RankShield Legal
Citation checker Request access
AI governance

Shadow AI in a Small Firm: Finding the AI Accounts Your Staff Already Opened

Shadow AI is the use of personal, unapproved AI accounts for firm work. In a small firm with no IT department, staff may already be pasting client facts into consumer tools that retain inputs and keep no consent trail, creating a Model Rule 1.6 confidentiality exposure nobody approved. This guide covers how to find those accounts and what to do next.

By Jamie Kloncz, Founder, RankShield 21 min read Published

Shadow AI is the use of personal, unapproved AI accounts for firm work. In a small firm with no IT department, staff may already be pasting client facts into consumer tools that retain inputs and keep no consent trail, creating a Model Rule 1.6 confidentiality exposure nobody approved. This guide covers how to find those accounts and what to do next.

The point of this article is not to alarm anyone. Shadow AI in a small firm is usually not misconduct; it is a paralegal or associate trying to work faster with the tools everyone already uses at home. The problem is that a personal AI account carries no firm oversight, no data-handling agreement, and no record of what was entered into it. This piece walks through two things in order: how a firm without a security team can realistically find the accounts staff have already opened, and how to move that use into a governed, provable process. It is informational and not legal advice.

What shadow AI actually looks like inside a small firm

Shadow AI in a small firm is usually not defiance. It is capable staff reaching for a fast, free tool because no approved alternative and no rule were ever put in front of them.

Shadow AI describes AI tools used for firm work without the firm's knowledge, approval, or oversight. It is the current version of a much older pattern once called shadow IT, where staff quietly adopt unsanctioned software to get their work done [3]. In a solo or small firm, the setting where it takes hold is specific: there is no IT department to approve tools, no security team to monitor usage, and often no written rule saying which AI systems are acceptable. Into that gap, ordinary work pressure does the rest.

The behavior is rarely dramatic. It looks like a paralegal pasting a fact pattern into a consumer chatbot to get a first-draft summary, an associate asking a personal AI account to rewrite a demand letter, or an assistant dropping deposition notes into a free tool to pull out key dates. None of these people set out to break a rule. In most small firms, no rule exists to break. The tool is free, it is already open in another browser tab, and it produces something usable in seconds. That combination of convenience and absent policy is exactly the soil shadow AI grows in.

What makes it a firm-level concern rather than a personal habit is where the information goes. A personal AI account is a contract between the individual and the vendor, not between the firm and the vendor. The firm has no visibility into what was entered, no agreement governing how that data is handled, and no record it could later produce. The work got done, but it left the firm's control on the way through.

Why a personal consumer account is a different risk than an enterprise one

The single most useful distinction for a small firm is the difference between a consumer AI account and an enterprise or business one. They can look almost identical on screen and behave very differently underneath. Consumer tiers of popular AI tools may retain the text you enter and, depending on the account settings and tier, may use those inputs to help improve the underlying model [3]. They generally provide no isolation between one user's data and the vendor's broader systems, and no audit trail the firm could inspect.

Enterprise and business tiers are built for a different buyer and usually carry different terms: contractual commitments about data handling, configuration options to turn off training on your inputs, and administrative controls a firm can actually manage. The gap between the two is not a marketing detail. It is the difference between entering client-related information into a system that treats it as your confidential data and entering it into one whose default settings offer no such protection. Our guide on whether ChatGPT is confidential for lawyers works through the consumer-tier terms in more detail. The table below sketches the contrast at a level a non-technical partner can act on.

ConsiderationPersonal consumer accountEnterprise or business account
Data retentionInputs may be retained by defaultRetention often configurable or limited by contract
Training on your inputsMay be used to improve the model depending on settings and tierCommonly can be turned off or is off by default
Data-handling agreementIndividual accepts consumer termsFirm negotiates or accepts business terms
Firm oversightNone; account belongs to the personAdministered and monitored by the firm
Record for later proofNo audit trail the firm can inspectAdmin logs and controls available

Terms and settings vary by vendor and change over time. Confirm the current data-handling terms of any specific tool before relying on this general comparison.

