Shadow AI Detection & Amnesty for Melbourne In-House Counsel: Find the Tools Already in Use, Then Bring Them Into the Light

Your CEO asked you last week whether the legal team uses AI. You said “we have a policy”. The honest answer is you don’t know. A paralegal has been pasting contract clauses into a consumer chatbot for months. A junior lawyer uses a browser extension that summarises emails — including privileged correspondence. Two of your commercial team have personal accounts on a US-hosted drafting tool. None of this is in the AI register. None of them want to admit it because the policy says “don’t”. Shadow AI Detection & Amnesty is built to map what’s actually happening inside your function, then give people a structured, non-punitive way to declare it.

The problem

The Australian Solicitors’ Conduct Rules bind every solicitor in your in-house team to obligations around confidentiality (Rule 9), competence and diligence (Rule 4), and supervision of legal staff (Rule 37). When a team member feeds client or commercial information into an external AI tool without authorisation, those obligations don’t pause — they’re potentially breached, and the practitioner with carriage of the matter wears it. The harder problem for in-house counsel is structural: punitive “no AI” policies push usage underground rather than eliminating it. You end up with worse visibility than if you’d permitted nothing and assumed everything. By the time a tool surfaces — usually because something went wrong — the data has already left the building, and you have no audit trail of what was sent, when, or by whom.

What Shadow AI Detection & Amnesty does

Shadow AI Detection & Amnesty is a structured programme — not a surveillance product — that combines technical discovery with a time-bound amnesty window for self-declaration. The discovery side maps AI tool usage across the legal function using signals you already have: browser telemetry where corporate policy permits, SaaS expense records, SSO logs, network egress data, and a confidential staff survey. The amnesty side runs in parallel: a defined window during which any team member can declare a tool they’ve used, what data went into it, and on what matters, without disciplinary consequence. The output is a single register of actual AI exposure across your function, paired with a remediation plan for each tool — sanction, restrict, replace, or prohibit.

How it works

  1. Scoping interview with the General Counsel or Head of Legal Operations to identify the data perimeter, the in-scope team, and any HR or workplace-relations constraints on telemetry collection.
  2. Discovery phase (typically two to three weeks): passive signal collection across the agreed sources, plus an anonymous staff survey on tool usage and use cases. No content is read — only tool identities, frequencies, and data categories.
  3. Amnesty window (typically 14 to 21 days): a structured declaration form runs concurrently with discovery. Self-declared usage is reconciled against the technical signals to produce a single picture.
  4. Findings report: every tool identified, the data categories observed flowing to it, the ASCR rules potentially engaged, and a recommended posture (sanction with controls, restrict to defined use cases, replace with an approved alternative, or prohibit).
  5. Remediation handover: a register your team can maintain, plus draft amendments to your internal AI use policy that reflect what people actually need to do their work.
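As an added illustration, not the programme's own toolkit or any code from this page, the reconciliation in steps 2 and 3 might look like this: signals from SSO logs, expense records and egress data are reduced to tool identities and event counts (no content), then matched against amnesty declarations to flag tools with undeclared users or unknown data categories. Every user, tool, domain and declaration below is a constructed sample value.

```python
from collections import defaultdict

# Constructed sample signals (hypothetical users, tools and domains). Only tool
# identities and event counts are kept, matching the "no content is read" rule.
SSO_LOG = [("a.lee", "DraftAssist"), ("a.lee", "DraftAssist"),
           ("b.ng", "DraftAssist"), ("c.roy", "SummarisePro")]
EXPENSE_RECORDS = [("d.ito", "ChatBotCo Plus")]
EGRESS_HITS = [("a.lee", "api.chatbotco.example"), ("e.fox", "api.chatbotco.example")]
TOOL_MAP = {"ChatBotCo Plus": "ChatBotCo", "api.chatbotco.example": "ChatBotCo"}
SOURCES = (("sso", SSO_LOG), ("expense", EXPENSE_RECORDS), ("egress", EGRESS_HITS))

# Constructed amnesty declarations: (user, tool, data categories sent to it).
DECLARATIONS = [("a.lee", "DraftAssist", {"commercial terms"}),
                ("e.fox", "ChatBotCo", {"privileged advice"}),
                ("f.wu", "PersonalNoteAI", {"client contact details"})]

def collect_signals(sources=SOURCES):
    """Fold each source into tool -> {sources, users, events}; vendor names and domains map to one tool."""
    observed = defaultdict(lambda: {"sources": set(), "users": set(), "events": 0})
    for name, rows in sources:
        for user, raw in rows:
            rec = observed[TOOL_MAP.get(raw, raw)]
            rec["sources"].add(name)
            rec["users"].add(user)
            rec["events"] += 1
    return dict(observed)

def build_register(declarations=DECLARATIONS, sources=SOURCES):
    """Reconcile signals with self-declarations; posture (sanction/restrict/replace/prohibit) is counsel's call."""
    observed = collect_signals(sources)
    declared = defaultdict(lambda: {"users": set(), "data": set()})
    for user, tool, data in declarations:
        declared[tool]["users"].add(user)
        declared[tool]["data"] |= set(data)
    register = {}
    for tool in sorted(set(observed) | set(declared)):
        obs = observed.get(tool, {"sources": set(), "users": set(), "events": 0})
        dec = declared.get(tool, {"users": set(), "data": set()})
        entry = {
            "signal_sources": sorted(obs["sources"]),
            "events": obs["events"],
            "undeclared_users": len(obs["users"] - dec["users"]),
            "declared_only": tool not in observed,  # personal account or off-network use
            "data_categories": sorted(dec["data"]),
        }
        # Unexplained users or unknown data categories need follow-up before a posture is set.
        entry["follow_up"] = entry["undeclared_users"] > 0 or not entry["data_categories"]
        register[tool] = entry
    return register
```

A tool that appears only in declarations (here the constructed PersonalNoteAI) is the case the amnesty exists for: personal-account use that no corporate telemetry would ever surface.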

Why this matters in Melbourne

Victorian solicitors — including those practising in-house — are bound by the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015, which adopted the ASCR in Victoria from 1 July 2015. The same supervision and confidentiality duties that apply in a private firm apply to the in-house team of a Melbourne-headquartered corporate, financial services provider, or government business enterprise. Melbourne’s concentration of ASX-listed corporates, major insurers, and superannuation funds means that the in-scope data inside in-house legal teams is frequently market-sensitive, personal information under the Privacy Act, or subject to confidentiality undertakings. Discovering shadow AI usage after a breach — rather than before — is materially worse than the awkwardness of running an amnesty. The amnesty design exists because punishing the first declaration is how you guarantee the second one never comes.

Join the waitlist

Join the waitlist — be the first to know when Shadow AI Detection & Amnesty opens for Melbourne in-house legal teams

We’re staging this engagement for a small number of Melbourne in-house functions in the first cohort so we can calibrate the discovery toolkit against real corporate environments. Join the waitlist and we’ll come back to you with scope, timing, and what an amnesty window looks like inside your specific governance setup.