AI, Ethics & Cybersecurity: What Every Lawyer Needs to Know About the Rise of Agentic AI

The  Emergence of Autonomous Legal Technology

Artificial intelligence is evolving rapidly—and with it, the nature of legal practice. Among the most transformative developments is the rise of agentic AI, a form of artificial intelligence that can autonomously pursue objectives, make decisions, and adapt to its environment. These systems differ fundamentally from traditional AI models that merely respond to prompts or follow fixed rules. Agentic AI introduces legal and ethical challenges at a scale and complexity previously unseen in professional services. As attorneys increasingly adopt AI-powered tools for drafting, analysis, client intake, and more, the line between tool and actor begins to blur. Legal professionals need to stay ahead of the curve—both in terms of technological literacy and ethical responsibility.

Understanding Agentic AI and Its Legal Significance

At its core, agentic AI refers to systems capable of independent action toward defined or learned goals, with minimal human input once deployed. These systems can self-optimize, engage in long-horizon planning, and even generate novel tasks to complete objectives. From a legal perspective, this raises critical questions about foreseeability, attribution of conduct, and the delegation of authority. Unlike earlier generations of legal tech, which largely functioned under close human supervision, agentic systems may initiate communications, synthesize confidential data, or alter workflows dynamically—all without prior human review. The implications for attorney-client relationships, firm governance, and legal liability are far-reaching.[1]

A deeper layer of concern may involve legal agency itself. If an AI makes a commitment or enters into a contract-like arrangement on behalf of a law firm or its client (which may already be happening), under what circumstances is that action binding? How should courts assess intent when no human initiated the act? These questions invite a reexamination of traditional legal doctrines in light of a non-human actor capable of autonomous “decisions.” Furthermore, tort principles may require new interpretations when harm is caused by AI systems acting within their defined scope yet outside human expectations. Courts may be compelled to develop new analogs of strict liability or novel standards of care for the “deployment” of agentic tools.

Ethical Challenges: Competence, Confidentiality, and Control

Lawyers are bound by professional ethics rules that predate today’s AI landscape but remain highly relevant. The duty of technological competence, recognized under ABA Model Rule 1.1 and adopted by many state bars, including under the Rules Regulating the Florida Bar, obliges attorneys to understand the technologies they use or to work with those who do.

Employing an agentic AI tool without sufficient understanding of how it operates[2] or how it handles data could constitute a breach of this duty. Additionally, the rules surrounding client confidentiality demand particular attention. If an AI system inadvertently discloses or misroutes sensitive client information due to an autonomous misjudgment, the attorney—not the algorithm—remains responsible. Another emerging concern is the risk of unintentional unauthorized practice of law. If an agentic AI begins to generate legal conclusions, draft binding documents, or interpret laws on behalf of a client without attorney oversight, both the software’s use and its designer may fall under scrutiny.

There is also the specter of bias amplification. Agentic AI trained on flawed or incomplete legal datasets could replicate or worsen disparities in legal outcomes. Attorneys must therefore assess the provenance, representativeness, and reviewability of training data. Moreover, as AI becomes integrated into hiring, billing, case prioritization, and even judicial functions, the ethical implications grow broader, implicating issues of fairness, equal access, and due process.

Cybersecurity and AI Governance: The Expanding Attack Surface

Underappreciated risks posed by increasingly autonomous AI systems are a major concern. Each deployment of agentic AI expands the what has been called the “digital attack surface,” making it a potential vector for malicious manipulation. Threats such as prompt injection, data poisoning, or adversarial attacks can undermine the integrity of an AI’s outputs or cause it to act in unpredictable, harmful ways. Moreover, poor governance—such as the lack of an audit trail, insufficient access controls, or missing human-in-the-loop safeguards—can allow these risks to escalate unchecked. For law firms and in-house legal teams, this is not merely a technical issue but a fundamental governance problem. It is not speculative about what theoretically might happen, it is real. Lawyers must participate in shaping internal AI policies that prioritize transparency, accountability, and resilience. Vigilance, minimizing risks of omissions, is key.

Beyond defensive strategies, there is a growing need for proactive cyber hygiene protocols tailored to agentic environments. These include deploying AI-specific firewalls, conducting adversarial testing before implementation, and monitoring system behavior for drift from intended ethical or functional parameters. Integration of these standards with existing cybersecurity frameworks, such as NIST SP 800-53 or ISO/IEC 27001, will be essential for defensibility and client assurance.

Policy, Regulation, and the Evolving Legal Landscape

Regulatory trends are beginning to catch up to technological realities. At the federal level, agencies such as the FTC and the National Institute of Standards and Technology (NIST) are issuing AI guidance, while state bars and court systems explore new ethics opinions and rule amendments. Internationally, the EU AI Act represents a sweeping regulatory framework that could influence future U.S. policy, particularly regarding high-risk applications and transparency obligations.

Law firms that advise clients in regulated industries or that manage cross-border matters must stay current with these developments and be prepared to interpret how AI governance laws intersect with existing legal doctrines, including those governing fiduciary duty, negligence, and data privacy. If small law firm practitioners thinks they are immune from these risks, they are not.

One promising development is the emergence of AI “nutrition labels” and accountability registries, which could eventually become standard compliance features for high-impact legal AI tools. These mechanisms offer transparency into data sources, training processes, and model performance, providing legal practitioners with critical information to assess risk. There is also a growing push for statutory recognition of algorithmic impact assessments (AIAs), especially in public sector procurement and deployment of AI tools that influence legal determinations. But the more limitations on the systems the issue then may become whether the platforms capabilities being hampered in ways that fail to adequately meet the objectives sought.