RANKSHIELD LEGAL Shadow AI in a Small Law Firm Finding unapproved AI accounts and governing them under Rule 1.6 Rule 1.6 Confidentiality duty shadow AI most directly implicates Op. 512 ABA guidance on inputting client information into AI tools July 20246 steps No-blame discovery process a small firm can run without IT 2026 NC Bar urged a realistic AI policy over an outright ban NC Bar Association RankShield Legal rankshieldlegal.com
Source: ABA Formal Op. 512; NC Bar Association

How a Rule 1.6 confidentiality exposure arises before anyone approves it

Model Rule 1.6 obligates a lawyer to protect information relating to the representation of a client and to make reasonable efforts to prevent its unauthorized disclosure. Entering that information into a third-party AI system is a disclosure to that vendor. ABA Formal Opinion 512, issued in July 2024, addresses this directly: before inputting information relating to a representation into a generative AI tool, a lawyer must evaluate the risk that the information will be disclosed to or accessed by others, and self-learning tools raise the risk that a later prompt could surface an earlier input [1]. Where that risk is present, the opinion indicates the client's informed consent may be required, and that informed consent means an actual explanation of the risk, not boilerplate in an engagement letter [1].

The reason shadow AI is a governance problem, not just a technology one, is the sequence. In a firm with no approved-tool list, the decision to disclose client-related information to an outside vendor is being made by whichever staff member opened the tool, at the moment of use, with no consent step and no record. The firm has effectively delegated a confidentiality judgment it never knew it was delegating. Nobody approved it because nobody was asked.

It is worth being precise about terms here, because they are often blurred. Confidentiality under Rule 1.6 is a professional duty that covers all information relating to the representation, whatever its source. Attorney-client privilege is a distinct evidentiary protection with its own rules about what it covers and how it can be waived. Shadow AI can implicate both, but they are not the same thing, and a discussion of one does not automatically resolve the other. This article focuses on the Rule 1.6 confidentiality exposure, which is the duty most directly and most immediately touched when client-related information is entered into an unapproved tool. For a closer look at the confidentiality question specifically, see our guide on client confidentiality and AI.

1.6 the Model Rule whose confidentiality duty shadow AI most directly implicates

Finding the accounts your staff already opened: a no-blame discovery process

You cannot govern what you have not found. Before writing any policy, a firm needs an honest picture of what is already in use, and the tone of that discovery matters as much as the method. If staff believe the exercise is a hunt for someone to blame, they will understate what they do, and the firm will build its governance on a false map. The goal is an accurate inventory, which means making it safe to tell the truth. The steps below are a practical sequence a small firm can run without a security team.

  1. Ask directly, with amnestyOpen with a plain, no-blame message: the firm wants to make AI use safe and approved, not punish anyone, and needs to know what tools people currently use for work. Framing it as amnesty produces a far more accurate inventory than an audit posture does.
  2. Run a short, honest staff surveyGive everyone a simple form asking which AI tools they use, for what tasks, and on which accounts. Keep it brief and free of judgment so people actually complete it candidly.
  3. Review expenses and card statementsCheck expense reports and firm credit-card statements for AI subscriptions. A recurring charge to a consumer AI service is a concrete signal of a tool in active use.
  4. Check what is connected to firm systemsLook at which third-party applications have been granted access to firm email or document accounts through OAuth authorizations, and review any access logs you have. Connected AI tools show up here.
  5. Consult network signals if you have themIf the firm has browser, DNS, or network logs available, review them for traffic to known AI services. Many small firms will not have this; do not assume a capability you lack.
  6. Write down the inventoryRecord what you found in one place: the tool, who uses it, for what, and on what kind of account. This inventory is the foundation for every governance step that follows.

This process is designed for a firm without dedicated IT staff. Do not overstate the technical reach of a small firm; the survey and the direct conversation usually surface more than the logs do.

Reading the signals a small firm can realistically see

It is worth being candid about what a firm without a security team can and cannot detect, because overselling the technical side of discovery leads to false confidence. The signals most small firms can actually read are administrative, not forensic. Expense reports and credit-card statements are within reach of any firm and reliably catch paid subscriptions. The list of applications connected to your email or document system through OAuth authorizations is usually visible in account settings and catches tools that have been granted access to firm data. These two sources alone often surface most of what matters.

Network-level signals such as browser history, DNS lookups, or firewall logs can reveal traffic to AI services, but many small firms simply do not have these logs, do not retain them, or lack anyone able to interpret them. Presenting network monitoring as the answer would misrepresent what a two-lawyer office can do. The honest position is that the direct conversation and the staff survey typically reveal more than any log a small firm is likely to have, because the most common shadow AI use happens on personal accounts and personal devices that never touch firm infrastructure at all.

That last point is the reason the no-blame framing is not just courtesy. Free consumer accounts on personal phones or home laptops are largely invisible to any technical measure a small firm controls. The only reliable way to learn about them is for the person using them to tell you, which they will only do if telling you feels safe. Discovery in a small firm is therefore more a matter of culture than of tooling, and the firm that treats it that way gets a more accurate inventory.

