| Risk ID | Risk Title | Description | Regulatory Reference | Likelihood (1–5) | Impact (1–5) | Severity | Required Action | Owner | Status | Review |
|---|---|---|---|---|---|---|---|---|---|---|
| Category A — Data Protection & Client Confidentiality | | | | | | | | | | |
| DP-001 | Client data processed through unapproved third-party AI tools | Fee earners inputting client personal data, privileged communications, and sensitive case information into AI tools without executed Data Processing Agreements | UK GDPR Art 28; SRA Code Para 6.3; UK GDPR Art 32 | 5 | 5 | Critical | Immediately suspend client data use in unapproved AI tools. Execute DPAs with all AI vendors. Conduct retrospective matter review. | AI Gov Lead + DPO | Open | Immediate |
| DP-002 | Shadow AI use — personal accounts processing client data | Fee earners using personal ChatGPT, Gemini, Claude accounts on client matters without firm knowledge, consent, or any data governance controls | UK GDPR Art 5(1)(f); UK GDPR Art 28; SRA Code Para 6.3 | 4 | 5 | Critical | Implement Shadow AI Detection policy. Mandatory disclosure of all AI tools in use. Technical controls to prevent personal account use on firm devices. | IT Director + AI Gov Lead | Open | 2 weeks |
| DP-003 | No DPIA conducted for AI tool deployment | Data Protection Impact Assessments not completed for any AI system processing personal data — mandatory under ICO guidance for high-risk AI processing | UK GDPR Art 35; ICO DPIA Guidance; EU AI Act Art 9 | 4 | 4 | High | Conduct DPIA for each AI tool processing personal data. Document findings. Implement identified mitigations. Review annually. | DPO | Open | 30 days |
| DP-004 | AI model training on client data without consent | Risk that AI vendors are using firm-submitted data to train or fine-tune models — particularly relevant for tools without explicit contractual prohibitions | UK GDPR Art 6; UK GDPR Art 28(3); SRA Code Para 6.3 | 3 | 5 | High | Audit DPAs for model training prohibition clauses. Request written confirmation from all AI vendors. Prioritise enterprise-tier subscriptions with explicit no-training guarantees. | AI Gov Lead + DPO | Open | 30 days |
| DP-005 | Inadequate data retention controls for AI outputs | AI-generated outputs stored in document management systems without clear retention policies, deletion schedules, or labelling as AI-generated content | UK GDPR Art 5(1)(e); ICO Retention Guidance | 3 | 3 | Medium | Implement AI output labelling policy. Update document retention schedule to include AI-generated content. Quarterly deletion review. | Records Manager | Open | 60 days |
| Category B — Professional Conduct & SRA Obligations | | | | | | | | | | |
| PC-001 | No AI output verification protocol — negligence exposure | Fee earners submitting AI-generated documents without mandatory review. SRA holds supervising solicitor responsible for AI outputs regardless of how generated. Hallucination risk in legal documents is live and documented. | SRA Code for Solicitors Para 3.5; SRA Code for Solicitors Para 3.2; Law Society AI Notes; Professional Negligence | 4 | 5 | Critical | Implement mandatory AI output verification checklist. All AI-drafted documents require qualified fee earner review before client delivery or court submission. Log all verification steps. | Managing Partner | Open | Immediate |
| PC-002 | No client disclosure of AI use on matters | No policy requiring fee earners to disclose AI use to clients. Engagement letters contain no AI clauses. EU AI Act Article 50 imposes transparency obligations. 60% of in-house counsel report they don't know if AI is used on their matters. | EU AI Act Art 50; SRA Transparency Rules; Law Society AI Notes | 5 | 4 | Critical | Add AI disclosure clause to all engagement letter templates. Create client-facing AI use statement. Implement matter-level AI use log. Train all fee earners on disclosure obligations. | Managing Partner | Open | 2 weeks |
| PC-003 | AI literacy obligations not met — Article 4 EU AI Act | EU AI Act Article 4 requires organisations deploying AI to ensure staff have adequate AI literacy. No structured AI literacy programme exists. Fee earners using AI tools without understanding capabilities, limitations, or failure modes. | EU AI Act Art 4; SRA Competence Statement; SRA Code for Solicitors Para 3.2 | 5 | 3 | High | Design and deliver AI literacy training programme covering capabilities, limitations, hallucination risk, data handling obligations, and firm policy. Mandatory for all fee earners before August 2026. Document completion. | HR + AI Gov Lead | Open | 6 weeks |
| PC-004 | No AI governance structure or named accountability | No AI Governance Lead appointed. No management committee responsibility defined. No escalation path for AI incidents. SRA expects firms to demonstrate clear governance accountability for technology use. | EU AI Act Art 9; SRA Technology Guidance; SRA Code for Firms Rule 2.1(a) | 5 | 3 | High | Appoint AI Governance Lead at partner level. Define management committee accountability. Establish escalation matrix. Add AI governance to board/committee agenda. | Managing Partner | Open | 2 weeks |
| PC-005 | Bias risk in AI-assisted legal research | AI legal research tools may produce outputs with jurisdictional bias, demographic bias, or recency gaps that disadvantage certain client positions. No systematic audit of AI research outputs for bias. | SRA Code for Solicitors Para 3.2; ICO AI Fairness Guidance; Equality Act 2010 | 3 | 3 | Medium | Implement AI research output verification protocol. Require cross-checking of AI research against primary sources. Document verification steps on matter files. | Practice Group Leads | Open | Quarterly |
| Category C — Regulatory Compliance | | | | | | | | | | |
