of England and HBOS Treasury to government departments and Lloyd's market insurers.