- AI adoption in Professional Services has nearly doubled in one year, and most of it is happening outside IT oversight.
- Shadow AI creates client confidentiality exposure under professional ethics rules.
- 58% of corporate logins occur outside SSO, making SSO-based identity tooling and IdP-centric authentication alone insufficient against identity-based attacks.
- A real AI app inventory requires continuous browser-based discovery, not annual audits or employee self-reporting.
- LastPass SaaS Monitoring surfaces AI tool usage without agents, integrations, or changes to how your team works.
- You can move from zero visibility to a working AI app inventory in days, without disrupting a single client engagement.
Your team is using AI tools to deliver client work faster. The question is: Do you know which ones?
Whether you have a law practice, accounting firm, or consultancy, the answer is critical to keeping your business on track.
According to the 2026 Thomson Reuters report, gen AI use in Professional Services has nearly doubled in the last year, from 22% to 40%.
- 79% of lawyers now use AI for brief analysis and summarization - Clio
- Financial professionals are close behind (72%), with variance analysis and management reporting cited as among the top ROI use cases - Tellius
- Consultants now drop client deliverable outlines into AI chat tools - The Digital Magazine
Everyone is focused on doing great work and delivering tangible outcomes. But if client data is moving through AI tools you haven't vetted, approved, or even included in your app inventory, your risks of non-compliance rise dramatically.
Building an AI app inventory is the practice of discovering and cataloging every AI tool your team is accessing, so your organization can see what's in use, assess its risk, and apply the right controls.
For Professional Services firms, where client confidentiality is a professional obligation, an AI app inventory isn't a nice-to-have but the baseline for responsible operations.
"Even innocent-looking tools, especially those that request broad permissions to things like email inboxes, calendars, or cloud storage, can become entry points for data leakage or regulatory non-compliance if not monitored with precision. For instance, popular file sharing and collaboration tools like Google Drive or Dropbox often become culprits for data leakage when files are shared publicly or with weak access controls" - Stephanie Schneider, LastPass Cyber Threat Intelligence Analyst @CPO Magazine
Why is AI app usage so hard to track in Professional Services?
AI app usage is hard to track in Professional Services because many AI tools either bypass SSO or are accessed with personal email credentials.
To many people, these tools are refreshingly easy to set up. They require nothing more than an email address and a credit card. There's no pesky IT ticket with long wait times or a procurement approval process that lasts weeks.
But as more corporate teams adopt AI this way, it significantly increases their risk of account takeovers (ATO) and data exfiltration.
Shadow AI refers to unapproved AI tools accessed by employees without IT oversight, often with corporate or personal emails.
The result is an AI app inventory gap: You have no idea how many tools are in play, who's using them, or what data they're accessing.
Enterprise security teams have had SaaS visibility for years. They run dedicated SaaS security platforms with full-time SOC staff.
For a 1–3 person IT team at a professional services firm, that infrastructure simply isn't realistic. This is where LastPass SaaS Monitoring changes things.
The same real-time view of every SaaS/AI tool in your environment (who's using it, how often, which accounts have weak credentials) is now something you can run without a security team, agents, or enterprise budget. With LastPass, you get to know what the big firms know, and you can act on it just as fast.
What's the real risk for professional services firms?
The real risk of unmanaged AI usage in Professional Services is unauthorized exposure of client data, which can trigger ethical violations, non-compliance, and the loss of client trust.
Consider a few realistic scenarios:
- A paralegal pastes deposition notes into an AI summarizer to prep for a trial. That summarizer stores input data for model training.
- An analyst at an accounting firm uploads a client's P&L into an AI-powered Excel tool to speed up analysis. The tool syncs to a personal cloud account.
- A strategy consultant runs competitive research through an AI platform that hasn't been reviewed for data retention policies. The client's strategic plans are now in that platform's logs.
None of the above professionals acted with malicious intent. But each scenario represents a SaaS risk management failure and a potential breach of client confidentiality.
For a professional services firm that runs on trust, the reputational cost compounds the financial fallout:
- Shadow AI adds $670,000 to data breach costs.
- 65% of breached organizations say customer PII was compromised.
- Intellectual property was exposed less frequently but carried the highest cost per record (US $178).
- Nearly 40% of clients say they would fire or consider firing their law firm after a data breach.
Sources: IBM, Integris
What does a real AI app inventory look like?
A real AI app inventory is a continuously updated system that identifies which AI tools are in use, who's accessing them, how often they're accessed, and what risks they introduce.
