The hidden prerequisite
Agentic AI sounds like a software breakthrough: systems that can plan, retrieve, draft, route and execute across legal workflows. In practice, the limiting factor is much less glamorous. The agent can only be as good as the information environment it inhabits.
If matter files are mislabeled, permissions are inherited through old groups, client data sits in unmanaged repositories, and prior-work-product taxonomies differ by practice group, an agentic system will not merely be inefficient. It will be dangerous.
Permissions become product design
Traditional information governance treated permissions as defensive infrastructure. Agentic AI turns permissions into product behavior. A tool that drafts a diligence summary must know not only which documents exist, but which it is allowed to read, which it must ignore, which are privileged, and which client restrictions travel with the material.
The same point appears in recent cybersecurity warnings about agentic AI: each component broadens the attack surface. In a law firm, that surface includes ethical walls, client commitments, data rooms, deleted drafts, chat logs and shadow repositories.
What firms should build now
The practical work is not mysterious. Normalize matter metadata. Map repositories. Retire stale access groups. Create AI-readable classifications for privileged, confidential, client-restricted and public material. Log agent actions in a way a partner can review without needing an engineer.
Most importantly, put information governance in the AI design loop. If the IG team is consulted only after product selection, the firm will discover governance failures when the pilot reaches real matters.
The bottom line
The firms that win agentic AI will not be the firms with the most permissive agents. They will be the firms whose agents are constrained enough to be trusted and informed enough to be useful.