The rise of Claude in legal practice
When Anthropic released Claude 3 and expanded its context window to handle massive documents, the legal sector quietly took notice. For associates tasked with reviewing hundreds of pages of contracts, case law, or discovery materials, Claude's ability to ingest, parse, and summarise entire case files in seconds felt like a superpower.
The problem? Most partners have no idea their associates are doing it.
In our AI discovery audits for professional services firms, we consistently find that Claude is the fastest-growing unapproved tool in the legal sector. While IT departments are busy locking down ChatGPT, associates have simply moved to Claude on their personal devices or private browser tabs.
This unmanaged adoption — Shadow AI — creates a perfect storm for data leakage and regulatory breaches.
The confidentiality risk
The core issue is twofold:
1. Where is the data being sent?
2. What is Anthropic doing with it?
When an associate pastes a confidential contract into the free consumer version of Claude, that data leaves your protected environment. It is processed on third-party servers, often in the United States. Under GDPR and SRA guidelines, sending personal or confidential client data to unauthorized third-party processors without correct safeguards is a severe breach.
Furthermore, many consumer AI tools explicitly state in their terms of service that user inputs may be used to train future models. While Anthropic has generally taken a more privacy-centric stance than some competitors regarding training data, the consumer tier does not offer the same absolute guarantees or zero-retention policies found in enterprise agreements.
If your client's confidential case strategy is processed by a consumer-tier AI model, you may have already breached your duty of confidentiality.
Why blanket bans don't work
Faced with these risks, many managing partners issue a blanket ban on all AI tools. "Nothing leaves our internal servers."
In practice, this simply drives the behavior further underground. Associates who have experienced the productivity gains of using AI to summarize 400-page discovery documents will not go back to doing it manually. They will simply do it off-network, meaning you lose all visibility and auditability.
Instead of banning AI entirely, forward-thinking law firms are taking a managed approach: provisioning safe, enterprise-grade AI tools (which guarantee zero training and compliance with UK data residency) while aggressively auditing to ensure consumer-tier tools aren't being used.
What you need to do today
If you operate a UK law firm, you cannot afford to ignore this. You need to act before a client asks about your AI governance — or before the SRA intervenes.
1. Find out what's really happening
You need to conduct a Shadow AI audit. You must discover exactly which tools your fee-earners are using, on what devices, and what data they are uploading. You cannot secure what you cannot see.
2. Implement a strict AI Acceptable Use Policy
Drafting a bespoke policy is critical. It must explicitly state which versions of tools are allowed (e.g., "Enterprise Claude is approved, consumer Claude is strictly prohibited") and define exactly what types of data can never be entered into any AI system.
3. Train your team
A policy document alone is not enough. You must train your staff on why pasting client data into consumer AI tools is so dangerous. They need to understand the SRA implications, the GDPR risks, and the difference between consumer and enterprise AI.
Stop guessing. Start governing.
Your staff are using AI right now. The question is whether they are using it safely. If you aren't absolutely certain, you need to find out.
At VeratoAI, we specialise in helping professional services firms discover Shadow AI, write robust policies, and train their teams. If you want to get your firm's AI usage under control, book a free 30-minute discovery call with our advisory team today.