AI use inside law firms has crossed the majority line, and most firms crossed it without writing down how the technology should be used. This article is for managing partners and COOs at law firms, consultancies, and advisory groups who need to close the gap between fast AI adoption and the governance, security, and measurement that should have arrived with it.
Generative AI use among legal professionals climbed from 31 percent in 2025 to 69 percent in 2026. Over the same stretch, the share of firms with a documented AI governance program sat at 7 percent. Most firms have crossed the adoption line. The question that now sets a firm's risk exposure, its client relationships, and its profitability is whether it crossed the governance line too. The data says most did not.
The gap between adoption and governance is a liability
Set the numbers side by side. Sixty-nine percent of legal professionals now use generative AI. At the same time, 54 percent of firms provide no AI training, 43 percent have no formal AI policy, and 7 percent have a documented AI governance program. Subtract the governed firms from the adopting firms and what is left is the largest pool of ungoverned professional work most firms have ever carried. Lawyers are using AI tools on client matters with no policy defining acceptable use, no training on confidentiality and verification, and no documented program a partner could show a client or a regulator.
This is shadow IT, and the cause is understood. One of the most common mistakes legal organizations make is adopting AI with no clear strategy. A top-down push to use AI produces scattered tools, shadow IT, and low real adoption. When leadership signals enthusiasm without supplying structure, individual lawyers fill the gap with whatever consumer tools they can reach, and the firm carries the combined risk with none of the control.
The exposure is concrete. With no policy, a firm cannot show a client that privileged material is being kept out of third-party model training. With no training, a firm cannot show that associates are checking AI output before it goes out. With no documented program, a firm has no defensible answer when a client's procurement team asks how AI use is controlled on their matters. In 2026, procurement teams are asking. The 7 percent who can answer are about to start winning work from the 93 percent who cannot.
Adoption was the easy part; orchestration is the work now
The legal industry has reached what analysts call an inflection point, the move from AI adoption to AI orchestration. Adoption means the tools are in the building. Orchestration means those tools are coordinated, measured, governed, and built into how the firm delivers work. The gap between those two states is the gap between owning instruments and conducting them.
The market is building for that move. In May 2026, Harvey launched Command Center, a product made to help firms manage, measure, and improve enterprise AI adoption, with benchmarking drawn from anonymized, aggregated usage data across more than 1,500 Harvey deployments worldwide. It also partnered with DeepJudge on institutional knowledge. The point for managing partners is not the specific product. The point is what its existence signals. The leading vendors now assume their buyers need to govern and measure AI, not only access it. A firm whose AI conversation is still about which tool to buy is a full cycle behind the firms treating it as a measurement and governance job.
Orchestration also reframes the top operational complaint in the industry. Understanding, selecting, and deploying new legal technology is now the number one challenge for legal professionals at 54 percent, ahead of work volume at 52 percent. That is a sharp inversion. For the first time, choosing the tools is harder than doing the work. Firms that respond by buying more tools make the problem worse. Firms that respond by orchestrating, by consolidating, integrating, governing, and measuring, turn the challenge into an advantage.
Clients are already planning to use outside counsel less
One number deserves to be treated as a strategic alarm: 64 percent of in-house legal teams expect to depend less on outside counsel as AI capability matures. Clients are not waiting for their firms to work out AI. They are building their own capacity, and they plan to send less work out.
That changes what AI investment is for. The spend buys relevance more than margin. The firms that come through the in-house buildout will be the ones that use AI to deliver work in-house teams cannot easily reproduce: faster turnaround on complex matters, deeper institutional knowledge applied consistently, and pricing that reflects AI-driven efficiency rather than hiding it. A firm that quietly uses AI to do the same work at the same hourly rate is inviting the exact disintermediation the 64 percent figure points to.
The returns are real for firms that get the strategy right. Fifty-two percent of firms report revenue growth after putting AI tools in place, and 80 percent say AI tools meet or beat expectations. The clearest signal: firms with clear AI strategies are 2x more likely to see revenue growth and 3.5x more likely to realize real AI benefits than firms still deliberating. The difference in every one of those numbers is strategy that is documented, governed, and measured, not the tools themselves.
Security is the governance test that cannot wait
AI governance and data security are one management job, and 2026 has made that plain. LexisNexis Legal and Professional confirmed a breach in which attackers accessed customer and business information. The DocketWise data breach affected roughly 116,000 individuals, with notification letters to affected law firm clients beginning April 3, 2026. These are core legal-industry providers, which means the exposed surface is the supply chain, not only a firm's own perimeter.
The trend is worse than the single incidents. Law firms reported a near-doubling of cyber incidents over the prior year, with 20 percent of surveyed U.S. firms reporting they were the target of a cyberattack. The average cost of a breach is $4.56 million. Ransomware is still the top risk, and attackers now run double extortion, taking sensitive client data before encrypting it, so restoring from backup no longer ends the incident. The attacker can still leak or sell the files. Midsize and smaller firms, long assumed to sit below the threat line, now face rising breach exposure because their controls lag.
For COOs, the operational lesson is that scattered technology is itself a security liability. Forty-one percent of firms name fragmented tools as their primary issue, and 54 percent name technology decisions as their biggest challenge. Every disconnected system is one more attack surface, one more vendor in the breach supply chain, and one more integration nobody fully owns. Moving onto fewer, well-secured, well-integrated platforms cuts cost and cuts risk at the same time.
Consolidation pays when it is run as strategy
The financial case for consolidation is clear once leadership runs the numbers. A unified CRM and billing platform that lifts collection rates from 87 percent to 95 percent on $10 million in annual billings produces roughly $800,000 in added revenue, and most firms reach positive return within 6 to 12 months. The investment is real but bounded. Integrated billing and CRM systems run roughly $500 to $2,000 per user, with implementation and training between $10,000 and $50,000 depending on firm size.
The mistake to avoid is running consolidation as a buying exercise. Run as strategy, consolidation means deciding which platforms become the firm's systems of record, retiring the overlapping tools around them, integrating the survivors so data moves with no manual re-entry, and governing the result. Run as a buying exercise, it means signing a new contract and leaving the old tools running anyway, which adds cost and attack surface rather than removing them. The discipline that should govern AI adoption, strategy first, documented and measured, is the discipline that makes consolidation pay.
Priority actions for firm leadership
- Publish an AI governance program this quarter. Join the 7 percent. The program should define acceptable use, confidentiality and client-data handling, required verification of AI output, an approved-tools list, and clear accountability. A documented program with rough edges beats no program.
- Close the training gap. With 54 percent of firms providing no AI training, even baseline training on confidentiality, verification, and approved tools is both a competitive edge and a malpractice safeguard.
- Build a client-facing answer on AI. Assume client procurement teams will ask how the firm governs AI on their matters. Have the documented answer ready before the question arrives, because it is becoming a condition of winning work.
- Treat security as part of AI governance, not a side track. Audit legal-tech vendors for breach history and controls in light of the LexisNexis and DocketWise incidents. Confirm that ransomware resilience accounts for double extortion, not only backup restoration.
- Consolidate as strategy. Name the systems of record, retire overlapping tools, and integrate the survivors. Model the collections return, because the move from 87 percent to 95 percent is achievable and pays for itself.
- Point AI investment at client relevance. With 64 percent of in-house teams planning to use outside counsel less, direct AI spend toward work in-house teams cannot reproduce and toward pricing that reflects efficiency.
The firms that lead professional services in 2027 will be the ones that governed AI first. Adoption was the easy 69 percent. The decisive, profitable work is the orchestration, and that work belongs to firm leadership.

