As generative AI tools such as ChatGPT became widely available, employees at a prominent international law firm began using them informally across functions - drafting documents, updating CVs, and exploring ways to automate research. While the firm had implemented its own internal AI assistant based on OpenAI, leadership knew that unsanctioned usage of external tools - also known as shadow AI - was growing fast.

The firm’s CISO recognised that these tools were being used with good intent but posed significant risks. Confidential client data, PII, and even fragments of source code could potentially be exposed to public AI models, breaching privacy obligations and regulatory standards. At the same time, a blanket ban on GenAI tools was seen as overly restrictive and likely to drive such behaviour further underground.

“We were caught between risk and reality,” the CISO explained. “Our people wanted to experiment with AI to work more efficiently. We just needed to ensure it was being done safely.”

What the firm needed was a way to see exactly what tools were being used, identify when risk was introduced, and guide employees in real time, all without blocking innovation or adding friction to daily work.

The firm partnered with CultureAI to implement a secure AI usage enablement strategy that combined visibility, proactive protection, and behaviour change at scale.

CultureAI was deployed to track GenAI activity across the web, including both sanctioned and shadow tools. Usage was categorised and surfaced through a central dashboard, allowing the security team to identify which GenAI applications were being used, by whom, and for what types of tasks. Crucially, tools like ChatGPT, Claude, and Gemini were flagged automatically, and new ones could be detected as soon as they appeared.

To tackle high-risk behaviours, CultureAI introduced real-time controls that could detect when users were about to paste sensitive information - such as PII, source code, or confidential client data - into GenAI tools. These prompts were either blocked automatically or intercepted with a customised in-browser coaching message explaining the risk and suggesting safer alternatives, such as the firm’s internal AI assistant.

This in-the-moment intervention proved far more effective than after-the-fact alerts. Employees received contextual guidance while working, helping them understand the organisation’s expectations and reinforcing safe AI use.

CultureAI also helped the firm automate triage for critical risks. When source code or regulated data was detected, alerts were routed to the security team via lightweight playbooks directly into existing SIEM workflows. Meanwhile, the platform’s “audit mode” allowed the firm to see broader trends in AI usage, helping the CISO evaluate policies based on real data before enforcing changes.

Privacy concerns were addressed through CultureAI’s privacy-safe approach, which ensured that employee actions were monitored without invasive logging and that no sensitive documents were used to train any models.

Over the first three months, the firm saw measurable risk reduction and increased employee awareness:

Importantly, the firm did not need to default to a full ban on public GenAI use. Instead, the security team could justify its position with real data, and interventions were tailored to specific behaviours rather than applied indiscriminately.

“Our goal wasn’t to shut everything down,” said the CISO. “We wanted to enable AI safely, not stifle it. CultureAI gave us the confidence to do that.”

With the foundation in place, the firm is planning to expand its approach by:

This case demonstrates that even in highly regulated, risk-sensitive environments, organisations can embrace the future of work—so long as they pair visibility with real-time behavioural intervention. With CultureAI, the firm didn’t just reduce AI risk. It helped build a safer, smarter culture of innovation. 

Discover how a leading international law firm secured generative AI (GenAI) usage without sacrificing productivity. Facing growing concerns over shadow AI tools like ChatGPT, Bard, and Claude, the firm partnered with CultureAI to gain full visibility into GenAI activity, prevent data loss, and coach employees in real time. Within just three months, they blocked 98% of high-risk AI submissions—such as PII, source code, and confidential data—while avoiding a blanket ban.

Learn how CultureAI enabled proactive GenAI governance through browser-based controls, automated risk triage, privacy-first monitoring, and behaviour-based nudging. The firm identified 20+ shadow tools, delivered over 120 monthly in-the-moment interventions, and created a safer culture of AI innovation—proving that regulated industries can adopt GenAI responsibly without compromising compliance.

How an International Law Firm Prevented 98% of High-Risk GenAI Submissions Without Locking Down Innovation

How an International Law Firm Prevented 98% of High-Risk GenAI Submissions Without Locking Down Innovation

Recommended for you

The Back Room Problem: Why Most Organisations Lack AI Data Visibility

A January Snapshot: Real-World AI Usage

Pixels, Polygons, and Payloads:Malware delivery in 3D software pipelines