
Framework / Risk Taxonomy 2026

Nine classes. One vocabulary.

The Risk Taxonomy 2026 names the nine classes of risk that legal AI introduces or amplifies. Each class has a distinct mechanism, distinct evidence, distinct mitigation and distinct accountability; together they form the inventory side of the Defensibility framework.

Authored by

Nishant Bhaskar, Founder and Editor-in-Chief, Advanta Legal Tech

Version 2026.1 · Binding canon

Executive Summary

Risk Taxonomy 2026 names the nine classes of risk that legal AI introduces or amplifies. It is the inventory companion to the Defensibility framework: where Defensibility describes the response capability a legal function must demonstrate, the Taxonomy describes what must be responded to. Generic enterprise risk frames — cybersecurity, vendor, operational — are necessary but insufficient for legal AI. Hallucination, data leakage, model drift, vendor lock-in, regulatory non-compliance, professional conduct exposure, client confidentiality breach, shadow AI proliferation, and accountability dilution each have distinct mechanisms, distinct evidence requirements, and distinct mitigation patterns. The Taxonomy is binding canon (v2026.1). Risk Registers should map each entry to one of the nine classes. Vendor evaluations should score against them. Incident reviews should classify root cause using the same vocabulary. Consistency of language across these three artefacts is what makes AI governance discussable at board level. The Taxonomy and Defensibility together constitute the minimum institutional posture for AI at scale in a legal function.

Why a Taxonomy

Generic enterprise risk categories cannot drive action.

Legal functions adopting AI inherit an existing risk vocabulary built for other domains — cybersecurity, vendor, operational, reputational. AI use cases get registered against these existing categories, and the function moves on.

The problem is that the existing categories do not capture the shape of legal AI risk with enough specificity to drive action. A hallucinated case citation is technically an "operational risk" or an "AI accuracy issue" depending on framing, but no generic framing identifies the actual mechanism, surfaces the evidence required to defend against it, or names the control that reduces it.

The Taxonomy names the nine classes that constitute legal AI risk with enough specificity to make response operationalisable. Each class has a distinct mechanism, distinct evidence base, distinct mitigation pattern, and distinct accountable owner. None collapses into another. None is captured by a generic enterprise category at the resolution legal governance requires.

The Nine Classes

What legal AI risk actually is.

Each class satisfies four criteria: distinct mechanism, distinct evidence, distinct mitigation, distinct accountability. A candidate that collapses to the same answers as an existing class is a variant, not a new class.

Class 01

Hallucination

Mechanism

The AI system generates content that is plausible, coherent, and authoritative-sounding but factually wrong — a citation to a case that does not exist, a regulation that does not say what the AI claims it says, a synthesised summary that diverges materially from the doctrine itself.

Legal-context manifestation

A research memo cites three cases; one is fabricated. A drafting tool inserts a clause referring to a defined term the underlying contract does not define. A regulatory summary describes an obligation consistent with the Act's spirit but absent from its text.

Defensibility element

Decision traceability. The function must reconstruct, for any AI-assisted output of consequence, what the input was, what the model returned, and which reviewer validated each claim against primary sources.

Class 02

Data leakage

Mechanism

Information that should have remained inside the function reaches a model provider or another vendor customer through the AI system's data pathways. Leakage can be deliberate by design (terms that permit training on prompts), inadvertent (a user pasting content into the wrong tool), or operational (vendor staff handling prompt logs).

Legal-context manifestation

A partner pastes a draft brief into a tool whose terms permit training-on-prompts. A paralegal uploads a deposition transcript to a vendor with unclear data residency. Vendor support staff access prompt logs without per-incident customer authorisation.

Defensibility element

Data handling. Contemporaneous proof per AI system that customer data is isolated from model training by default, residency is documented, retention is bounded, and vendor employee access to prompt content is controlled.

Class 03

Model drift

Mechanism

The vendor's underlying model changes behaviour between versions without proportionate notice. A tool that produced one set of outputs in January produces materially different outputs in March on identical inputs.

Legal-context manifestation

A contract-review tool flags a clause as high-risk in one matter and identical language as low-risk in a later matter. A research tool returns different summaries for identical queries two months apart.

Defensibility element

Lifecycle and methodology transparency. Vendors must publish change logs, model upgrade notices with customer-impact assessment, and deprecation policies. The function must version its methodology against the model in use.

Class 04

Vendor lock-in

Mechanism

Workflows, data, and methodology become so embedded in one vendor's tooling that exit cost is disproportionate to value extracted. Lock-in can be technical, workflow, commercial, or regulatory.

Legal-context manifestation

Five years of contract-review history sits in proprietary format with no portable export. The function's AI literacy programme is vendor-specific. DPAs reference vendor-specific certifications that require re-papering on exit.

Defensibility element

Methodology transparency and lifecycle. The function must articulate methodology in terms of capabilities required, not vendors deployed. Contracts must include portability, exit-assistance, and continuity terms.

Class 05

Regulatory non-compliance

Mechanism

The deployment of an AI system, or the function's governance around it, violates a current regulatory obligation or fails to anticipate a near-term emerging one. Sources of obligation include the EU AI Act, UK ICO guidance, sectoral regulators, and court rules on AI disclosure.

