
Client Confidentiality in the Age of AI Agents: A New Duty of Care

Shireen Stephenson, published June 29, 2026
What to Know Before You Read
  • AI agents can reuse context across client boundaries if not explicitly scoped, creating exposure that traditional “ethical walls” don’t cover. 
  • When client data passes through a third-party platform as part of an agentic workflow, firms may face arguments that attorney-client privilege has been weakened or waived, even if no disclosure was intended. 
  • Courts have already sanctioned attorneys for submitting unverified AI-generated citations, signaling tightening expectations around AI oversight (Mata vs. Avianca). 
  • As agentic AI usage grows, firms bear increasing responsibility to demonstrate oversight, auditability, and reasonable care. 
  • If you don’t know which tools your attorneys are authenticating into, you lack both visibility and control over where client data can flow. 
  • Enterprise AI governance doesn’t begin with tracking downstream AI actions but with controlling and documenting where access is granted. 
  • Every downstream risk starts with a login. LastPass operates as a top-layer governance control, giving you visibility into every SaaS and AI tool your attorneys are logging in to. With LastPass, you have a defensible record of how AI tools entered your environment and who has the ability to use them. 
Protecting client confidentiality in the age of AI agents requires more than a data handling policy. You want to know what your AI tools can access, what they do with that access, and whether a human can explain every significant action they took. 

What if the belief that you “know where your data lives and who has access” isn’t as solid as you think?

Could your assumption allow a client confidentiality issue to slip through? 

Most law firms have a data handling policy. But very few know whether that policy will hold up with AI agents in the picture. 

If you’re an attorney or run IT for a law firm, you’re likely already familiar with the issue of cross-matter contamination (when agents maintain context across sessions) and you understand the need for an explicit policy on agentic AI usage.

To support your efforts, this article walks through what reasonable care requires right now and how to document that it has been met.

What makes agentic AI different from the AI tools your firm already uses?

Agentic AI can take autonomous, multi-step actions across platforms without human review, unlike AI chatbots that merely return output for you to act on.

Are small and mid-sized law firms using AI in 2026?

The answer is yes. 

According to the 2025 State of Law report:

  • 53% of small law firms and solo practitioners have integrated gen AI into their workflows, up from 27% in 2023.

Clio’s 2026 report on Legal Trends for Mid-Sized Law Firms says:

  • AI has enabled 43% of solo practices and 65% of mid-sized firms to take on higher volumes of work.

Many of these firms have adopted legal-specific AI tools like Clio for document review, court calendaring, case prep, contract review, and legal research.

But even widely trusted tools like Clio are largely prompt-driven and output-returning (not action-executing). The real shift in risk comes when firms move beyond the chatbot model into a true agentic system.

Ethical walls in the age of AI

Ethical walls are controls designed to prevent confidential information from one client matter from being accessed, reused, or inferred in another matter.

“There aren’t any guarantees when it comes to AI agents, and there likely won’t ever be guaranteed failsafes. Independent quality control is key. There absolutely needs to be detailed oversight in place. Having very clear AI governance policies is a good starting point.” ~ Martin Gasparian, owner and attorney at Maison Law Modesto. Martin is a business aficionado with a passion for justice. You can connect with him on LinkedIn.

If you’re familiar with agentic AI, you know agents can read emails, search case files, draft and send communications, and execute multi-step workflows with limited involvement from you.

And if you find these capabilities useful, you’re in the tech-savvy minority. According to Bloomberg Law’s 2025 State of Practice, more than 50% of the 750+ attorneys surveyed said they didn’t know what AI agents were.

Meanwhile, another 31% said they were familiar but hadn’t used them. Only about 5% said they had used AI agents “in a professional setting or to perform a work task.”

Tellingly, nearly 32% said they wouldn’t trust agents to responsibly handle any tasks in the next year.

Alex Freeburg, a Wyoming trial lawyer and small business owner who has operated Freeburg Law since 2013, frames the practical concern plainly. You can contact Alex Freeburg here.

"You can't have an agent drafting advice, making recommendations, communicating with clients while keeping clients in the dark about it. They have a right to know who's involved in their case and to what extent. 

And I'd obviously not be very comfortable having AI get into things like settlement decisions, judging witness credibility, or providing any kind of final legal advice. 

I mean, two lawyers could look at the same facts and still reach different conclusions, and that’s how subjective decision-making is, which AI just can’t do right now. 

If you need to explain a decision to a client or judge later and the person defending it is your software, then it's way too involved."

Alex’s caution is well-founded: Agentic AI brings a new category of risk into the picture, one that courts are only beginning to scrutinize.

Which practice area uses AI the most and how is usage happening?

According to the 2025 ABA Legal Industry Report, the practice areas using AI the most are immigration law and personal injury.

  • Immigration law (47%)
  • Personal injury (37%)
  • Civil litigation (36%)
  • Criminal law (28%)
  • Family law (26%)
  • Trusts and estates (25%)

But a significant portion of this usage is happening via personal accounts, which means access is happening outside firm-approved confidentiality safeguards.

This creates a governance problem. If you don’t control how attorneys access these systems, you can’t control where client data flows or prove that you exercised reasonable care. If you aren’t sure which AI tools your attorneys are logging into, LastPass surfaces this. To see what's in your environment, start a free trial.

What new confidentiality risks do AI agents introduce that current legal frameworks weren't designed to handle?

The duty of confidentiality (which covers attorney-client privilege) assumes a human shares info with a known party and “reasonable efforts to maintain secrecy” can be expected across communications, especially if they pertain to client work. 

But an AI agent breaks this assumption in several ways:

  • No identified recipient. AI agents can chain actions through third-party tools and sub-agents, which means sensitive data passes through an invisible trail of platforms.
  • Blurred line between processing and use. If agent interactions are retained to improve models, it’s still unsettled whether this counts as “dissemination” or transient processing. 
  • No clear authorizing party. Agents act autonomously and make their own judgment calls. When something goes wrong, it’s often unclear who’s responsible for the disclosure.
  • Machine-speed cross-region transfers. Agents can route data across borders in milliseconds, raising data localization issues that existing agreements don’t address.

Ron Harper calls this “permission scope drift.” Ron is the founder and owner of OTD Ticket Defenders Legal Services. After more than 20 years as a Provincial Prosecutor in Ontario courts, he’s now in private practice. 

Most AI agents require broad read & write access to function across a firm's files, and that access doesn’t reset between tasks the way a human paralegal's attention does. 

An agent pulling context from a matrimonial file to assist with a corporate matter isn’t doing anything its permissions technically prohibit. 

The problem is that confidentiality rules were built around discrete, purpose-limited disclosures. They don’t account for a system that aggregates context passively across unrelated client matters.

Canadian courts haven’t addressed this directly yet, and firms that haven’t scoped their agents to matter-specific access windows are sitting on exposure without knowing it.

Emma Alves agrees, calling the same phenomenon “inference leakage.” An expert in family law at Alves Law, Emma is experienced in all approaches to resolving family law matters, including negotiation, mediation, arbitration, and litigation. You can connect with Emma here.

When an agentic system is granted broad access so that it can assist across matters, it builds internal context that doesn't get wiped between tasks. 

Your firm's agent can help draft a custody motion while having already indexed financial disclosure documents from a completely different client file it accessed two sessions earlier.

PIPEDA and solicitor-client privilege rules assume a discrete transaction, where you share a document with a named party for a stated purpose. 

Agents don't operate that way. They aggregate and retain info.

And the moment a client's info passes through a third-party vendor's infrastructure as part of that agentic loop, you may face arguments that privilege has been waived, because a third party now touched the communication. Canadian courts haven’t ruled on this yet, but this gap is where firms are going to get caught.

Riley Beam, the Managing Attorney for Douglas R. Beam, P.A., a firm that specializes in negligence litigation, warns that vendor liability is limited. You can connect with Riley on LinkedIn.

"Almost all vendors providing AI products contain clauses limiting their liability to $500-$1,000. If AI creates millions of dollars in damages and the contract with the vendor limits their liability to a few hundred dollars, your firm may have to pay nearly all of the damages from the loss.

Firms often attempt to challenge this limitation in court, arguing that it’s unreasonable or that the AI vendor knew of a serious flaw in the software. 

Unless you can prove the developer knowingly concealed a fatal, systemic defect in their algorithm, judges treat this as a standard business risk you willingly accepted."

What does "reasonable care" actually require when AI agents are involved?

Reasonable care when AI agents are involved requires shifting from one-time disclosure agreements to ongoing, system-level diligence. This means vetting and monitoring the agent’s full chain of tools (and sub-tools) and decision-making privileges.

Harrison Jordan is direct on this. Harrison is the Founder and Managing Attorney at Substance Law.

“Reasonable care includes explicit supervision guidelines, clearly marked checkpoints for review of AI-generated materials before passing to clients or using as evidence in court, and careful records of which lawyers have been entrusted with reviews. 

Firms that can’t tell "what was reviewed, and who performed reviews before sending out" are holding significant liability risks, not accounted for by their malpractice insurers.”

"The standard of reasonable care has always been determined by what a competent practitioner would do, and as AI agents juggle multistage legal workflows, competence will require not only the knowledge of the AI agent’s actions but also the ability to explain them in court."

Emma Alves lays out the documentation standard regulators will be looking for:

"Law firms must demonstrate documented, use-case-specific oversight to satisfy reasonable care, and right now most can’t. Law Societies in both Alberta and Ontario have issued guidance making clear lawyers bear personal responsibility for any AI-assisted work product...

So, law firms using AI to draft separation agreements carry a different duty than those using it only for legal research summaries. 

The former carries direct client harm if it contains errors. Courts and regulators are going to want to see that you identified the risk category of each use, assigned a named reviewer, and kept records of that review. Vague 'we always double-check' policies won't hold up when a filing contains a hallucinated citation and opposing counsel catches it first."

Riley Beam agrees on the documentation standard:

“Firms require records demonstrating confidence levels and sources, as well as logs that allow a human to verify the AI's output has been validated. Failure to maintain these records creates significant challenges in establishing a reasonable standard of care.”

Robert Tsigler, whose firm is top-rated for criminal defense in NY, lays out the steps to ensure duty of care. You can connect with Robert on LinkedIn. 
 
The standard of care requires continuous monitoring of autonomous systems. 

  • Partners must audit underlying datasets and operational parameters every ninety days for compliance. 
  • Legal teams should test autonomous software with mock patterns before deployment.
  • Firms must restrict autonomous tools to basic tasks like automated document formatting. 
  • Supervising attorneys need to establish hard caps preventing external data transmissions without approval. 
  • Technical administrators should run weekly scans to detect leaks within twenty-four hours.

Documenting these strict operational limits provides clear evidence of responsible data management.

Finally, Ron Harper shares the consequences of audit failures:

“The question a regulator or opposing counsel will ask won’t be "Did you review the AI output?" but "Can you show me who reviewed it, on what date, and against what standard?"

I’ve watched paralegals in traffic courts submit AI-drafted disclosure requests that cited the wrong provincial statute, and the file showed no review steps at all. That’s a supervision failure, and Law Society disciplinary panels treat it accordingly.”

Looking for a TL;DR reasonable care checklist? Here it is:

  1. Document what each AI tool can access and what actions it can take autonomously.
  2. Scope agent access to matter-specific windows, not org-wide read & write permissions.
  3. Assign a named human reviewer to every AI-assisted work tool.
  4. Maintain audit logs that can be shared with courts or regulators.
  5. Verify whether your AI vendor uses client data to train or improve its models.
  6. Test systems with mock scenarios before full deployment.

Alan Heimlich, President of Heimlich Law and an attorney with 20+ years of experience in intellectual property law, broadens the checklist from legal governance to security governance.

"The actual risk is in terms of identity permissions and out-of-control data pipes. Every agent should have its own credentials. 

Shared logins create a mess for investigations and undermine accountability. Every agent that can send email, approve spending, change code, access customer files, or sign into third-party platforms must have a hard permission boundary and must require human approval prior to any external or irreversible action. 

Issues of data retention, model training, notice of breach, and the ownership of outputs should all be handled in vendor contracts, as security risk easily turns into IP risk when an agent is involved in the creation of inventions, source code, or confidential business plans."
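The checklist above and Alan Heimlich's three conditions (credentials of its own for every agent, a hard permission boundary, and human approval before any external or irreversible action) can all be enforced at a single choke point between the agent and its tools. The following Python is an added illustration, not code from this post, from LastPass, or from any firm quoted here. The agent ids, matter ids, tool names, the "matter id as first path segment" resource convention and the approver address are constructed assumptions.

```python
"""
Matter-scoped gateway between an AI agent and the tools it calls.
Added illustration, not code from the LastPass post or any vendor. Agent
ids, matter ids, tool names and the approver address are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import json

# Tools whose effect leaves the firm or cannot be undone. Constructed set.
EXTERNAL_OR_IRREVERSIBLE = {"send_email", "file_with_court", "delete_document"}


@dataclass(frozen=True)
class AgentScope:
    agent_id: str               # the agent's own identity, never a shared login
    matter_id: str              # the single matter this agent may touch
    allowed_tools: frozenset    # tools it may call at all
    expires: datetime           # the access window closes here


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AgentGateway:
    """Every tool call passes through here and is logged, allowed or not."""

    def __init__(self) -> None:
        self.audit_log: list = []

    def call(self, scope: AgentScope, tool: str, resource: str,
             now: datetime, approver: Optional[str] = None) -> Decision:
        # Resources are matter-qualified, e.g. "MATTER-2026-017/affidavit.pdf".
        # Assumption for this example: the matter id is the first path segment.
        resource_matter = resource.split("/", 1)[0]
        if now >= scope.expires:
            decision = Decision(False, "access window expired")
        elif tool not in scope.allowed_tools:
            decision = Decision(False, f"tool {tool} not in scope")
        elif resource_matter != scope.matter_id:
            decision = Decision(False, f"cross-matter access refused: {resource_matter}")
        elif tool in EXTERNAL_OR_IRREVERSIBLE and approver is None:
            decision = Decision(False, "external or irreversible action needs a named approver")
        else:
            decision = Decision(True, "within scope")
        # Who, what, when, against which matter, and who approved: the record
        # a firm can later show a regulator or opposing counsel.
        self.audit_log.append({
            "ts": now.isoformat(),
            "agent": scope.agent_id,
            "matter": scope.matter_id,
            "tool": tool,
            "resource": resource,
            "approver": approver,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for sharing outside the firm."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def run_demo():
    """Constructed scenario: one agent, one matter, a two-hour access window."""
    now = datetime(2026, 6, 29, 9, 0, tzinfo=timezone.utc)
    scope = AgentScope(
        agent_id="agent-custody-drafter-01",
        matter_id="MATTER-2026-017",
        allowed_tools=frozenset({"read_document", "draft_document", "send_email"}),
        expires=now + timedelta(hours=2),
    )
    gw = AgentGateway()
    results = [
        # in-scope read of the assigned matter
        gw.call(scope, "read_document", "MATTER-2026-017/custody_affidavit.pdf", now),
        # the cross-matter case: another client's financial disclosure
        gw.call(scope, "read_document", "MATTER-2026-004/financial_disclosure.pdf", now),
        # an external action with no human approver is held
        gw.call(scope, "send_email", "MATTER-2026-017/draft_motion.docx", now),
        # the same action with a named attorney approving it goes through
        gw.call(scope, "send_email", "MATTER-2026-017/draft_motion.docx", now,
                approver="reviewing.attorney@example.com"),
        # after the window closes nothing is allowed, not even an in-scope read
        gw.call(scope, "read_document", "MATTER-2026-017/custody_affidavit.pdf",
                now + timedelta(hours=3)),
    ]
    return gw, results


if __name__ == "__main__":
    gateway, decisions = run_demo()
    for d in decisions:
        print("ALLOW" if d.allowed else "DENY ", d.reason)
    print(gateway.export_jsonl())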

Can improper AI use waive attorney-client privilege?

In some circumstances, yes. But there are nuances to consider.

ABA Formal Opinion 512 states that inputting client data into free or consumer-grade AI can breach Rule 1.6. This, however, was issued in 2024, when the chatbot model was predominant, not in 2026, with autonomous agents having persistent cross-session memory.

Improper AI use actually creates two separate legal exposures, and courts are addressing them differently. 

**Important legal note**

The legal treatment of AI-assisted workflows, including privilege, confidentiality, and supervision duties, varies by jurisdiction. The examples discussed below reflect emerging case law and should be understood as directional rather than definitive standards.

The first is privilege waiver, whether client data passing through an AI platform breaks the confidentiality that protects attorney-client communications. This is evolving across jurisdictions.

The second is competence liability, whether failure to supervise AI output constitutes sanctionable conduct.

Attorney Jesse Danoff discussed a recent privilege case. 

Jesse Danoff is a Managing Partner at Mitchell & Danoff, a personal injury law firm. 

“There was a recent case in the Southern District of New York, ruling that communications with Gen AI platforms weren’t protected under attorney-client privilege, because there couldn’t be any reasonable expectation of confidentiality [with such platforms]. 

This case involved a non-lawyer communicating with the platform and trying to get legal advice from it. 

The natural follow up question to this case is "What happens if it’s a lawyer communicating with the platform about a client's case?" I would be very surprised if the District Court doesn’t rule this type of communication as privileged attorney work-product.

Currently, courts seem to favor holding the deploying firm responsible and have been adopting agency law (treating the rogue AI like an employee doing the company's bidding) or general negligence for failure to train or supervise.”

The case Danoff is referencing is United States versus Bradley Heppner (25 Cr. 503 (JSR)).

The court held that a criminal defendant’s chats with a gen AI platform “in connection with a pending criminal investigation” weren’t protected by attorney-client privilege.

The ruling is significant, but limited. 

It involved a non-lawyer interacting with an AI chatbot but doesn’t definitively resolve how privilege applies when attorneys feed client data into AI tools or to agents.

For the other risk (whether courts will sanction attorneys for AI competence failures), it’s clear that lawyers are increasingly being held responsible for confirming the legal authorities they cite actually exist.

In April 2026, The Guardian reported on AI hallucinations in a major filing by elite Wall Street firm Sullivan & Cromwell. 

In a letter to the court, Sullivan & Cromwell insisted it maintains “comprehensive policies and training requirements governing the use of AI tools in legal work.”

However, those policies weren’t followed, and a secondary review process also didn’t “identify the inaccurate citations generated by AI.”

In a similar case (Mata vs. Avianca), a NY federal judge actually sanctioned attorneys for submitting “legal rulings” ChatGPT had made up.

The takeaway is clear:

  • Even firms with AI policies face risk without auditability.
  • Courts are addressing AI-related risk in three ways: sanctions for misuse, scrutiny of internal controls, and emerging questions around privilege.

Taken together, these cases show a clear pattern: Expectations are increasing faster than formal guidance.

I talked to three attorneys who offered their unique perspectives: Joanna Smykowski (Custody X Change), Michael McCready (McCready Law) and Adam Dayan (Consumer Law Group).

Joanna Smykowski is a law expert at Custody X Change. You can connect with Joanna on LinkedIn.

“The aspect that concerns me the most is confidentiality and attorney-client privilege. In family law and disability law cases, client data is highly sensitive, as it may involve a person's medical history, parenting practices, financial data, and diagnoses. 

For law firms handling sensitive matters (family law, disability law, and child welfare cases), my recommendation is obvious: Don't use consumer AI tools to process confidential materials. The difference between free chatbots and enterprise solutions with proper confidentiality agreements can’t be considered a matter of taste. It’s a matter of duty of care.

In family law, a mistake may result in losing custody of a child or missing deadlines for receiving disability benefits, so the division of responsibility matters a lot. 

I expect more Bar Associations to issue more detailed guidance on when AI can be used, what should be disclosed to clients, what level of human oversight is required, what should be explained to clients about such use, and how much control is needed over it. 

I also expect enforcement actions against lawyers who rely on AI without properly reviewing its output or disclosing confidential information via insecure platforms.”

Meanwhile, Michael McCready, Founder and Managing Partner of McCready Law and a member of the AI Advisory Board at WashU Law School, identifies the gap between how attorneys and security professionals handle AI risk. You can connect with Michael on LinkedIn.

"One major challenge is that attorneys and security professionals often focus on different risks. Attorneys are concerned with attorney-client privilege, confidentiality, contracts, liability, and professional duties. 

Security professionals focus on access controls, system weaknesses, cyberattacks, and data breaches. These groups must communicate and work together. AI tools change quickly, and employees may use new ones that haven't been properly reviewed or approved. Clear written policies, training, and strong communication are essential."

Finally, Adam Dayan, Founder of Consumer Law Group, states the pre-use diligence requirement plainly. You can connect with Adam on LinkedIn.

"To maintain confidentiality and ultimately attorney-client privilege, attorneys must determine where the information goes, how it will be stored, how it can be used, and if the information could be used to train future AI models before uploading their documents and communicating with clients via AI tools."

As of 2026, 31 state bars have already issued AI guidance (note ABA Formal Opinion 512 Rules 5.1 & 5.3 on supervision). 

The biggest shift is the California Supreme Court directing the State Bar to specifically address agentic AI usage. 

The key takeaway: Don’t wait for your bar association to issue formal guidance before putting the necessary internal controls in place.

How can your firm's IT or operations team gain visibility into which AI tools attorneys are actually using?

Visibility into attorney AI tool usage starts with browser-level discovery. 

In 2026, 68% of employees are using unauthorized AI tools at work.

If you run a law firm, that means your attorneys and paralegals could be uploading client data to consumer tools that have no data processing agreement with your firm, audit trail, or enforceable confidentiality guarantees.

Worse, shadow AI tools have an average security score of just 68 out of 100, well below what any regulated firm should accept.

As can be expected, the consequences aren’t pretty: Nearly 80% of IT leaders say their organization has already experienced negative outcomes from employee use of Gen AI, including leaking sensitive data into AI tools.

Stephanie Schneider, Senior Cyber Threat Intelligence Analyst at LastPass, describes what the audit trail requirement means in practice. You can read Stephanie’s threat intelligence reports here and also connect with her on LinkedIn.

"Knowing what your agent did, how it got there, and why it had access is the foundation of responsible AI deployment. A firewall monitors who gets in, whereas an audit trail tells you what happened once something is already inside. 

For agentic AI, that second layer is where the real risk is and where SMBs may be the most exposed. Two agents can produce the same output through completely different paths, one safe and one not. 

If you only monitor what the agent delivered, you might approve a result that was reached by touching systems it had no business accessing." 

Stephanie also connects the regulatory stakes directly to the tools firms are already using: 

"Regulatory frameworks like HIPAA and PCI-DSS don't distinguish between a human and an agent when sensitive data is touched. 

And many incidents won't be malicious at all. It could look like an agent pulling the wrong file or over-sharing in a summary. 

The audit trail matters equally for compliance, for diagnosing accidents, and for detecting threats. 

Access to AI tools, connectors, memory stores, and enterprise data sources should be limited by role and need; data classification and role-based access controls are essential guardrails."
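Stephanie Schneider's point that two agents can reach the same output by different paths is what makes output-only review insufficient. The Python below is an added illustration, not code from this post or from LastPass: it reviews a constructed audit trail by the path each run took, checking every read against the run's assigned matter and against a role-based classification policy, and only then groups runs by what they delivered. The log format, role names, classification labels, resource names and output hashes are all constructed assumptions.

```python
"""
Path-based review of an agent audit trail. Added illustration, not code
from the LastPass post or any vendor. The log format, role policy,
classification labels and the two runs below are all constructed.
"""
import json
from collections import defaultdict

# Which data classifications each agent role may read. Constructed policy.
ROLE_CAN_READ = {
    "research-summarizer": {"public", "internal"},
    "drafting-assistant": {"public", "internal", "client-confidential"},
}

# Classification of each resource; in a real firm this comes from a data inventory.
CLASSIFICATION = {
    "library/family_law_digest.txt": "public",
    "MATTER-2026-017/hearing_schedule.ics": "internal",
    "MATTER-2026-017/custody_affidavit.pdf": "client-confidential",
    "MATTER-2026-004/financial_disclosure.pdf": "client-confidential",
}

# Two constructed runs that deliver the same output by different paths.
SAMPLE_LOG = """\
{"run": "r1", "agent": "agent-sum-01", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "read", "resource": "library/family_law_digest.txt"}
{"run": "r1", "agent": "agent-sum-01", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "read", "resource": "MATTER-2026-017/hearing_schedule.ics"}
{"run": "r1", "agent": "agent-sum-01", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "deliver", "output_sha256": "constructed-hash-0001"}
{"run": "r2", "agent": "agent-sum-02", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "read", "resource": "library/family_law_digest.txt"}
{"run": "r2", "agent": "agent-sum-02", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "read", "resource": "MATTER-2026-004/financial_disclosure.pdf"}
{"run": "r2", "agent": "agent-sum-02", "role": "research-summarizer", "matter": "MATTER-2026-017", "event": "deliver", "output_sha256": "constructed-hash-0001"}
"""


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_trail(text: str) -> dict:
    """Return, per run, every read the path review objects to (empty list = clean)."""
    findings = defaultdict(list)
    for e in parse_log(text):
        findings.setdefault(e["run"], [])   # a run with only clean events still appears
        if e["event"] != "read":
            continue
        res = e["resource"]
        # 1. Matter boundary: a matter-qualified resource must belong to the run's matter.
        #    Assumption for this example: the matter id is the first path segment.
        res_matter = res.split("/", 1)[0]
        if res_matter.startswith("MATTER-") and res_matter != e["matter"]:
            findings[e["run"]].append(f"cross-matter read: {res}")
        # 2. Role boundary: the role must be allowed the resource's classification.
        cls = CLASSIFICATION.get(res, "unclassified")
        if cls not in ROLE_CAN_READ.get(e["role"], set()):
            findings[e["run"]].append(f"{e['role']} read {cls} data: {res}")
    return dict(findings)


def runs_by_output(text: str) -> dict:
    """Group runs by the hash of what they delivered (what output-only review sees)."""
    groups = defaultdict(list)
    for e in parse_log(text):
        if e["event"] == "deliver":
            groups[e["output_sha256"]].append(e["run"])
    return dict(groups)


def approvable_runs(text: str) -> dict:
    """Path review approves only runs with no findings, identical output or not."""
    return {run: not issues for run, issues in review_trail(text).items()}


if __name__ == "__main__":
    for run, issues in review_trail(SAMPLE_LOG).items():
        print(run, "clean" if not issues else issues)
    print(runs_by_output(SAMPLE_LOG))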

Is your firm prepared to demonstrate compliance before it's required?

The firms that build documented AI governance before bar associations formalize standards will be in a stronger position than those reacting after an enforcement action or malpractice claim. The key questions to ask now are:

  • Have you documented what each AI tool in use can access and what it can do autonomously?
  • Are your agents scoped to matter-specific access or granted org-wide permissions?
  • If a client asked tomorrow which AI tools were used in their case, could you answer?
  • Do your vendor contracts include contractual guarantees that client data won't be used for model training?

These questions don’t map to a single control or tool.

They span multiple layers of AI governance:

  • Discovery and access (what tools are in use)
  • Permissions (what those tools can reach)
  • Oversight (how outputs are reviewed)
  • Documentation (what records exist after the fact)

While not every failure starts at the same point, every risk discussed so far (privilege exposure, cross-matter leakage, and supervision failures) has a common upstream dependency: Access.

Meaning, every downstream risk starts with a login, before questions of review or documentation come into play.

If you can’t answer which AI tools are being used, who is using them, and how those tools are accessed, then you can’t demonstrate reasonable care, regardless of downstream review processes.

This is where identity and access governance becomes foundational. 

Before you can enforce ethical walls, you need visibility into how AI tools enter your environment in the first place.

This is the layer where LastPass operates, allowing you to:

  • Surface which AI apps are being accessed
  • Standardize how credentials are managed
  • Create a verifiable record of tool usage across your firm

This doesn’t replace review workflows or matter-specific controls.

But it addresses a prerequisite those controls assume: Continuous Visibility.

If you aren’t sure which AI tools are already in your environment, that's what LastPass surfaces. And unlike CASB or DLP tools that traditionally require network-level deployment and heavy configuration, LastPass gives you browser-level AI tool visibility as a native extension. 

Start a free trial now; most firms have a clear picture of their AI tool footprint within the first session.

Sources

The Guardian. AI Hallucinations Found in High-Profile Wall Street Law Firm Filing (2026)

U.S. Courts and Regulators Grapple With Liability for Autonomous AI Agents (2026)

Who Is Legally Responsible When An AI Agent Causes Harm (2026)

Who Is Legally Liable When an AI Agent Makes a Mistake? (2026)

Agentic AI: Who Is Responsible for the Actions of an AI Agent? (2026)

Forbes. When AI Agents Act, Who is Liable? (2026)

Via its SaaS Monitoring capability, LastPass automatically discovers the apps employees log into through the browser, including AI tools they may not have disclosed to IT.  

You can see usage frequency, login method, and credential security status across your team without manual audits or employee surveys.

Your firm absorbs the remaining exposure. Courts generally uphold commercial liability caps unless the vendor knowingly concealed a systemic defect.  

The practical solution is to vet vendors carefully, require contractual guarantees that client data won’t be used for model training, and maintain your own access controls and audit trails independent of vendor commitments. 

A chatbot tool returns output a human can review before acting on.  

In contrast, an agent can act autonomously to send emails, execute tasks, or access files across multiple platforms. 

The duty of care for agents is higher because the locus of risk has moved from what the AI says (chatbot) to what the AI does and how it handles client data (agent).  

Courts are beginning to treat AI agent governance as an obligation, not just a technology choice; ABA Formal Opinion 512 Rules 5.1 & 5.3 concern action and access, not just output quality.

Attorney Alex Freeburg identifies conflict checks, settlement decisions, witness credibility assessments, and final legal advice as tasks that require judgment AI can’t currently replicate. 

"Two lawyers could look at the same facts and still reach different conclusions; that's how subjective decision-making works, which AI just can't do right now.”

Most bar associations have issued initial guidance, and enforcement actions are widely expected to increase.  

According to attorney Joanna Smykowski: "I consider that such guidelines will become both inevitable and necessary."  

The firms that build documented governance before requirements are formalized will be better positioned to navigate risk and less likely to be the test cases that define the standard.
