Survey: Legal Profession Has a Long Way to Go on AI Data Protection

Security software provider Kiteworks recently released the findings from its 2025 AI Data Security and Compliance Risk Survey, which included responses from 461 cybersecurity, IT, compliance, and legal professionals. The survey found that the legal profession has a long way to go to get its AI data protection house in order. While 31% of legal respondents were concerned about data leakage via AI, 34% reported minimal or no policy controls in place, and 15% reported having no specific policies at all regarding the use of public AI tools with sensitive firm or client data. Here are some of the details:

– Only 15% of law firms report having comprehensive technical controls in place for AI data protection
– 19% rely on warnings only, with no monitoring or enforcement
– Despite 95% of legal professionals expecting AI to be central to firm operations within five years (per Thomson Reuters), only 41% currently have an AI policy
– 23% of legal organizations report no formal privacy controls yet are actively deploying AI solutions

If it’s any consolation to the legal profession, other critical sectors of the economy aren’t doing much better. For example, even though HIPAA requires tracking of all patient data, the survey found that only 35% of healthcare organizations can see their AI usage, and that only 39% of industry executives even recognize AI security threats. Although 39% of government agencies report putting significant private data into AI systems, only 17% have technical safeguards, while 11% have no governance plans at all. The survey found that although firms in the financial sector expressed the highest level of concern about data leaks, they were among the lowest when it came to implementation of controls (16%). Finally, and perhaps most frighteningly, while everyone in the tech sector is racing to build AI products, only 17% protect against their own employees’ AI risks.