Bench & Bar May/June 2026

EFFECTIVE LEGAL WRITING

added category is tool and execution risk. Once an agent is connected to application programming interfaces (APIs), plugins, databases, code execution tools, filing workflows, billing systems, or document repositories, the system is no longer merely answering questions. It is taking steps in the world. An agent with permission to retrieve client documents may retrieve the wrong set. An agent with permission to draft and route communications may send the wrong communication to the wrong person. An agent tied into infrastructure or production systems may overwrite data, delete files, misconfigure settings, or trigger cascading errors across platforms. In a law office, that could mean more than a technical glitch. It could mean missed deadlines, destroyed evidence, inadvertent disclosures, unauthorized settlement communications, or corrupted client files.

A second major category is long-term memory misuse. Agentic systems are increasingly designed to retain task history, user preferences, and institutional knowledge over time. That memory can make them more useful. It can also make them more dangerous. An agent that “remembers” prior matters, client preferences, firm templates, or settlement approaches may begin to combine information from different clients’ matters in ways that violate confidentiality, privilege, privacy obligations, or internal ethical screens. A system may surface information from one matter while working on another, or infer patterns about clients that were never meant to be linked together. In a profession built on compartmentalization, confidentiality, and need-to-know access, memory itself becomes a risk vector.

A third risk is cross-agent cascading failure. Many organizations including law firms are moving toward multi-agent systems in which one agent performs intake, another reviews documents, another drafts correspondence, and another routes work or monitors deadlines. This can create efficiency. It can also create amplification of error. A compromise or failure in one agent can nearly instantly propagate through the rest of the workflow. A single injected malware instruction in an email might be passed from an intake agent to a drafting agent and then to a filing or communication agent. A false factual assumption generated by one agent early in a workflow may infect every downstream task. In human terms, one bad associate memo with faulty analysis or mistaken assumptions can mislead one or two of the associate’s supervising partners on a team. In agentic systems, the speed and scale of the propagation of errors could be much greater.

A fourth and especially troubling category is the inability to distinguish data from instruction. Human lawyers generally understand that an email from opposing counsel is data to be analyzed, not an instruction to be obeyed. Agentic systems do not always maintain that distinction. A hidden line in an uploaded document, embedded text in a PDF, or cleverly phrased instruction in an email can be treated by the system not as content to analyze but as a command to execute. In other words, the agent may confuse adversarial input with authorized instruction. For law practice, this is a serious problem. Litigation files, contracts, discovery productions, regulatory communications, and client emails all arrive from outside sources. If an agent cannot reliably separate “things I should read” from “things I should obey,” then the legal workplace has a new and potent attack surface.

These technical and operational risks quickly become legal ethics problems. Imagine an agent reviewing discovery material that contains a hidden prompt directing the system to ignore privilege markers and export all responsive communications to an external platform. Imagine a bankruptcy agent connected to claims data and creditor lists that autonomously decides to use an external analytics tool with insecure settings. Imagine a litigation support agent that calls a calendar API and changes deadlines based on a misread docket event. These are not science-fiction hypotheticals. They are exactly the kinds of mistakes that become possible when systems are given initiative, memory, and tool access.

There also is the increasingly important phenomenon of Shadow AI. Lawyers, like other professionals, are bringing AI tools into the workplace on their own and using them to do legal work unbeknownst to and without the supervision or approval of the firm’s IT and cybersecurity team. A partner may experiment with a browser-based AI agent at home and then use it on a firm laptop. An associate may copy client documents into a public chatbot because the approved internal system is slower or less convenient. A staff member may use an unapproved AI plugin to summarize contracts or draft email responses. Shadow AI is dangerous not simply because it is untested or unauthorized. It is dangerous because it sits outside the firm’s cybersecurity protections, compliance systems, logging, privilege controls, vendor vetting, and governance structure. In a law office, unsanctioned AI use is not just an IT problem. It is a competence problem, a confidentiality problem, a supervision problem, and sometimes a malpractice problem. In the good old days of several years ago, if an attorney took a client file out of the office to work on at home, and that file had particularly sensitive client information in it, at most that attorney might have received an admonition, “You really should not do that.” With AI, a client file released outside the firm’s network could be catastrophic to the client and the firm.

Closely related are identity and permission risks. Agentic systems often need credentials, permissions, and access rights to be useful. But the more capable the agent, the more tempting it is to give it broad authority: access to matter files, calendars, billing systems, customer relationship tools, cloud drives, or document management platforms. At that point the agent becomes a kind of digital insider. If it is misaligned, compromised, manipulated, or simply wrong, it can act with authorized access. The danger here is not always an external hacker. It may be the perfectly “authorized” agent doing something the lawyer never intended but was technically allowed to do. That is why least-privilege thinking matters so much in agent design. No legal agent should have the capacity to do everything merely because it is convenient.
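
To make the least-privilege point concrete, the following is an added example, not part of the original article or any product it describes: a deny-by-default gate that checks each agent tool call against the tools and matters that agent was granted. The agent roles, tool names, and matter numbers are constructed for illustration, and the requirement of a human approver for high-impact actions is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical tool names; actions that change the outside world need sign-off.
HIGH_IMPACT = {"send_email", "update_deadline", "file_document"}

@dataclass(frozen=True)
class AgentGrant:
    role: str
    tools: frozenset    # tools this agent may call; everything else is denied
    matters: frozenset  # matters the agent is assigned to (the ethical screen)

@dataclass(frozen=True)
class ToolCall:
    tool: str
    matter_id: str
    approved_by: Optional[str] = None  # human approver (assumption of this example)

def authorize(grant: AgentGrant, call: ToolCall) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason) so every decision can be logged."""
    if call.tool not in grant.tools:
        return False, f"{grant.role}: tool '{call.tool}' not granted"
    if call.matter_id not in grant.matters:
        return False, f"{grant.role}: matter '{call.matter_id}' outside assignment"
    if call.tool in HIGH_IMPACT and not call.approved_by:
        return False, f"{grant.role}: '{call.tool}' requires human approval"
    return True, "allowed"

# Constructed grants: each agent gets only what its task needs.
REVIEW = AgentGrant("review-agent", frozenset({"read_document"}),
                    frozenset({"M-1001"}))
DOCKET = AgentGrant("docket-agent", frozenset({"read_docket", "update_deadline"}),
                    frozenset({"M-1001"}))

def demo():
    calls = [
        (REVIEW, ToolCall("read_document", "M-1001")),
        (REVIEW, ToolCall("read_document", "M-2002")),     # another client's matter
        (REVIEW, ToolCall("export_documents", "M-1001")),  # tool never granted
        (DOCKET, ToolCall("update_deadline", "M-1001")),   # no approver recorded
        (DOCKET, ToolCall("update_deadline", "M-1001", approved_by="supervising attorney")),
    ]
    return [authorize(grant, call) for grant, call in calls]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Because the check runs outside the agent, a hidden instruction in a reviewed document cannot widen what the review agent is able to do: the export request and the cross-matter read are refused regardless of what the agent was persuaded to attempt.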