Transformative Possibilities and Professional Responsibility

While much of the discussion around agentic AI focuses on risk, the opportunities for positive transformation are equally significant. Properly designed and governed AI systems can help lawyers manage information overload, enhance access to justice, streamline compliance, and support collaborative legal intelligence. Yet, this requires a disciplined approach to deployment. Legal organizations must conduct internal risk assessments, create robust vetting procedures for AI vendors, implement staff training programs, and ensure that AI systems complement rather than replace sound legal judgment. In short, agentic AI must be treated not merely as a productivity tool, but as a participant in a human-directed professional ecosystem. At least currently, nothing can substitute for human review of all results and external confirmation of accuracy.

Attorneys should consider integrating AI usage reviews into standard engagement agreements and governance documents, clarifying the boundaries of use and human oversight responsibilities. Likewise, firms may benefit from establishing AI ethics review boards or internal audit panels to periodically assess AI alignment with client service principles and ethical norms. Ongoing training programs, coupled with versioning and change logs for AI system updates, should become core compliance practices for law firms that rely heavily on these tools.

A Call to Ethical and Technological Leadership

The agentic AI revolution demands more from legal professionals than passive adaptation. It calls for leadership—ethical, technological, and strategic. Lawyers must ensure that their use of AI aligns with the profession’s highest values: competence, integrity, confidentiality, and justice. As these systems grow in influence and capability, it will be lawyers who must interpret their actions, manage their consequences, and preserve the trust placed in the legal system.  An urgent need for a proactive stance is clearly needed. Rather than wait for regulation to define our boundaries, the legal community must help shape them.

The legal profession is at a crossroads. Agentic AI is no longer experimental; it is operational, influential, and persistent. It is lawyers who must build the frameworks of accountability, who must question the defaults of delegation, and who must advocate for systems that serve justice and not merely efficiency. This is not just a moment of transformation. It is a call to reimagine what legal stewardship means in the age of autonomous technology.

Appendix A: Sample AI Use and Governance Policy for Law Firms

This model policy outlines guidelines for the responsible deployment of agentic AI in a legal environment.

1. Purpose and Scope This policy governs the use, oversight, and risk management of agentic AI systems in all legal practice areas at [Firm Name].

2. AI System Vetting and DocumentationAll AI systems must be vetted for reliability, transparency, and data security. Documentation must include the system’s data provenance, update history, and operational parameters.

3. Confidentiality and Privilege AI tools may not access, process, or store client confidential or privileged information without documented consent and a verified encryption protocol.

4. Human Oversight Requirement All outputs from agentic AI systems must be reviewed by a licensed attorney before dissemination to clients, courts, or third parties.

5. Vendor Compliance Vendors must comply with applicable legal standards and provide audit access upon request. Contracts must include indemnification clauses and SLAs specific to AI malfunctions.

6. Ethical Use The firm prohibits use of AI systems that exhibit unexplainable bias, breach ethical norms, or automate decisions that substitute for legal judgment.

7. Training and Auditing All legal staff must complete annual training on AI ethics and cybersecurity. Regular audits shall be conducted to assess system performance, risks, and compliance.

 Appendix B: AI Risk Assessment Checklist for Legal Professionals

1. Is the AI tool agentic or merely responsive?
2. Have you reviewed its data inputs and training sources?
3. Does the tool produce outputs requiring legal interpretation?
4. Can outputs be traced, logged, and explained?
5. Is there a human review process for high-risk tasks?
6. Are client consent and disclosures clearly documented?
7. Does the system comply with jurisdictional privacy and security regulations?
8. Are AI-related errors included in your E&O insurance policy coverage?

Appendix C: Hypothetical Scenario for CLE Discussion

Scenario: A midsize litigation firm adopts an agentic AI system to automate early drafts of demand letters. Without human review, the system sends a letter to opposing counsel that misrepresents the applicable statute of limitations and includes privileged information extracted from an unrelated case file. The opposing counsel notifies the court.

Discussion Points:

• Has the firm violated its duty of competence or confidentiality?
• Can the firm claim the AI tool was at fault?
• What remedies, disclosures, or mitigation steps are now required?

Appendix D: Selected References and Reading List

1. ABA Model Rules of Professional Conduct, Rules 1.1, 1.6, 5.3
2. Florida Bar Ethics Opinion 20-01 (Use of Technology and Supervision)
3. FTC Report: “Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI” (2021)
4. EU AI Act, Proposal COM/2021/206 final
5. NIST AI Risk Management Framework 1.0 (2023)
6. Cal. CPRA Regulation Text (Title 11, Div. 6, Ch. 1)
7. Rebecca Crootof, “Machines as Legal Actors,” Yale J.L. & Tech. (2015)
8. Ryan Calo, “Artificial Intelligence Policy: A Primer and Roadmap,” U.C. Davis L. Rev. (2017)
9. Neil Daswani et al., “The Anatomy of AI Security Risks,” Firebolt Ventures Whitepaper (2024)
10. Kimberly Klayman and Gregory Szewcyk, “AI Risk Governance in the Legal Sector,” Ballard Spahr Insights (2024)

[1] One of the issues this author sees in the use of the current Westlaw, Lexis and similar offerings in this area, is  their apparent current narrow scope and limited abilities  to generate with the type of complexity available through other generative and agentic AI platforms, presumably, due to the risk of errors. While well intentioned, these limitations may encourage many practitioners to experiment with (and adopt) the far reaching capabilities of such platforms as ChatGPT, Grok, CoPilot, Claude, and many others, due to their dynamic interfaces and ability to conduct evaluative work, simulate legal reasoning and assist extensively with evaluation of legal data.

[2] To this author’s understanding it is unclear if anyone fully understands how these platforms operate currently.