Your lawyers are uploading client data to ChatGPT right now

Browser security is where legal work happens—and where controls vanish

Most law firms have hardened authentication, email, mobile, and device management but left the browser ungoverned. That environment is now where lawyers spend their working time and where the largest compliance exposures sit.

The exposure has two sources. First, shadow AI: only 30% of law firms have a specific AI policy in place (per Thomson Reuters' 2025 Generative AI in Professional Services report), and even fewer have the infrastructure to enforce one. When policy is absent or unenforced, lawyers use personal accounts on public AI platforms. Client facts, strategy, identifiers, and personally identifiable information end up in prompts. Many AI providers retain prompts for model training and route traffic through third countries. Without browser-level controls, a firm cannot prevent uploads, detect when they happen, or produce an audit trail for regulators.

Second, the legacy application blind spot: firms still rely on matter management systems, time recording, and case management software built for client-server architectures. The standard workaround is virtual desktop infrastructure (VDI), which governs data inside the virtual session. But lawyers simultaneously use their regular browser outside that VDI session. Data copied from a VDI application and pasted into a public AI tool falls into neither firm's audit trail and operates across two separate, unintegrated security contexts.

The problem is architectural, not behavioural. The path of least resistance when approved tools are slow or unavailable is a personal AI account. One source estimates nearly half of people using generative AI platforms do so through personal accounts their organisations do not oversee.

Regulators will expect evidence that you tried to stop this

A confidentiality violation involving client data routed through an unsanctioned AI service exposes a firm to SRA and ICO investigation. The investigator will ask: what controls did you have in place? What did you audit? What did your logs show? If the answer is "nothing at the browser level," the firm cannot demonstrate that appropriate measures were in place, even if a policy document exists.

Browser-level governance—DLP controls that prevent uploads to unsanctioned AI tools, restrict copy-paste of sensitive content, watermark documents, and enforce print controls—operates in the environment where the actual risk lives. Such controls also have a second-order effect: they provide security teams with visibility into which AI tools are being accessed across the firm, flag unauthorised data transfers, and create the evidence locker that regulators expect after a breach.

Start with visibility, then lock down policy

Audit what your lawyers can access in their browsers without firm governance. Identify which AI tools staff are using and whether any of those tools are unsanctioned. Check whether your current security controls operate at the browser level or only at the network and device levels. If your VDI environment is separate from your managed browser environment, you have a fragmentation problem: data moving between them is unlogged.

Once you have visibility, implement browser-level DLP that prevents uploads to unsanctioned platforms and restricts sensitive data operations without governance. Make sure legacy applications move into the managed browser perimeter rather than remaining in a separate VDI context, so that the same controls apply to data flowing through them.

The combination of browser-level DLP, AI tool allowlisting, and consolidated application governance closes the gaps that currently exist in most firms' architectures.