| RC-001 | EU AI Act compliance programme not initiated | Full high-risk AI obligations active August 2026. Firm has not begun AI system inventory, risk classification, technical documentation, human oversight protocols, or provider due diligence required under Articles 9–15. | EU AI Act Arts 9–15; August 2026 deadline (EU-facing firms); ICO max fine £17.5M / 4% turnover (all UK firms) | 5 | 5 | Critical | Initiate EU AI Act compliance programme immediately. Conduct AI system inventory and risk classification within 2 weeks. Engage external governance support. Achieve compliance before August 2026. | Managing Partner + AI Gov Lead | Open | Immediate |
| RC-002 | AI tool risk classification not completed | EU AI Act requires risk classification of all AI systems in use. AI systems used in administration of justice or legal proceedings may be classified as high-risk. No classification exercise completed. | EU AI Act Annex III; EU AI Act Art 6; Art 9 Risk Management | 4 | 4 | High | Complete AI tool inventory. Apply EU AI Act risk classification framework to each tool. Document classification rationale. Review annually or when new tools deployed. | AI Gov Lead + IT Director | Open | 4 weeks |
| RC-003 | No AI incident reporting system | No defined process for reporting AI incidents — hallucinations in client documents, data leaks via AI tools, or AI-related complaints. No SRA/ICO notification thresholds documented. | UK GDPR Art 33; SRA Reporting Obligations; EU AI Act Art 73 | 3 | 4 | Medium | Implement AI incident reporting template. Define SRA and ICO notification thresholds. Train all fee earners on reporting obligations. Establish monthly incident review by AI Governance Lead. | AI Gov Lead + Compliance | Open | 30 days |
| RC-004 | Bar Standards Board guidance not reviewed | BSB has issued AI guidance relevant to barristers and chambers. Firms with barrister-facing practice areas or chambers relationships have not assessed applicability. | BSB Handbook; BSB Technology Guidance | 2 | 3 | Low | Review BSB AI guidance. Assess applicability to firm's practice areas. Update AI policy if relevant obligations identified. | Compliance Manager | Open | Quarterly |
| Category D — Operational AI Governance | | | | | | | | | | |
| OP-001 | No agentic AI supervision framework | Fee earners beginning to deploy AI agents for research, drafting, and scheduling. No human-in-the-loop checkpoints defined. No escalation triggers. No audit log requirements for agentic actions. | EU AI Act Art 14; SRA Supervision Obligations; Law Society AI Notes | 3 | 5 | High | Develop agentic AI supervision framework. Define human oversight checkpoints by task type. Implement audit logging for all agentic actions. Review quarterly as capabilities evolve. | AI Gov Lead + IT Director | Open | 8 weeks |
| OP-002 | No prompt governance guidelines | No guidance on what fee earners can and cannot instruct AI tools to do. Risk of fee earners instructing AI to generate misleading content, fabricate authorities, or produce outputs that misrepresent the firm's position. | SRA Code for Solicitors Para 1.4; SRA Code for Solicitors Para 3.2; Professional Negligence | 4 | 3 | Medium | Develop prompt governance guidelines covering prohibited instructions, required verification steps, and documentation requirements. Include in AI Acceptable Use Policy and mandatory training. | AI Gov Lead | Open | 6 weeks |
| OP-003 | AI tool access not role-differentiated | All fee earners have identical AI tool access regardless of seniority, practice area, or matter type. High-risk matter types (litigation, regulatory matters) may require elevated oversight requirements. | SRA Supervision Obligations; EU AI Act Art 14 | 3 | 3 | Low | Implement role-based AI access framework. Define elevated oversight requirements for high-risk matter types. Review and approve access levels annually. | IT Director + Practice Leads | Open | Quarterly |
| Category E — AI Supply Chain & Vendor Governance | | | | | | | | | | |
| SC-001 | No AI vendor due diligence process | AI tools procured without structured due diligence. No vendor questionnaire. No EU AI Act provider documentation checklist (Article 11 technical docs, Article 47 declarations). Harvey AI deployed with no security assessment. | EU AI Act Art 11; EU AI Act Art 47; UK GDPR Art 28 | 5 | 4 | High | Implement AI Vendor Due Diligence Framework (30-question questionnaire, DPA checklist, EU AI Act provider documentation). Apply retrospectively to all current vendors. Mandatory for all future AI tool procurement. | AI Gov Lead + Procurement | Open | 30 days |
| SC-002 | No approved AI tool register | No central register of approved, conditionally approved, and rejected AI tools. Fee earners selecting tools independently without oversight. No version control of tool approvals. | EU AI Act Art 9; SRA Technology Guidance; IT Governance | 4 | 3 | Medium | Create and maintain AI Tool Register (Approved / Conditional / Rejected). Publish to all fee earners. Update monthly. Require AI Gov Lead sign-off for new tool adoption. | AI Gov Lead + IT Director | Open | Monthly |
| SC-003 | No ongoing vendor monitoring protocol | AI vendor compliance status, security posture, and regulatory standing not monitored after initial procurement. Changes to vendor terms, data policies, or security incidents not tracked. | UK GDPR Art 28; EU AI Act Art 9; ISO 27001 | 3 | 3 | Low | Implement quarterly vendor monitoring reviews. Subscribe to vendor security bulletins. Annual DPA review for all AI vendors. Trigger re-assessment on any material vendor change. | IT Director + Procurement | Open | Quarterly |
| SC-004 | AI tool API integrations not security assessed | Third-party integrations connecting AI tools to practice management systems, document management, and email not security assessed. Data flows between systems not mapped. | UK GDPR Art 32; ISO 27001; Cyber Essentials Plus | 3 | 3 | Low | Map all AI tool API integrations and data flows. Conduct security assessment of each integration. Implement monitoring for anomalous data flows. | IT Director | Open | 6 months |