Shadow AI Guide for Law Firms
64% of attorneys at 2-9 person firms use ChatGPT, mostly on consumer-tier accounts where the firm has no visibility, no audit log, and no way to enforce confidentiality controls. This is the shadow AI problem.
This guide covers the risk tiers of common AI tools and what each means for your firm's confidentiality obligations under Rule 1.6.
Admin APIs covering enterprise-tier accounts are blind to personal ChatGPT Plus, Claude Pro, and Gemini Advanced accounts. The only way to reach consumer-tier usage is a browser extension or attestation-based self-reporting. See the Packet for how we handle this.
AI Tool Risk Tiers
| Tool | Tier | Confidentiality Risk | Notes |
|---|---|---|---|
| ChatGPT Free / Plus | Consumer | High | OpenAI may use inputs to train models unless opted out. No admin visibility. Cannot confirm attorney-specific data handling. |
| ChatGPT Team | Team | Medium | OpenAI does not train on Team inputs by default. No admin API access. Better than Free/Plus but still no audit log. |
| ChatGPT Enterprise | Enterprise | Lower | Admin console available. OpenAI Compliance API available (March 2026). SOC 2 Type II. 20-seat minimum. |
| Claude Pro | Consumer | High | Anthropic may use inputs for training. No admin visibility. Consumer terms. |
| Claude Enterprise | Enterprise | Lower | Compliance API available (Feb 2026). Admin visibility. 20-seat minimum self-serve. |
| Gemini Advanced | Consumer | High | Google consumer terms. No admin visibility. |
| Gemini for Workspace | Enterprise | Lower | Admin SDK Reports API available. 180-day log retention. |
| Microsoft Copilot Pro | Consumer | High | Consumer terms. No admin log access. |
| Microsoft Copilot (M365) | Enterprise | Lower | Requires M365 E3/E5 for full audit log. aiInteractionHistory API available for content capture. |
What to Do Right Now
- Survey which AI tools your attorneys and staff are actually using. Include personal accounts.
- Categorize each tool as approved, permitted with restrictions, or prohibited.
- For any consumer-tier tool: either prohibit it or obtain client consent under Rule 1.6.
- Document your tool decisions in your written AI policy.
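The four steps above, survey, categorize, decide, document, can be carried out as one pass over the survey results. The script below is an added example, not part of this guide or any vendor's tooling: it encodes the Tier column of the table above, reads a constructed survey (the user names, the "Acme LegalBot" entry and the CSV layout are made up for illustration), maps each reported tool to approved, permitted with restrictions, or prohibited, flags a tool the table does not cover for manual review, and emits one line per tool for the written AI policy. The function names (triage, decide, summarize, policy_lines) are this example's own. It cannot verify that Rule 1.6 client consent exists, so every consumer-tier tool lands in "prohibited" with the consent path stated in the reason.

```python
"""Shadow AI survey triage for a small law firm (added example, not the guide's own code)."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Tier column of the guide's risk-tier table, keyed by tool name as written there.
TIER_TABLE = {
    "ChatGPT Free / Plus": "Consumer",
    "ChatGPT Team": "Team",
    "ChatGPT Enterprise": "Enterprise",
    "Claude Pro": "Consumer",
    "Claude Enterprise": "Enterprise",
    "Gemini Advanced": "Consumer",
    "Gemini for Workspace": "Enterprise",
    "Microsoft Copilot Pro": "Consumer",
    "Microsoft Copilot (M365)": "Enterprise",
}

# Constructed survey responses (hypothetical users and a hypothetical unlisted tool).
# client_data = the respondent reports entering client matter content into the tool.
SURVEY_CSV = """user,tool,account,client_data
asmith,ChatGPT Free / Plus,personal,yes
bjones,ChatGPT Enterprise,firm,yes
cdoe,Claude Pro,personal,no
dlee,ChatGPT Team,firm,yes
elim,Acme LegalBot,personal,yes
"""


@dataclass
class Finding:
    user: str
    tool: str
    tier: str          # "Consumer", "Team", "Enterprise" or "Unknown"
    decision: str      # approved / permitted with restrictions / prohibited / review
    urgent: bool       # consumer-tier tool that already holds client content
    reason: str


def decide(tier: Optional[str]):
    """Map a tier to the guide's policy buckets; unlisted tools go to manual review."""
    if tier is None:
        return "review", "tool not in tier table; assess its terms before deciding"
    if tier == "Consumer":
        return ("prohibited",
                "consumer terms, no admin visibility; allowed only with documented Rule 1.6 client consent")
    if tier == "Team":
        return ("permitted with restrictions",
                "inputs not used for training by default, but no audit log")
    return "approved", "enterprise tier with admin visibility and audit log"


def triage(survey_csv: str) -> List[Finding]:
    """Step 1 and 2: read the survey and categorize every reported tool."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        tier = TIER_TABLE.get(row["tool"].strip())
        client_data = row["client_data"].strip().lower() == "yes"
        decision, reason = decide(tier)
        # Highest priority: client matter content already sitting in a consumer-tier tool.
        urgent = tier == "Consumer" and client_data
        findings.append(Finding(row["user"].strip(), row["tool"].strip(),
                                tier or "Unknown", decision, urgent, reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count of reported tool uses per decision bucket."""
    counts = {}
    for f in findings:
        counts[f.decision] = counts.get(f.decision, 0) + 1
    return counts


def policy_lines(findings: List[Finding]) -> List[str]:
    """Step 4: one decision line per tool for the written AI policy appendix."""
    by_tool = {}
    for f in findings:
        by_tool.setdefault(f.tool, f)
    return [f"{tool}: {f.decision} ({f.reason})" for tool, f in sorted(by_tool.items())]


if __name__ == "__main__":
    results = triage(SURVEY_CSV)
    for f in results:
        flag = "URGENT " if f.urgent else ""
        print(f"{flag}{f.user}: {f.tool} [{f.tier}] -> {f.decision}")
    print(summarize(results))
    print("\n".join(policy_lines(results)))
```

Replace SURVEY_CSV with the firm's actual survey export; the "review" bucket is where tools outside the table above end up, which is the cue to check the vendor's consumer versus enterprise terms before writing them into the policy.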
Tool tier information verified 2026-04-23. API availability may change.