 of a solicitor facing regulatory investigation after uploading client documents into ChatGPT is not an isolated incident. It is a visible symptom of a broader structural issue unfolding across highly regulated industries.

Legal professionals operate under strict duties of confidentiality, and yet the tools reshaping their workflows are being adopted faster than governance and operational controls can keep pace.

The challenge is not whether AI should be used in legal practice. It already is. 

The question is whether firms have meaningful control over how it is used, what data is being shared, and where exposure is being created.

AI Is Already Embedded in Core Legal Workflows

The State of Enterprise AI Usage: The Illusion of Control

, confirms that AI adoption is no longer experimental. According to the survey of 300 senior technology and risk leaders, 

 of organisations report that AI is widely used across teams, and 

 expect usage to increase over the next 12 months.

This is not confined to low-risk functions. The highest concentration of AI usage sits within data analysis, software development, and customer-facing roles, all of which routinely handle sensitive, regulated, or commercially significant data. 

In a legal context, this maps to case strategy, contract drafting, litigation preparation, and client communications.

When a solicitor uploads client material into an AI tool, the action often appears operationally normal. It is simply a prompt or a document upload in the course of drafting or analysis. 

Yet that single action can create regulatory exposure, confidentiality breaches, and long-term data control risks that are difficult to reverse.

The Illusion of Control in the Legal Sector

Across the market, AI adoption is accelerating faster than enforcement. In sectors such as finance and IT, shadow AI levels exceed 

, even where governance frameworks are in place. 

policy maturity does not automatically translate into behavioural control.

Even acknowledging the small sample size, the signal is strong. Where confidentiality is existential and regulatory scrutiny is direct, AI governance maturity accelerates. Legal firms understand that AI risk is not theoretical. It is professional, contractual, and reputational.

Despite universal governance and detection claims, 

 of legal respondents still reported shadow AI.

This raises the question of whether, even in highly regulated professions with strong governance intent, AI usage still finds unmanaged paths. 

Productivity pressure, embedded AI features in SaaS tools, personal accounts, and informal experimentation all create exposure outside approved channels.

Regulatory Accountability and the Shift from Policy to Proof

For solicitors in England and Wales, this is not merely an internal governance issue. 

 holds both individual solicitors and firms accountable for maintaining client confidentiality, acting with integrity, and upholding proper standards of practice. 

If sensitive client material is entered into an external AI system without appropriate safeguards, the regulatory exposure sits squarely with the firm and the individual practitioner.

The regulatory question will not be whether a firm has an AI framework or an AI committee in place. It will be whether the firm can demonstrate:

Policies describe intent. The SRA assesses conduct. This is where 

AI governance defines what should happen. AI Usage Control ensures that behaviour at the point of prompt or upload aligns with that policy. 

It provides visibility into sanctioned and shadow AI usage, applies data-aware guardrails in real time, and generates the audit trail required to evidence compliance.

Legal firms are right to prioritise AI in 2026. The next step is ensuring that control is continuous, measurable, and operational, not assumed.

That is how the illusion of control becomes a defensible reality.

book

In March 2026, CultureAI releases new research: 

The State of Enterprise AI Usage Control: The Illusion of Control.

300 senior leaders in regulated industries

, this report explores enforcement maturity, sector-specific trends, and regulatory readiness in greater depth. 

A regulatory investigation into a solicitor’s use of ChatGPT exposes a wider issue in the legal sector: AI adoption is accelerating, but governance frameworks are failing to control data at the point of use. Here is why policies alone are not enough, and what operational AI Usage Control must look like.

Why Legal AI Governance Must Operate at the Point of Use

Recommended for you

Trouble Brewing - Dissecting a fake homebrew update that stole user data

The Back Room Problem: Why Most Organisations Lack AI Data Visibility

6 Strategic Implications of AI for Security Leaders in 2026