Risk Management for Claude in Legal Work: Containing Blast Radius

A hallucinated case citation in a brief is the failure everyone talks about, because it is embarrassing and occasionally lands a lawyer in front of a disciplinary board. But if you are responsible for deploying Claude across a legal practice, the citation problem is almost the least of your worries. It is loud, visible, and easy to catch with a verification step. The failures that should keep you up at night are the quiet ones: a privileged document silently included in a production set, a confidentiality wall breached by a misconfigured tool, a settlement number leaked across a Chinese wall. These do not announce themselves. They surface months later, in a sanctions motion or a malpractice claim.

Risk management in a legal AI deployment is the discipline of mapping these failure modes before they happen, estimating how far the damage spreads when they do, and building containment so that a single mistake stays small. This is not a compliance checkbox. It is the engineering work that decides whether your deployment is an asset or a latent liability.

The failure taxonomy: what actually goes wrong

Legal AI failures fall into four broad categories, and each demands a different defense. The first is fabrication — invented cases, misquoted statutes, citations to authority that does not exist. This is the famous one. It is also the most contained, because a deterministic check against a legal research database catches it every time, and the blast radius is limited to a single document that has not yet been filed.

The second is misclassification — Claude marks a privileged email as non-privileged, or treats a draft as final. The blast radius here is far larger, because a misclassified document can leave your custody and cannot be recalled. Privilege, once waived, may be waived for an entire subject matter. A single error can compromise a category of communications.

The third is boundary violation — the system accesses or combines data it should never touch, crossing an ethical wall between matters or clients. The fourth is silent drift — the deployment slowly degrades as a Skill is edited, a model is updated, or input documents shift in format, and nobody notices until accuracy has quietly collapsed. Each category needs its own detection and containment strategy; treating them as one undifferentiated "AI risk" guarantees you defend the loud failures and miss the expensive ones.

Mapping blast radius and containing it

The core risk-engineering move is to ask, for every workflow: when this goes wrong, how far does the damage travel before something stops it? A draft that a lawyer must review before filing has a blast radius of one document and one reviewer. A tool that writes directly to a document production system has a blast radius of an entire matter. You contain risk by inserting boundaries that shrink that radius.

flowchart TD
  A["Claude produces legal output"] --> B{"Citations & quotes verified?"}
  B -->|Fail| R["Block & route to human"]
  B -->|Pass| C{"Privilege & matter-wall check"}
  C -->|Violation| R
  C -->|Clear| D{"High-stakes action?"}
  D -->|Yes| E["Mandatory lawyer sign-off"]
  D -->|No| F["Auto-proceed with audit log"]
  E --> F
  R --> G["Incident log & eval update"]

The diagram shows the containment principle in practice: every output passes through deterministic gates before it can cause harm. The verification gate catches fabrication. The privilege and matter-wall gate catches misclassification and boundary violations. The high-stakes gate forces human sign-off on anything irreversible. Critically, these gates are code, not prompts. You do not ask Claude to check its own privilege determination and trust the answer; you run a separate, deterministic check — ideally a second model pass plus a rules engine plus a human for anything that leaves your custody.

The principle worth internalizing: never let a single Claude decision directly trigger an irreversible action. Drafting is reversible and gets light review. Filing, producing, or sending is irreversible and gets a hard human gate. The blast radius of any model error should be bounded by something deterministic that the model cannot talk its way past.

Defending against the quiet failures

Silent drift is the failure that beats most teams, because there is no dramatic moment to react to. The defense is a standing eval suite built from real past matters with known-correct outputs. Every time anyone changes a Skill, updates a model version, or modifies a tool, the suite runs and reports whether quality moved. Without this, your deployment degrades invisibly, and you discover the problem from a judge rather than a dashboard.

Boundary violations require defense at the infrastructure layer, not the prompt layer. If two matters must be walled off, the MCP servers and data connectors Claude can reach must be scoped per matter, so that an instance working on one case is technically incapable of querying the other's documents. Prompting Claude to "not look at the other matter" is not a control; removing its ability to reach that data is. Treat ethical walls as access-control problems with the same rigor you would apply to a financial system.

Finally, every action a Claude agent takes in a legal workflow should be logged immutably — input context, model version, tool calls, output, and the human who approved it. When something goes wrong, you will need to reconstruct exactly what happened, both to contain the immediate damage and to defend the firm's conduct. An unlogged AI deployment in a regulated practice is itself a risk.

Building the incident response muscle

Assume failures will happen and rehearse the response. Define, in advance, what you do when a fabricated citation reaches a filed document, when a privileged document is produced, and when drift is detected in production. Who is notified? How fast can you halt the affected workflow? Can you identify every other output the same flawed Skill version produced?

The firms that handle AI incidents well are the ones who treated them as inevitable and built the muscle before they were needed. The ones who handle them badly are the ones who believed their verification was perfect and had no plan for the day it wasn't. Risk management is not the promise that nothing will go wrong; it is the engineering that keeps the inevitable wrong thing small, visible, and recoverable.

Frequently asked questions

What is blast radius in the context of legal AI?

Blast radius is the extent of harm a single AI failure can cause before something stops it. A reviewed draft has a small radius — one document, one reviewer. A model that writes directly to a court filing or production system has a large radius. Risk management is largely the practice of inserting boundaries that shrink the blast radius of every workflow.

How do you stop Claude from leaking privileged documents?

You enforce it at the infrastructure layer, not the prompt. Scope each matter's MCP servers and data connectors so an agent is technically unable to reach data outside its assigned matter, run a deterministic privilege check before any production, and require human sign-off on anything that leaves your custody. Asking the model to behave is not a control.

Why are deterministic gates better than asking Claude to self-check?

A model that made an error may make the same error when asked to verify it, and it can be persuaded by its own confident reasoning. Deterministic gates — database lookups, rules engines, and human review — fail independently of the model, so they catch mistakes the model cannot catch in itself. Use the model for judgment and code for guarantees.

What is silent drift and how do you detect it?

Silent drift is the gradual degradation of an AI deployment as Skills, models, or input formats change without anyone noticing accuracy fall. You detect it with a standing eval suite built from past matters with known-correct outputs, run automatically on every change, so quality regressions surface on a dashboard rather than in a courtroom.

Bringing agentic AI to your phone lines

CallSphere applies these same containment and risk patterns to voice and chat — agents that handle every call and message with verification gates, audit logs, and human escalation for high-stakes moments. See the approach in action at callsphere.ai.

Source & attribution: This is an independent, original explainer inspired by Anthropic's coverage on the Claude blog. Claude, Claude Code, Claude Cowork, Claude Opus, and the Model Context Protocol are products and trademarks of Anthropic. CallSphere is not affiliated with or endorsed by Anthropic.