Bench & Bar May/June 2026
HOW SHOULD LEGAL ORGANIZATIONS RESPOND TO THE RISK SURFACE OF GENERATIVE AND AGENTIC AI?

In response to the risk surface that has emerged with gen AI and agentic AI, the first step is conceptual: law firms and courts should begin thinking in terms of their security posture, not merely AI convenience. In other words, the questions firms ask should not be limited to “What can these AI tools do?” and “Are we using these tools enough?” but should expand to “What can this AI system access, what can it trigger, what can it remember, what can it send, and what will happen if it is wrong?” That broader view is what many organizations now call AI Security Posture Management. The idea is to achieve visibility across the AI’s implementation and workflow—from model selection to deployment, permissions, connectors, runtime actions, logging, and incident response. Lawyers do not need to become engineers to appreciate the core point: if you cannot see the workflow of the agent, you probably cannot supervise it competently.

The second step is to make sure that all of your AI tools and agents that might implicate the risks described in this article operate in a locked-down environment, typically described as an enterprise-grade solution that implements one of the following options:

PRIVATE AI: An AI system developed and operated within a secure, controlled environment, ensuring data never leaves the organization. Your firm can download or develop, fine-tune, and deploy its own AI system and not rely on cloud-based and web-based products owned and controlled by a third party. The AI will be self-hosted and on-premises—i.e., running on local servers air-gapped from the rest of the world so data never leaves the premises. (Naturally this option requires a certain level of AI tech expertise or the hiring of those who can provide it).

Closed System/Closed Environment: An intermediary step can be an AI model owned and operated by an AI developer
(e.g., Microsoft or Google) that operates exclusively within an organization’s internal firewall, often using tools like Retrieval-Augmented Generation (RAG) to process data without exposing it to public models. Many vendors offer this service but be sure to “vet the vendor” carefully by reviewing and discussing its terms and conditions to make sure its promises meet your firm’s needs.

VPC (VIRTUAL PRIVATE CLOUD) DEPLOYMENT: A VPC deployment is a specific technical implementation where the AI is hosted within the organization’s private cloud network, isolating it from the public internet. It can be self-hosted or acquired through a vendor whose security measures and guaranties match your firm’s needs.

The third step is to implement and enforce a Zero Trust architecture which ensures that every user, agent, and application is authenticated and authorized, stopping rogue agents or malicious users.

The fourth step is to make sure all generative and agentic AI workflows contain steps for a meaningful expert in the loop review, especially for high-risk actions. When agents can work for hours on end without timing out or “dropping the state” of their memory and attention, these checkpoints are necessary to allow a human to notice the AI going off course and have the chance to stop the process or regain control to bring the AI back on track. This is not necessary for each step of the AI’s workflow, but actions involving filings, deadlines, external communications, privileged material, settlement terms, client advice, or irreversible system changes should not be left to autonomous execution. Human review should be a real control point, not a ceremonial click-through. The question for lawyers is not whether the system can do the task. It is whether professional responsibility permits the system to do the task without human confirmation.

The fifth step is a policy of least-privilege access.
AI agents should be given the minimum permissions necessary to complete a defined task. If an agent only needs to summarize documents, it should not be able to send emails, alter records, or access every matter file in the system. If it needs read access, do not grant write access. If it needs one folder, do not grant the entire drive. Lawyers already understand this concept in another form: not every human employee should have unrestricted access to every client matter. The same rule should apply to digital workers.

CONCLUSIONS

In the end, “risk surface” is a useful term because it captures the truth that agentic AI risks are not confined to one dramatic failure. They are distributed across memory, permissions, workflows, tools, identities, connectors, supervision, and judgment. For lawyers, the central lesson is straightforward: the more an AI system can do, the more carefully its scope, permissions, and supervision must be designed. For judges, the lesson is equally clear: the profession may use new tools, but the old duties remain. Competence still matters. Candor still matters. Supervision still matters. Confidentiality still matters. And when digital agents begin to act inside the practice of law, the human lawyer remains responsible for where those actions lead.

ABOUT THE AUTHOR

MICHAEL D. MURRAY is a University Research Professor and the Spears Gilbert Professor of Law at the University of Kentucky J. David Rosenberg College of Law. He leads UK’s Artificial Intelligence and the Law Project and the Blockchain, Cryptocurrency, NFT, and the Metaverse Law Project, working at the collision point where cutting-edge tech meets law practice reality. His scholarship and teaching focus on generative and agentic AI in legal practice, and on the legal and ethical issues of deepfakes and deception, intellectual property (copyright, trademark, and right of publicity), and the power of visual legal rhetoric.

ENDNOTE

1 Consult the terms and conditions of your license to the services first; many services are antsy about letting bots interact with their research platforms even if you, the paying customer, authorize it.