Legal-context manifestation

A contract analytics tool processes employment contracts meeting EU AI Act high-risk criteria, but the conformity assessment is incomplete. AI in court filings is not disclosed where local rules now require disclosure.

Defensibility element

Governance posture and methodology transparency. The function must maintain a current mapping of AI use cases to applicable regulations, plus an audit trail showing each obligation has been assessed.

Class 06

Professional conduct exposure

Mechanism

AI use creates exposure under the professional conduct rules that govern lawyers individually: competence, candour, confidentiality, supervision, misrepresentation. This is distinct from regulatory exposure borne by the function as a whole.

Legal-context manifestation

A solicitor signs a written opinion containing AI-generated analysis without verifying the methodology. A litigator submits a brief with AI-generated argument structure without disclosing where rules require disclosure.

Defensibility element

Decision traceability and continuous learning. The function must maintain attribution standards for AI-assisted work, jurisdiction-specific disclosure protocols, and supervision frameworks updated for AI-mediated tasks.

Class 07

Client confidentiality breach

Mechanism

Information protected by attorney-client privilege or matter confidentiality reaches a third party through an AI system. Adjacent to data leakage but distinct: this class covers privileged content with downstream legal consequences for the function and its clients.

Legal-context manifestation

Privileged communications enter prompts to a vendor whose terms permit training use, potentially waiving privilege. AI vendor processing crosses jurisdictions in breach of a matter's protective order. A partner uses a tool that an outside-counsel guideline prohibits.

Defensibility element

Data handling and governance posture. The function needs matter-level and client-level AI policy mapping, vendor approval workflows that take client-specific consent into account, and intake processes that surface AI restrictions before tooling is deployed.

Class 08

Shadow AI proliferation

Mechanism

Individuals inside the function use AI tools that the function has not approved, that the governance framework does not know about, and that the Evidence Register cannot account for. Shadow AI is the structural condition that lets every other class arise without governance visibility.

Legal-context manifestation

A senior associate uses a consumer AI assistant on a personal account to summarise a deposition. A team adopts a free research tool informally because procurement is slow. Partners share AI-generated content in informal channels without methodology transparency.

Defensibility element

Governance posture. An actively curated approved-vendor list, a fast-path approval process, AI literacy programmes that name the approved list explicitly, and a non-punitive disclosure mechanism to surface existing shadow use.

Class 09

Accountability dilution

Mechanism

When AI is in the decision loop, the question of who decided becomes structurally blurry. The lawyer signed. The AI suggested. The function approved. The board approved. The blurriness itself, independent of any specific failure, is the risk.

Legal-context manifestation

A regulator inquires about an AI-influenced decision; the investigation produces multiple accountability candidates but no single party fully accountable. A board asks who is accountable for AI overall; the answer is matrixed; the board concludes no one is.

Defensibility element

Governance posture and continuous learning. A named individual accountable for AI overall, with documented mandate to enforce the framework. The accountability must be articulable without preparation.

How it is used

Three artefacts. One vocabulary.

Consistency of vocabulary across the three artefacts described below is what makes AI governance discussable at board level. A board that hears "AI risk" abstractly cannot govern it; a board that hears the nine classes named with their specific manifestations can.

Risk Register

Every AI-related entry maps to one of the nine classes. Entries that do not map cleanly are reclassified. The function does not create off-Taxonomy entries — if the candidate risk does not fit, either the Taxonomy needs expansion (proposed at quarterly review) or the candidate is a description rather than a class.

Evidence Register

Per AI system in use, the function records the evidence it holds against each of the nine classes. Hallucination evidence is the per-system evaluation history. Data leakage evidence is the DPA and residency confirmation. Vendor lock-in evidence is the export and exit-assistance terms.

Vendor Index scoring

The Advanta Vendor Index scores vendors against six dimensions that align to the Taxonomy. A vendor that scores poorly on Evaluation introduces hallucination risk; one that scores poorly on Data Handling introduces data leakage and confidentiality risk; one that scores poorly on Lifecycle introduces drift and lock-in risk.

Versioning and Revision

Quarterly review. Annual major revision.

The Taxonomy is versioned. This release is 2026.1. The version label travels with the Risk Register and Evidence Register entries that reference it, so a function reviewing its records in 2027 can identify which version of the Taxonomy each entry was filed against.

At quarterly review, the Editorial Council examines the Taxonomy against the prior quarter's incident reports, regulatory developments, and vendor ecosystem shifts. New classes may be proposed for addition if they meet the four-criteria test. A major revision (2027.1) may be issued if the structure needs realignment — triggering remapping of all Risk Register entries. Removal of a class requires founder and unanimous Editorial Council approval; the bar is high because historical incidents classified against a removed class become harder to compare against future ones.

Editorial status

The canonical Risk Taxonomy essay is in authorship.

The nine classes above are anchored to canon v2026.1 and are structurally complete. The long-form essay extends each class with full warning-sign lists and worked incident examples; it ships incrementally over the coming weeks.


From inventory to operation

Map your Risk Register to the Taxonomy.

Two paths. Run the diagnostic to surface which of the nine classes are unaddressed in your current posture. Or request the Executive Diagnostic to attest evidence against each class formally.