Bench & Bar May/June 2026
DEFINING THE RISK SURFACES OF NON-AGENTIC GENERATIVE AI VS. AGENTIC AI

With non-agentic generative AI, the risk surface usually clusters around three familiar concerns.

First is data exposure. Lawyers can directly or inadvertently upload confidential client information, attorney-client communications, work product and lawyer strategies, medical records and protected health information, financial records, or proprietary firm information to a public-facing chatbot. This unauthorized and detrimental disclosure is further complicated because the AI service may “train on” this information, making it a part of the AI service’s Large Language Model (LLM), where other users of the AI service could have the information served up to them in response to their own queries (e.g., “Hey, ChatGPT, what’s new with XYZ corporation?”).

A second risk is operational mistakes, which can take the form of hallucinations, confabulations, and simple mistakes in interpretation by a standard generative AI system. There are certain things standard generative AIs don’t like doing (e.g., “Quote me the specific language of the case”), and the risk of mistakes is compounded when the dataset is smaller, as with a small jurisdiction like Kentucky, which is not awash in case law, legal sources, or commentary on the law.

A third risk surface is malicious external action such as prompt injection or model poisoning, where a malicious user uses adversarial prompts to hack information out of the system. But sometimes this can be accomplished by the system receiving an uploaded document from what was thought to be a client or other trusted source, when the document in fact contains hidden instructions that manipulate the model into ignoring system programming limits (i.e., guard rails) or revealing protected information. Models can be affected in ways that create backdoors, introduce biases, or force the generation of unreliable outputs.
These are serious problems, but they are still problems largely confined to the production of text, images, or analytical outputs. With agentic AI, the risk surface becomes larger, deeper, and more dynamic. The first
work or pass agentic AI costs to the client without clarity or consent. Candor under Rule 3.3 is at risk if an agent files, drafts, or supports a submission containing fabricated facts, hallucinated authorities, or distorted record references. Rules 5.1 and 5.3 become critical because agentic AI behaves much more like a “digital associate” or “nonlawyer assistant” than a passive research database and therefore needs more supervision. Rule 5.5 hovers in the background whenever an AI system begins to communicate bespoke legal advice to outsiders and thereby looks like it is independently practicing law.

BRINGING THE RISK SURFACE OF AGENTIC AI INTO FOCUS

To understand why the profession must take these developments seriously, it helps to compare the older generative AI risk surface with the newer agentic one. Consider the following scenarios of AI use in a legal workplace:

SCENARIO 1: A super-smart, amazingly well-read new legal assistant is hired. She stays put in the office. She can be approached multiple times an hour, all day long, to answer questions; do research; write memos, reports, and legal briefs; do analysis on data; and make projections. But she doesn’t do a single thing unless she is asked to. She does not act on her own. She does not go out into the world to talk to clients, witnesses, adversaries, or courts. This scenario is describing a non-agentic generative AI system. We’ve had these systems available to us in law practice for three years now.

SCENARIO 2: You hire a different legal assistant—an AI agent. This one can make decisions on its own, meaning it can autonomously decide what to do to accomplish assignments and figure out the best way to do it. For your own convenience, this agent will be given access to internet sites and perhaps even your accounts on legal research systems.1 An AI agent goes out into the world. It does not have to hang around the office waiting for instructions on the next steps for a project. You can communicate with
an AI agent by text message, through Slack, or through other means you are already using for talking to employees and associates. You are likely to want to give this AI agent access to all client files because it will be most effective and convenient in terms of work efficiency to do so. You may also let the agent take over your own laptop or desktop computer with all of your own personal and work files on it (a practice referred to by the innocuous term of “Computer Use”), and the agent will be able to look into and copy anything on your computer. But here is the part to perk up your ears on: The AI agent will carry out the assigned task on its own, making all the decisions on the first step, second step, third step, etc., until it finishes the task, all without necessarily checking in with you, the human expert in the loop, and waiting for you to approve what it is doing. You will generally (hopefully) build in a final step of human domain expert approval of the agent’s work before it goes out the door to a client, adversary, or the court. But before that final step, you may have decided not to build in checkpoints where a human can observe or control all of the agent’s steps leading to the final work product and completion of the task because such steps slow down the process and take up human lawyer time.

Why will the agentic supported workflow look like Scenario 2? Because it will be very convenient and efficient to let AI agents work that way. You will want to give the AI agent big tasks—the biggest you can think of—to take full advantage of its powers. You could design a task as broad as, “We’ve got a meeting with XYZ client coming up. Read every client file on XYZ. Write a report on the status of all pending matters. Analyze the next steps for all of its pending matters and make recommendations on addressing the issues of these steps. Compile all the discovery and deposition transcripts . . . etc.” I ran out of room here before I ran out of ideas because an AI agent can literally do anything an associate could do—only much faster and without breaks for meals, sleep, vacation, or illness.