
The Consolidation Cliff: Why Every Tool You Add Makes Your Firm Less Secure and Less Intelligent

Legal tech spending surged 9.7% in 2025. Firms are buying more tools than ever — and creating more breach surfaces, more data silos, and more barriers to AI than ever. The data says consolidation isn't optional anymore.

David Diamond, 14 May 2026, 8 min read

Three numbers that don't belong in the same industry at the same time.

9.7%: growth in law firm tech spending in 2025, the fastest ever recorded (Thomson Reuters, 2026 State of the US Legal Market)
74%: of data breaches involve human error, phishing, or stolen credentials (Verizon DBIR, cited across 2026 legal security analyses)
77%: of employees use GenAI at work, most without telling their employer (EY Work Reimagined Survey, 2025)

Firms are spending more on technology than ever. They're also more exposed than ever. And their staff are feeding client data into consumer AI tools that sit entirely outside the firm's security perimeter.

These aren't three separate problems. They're the same problem from three angles. The problem is the stack itself.

The point-solution trap

The average mid-size Australian law firm runs 8–15 separate tools. Each one is a separate vendor, a separate login, a separate data store, and a separate breach surface.

Every integration between them — PMS to Xero, email archiver to DMS, time tracker to billing — is a point where data leaves one system's encryption and access controls, is processed in transit, and is stored again in a different system under different security controls.


A typical 15-person firm running LEAP, Xero, NetDocuments, Gmail, Harvest, Slack, and Zoom? That's 7 vendors with access to client data. At least 10 integration points. Four different authentication mechanisms.

$5.08M: average cost of a law firm data breach, up 10% year-on-year (2026 legal security analyses)
Near-doubling of law firm security incidents in 2025 vs the prior year (FindLaw Annual Data Security Report)

The consolidation imperative

The industry is catching up to what the data has been saying for two years.

Litera's 2026 analysis is blunt: the administrative overhead, security risks, and training burdens of a fragmented tech stack are no longer sustainable. Thomson Reuters tells the same story from the spending side — record investment, fragmented returns.

This isn't a preference shift. It's a structural reckoning.

Reframe: consolidation is a security strategy

Every vendor you remove isn't just a subscription you cancel. It's a data processing agreement you no longer audit, an attack surface you've eliminated, a breach notification chain you've shortened, and an integration point that can no longer fail or be exploited.

The shadow AI crisis

While firms debate which DMS to standardise on, their staff have already made a technology choice that dwarfs everything else in risk.

77%: of employees using GenAI at work (EY, 2025)
28%: of leaders who have AI governance in place (EY, 2025)
1,369: legal decisions involving AI hallucinations now catalogued (AI hallucination case tracker, 2026)

In practice, that means associates pasting privileged communications into ChatGPT. Paralegals uploading contracts to Claude. Practice managers feeding financial data into consumer AI for analysis.

None of these tools know about your access controls. None respect your sensitivity labels. None appear in your audit log.

The legal profession has a specific term for what can happen when privileged information is disclosed into an uncontrolled third-party system: waiver of privilege.

Banning consumer AI doesn't work. The only viable strategy is providing governed AI that's better than the consumer tools staff are already using — and that operates within the firm's security boundary.

The time-pressed paralegal — deadline approaching, needs to summarise a 40-page affidavit. Opens ChatGPT, pastes the full text. The affidavit contains privileged communications and client financial data. That data is now outside the firm's security boundary with no audit trail.

The associate doing research — uploads three client contracts to an AI for comparison. Those contracts contain client names, financial terms, and negotiation positions. The firm gets three potential privilege waiver events.

The practice manager running numbers — exports WIP data into a consumer AI for billing analysis. That export contains every client name, every matter, every fee earner's rate, every unpaid invoice. It's now sitting in a system the firm has no DPA with.

In every case, the person acted rationally. The security failure isn't the person — it's the firm's inability to provide AI that's equally capable within a governed boundary.

The "in the stack" thesis

Most legal tech commentary misses this because it requires understanding infrastructure, not features.

"Integrates with Microsoft 365" (point solution outside the stack):
- Data lives in the vendor's database
- API connectors transfer data across boundaries
- Every sync is a decryption event and a trust boundary crossing
- Three systems exchanging data = three attack surfaces
- AI must stitch together four APIs with four permission models

Built on the Microsoft stack (inside the stack):
- Data lives in Business Central and SharePoint
- No API boundaries — same tenant, same security domain
- Documents, email, financials in one encrypted boundary
- One audit log, one permission model, one identity
- AI sees everything natively — no integration needed

This distinction matters for three compounding reasons.

1. Security is structural

Compare a unified platform with a best-of-breed stack on any dimension you care about and the pattern holds. These aren't feature gaps that vendors can close with engineering; they're structural properties of being inside vs. outside the stack.
The security gap is structural, not feature-based. Third-party vendors can add encryption, improve their auth, and publish SOC 2 reports. What they cannot do is eliminate the integration boundaries, data transfer points, and identity fragmentation that come from being outside the stack. Every connection between systems is an attack surface that doesn't need to exist.

2. AI needs unified data

An AI agent is only as useful as the data it can access coherently.

An AI stitching together responses from four systems with four data models, four permission systems, and four latency profiles is fundamentally different from an AI operating within a single data environment.

The coherence test

Ask your AI: "Show me all matters where trust balance is low and there's significant unbilled WIP, cross-referenced with client email history to see if they've been chasing us about billing." In a fragmented stack, that's four APIs, four auth flows, four freshness guarantees. In a unified stack, it's one query.

Microsoft Copilot in a unified M365 + Business Central environment reads email, checks the client database, looks up active matters, reviews trust balances, and suggests next actions — all within one security boundary, one permission model, one audit log. No integration. No sync delay. No data leaving the tenant.

That's not a feature advantage. It's an architectural advantage that cannot be closed by adding features. Vendors would need to be the platform.

3. Compliance is one conversation

When the regulator asks — and in Australian jurisdictions, trust accounting audits are not optional — the question is simple: show me the trail from trust deposit to general ledger, and show me who had access at each step.

Fragmented stack:
- Trust receipt in PMS, synced to accounting, reconciled in a bank rec tool
- Three systems, three audit logs, three access control models
- Proving chain of custody = correlating records across vendors

Business Central:
- Trust receipt → trust ledger → general ledger → bank reconciliation
- One system, one audit log, one set of permissions
- One answer to the regulator's question

The 2026 decision framework

Four questions to evaluate your technology strategy this year.

1. Start with identity. Target: one identity provider (Entra ID) for everything.

2. Count your data boundaries. Target: zero external vendors holding client data unnecessarily.

3. Evaluate AI by architecture. Ask: where does your AI see data, inside or outside the boundary?

4. Ask the shadow AI question directly. Ask your staff: what AI tools are you using that the firm didn't provide? The answer will tell you more about your security posture than any vendor's SOC 2 report.

If your staff use consumer AI because your platform doesn't have native AI capabilities, you've found your most urgent technology gap.
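A practical check to run before that conversation, added here as an example and not part of the original post: consumer AI use does not appear in the firm's application audit logs, but a web proxy or secure web gateway usually does see the traffic. The script below scans constructed proxy log lines (assumed space-separated format: timestamp, user, method, host, path, status, request bytes) for a short, assumed list of consumer GenAI hosts and flags large POST bodies as probable document pastes or uploads. It only catches browser use on managed devices routed through the firm's egress; personal phones and home networks are invisible to it, so it supplements asking staff directly rather than replacing it.

```python
"""Added example: flag likely consumer-GenAI uploads in web-proxy logs.

Not part of the original post. The log format and the host list are
assumptions; adapt both to your proxy and to the tools your staff use.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Consumer GenAI hosts to watch for (assumed list, extend as needed).
CONSUMER_GENAI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}

# A POST carrying at least this many request bytes is treated as a probable
# document paste or file upload rather than a short prompt (assumed threshold).
UPLOAD_BYTES_THRESHOLD = 20_000


@dataclass
class Hit:
    timestamp: str
    user: str
    tool: str
    host: str
    bytes_out: int
    likely_upload: bool


def parse_line(line: str) -> Optional[tuple]:
    """Parse one proxy line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, method, host, path, status, bytes_out = parts
    try:
        return ts, user, method.upper(), host.lower(), path, int(status), int(bytes_out)
    except ValueError:
        return None


def find_genai_hits(lines):
    """Return a Hit for every request to a watched host or one of its subdomains."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, method, host, _path, _status, bytes_out = rec
        tool = next((name for h, name in CONSUMER_GENAI_HOSTS.items()
                     if host == h or host.endswith("." + h)), None)
        if tool is None:
            continue
        likely_upload = method == "POST" and bytes_out >= UPLOAD_BYTES_THRESHOLD
        hits.append(Hit(ts, user, tool, host, bytes_out, likely_upload))
    return hits


def summarise(hits):
    """Per-user inventory: which tools, how many requests, how many probable uploads."""
    summary = defaultdict(lambda: {"tools": set(), "requests": 0, "uploads": 0})
    for h in hits:
        s = summary[h.user]
        s["tools"].add(h.tool)
        s["requests"] += 1
        s["uploads"] += int(h.likely_upload)
    return {u: {"tools": sorted(v["tools"]), "requests": v["requests"], "uploads": v["uploads"]}
            for u, v in summary.items()}


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2026-05-11T09:02:11Z jsmith GET  chatgpt.com /c/abc 200 412
2026-05-11T09:03:40Z jsmith POST chatgpt.com /backend-api/conversation 200 184230
2026-05-11T10:15:02Z apatel POST claude.ai /api/organizations/x/chat_conversations 200 96110
2026-05-11T10:16:30Z apatel GET  www.austlii.edu.au /cgi-bin/viewdoc 200 310
2026-05-11T11:01:07Z mlee   POST gemini.google.com /_/BardChatUi/data 200 2210
2026-05-11T11:05:55Z mlee   GET  outlook.office.com /mail 200 0
malformed line here
"""

if __name__ == "__main__":
    for user, info in sorted(summarise(find_genai_hits(SAMPLE_LOG.splitlines())).items()):
        print(f"{user}: {', '.join(info['tools'])} - "
              f"{info['requests']} requests, {info['uploads']} probable uploads")
```

The output is an inventory (who, which tool, how often, and whether large uploads are involved), not proof of what was pasted; the byte threshold is a heuristic and will miss a short paste of a single privileged sentence. Treat the list as the starting point for the conversation the framework recommends, and for deciding which governed AI capability to provide first.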

The most common pushback: if you go all-in on Microsoft, aren't you at their mercy?

Yes, you're concentrating vendor risk. But the alternative isn't independence — it's distributed risk across 8–15 providers, each of which can raise prices, change APIs, get acquired, or suffer a breach.

Microsoft's enterprise agreements include data portability commitments. Business Central data sits in standard SQL tables on-premises and is exportable through documented APIs in the cloud service. SharePoint documents are files. Emails are accessible via standard protocols. The data is yours, in extractable formats.

Compare that to proprietary PMS platforms where data export requires vendor cooperation, document metadata is trapped in proprietary schemas, and "your data" means "your data in our format, on our terms."

Lock-in is real. The question is which lock-in profile carries lower total risk.

Where this goes

The trend lines converge: the legal technology market is consolidating around platforms, not point solutions. Thomson Reuters is acquiring AI companies for deeper workflow integration. Litera launched Litera One to unify legal workflows within M365. Every major vendor is moving toward platform strategies.

The platform that already holds your identity, email, documents, calendar, and collaboration tools — the one your staff already knows, your AI already operates within, and your security team already governs — has an advantage that no amount of integration engineering can replicate.

Every tool you add outside that platform adds complexity, breach surfaces, and barriers to AI coherence. Every tool you remove reduces risk and simplifies the compliance conversation.

That's not a technology argument. It's a business argument. And the data says it's no longer optional.

See what a unified stack actually looks like

MatterX running inside Business Central — trust accounting, time recording, billing, and documents — all within your M365 tenant. No integrations. No sync. No separate logins.

Tags: security, legal-operations, platform-strategy, ai-agents, microsoft-365