Why an outright ban usually makes shadow AI worse

A ban with no approved alternative does not end AI use. It moves it onto personal accounts the firm can no longer see, which is the opposite of what governance is supposed to achieve.

A common first instinct, once a firm realizes staff are using unapproved tools, is to ban AI entirely. This tends to backfire. When a firm prohibits AI without offering an approved alternative, the underlying pressure that drove people to those tools does not disappear; the work is still due, and the tool is still one tab away. What changes is that the use goes further underground, onto personal devices and personal accounts where the firm has even less visibility. A ban without an alternative often converts visible, discussable behavior into hidden behavior [3].

A more durable approach, and one increasingly reflected in bar guidance, is to move past the ban toward a realistic policy: give people a small set of approved tools configured for confidentiality, and make those the easy default. The North Carolina Bar Association framed exactly this point in early 2026, arguing that firms need a realistic AI policy rather than a prohibition staff will quietly ignore [2]. The lesson for a small firm is that governance succeeds when the compliant path is also the convenient one. If the approved tool is slower or harder to reach than the consumer app, the policy loses on the merits every busy afternoon.

From discovery to an approved-tool list people will actually use

Once the firm knows what is in use, the first governance step is a short, clear list of approved tools, chosen and configured with confidentiality in mind. For a small firm this does not need to be elaborate. It can be one or two tools on enterprise or business tiers, set up so that inputs are not used to train the vendor's models where that option exists, with the firm administering the account rather than leaving it to individuals. The aim is to give staff a sanctioned way to do the thing they were already doing, so the approved path competes with the consumer app on convenience.

The list is only useful if it is paired with a plain prohibition on using unvetted tools for firm work, and if staff understand the reason rather than just the rule. People follow a policy they understand better than one they merely received. Explaining that a consumer account offers no data-handling agreement and no record, while the approved tool does, turns the rule from an arbitrary restriction into an obvious precaution. This is the same structure covered in more depth in our law firm AI policy guide, applied here to the specific problem of replacing shadow tools.

An approved-tool list also does something the ban cannot: it gives the firm a defined boundary to govern against. Once there is a clear set of sanctioned tools, the firm can reason about what should and should not be entered into them, whether consent is needed, and how to show later that the rule operated. Without that boundary, every one of those questions is being answered ad hoc by whoever opened a tab. Approved-tool gating that ties work to sanctioned systems is one way to make the boundary enforceable rather than aspirational; the point is that governance needs a defined edge before it can do anything else.

A simple data-classification rule staff can follow

An approved-tool list answers which systems staff may use. It does not answer what information they may put into them, and those are separate questions. A tool can be entirely appropriate for general research and entirely inappropriate for client-identifying facts. The bridge between them is a data-classification rule simple enough that a busy paralegal can apply it without stopping to deliberate. Complexity is the enemy here; a rule nobody can remember is a rule nobody follows.

A workable small-firm version sorts information into a few plain categories and matches each to what is permitted. Public or non-sensitive material carries the least friction. Internal firm work product that is confidential but not client-identifying warrants more care. Client-identifying or matter-specific information calls for the most restrictive handling and, where required, informed consent before it goes into any tool. The exact categories should be set with counsel for the firm's obligations, but the discipline is what matters: staff should never have to guess whether a given fact is safe to enter, because the rule already told them.

The reason this rule earns its place is that it targets the precise moment the Rule 1.6 exposure occurs, which is the instant client-related information is typed into a tool. A tool choice made once and a data judgment made every time are different controls, and a firm that has only the first has left the more frequent decision ungoverned. Pairing the approved-tool list with a classification rule closes that gap.

Consent, training, and the limit of a policy that lives in a PDF

Two components complete the governance picture, and both are easy to underweight. The first is consent. Where a matter calls for entering client-related information into an AI tool in a way that requires the client's informed consent, ABA Formal Opinion 512 is explicit that informed consent means an actual explanation of the risk rather than boilerplate language buried in an engagement letter [1]. A small firm should decide, in advance, when consent is needed and how it will be obtained and recorded, so the decision is not improvised mid-matter. The second is training. A short, practical session that shows staff which tools are approved, what the classification rule means, and why the consumer app is off-limits does more to change behavior than a document ever will.

