Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Thought leadership & research. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

Key Findings

Third-party services like error trackers and project tools can hijack AI workflows. Here's how law firms audit and lock down agent access.

AI Tools in Law Firms Are Leaking Work Through Integrations
Insight ai

AI Tools in Law Firms Are Leaking Work Through Integrations

Sam McKay

The attack that hijacked Claude Code didn’t come through the AI itself. It came through Sentry, the error-tracking service. Datadog, PagerDuty, and Jira have the same exposure. If your firm is using AI coding assistants, document review tools, or intake automation, you’ve probably connected them to third-party services without thinking twice. Error logs, project boards, notification channels. Each one is a door.

For law firms, this isn’t academic. You’re running AI agents that touch client intake forms, matter files, and discovery documents. If an attacker compromises one of the dozen services you’ve plugged into your workflow, they can read everything the AI sees, inject instructions, and hijack the output. The breach won’t show up in your AI vendor’s logs. It’ll come through a support ticket system or a Slack integration you authorized six months ago.

This article walks through the exposure, what it looks like in a law firm context, and how to audit your AI workflows before someone else does it for you.

The Integration Problem Nobody Talks About

Most firms that adopt AI tools focus on the AI vendor’s security posture. You ask about SOC 2, encryption at rest, and access controls. That’s correct, but it’s not complete. The moment you connect your AI tool to a third-party service, you’ve extended the attack surface.

Here’s what that looks like in practice. Your intake agent processes form submissions and writes a summary into your case management system. To monitor errors, you’ve connected it to Sentry. To track performance, you’ve added Datadog. To send alerts when something breaks, you’ve hooked up PagerDuty. Each service gets API access to read logs, view prompts, and see outputs. If an attacker compromises any one of those services, they can read every intake form your AI has processed, inject a malicious prompt, and alter the summary before it hits your CMS.

The VentureBeat report on the Claude Code attack showed exactly this pattern. The attacker didn’t need to breach Anthropic. They compromised Sentry, which had legitimate access to the AI’s context. From there, they could see the code being written and manipulate the instructions. For a law firm, the equivalent would be an attacker reading client names, matter details, and conflict-check results as they flow through your intake pipeline.

Most firms don’t have a list of which third-party services can see AI workflows. You authorized them one at a time, usually by a developer or admin who needed to debug something. Six months later, nobody remembers what has access. That’s the gap.

Where Law Firms Are Exposed Right Now

If you’re running AI agents for intake, document review, or matter triage, you’re probably exposed in at least three places.

First, error tracking and monitoring. Sentry, Datadog, LogRocket, and similar services capture everything the AI processes when something goes wrong. That includes the full prompt, the client’s input, and the agent’s draft response. If your intake agent crashes while processing a form submission, the error log contains the client’s name, contact details, case description, and any conflict flags. An attacker with access to your monitoring dashboard can harvest that data in bulk.

Second, project management and ticketing. Jira, Asana, Monday, and Linear often receive notifications when an AI agent completes a task or flags something for human review. Your matter triage agent might create a Jira ticket with a summary of the incoming case and a recommended partner assignment. If someone compromises your Jira instance, they can read every case summary your AI has written. They can also edit the ticket to change the assignment or alter the summary before your team sees it.

Third, communication channels. Slack, Microsoft Teams, and email integrations receive alerts and summaries from AI workflows. Your document review agent might post a summary of flagged clauses to a Slack channel. If an attacker gains access to your Slack workspace, they can read those summaries and see which contracts your firm is reviewing. They can also inject a fake message that looks like it came from the AI, directing your team to take an action based on fabricated findings.

The common thread is that these services have legitimate access to sensitive data. You gave them that access because you needed visibility into your AI workflows. The problem is that you probably didn’t audit what they can see, how long they retain it, or who inside those companies can access your logs.

What an Audit Looks Like in Practice

The first step is to map every third-party service that touches your AI workflows. Start with the obvious ones: monitoring, logging, project management, and communication tools. Then look for the less obvious connections. Does your intake agent send data to a CRM? Does your document review tool export summaries to a cloud storage service? Does your matter triage agent trigger webhooks that hit other systems?

For each service, document three things. First, what data does it see? Pull up the API permissions and read the scope. If it says “read all messages” or “access logs”, assume it can see everything the AI processes. Second, how long does it retain that data? Most monitoring services keep logs for 30 to 90 days by default, but some retain them indefinitely unless you configure retention limits. Third, who can access it? Check the user list for each service and confirm that only current employees with a legitimate need have access. Remove anyone who left the firm or moved to a role that doesn’t require visibility.

