One in three adults deployed artificial intelligence tools at work last month, according to a Department for Science, Innovation and Technology survey. Yet 84% of workers have received no AI-related training in the past year.
The gap is creating what employment lawyers describe as a legal timebomb for British businesses.
“Shadow AI” is spreading. That’s the term for employees using artificial intelligence tools without employer approval or oversight—and it’s already causing intellectual property leaks, confidentiality breaches and contract violations, according to Clarke Willmott, a national law firm tracking the trend.
Declan Goodwin, a commercial partner at the firm who specialises in data protection and intellectual property, has watched the problem intensify over recent months. “There’s no doubt that adopting AI can have significant benefits, however the use of ‘shadow AI’ without formal internal oversight or approval, is already widespread and steadily increasing,” he explained.
The consequences aren’t theoretical.
“When combined with inadequate training, which is common when new technologies are first being adopted in the workplace, there is real potential for data breaches to occur within businesses if personal data is shared,” Goodwin noted. “Breaches of confidentiality obligations could also occur if protected information is shared with AI models. Where this includes details of potentially patentable IP, such disclosure could harm the ability to patent such IP.”
Professional services firms have proved particularly vulnerable. High-profile incidents have emerged where advisers relied on AI-generated outputs that appeared accurate but contained fabricated information—so-called “hallucinations” in industry parlance. The errors only surfaced after advice had been given to clients.
“The unauthorised sharing of content is a recipe for the leakage of IP and confidential information,” Goodwin added. “This can not only cause internal issues, but external issues and contractual breaches.”
What complicates matters further: not all AI behaves the same way.
Most businesses are still grappling with generative AI—the type that produces content by learning from existing data patterns. But agentic AI introduces different risks entirely. “Even if businesses are getting to grips with generative AI, which creates original content by learning patterns from existing data, agentic AI is different because it involves going beyond content generation to actively setting goals, planning and executing multi-step tasks with minimal human oversight,” Goodwin said.
That autonomy creates fresh legal exposure. Agentic systems don’t just respond to prompts—they make decisions, sequence actions, pursue objectives. When an employee deploys such tools without understanding the implications, the potential for contractual breaches multiplies.
“The growing use of agentic AI is posing new problems and requires further governance and monitoring,” Goodwin observed. “Contracts between suppliers and customers will need to clearly define how and when generative AI and agentic AI can be used for the performance of a contract.”
His advice to employers: update policies now. “Employees will need clear guidance, policies and training to help them understand how they are permitted to use agentic AI, reflecting legal, contractual and sector-based requirements.”
Frederick Lambert, a solicitor in Clarke Willmott’s employment team, sees parallel risks in people management decisions. Line managers are experimenting with AI for hiring, promotions and performance reviews—often without proper oversight.
“The Department for Science, Innovation and Technology recently published the results of a survey confirming that one in three adults have used AI in their workplace in the last month, yet, the same report found that 84% of people in work have not undertaken any AI-related training in the past 12 months,” Lambert said. “Therein lies a growing legal risk that employers must be alive to as this technology develops.”
The inaccuracy problem extends beyond content creation. “One of the greatest risks associated with the use of AI are its inaccuracies and ‘hallucinations’,” Lambert explained. “Increasingly, particularly in the professional services industry, employees are relying on AI generated outputs that appear to be accurate but are anything but. This has resulted in a growing number of highly publicised incidents where professional advisers have been caught out by taking AI outputs at face value, without independent human oversight. Of course, uncontrolled dissemination by employees of confidential or sensitive information on unsecure AI models carries its own legal risks.”
When AI tools inform decisions about dismissals or promotions, the stakes climb higher. “For people managers, AI cannot currently make the nuanced decisions that a human line manager can,” Lambert noted. “Overreliance on AI when making people management decisions, such as hiring, promotion, or dismissal, can give rise to potential legal issues. When AI tools are relied on, there is a risk of unfair or rigid decision-making, and associated claims such as unfair dismissal or discrimination.”
His prescription mirrors Goodwin’s: governance before catastrophe. “For this reason, employers should be proactive in managing use of AI in the workplace. Employers should be looking to update their relevant workplace policies, ensure their employees have access to training and resources to use AI effectively and be conducting updated risk assessments and data protection impact assessments, where appropriate.”
The regulatory response is gathering pace. Westminster is pushing through the Cyber Security and Resilience (Network and Information Systems) Bill—the most significant overhaul of Britain’s cybersecurity framework since the Network and Information Systems Regulations arrived in 2018. The legislation, currently moving through Parliament, would grant government new powers to respond to emerging cyber threats, including those created by artificial intelligence deployment.
Whether that’s enough to close the training gap remains uncertain. For now, the contradiction persists: millions of workers using tools they don’t understand, inside organisations unprepared for the consequences.
Clarke Willmott operates from offices in Birmingham, Bristol, Cardiff, London, Manchester, Southampton and Taunton. The firm’s technology and employment practices have been fielding increased queries about AI governance over the past six months—a trend Lambert and Goodwin expect will accelerate through 2025.
