The Difference Between AI Usage and AI Exposure: What Law Firms and Insurers Need to Understand

Artificial intelligence is already embedded in most large law firms, whether leadership formally acknowledges it or not. Associates experiment with drafting tools. Vendors quietly integrate AI features into research platforms.…

Artificial intelligence is already embedded in most large law firms, whether leadership formally acknowledges it or not. Associates experiment with drafting tools. Vendors quietly integrate AI features into research platforms. Marketing teams deploy predictive analytics. In most firms, some level of AI activity is already present.

What has not been adequately examined, particularly at the executive and underwriting level, is the distinction between AI usage and AI exposure. The two are frequently discussed as if they were interchangeable. They are not.  Usage refers to activity. Exposure refers to vulnerability.

Professional liability claims over the past three decades show that the cases that develop into meaningful losses are rarely about whether a tool was used. They turn on whether the firm had adequate supervision, verification, and documentation around reliance. The same analytical frame applies here.

AI usage is observable. One can identify when a lawyer employs a generative system to summarize testimony or draft a preliminary memorandum. Usage can be restricted, expanded, or temporarily prohibited. It is episodic and visible, at least in theory.

AI exposure is different. It arises when output generated by a system influences professional judgment, when client data moves through third-party models without clear contractual protections, or when attorneys begin to rely on AI-assisted research without consistent verification protocols. Exposure is not limited to the moment of interaction with the tool. It is embedded in the firm’s processes and culture.

Two firms may report similar levels of AI experimentation. Their liability profiles may nonetheless diverge significantly.  One firm may require supervisory review of all AI-assisted drafting, maintain clear documentation standards, conduct training on hallucination risks, and impose vendor due diligence requirements. Another may rely on informal expectations that “lawyers will use good judgment.” From a malpractice perspective, those are materially different risk environments, even if both firms characterize their AI usage as modest.

Professional liability carriers do not ultimately insure tools. They insure systems of professional responsibility. The underwriting inquiry is therefore not simply whether AI is permitted. It is how AI alters the probability of error, the speed at which errors can propagate, and the evidentiary record that will exist if a client later alleges negligence.

AI accelerates output. Acceleration can be beneficial, but it also compresses the time available for reflection and review. It can generate text that appears authoritative while containing subtle inaccuracies. It can introduce external data flows that do not align neatly with traditional confidentiality controls. None of those features are inherently disqualifying. They do, however, require intentional oversight.

The more difficult risk to identify is exposure that exists without deliberate adoption.

Vendors now integrate AI capabilities into platforms firms have used for years. An associate under time pressure may upload client documents into an external system without fully understanding the data retention implications. A practice group may informally rely on AI-assisted summaries without creating a record of human verification. In each instance, leadership may believe the firm’s AI footprint is minimal. The exposure may tell a different story.

From a governance standpoint, the central question is whether responsibility for AI oversight has been clearly assigned and operationalized. In emerging risk categories, diffusion of responsibility is common. Technology is viewed as an IT issue, professional judgment as a lawyer issue, and risk management as a separate administrative function. When accountability fragments in this way, no single person can credibly testify that the firm exercised structured oversight.

In litigation, plaintiffs’ counsel do not focus on experimentation. They focus on reliance and process. They ask who approved the workflow, what training occurred, what policies governed data handling, and what the executive committee knew about emerging risks. Those inquiries are predictable. They mirror the questions historically asked in matters involving e-discovery failures, cybersecurity incidents, and conflicts management breakdowns.

AI governance, properly understood, is not about restriction. It is about documentation, supervision, and clarity of roles. It requires mapping where AI systems intersect with client advice, identifying verification checkpoints, and ensuring that vendor relationships align with confidentiality obligations. It also requires periodic executive-level review, because exposure evolves as tools and practices evolve.

We are still early in the litigation cycle.  Although the profession is seeing a dramatic rise in the frequency of AI hallucinations and sanctions, it has not yet seen a significant wave of AI-driven malpractice claims. That should not be mistaken for safety. Emerging risks typically follow a familiar progression: quiet adoption, uneven policy development, a high-visibility failure, and then retrospective scrutiny of what a reasonable firm should have done.

The firms that treat AI as a governance category rather than an innovation project will be better positioned when that scrutiny arrives. The same is true for insurers evaluating risk portfolios that may be more correlated than currently appreciated.

The distinction between usage and exposure does not require alarm. It requires clarity. Executives and underwriters should be asking not only where AI tools are being used, but how their presence changes the firm’s supervisory obligations and defensibility. That inquiry is less visible than usage statistics, but it is far more consequential.

Questions to Consider

Next Steps for Law Firms

1. Inventory AI Usage Across the Firm

Identify where attorneys, staff, and vendors are currently using AI-enabled tools.

2. Map AI Exposure Areas

Determine where AI influences legal judgment, client communications, document drafting, legal research, and decision-making.

3. Evaluate Verification Practices

Assess whether AI-assisted work is subject to documented review, validation, and supervisory requirements.

4. Review Vendor Relationships

Examine contractual protections, confidentiality provisions, data retention practices, and AI-related service terms.

5. Assign Governance Accountability

Designate individuals or committees responsible for AI oversight, policy management, and incident escalation.

6. Strengthen Documentation Standards

Create evidence demonstrating training, governance decisions, policy compliance, and review procedures.

7. Conduct Periodic Exposure Assessments

Review how AI-related risks evolve as tools, workflows, and adoption patterns change.


Next Steps for Professional Liability Carriers

1. Distinguish Usage From Exposure During Underwriting

Move beyond questions about whether AI is used and evaluate how it is governed.

2. Assess Verification Controls

Determine whether firms have documented processes for validating AI-assisted work product.

3. Evaluate Supervisory Structures

Review how attorneys, managers, and governance functions oversee AI-related activities.

4. Review Data Governance Practices

Assess controls related to client confidentiality, third-party vendors, and external AI systems.

5. Incorporate Governance Maturity Indicators

Use governance practices as a leading indicator of future risk quality.

6. Monitor Portfolio Correlation Risk

Evaluate whether multiple insured firms rely on similar AI platforms, vendors, or workflows.

7. Encourage Governance-Based Risk Reduction

Consider underwriting incentives for firms that demonstrate mature governance, verification, and oversight practices.


Related Topics