Once you have the map, start reducing access. For monitoring services, configure them to redact sensitive fields before logging. Most tools support regex-based redaction rules that can strip out names, email addresses, and case details. For project management tools, create a dedicated workspace or board for AI-generated tasks and lock down permissions so only the relevant team members can view it. For communication channels, move AI notifications to private channels and enable audit logging so you can see who accessed what.

The goal isn’t to eliminate all third-party integrations. It’s to make sure each one has the minimum access it needs and that you can detect if someone abuses it. If your error tracker doesn’t need to see the full client intake form to diagnose a bug, configure it to see only the error message and stack trace. If your project management tool doesn’t need to store case summaries forever, set a 30-day retention policy.

This is the work we walk through in the AI audit for law firms. We pull the integration list, map the data flows, and identify where you’re exposed. Then we build a lockdown plan that keeps your AI workflows running without leaking client data to a dozen third-party dashboards. It takes 60 minutes and you walk out with a specific list of changes to make.

How AI Agents Change the Risk Profile

When you run AI agents that handle client intake, matter triage, or document review, the volume of sensitive data flowing through third-party services increases by an order of magnitude. A human paralegal might process 10 intake forms a day. An intake voice agent processes 50 calls and 30 form submissions. Each one generates logs, error reports, and task notifications. If your monitoring service retains logs for 90 days, you’ve now got 7,200 client interactions sitting in a third-party dashboard.

The agents we build for law firms touch three high-risk workflows. The intake voice agent answers every call, runs a conflict check, and books a consultation. If it’s connected to an error tracker, that tracker can see the caller’s name, the nature of their case, and whether your firm has a conflict. The matter triage agent reads incoming emails and form submissions, classifies the practice area, and routes the matter to the right partner. If it posts summaries to Slack, anyone with access to that channel can see which cases are coming in and how they’re being prioritized. The document review agent performs first-pass review on contracts and discovery documents, flags clauses, and produces a memo. If it logs errors to Datadog, that log contains excerpts from the contract and the AI’s analysis.

Each of these agents creates value by processing high volumes of work that would otherwise require associate time. The intake agent eliminates the 30 to 40 percent of after-hours inquiries that never convert because nobody answered. The matter triage agent cuts the delay between form submission and partner assignment from hours to minutes. The document review agent turns a three-day associate task into a 20-minute review of the AI’s memo. But each agent also creates a new attack surface if you don’t lock down the integrations.

The firms that adopt AI agents without auditing their third-party access end up in a position where a breach of a monitoring service or a project management tool exposes thousands of client interactions. The firms that audit first reduce that exposure to near zero by redacting sensitive fields, locking down permissions, and setting retention limits.

If you want a practical starting point, we’ve put together an AI Client Intake Checklist for Law Firms that walks through the specific fields to redact, the permissions to review, and the retention policies to set when you’re running an intake agent. It’s a worksheet you can hand to your IT lead or your AI vendor and work through line by line.

The Dollar Reality of a Breach

The cost of a breach isn’t just the regulatory fine or the client notification expense. It’s the reputational damage and the loss of trust. If a client learns that their intake form was exposed because your error tracker was compromised, they’ll question whether your firm can protect their interests in a matter. If a prospective client sees a news story about your firm leaking case details through a Slack integration, they’ll go to a competitor.

For a firm doing $5 million in annual revenue, a breach that exposes 1,000 client intake records could trigger a $50,000 to $150,000 regulatory response, depending on jurisdiction and the nature of the data. That’s the direct cost. The indirect cost is the loss of referrals, the time spent rebuilding trust, and the distraction from billable work. Partners and associates will spend weeks managing the fallout instead of working on matters.

The firms we work with typically leak $80,000 to $250,000 per year in unbilled time, intake delays, and inefficient document review. Adopting AI agents recovers most of that leakage. But if you adopt agents without auditing your third-party integrations, you trade operational leakage for security risk. The math doesn’t work.

The correct sequence is to audit your current integrations, lock down access, and then deploy agents into a controlled environment. That way you capture the efficiency gain without creating a new exposure. The firms that do it in reverse end up spending the money they saved on incident response.

What the Omni Audit Covers

When we run an Omni Audit for a law firm, we start by mapping your current intake, triage, and document review workflows. We identify where time leaks, where clients drop off, and where associates are doing work that an agent could handle. Then we map every third-party service that would touch those workflows if we deployed agents. We pull the API permissions, check the retention policies, and flag anything that’s over-scoped.

