Bench & Bar May/June 2026

EFFECTIVE LEGAL WRITING

EXPOSING THE RISK SURFACE OF AGENTIC AI IN THE PRACTICE OF LAW BY PROFESSOR MICHAEL D. MURRAY

L awyers and judges may already be familiar with the first wave of AI in the practice of law: generative AI chatbots that answered questions and performed legal tasks. While the first wave inspired lawyers’ imaginations on how AI could augment and improve the efficiencies of legal practice, it came with the risks that sensitive, confiden tial client information could be pasted into a public model and exposed; the models could confidently produce work product with fabricated case citations; the AIs could generate false summaries of law and legal sources; and these tools catered to attorneys’ temptations to treat fluent machine output as if it were reliable legal analysis. Those risks remain real. But the legal profession is now moving into a second and more dan gerous phase of AI adoption—the shift from passive generative systems to autonomous or semi-autonomous “agentic” systems. That shift changes the risk surface in a fun damental way. The phrase “risk surface” is useful here because it forces us to think beyond whether an AI system gives a wrong answer. In AI security and operations, the risk surface is the full range of points at which a system can fail, be manipulated, or cause harm. In a legal setting, that includes not only

cybersecurity threats and malicious misuse but also ordinary operational failures: an agent taking an unauthorized action, mis using a tool, applying a hidden malicious instruction in a document, or acting far beyond what the lawyer intended. The move from chatbot AI to agentic AI expands the risk surface from information problems to action problems. And once AI can act, not just talk, the ethical implications spread far beyond confidentiality and candor. For traditional generative AI, the risk sur face was comparatively narrow. The central concerns were data exposure, prompt manipulation, and model unreliability. A lawyer might paste confidential client infor mation into a public model and create a Rule 1.6 problem. A malicious prompt might trick the model into bypassing guard rails. A poorly trained or unreliable model might produce bad output. Serious issues, certainly—but still issues largely centered on what the model said. Agentic AI changes that. Agentic systems can plan, call tools, access databases, execute code, navigate websites, interact with other agents, remember prior tasks, and trigger downstream workflows. A legal agent might draft an email, open client files, tap into a

document repository, compare billing records, analyze a litigation file, populate a form, or pass work to another specialized sub-agent. Lawyers will love having their AI minions be able to accomplish all of these tasks—it will help fulfil the efficiencies of AI adoption. But when agents can perform all of these tasks autonomously, taking one step after another to carry out a broad task, the risk surface widens dramatically. Now the legal profession must worry not only about what the system knows or says, but what it is permitted to do, what it can cause other systems to do, and whether anyone truly understands the chain of actions it has triggered. That wider risk surface implicates a broad range of professional duties under the Model Rules of Professional Conduct: Confidentiality under Rule 1.6 remains central, but it is no longer the only or even the primary concern. Competence under Rule 1.1 now includes understanding the operational behavior of AI agents, not just their content-generation limitations. Scope of representation under Rule 1.2 is implicated when an agent goes beyond the client-approved objectives or methods of representation. Fees under Rule 1.5 come into play when lawyers bill for AI-assisted

26 may/june 2026