The Legal AI 'Scope Creep' Problem: Why Tools Procured for Contract Review Are Now Being Used for Employment Decisions Nobody Approved
The contract review platform your firm procured in 2024 almost certainly had a clean compliance narrative. Narrow use case, low risk classification, straightforward data handling. Your legal ops team ran the vendor assessment, procurement signed off, IT provisioned the access, and everybody moved on. What nobody planned for was the associate in the Warsaw office who figured out the tool's natural language interface could screen lateral candidate writing samples just as easily as it could redline an NDA. Or the paralegal manager in Chicago who started feeding performance feedback summaries through the document automation platform to generate quarterly review drafts. Nobody approved those use cases. Nobody reassessed the risk profile. And yet here you are, potentially operating a high-risk AI system under the EU AI Act with zero of the required governance infrastructure in place.
This is not a hypothetical. It is happening across mid-size and large legal departments right now, and the liability exposure is landing squarely on the desk of the GC who signed the original procurement agreement.
How Scope Creep Actually Happens
Legal AI tools are procured for defined tasks but built for general language processing. That gap is where scope creep lives. A contract intelligence platform like Luminance or Ironclad, designed to extract obligations and flag risk clauses, is functionally capable of analyzing almost any document-dense workflow. When an associate discovers that capability, they don't file a governance request. They use it.
The sales cycle accelerates the problem. Vendor account executives, working on expansion quotas, routinely demonstrate adjacent use cases to power users without looping in compliance or legal ops. A tool sold into the contracts team gets demoed to HR as a candidate communication drafting solution at a cross-departmental lunch. The demo is convincing. Someone gets informal permission from a practice group leader. The use case spreads laterally through the organization without ever surfacing back to the people who vetted the original procurement.
By the time the GC finds out, the tool has six months of employment-adjacent usage history, a subset of employee data has been processed, and the vendor's standard agreement says nothing useful about this scenario.
Where the EU AI Act and State Statutes Actually Hit
This is where the governance failure becomes a legal exposure. Under the EU AI Act, which has been fully applicable since August 2026, employment-related AI applications are classified as high-risk systems under Annex III. Specifically, systems used for recruitment, selection, promotion, performance monitoring, or termination decisions fall under the high-risk category regardless of what the system was originally designed to do. The classification is functional, not descriptive. If your contract review tool is being used to screen lateral candidates, it is operating as a high-risk recruitment AI under the Act's logic, full stop.
High-risk classification triggers a defined set of obligations: fundamental rights impact assessments, human oversight requirements, data governance documentation, conformity assessments, and registration in the EU AI database. None of those requirements were satisfied when you procured a contract review tool. None of them have been satisfied since. The deployer — meaning your organization, not the vendor — carries primary compliance responsibility under Article 16. The vendor's CE marking for a contract analysis use case does not extend to your repurposed employment workflow.
At the state level, the exposure is equally specific. Colorado's AI Act, effective February 2026, imposes algorithmic accountability obligations on any employer using an automated decision system that makes or materially influences a consequential decision affecting employment. Illinois amended its Artificial Intelligence Video Interview Act to cover written AI assessments in 2025. New York City Local Law 144, the original algorithmic hiring audit statute, has spawned successor legislation in several jurisdictions requiring independent bias audits before any AI touches hiring workflows. If your team is using a document tool to pre-screen writing samples from lateral candidates in any of these jurisdictions, you may already be out of compliance and subject to enforcement action.
Where the Governance Failure Actually Lives
The honest answer is that it is distributed across multiple failure points, but the accountability concentrates at the top.
IT provisioning without use-case controls is the entry point. Most enterprise legal AI tools are provisioned with broad access rights because IT doesn't have the legal context to scope them narrowly. Access equals implied permission in most organizational cultures.
Legal ops owns the procurement contract but rarely builds post-deployment monitoring into the operating model. The risk assessment happens once, at procurement. There is no standing obligation to reassess when usage patterns shift.
Associates and paralegals are doing what skilled employees do: solving problems with the tools available to them. They are not the governance failure. They are the symptom.
Vendor sales teams are actively expanding use cases without triggering compliance review. This isn't malicious; it's structural. The account executive selling an HR workflow expansion to a power user has no incentive to route that conversation through your legal ops director. The GC should be asking vendors directly whether their expansion conversations include mandatory compliance re-evaluation requirements. They almost never do.
The GC and legal ops director hold the exposure because they signed the original agreement, they have fiduciary responsibility for the organization's legal risk, and courts and regulators will ask what oversight framework was in place. "We didn't know" is not a defense that has worked well in GDPR enforcement, and it will not work better here.
The Fix Requires Structural Change, Not Just Policy
Publishing an acceptable use policy for AI tools and calling it governance is the equivalent of posting a speed limit sign on a highway with no enforcement. What the AI Act and state statutes require is demonstrable operational control: documented use-case registries, regular audits of actual deployment patterns, contractual obligations on vendors to flag upsell conversations, and a designated AI governance function with real authority to halt expansions pending review.
The GCs who will avoid significant liability over the next eighteen months are not the ones with the most sophisticated procurement frameworks from 2024. They are the ones who are conducting honest deployment audits right now, asking their associates what they are actually using these tools for, and building governance infrastructure around reality rather than original intent.
The scope creep already happened. The question is whether you find it before the regulator does.