The output is three things. First, a workflow map that shows where agents fit and what data they’ll process. Second, a risk assessment that lists every third-party integration, what it can see, and what changes are needed to lock it down. Third, a deployment plan that sequences the agent rollout so you’re never exposed. We don’t hand you a deck. We hand you a task list and a timeline.

The audit takes 60 minutes. You bring your intake process, your case management system, and a list of the tools you’re currently using. We walk through the workflow, identify the integrations, and build the lockdown plan in real time. By the end of the call, you know exactly what needs to change before you deploy an agent.

Most firms that go through the audit find three to five integrations that are over-scoped. Error trackers that retain logs for a year. Project management tools that give every employee access to AI-generated tasks. Slack channels where case summaries are posted to a public workspace. Each one is fixable, but only if you know it’s there.

You can book a 60-min Omni Audit and we’ll walk through your specific setup. We’ll map the integrations, flag the risks, and give you a plan to lock it down before you deploy any agents. No deck, no follow-up meeting, just the task list and the timeline.

The Lockdown Sequence

Once you’ve identified the over-scoped integrations, the lockdown sequence is straightforward. Start with the monitoring services. Configure redaction rules to strip out client names, email addresses, case descriptions, and any other fields that aren’t needed to diagnose errors. Most services support regex-based redaction, so you can write a rule once and apply it to all logs. Test the redaction by triggering a sample error and confirming that the sensitive fields are masked in the log.

Next, lock down your project management and ticketing tools. Create a dedicated workspace or board for AI-generated tasks and restrict access to only the team members who need to see them. Enable audit logging so you can track who viewed or edited each task. Set a retention policy so tasks are archived or deleted after 30 days unless they’re explicitly marked for long-term storage.

Then, move AI notifications to private communication channels. If your agents post summaries to Slack, create a private channel for each practice area and invite only the relevant partners and associates. Disable link previews and file sharing in those channels to prevent accidental leaks. Enable two-factor authentication for everyone with access.

Finally, audit your API keys and service accounts. Most third-party integrations use an API key or a service account to authenticate. If that key is compromised, the attacker has the same access as your integration. Rotate your API keys every 90 days and store them in a secrets manager, not in a config file or an environment variable. Use the principle of least privilege: if a service only needs read access, don’t give it write access.

The entire lockdown sequence takes one to two weeks, depending on how many integrations you have and how much custom configuration is required. It’s not glamorous work, but it’s the difference between deploying agents safely and creating a breach waiting to happen.

Why This Matters More Than You Think

The firms that get breached aren’t the ones that ignored security. They’re the ones that focused on the wrong layer. They audited their AI vendor, locked down their case management system, and trained their staff on phishing. But they didn’t audit the dozen third-party services that their AI workflows depend on. When the breach happened, it came through a monitoring service that nobody thought to review.

The VentureBeat report on the Claude Code attack is a wake-up call. The attack vector wasn’t the AI. It was the integration. If you’re running AI agents in your firm, you need to assume that your integrations are the weak point and audit them accordingly. The firms that do this before a breach avoid the cost and the distraction. The firms that wait end up spending six months rebuilding trust and explaining to clients why their intake form was exposed.

We built Omni for law firms to solve this problem. We deploy agents that handle intake, triage, and document review, and we lock down the integrations before the agents go live. We don’t assume your monitoring service is secure. We configure it to redact sensitive fields. We don’t assume your project management tool is locked down. We create a private workspace and restrict access. We don’t assume your Slack channels are safe. We move AI notifications to private channels and enable audit logging.

The result is that you capture the efficiency gain without creating a new exposure. Your intake agent answers every call and books consultations without leaking client details to a third-party dashboard. Your matter triage agent routes cases to the right partner without exposing case summaries to your entire Slack workspace. Your document review agent produces associate-grade memos without logging contract excerpts to a monitoring service that retains them for a year.

If you’re ready to audit your AI workflows and lock down the integrations, book my Omni Audit and we’ll walk through your setup in 60 minutes. You’ll leave with a workflow map, a risk assessment, and a deployment plan. No deck, no follow-up, just the task list you need to deploy agents safely.

For more on how AI agents are changing law firm operations, visit our insights library or explore the full Omni platform. If you’re looking for a deeper dive into AI strategy for professional services, check out our guides and learning resources.