Skip To Content
Blog May 15, 2026

When Your AI Becomes Your Liability: Lessons for Law Firms

by M&Co. Staff

For law firms and other professional services organizations, reputation has always been built on trust, judgment, and credibility. Those qualities are not simply differentiators; they are the foundation under which the decision is made to pay for those services. Whether in law, consulting, accounting, or communications, clients engage advisers because they expect expertise applied with a professional duty of care. 

That is why public AI failures can create outsized reputational damage for these firms. 

In April 2026, it was reported that Sullivan & Cromwell LLP submitted a court filing containing fabricated legal citations generated through AI tools. This offers a timely reminder that the risks of AI adoption are not theoretical. They are material, can become rapidly public and increasingly consequential. 

The issue was not merely that errors occurred. Errors happen in every profession. The greater challenge was that the mistakes cut directly against the core promise of a top-tier advisory firm: rigorous standards, human judgment, and dependable oversight. 

AI is here to stay, but it also must be used responsibly. It’s a valuable technology tool, like any other. But when an AI-generated error becomes public, the technology itself is rarely the true story. The story is about governance. 

Why AI Errors Create Different Reputational Risk 

Most corporate mistakes can be explained as isolated lapses in judgment or operational failures. A misfiled motion or a typo in a closing memo reads as human, the kind of slip that, while embarrassing, fits within the industry’s understood margin for error.  

But an AI-fabricated citation reads as something else entirely: a document that looked authoritative on the page, passed through review, and reached a court without anyone catching that the cases did not exist. That is not a slip. It is a breakdown in the chain of verification that clients assume sits behind every page of work product. 

That is why AI-related mistakes often trigger a different reaction. They raise broader questions: 

  • Was the firm careless in deploying new technology?  
  • Were quality controls bypassed?  
  • Did speed take precedence over adherence to defined standards?  
  • How many other outputs may contain similar issues?  
  • Is leadership genuinely in control of the tools being used?  

For firms whose brands are built on discretion and competence, those questions can travel quickly among clients, regulators, media, and employees. 

That is especially true for law firms and professional services firms. The greater the reputation for competence, and the prestige that flows from it, the higher the expectations…and the steeper the fall when those expectations go unmet. 

What Sullivan & Cromwell Did Right in Its Response 

While the incident drew understandable scrutiny, the law firm’s response also offers useful lessons: 

  • First, the firm moved to correct the filing rather than defend the indefensible. In any credibility crisis, factual correction must come before reputation repair. 
  • Second, there was acknowledgement and apology. Attempting to minimize clear errors often extends the life of a story and invites harsher judgment. 
  • Third, direct outreach to the opposing side reportedly took place. That matters because crisis response is not only about public optics. It is also about repairing trust with the stakeholders most immediately affected. 

These are practical steps rooted in an old principle: accountability remains the most effective form of damage limitation. That and timely course correction to prevent repetition of the same errors. 

Building a Response Model Before the Incident 

As AI tools become embedded across professional services, firms need a clear issues management and crisis communications framework before an incident occurs. The firms that handle these moments well are not the ones with the most sophisticated technology stack. They are the ones whose governance, communications, and accountability structures were already in place and rehearsed long before the headline. 

  • Treat AI risk as a reputation issue, not only an opportunity to benefit from an emerging technology.
    Too many organizations house AI governance solely within IT or innovation teams. But AI failures rarely play out as technology stories. They play out as breaches of trust, with legal, regulatory, client, and employee dimensions all in motion at once. Governance needs to sit across legal, compliance, communications, risk, and leadership. 
     
  • Preserve the human chain of accountability.
    Clients do not hire algorithms. They hire firms with management structures, sign-off protocols, and named professionals who put their reputations behind the work. In high-stakes environments, that ownership should be visible in the file: who reviewed, who verified, who approved.
     
  • Respond with speed and substance.
    The first 24 to 48 hours tend to determine how the story is framed. Acknowledge known facts quickly and avoid jargon-heavy defenses about models or tools. That language often reads as evasion to non-technical readers. Resist the temptation to redirect blame toward a vendor. Clients hired the firm, not the software.
     
  • Show the fix, not just regret.
    Stakeholders are largely uninterested in apologies untethered from corrective action. They want to see what has changed and have the confidence that the oversight won’t happen again: enhanced review protocols, restricted use cases, mandatory citation verification, training requirements, and clear escalation paths. The more specific the fix, the more credible the regret.
     
  • Use incidents to reinforce, not just repair.
    Handled with discipline, a setback can demonstrate seriousness, humility, and the kind of institutional self-correction clients hope to see. The narrative shifts from “they made a mistake” to “they responded the way a firm of their caliber should.” 

The Real Differentiator 

In an era when nearly every professional services firm has access to the same generative tools, technological capability is no longer the edge. What separates firms is not whether they use AI, but how visibly and credibly they govern it. 

For senior leaders, this is the test of the moment. Not whether AI can be deployed, but whether it is being used in a way the firm would be proud to defend on the record. That’s in committees that meet when nothing is on fire, in sign-off protocols followed even under deadline, and in the firm-wide expectation that no output leaves the building without a human name attached. 

When AI becomes visible in the wrong way, the reputational cost is rarely measured in a single bad headline. It is measured in doubt about the institution. And for firms whose business model depends on trust, doubt is the real liability. 

Share