The honest limit worth stating plainly is that a policy is necessary but not sufficient. A PDF in a shared drive is not governance; it is the description of governance. What makes a policy real is that it is monitored and enforced, that staff are trained on it, and that the firm can show it operated when asked. A written rule with no way to see whether people follow it recreates the original problem in a more formal font. The firm still does not know what its staff are entering into which tools; it has only documented that they should not.

This is where the discovery work and the governance work meet. The same no-blame culture that surfaces an accurate inventory is what keeps a policy honest over time, because staff who feel safe telling the firm what they use will keep telling it. Governance in a small firm is less a one-time project than an ongoing conversation supported by clear rules, sensible tools, and periodic checks. For the broader security context these controls sit within, our law firm cybersecurity guide covers the surrounding practices.

Where verifiable attestation fits, and where it does not

Once a firm has an approved-tool list, a classification rule, a consent practice, and training, a further question appears: how would the firm prove, later, that privileged or confidential material stayed inside the approved boundary? A policy tells you what should have happened. Proof tells you what did. This is the gap RankShield works on. RankShield is a security vendor, not a law firm, and nothing here is legal advice. Its approach pairs approved-tool gating, which ties work to sanctioned systems, with privilege-isolation attestation, which is intended to produce a verifiable record that protected material was handled within the approved boundary rather than sent to an unvetted tool.

It is important to be candid about the maturity and the limits of this. The attestation gateway that produces those records is a roadmap item in active development, not a finished product to be represented as already deployed. And even in its intended form, attestation proves a narrow, useful thing: that material was kept within a defined boundary and that a record of it exists. It does not decide the legal question of whether privilege attaches or survives, which remains a matter of law and lawyer judgment, and it does not by itself prevent a waiver. Describing it as proof of isolation, rather than proof of privilege, keeps the claim inside what the evidence supports. Our privilege isolation page explains that boundary in more detail.

The reason this matters for shadow AI specifically is that the entire problem is one of missing records. A personal consumer account leaves no trail the firm can inspect, which is what makes the exposure so hard to see and so hard to answer for. The remedy is not only to route work to approved tools but to make that routing demonstrable, so that if a client or a court asks whether confidential material stayed where it should have, the firm can show a record instead of restating an intention. Adopting any vendor's tooling does not by itself satisfy a professional duty; the duty remains the lawyer's. What good tooling adds is evidence.

Test yourself

Shadow AI governance self-check

A few questions on finding and governing unapproved AI use in a small firm.

  1. 1Why is a personal consumer AI account a different risk than an enterprise one?

    Answer: It carries no firm data-handling agreement, oversight, or audit trail the firm can inspect

    A personal account is a contract between the individual and the vendor, not the firm, so the firm has no data-handling agreement, no oversight, and no record of what was entered.

  2. 2Under ABA Formal Opinion 512, what does informed consent to AI use require?

    Answer: An actual explanation of the risk, not boilerplate

    Opinion 512 indicates informed consent means an actual explanation of the risk rather than boilerplate buried in an engagement letter.

  3. 3What usually happens when a firm bans AI without offering an approved alternative?

    Answer: Use moves onto personal accounts and devices the firm can no longer see

    A ban without an alternative tends to push use further underground onto personal accounts, which is the opposite of what governance aims to achieve.

  4. 4Is confidentiality under Rule 1.6 the same as attorney-client privilege?

    Answer: No, confidentiality is a professional duty and privilege is a separate evidentiary protection

    Confidentiality under Rule 1.6 covers all information relating to the representation; privilege is a distinct evidentiary protection with its own rules on waiver.

Honest self-check. There is no sign-up, and nothing is stored.

Questions answered

Straight answers to the common questions

The questions readers ask about this topic, answered directly. No forms, no sales pitch.

JAMIE KLONCZ · SEO AGENCY NAPLES ONLINE

Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

REQUEST ACCESS →

References

  1. American Bar Association Standing Committee on Ethics and Professional Responsibility. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. https://www.americanbar.org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/
  2. North Carolina Bar Association. Beyond the Ban: Why Your Law Firm Needs a Realistic AI Policy in 2026. January 13, 2026. https://www.ncbar.org/2026/01/13/beyond-the-ban-why-your-law-firm-needs-a-realistic-ai-policy-in-2026/
  3. Falcon Rappaport & Berkman LLP. Why Shadow AI Use by Employees is Creating Hidden Legal Exposure. 2025. https://frblaw.com/why-shadow-ai-use-by-employees-is-creating-hidden-legal-exposure/
Written by

Jamie Kloncz

Founder, RankShield

Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.

More about Jamie →
Try it · Free

Check a citation against live case-law

Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.

Try the citation checker