A complete AI app inventory for a professional services firm is built on SaaS discovery, which surfaces:
- Which AI tools are in use, by name and category
- Who's accessing them: individual users, teams, or your entire organization
- What email accounts are being used to access them, corporate or personal. This is important because 71% of logins to SaaS and Gen AI tools use non-corporate email credentials, bypassing your IdP entirely.
- How often AI tools are used. A tool used once has a different risk profile than one a team of 10 uses daily.
- What policies apply. Can you block access, require FIDO2 authentication, or push usage toward an approved alternative with your current AI access control policies?
Without this picture, you can't have true identity and access governance for AI; you're instead reduced to guesswork in assessing your level of risk.
Where does an AI app inventory fit into your security stack?
An AI app inventory fills a critical visibility gap in your security stack by revealing browser-based SaaS and AI usage that endpoint protection, SSO, and IAM tools don't capture.
LastPass SaaS Monitoring continuously discovers and tracks the SaaS and AI apps your employees are accessing, surfacing new tools as they appear, flagging high-risk categories, and giving you the information needed to act.
The next time a partner, client, or auditor asks about AI tool usage, you can pull up the dashboard and answer in 30 seconds. That's the moment LastPass SaaS Monitoring is built for. Try it free for yourself with a LastPass trial.
How does LastPass compare with other vendors for AI app inventory in Professional Services?
LastPass provides an AI app inventory by detecting direct browser logins outside SSO, giving Professional Services firms visibility that most IAM tools miss.
AI app inventory options for professional services firms
| | LastPass Business Max | 1Password XAM | Bitwarden Enterprise |
|---|---|---|---|
| Who is this a practical fit for? | IT teams of 1–3 people at small to mid-sized orgs managing SaaS and AI sprawl | Orgs with dedicated IT/security staff and capacity to configure and run a multi-module system | Technical teams prioritizing open-source control and hands-on configuration |
| What risky SaaS/ AI usage will I actually see? | Surfaces SaaS and AI apps through direct browser logins, including those outside SSO | SaaS discovery requires configuring the SaaS Manager module, a separate product layer within XAM | Visibility is limited to apps associated with vault-managed credentials; AI tools accessed via direct browser login aren't surfaced |
| How much operational effort does this add to my week? | Single console for SaaS inventory, credential health, and access controls, reducing the need to switch tools | Multi-module architecture (password manager, SaaS Manager, Device Trust) adds configuration layers and run-time effort | Self-hosted deployment requires ongoing server maintenance; cloud option is simpler but reduces flexibility |
| Does pricing stay predictable as my team grows? | Flat $9/user/month; with all Business Max capabilities included | SaaS Manager and Device Trust features are part of the extended platform and add additional cost | $6/user/month, but SaaS discovery doesn't include real-time app-level control with the ability to block, warn, or allow apps |
| Can I answer client or auditor questions with evidence? | Provides an app inventory with usage context and access logs that can support audit conversations around AI tool usage & governance | Supports governance but designed for orgs with teams to configure and operationalize | Agent Access SDK focuses on just-in-time credential access for AI agents, not SaaS/AI tool discovery; Access Intelligence focuses on credential security tied to vault-managed credentials, not SaaS/AI tool discovery outside SSO |
| When would this be the wrong choice? | If your organization already operates a fully staffed IAM/CASB program and doesn't have visibility gaps outside SSO. | If you lack the internal staff and budget to fully deploy and maintain multiple security modules | If you need turnkey AI app visibility without managing infrastructure or custom configuration |
How do you gain visibility without disrupting client delivery?
You gain visibility without disrupting client delivery by starting with browser-based SaaS discovery and then applying targeted access controls to high-risk tools.
The answer isn't to lock everything down but to act deliberately. Most professional services firms approach this the wrong way. They announce a policy, block several popular tools, and trigger the friction they were trying to avoid.
Here's a different sequence. We call it inventory-first, policy-second, and it's the approach that gets you from zero visibility to a working AI app inventory without frustrating your team.
- Discover what's in use: You're the one who keeps the place running and holds everything together when no one's watching. And you see browser-based AI sprawl for what it is: a visibility gap. LastPass SaaS Monitoring lets you close this gap, without adding complexity to your already full plate.
- Categorize by risk: Which tools handle client data? Which tools are consumer-grade, with no data retention policy?
- Identify approved alternatives for high-risk tools: Can you offer an approved version that meets the same workflow needs?
- Apply policies gradually: Start with FIDO2 MFA requirements for high-risk categories. Use granular access controls to block only the tools with clear liability exposure.
- Communicate with your team: People follow policy when they understand why. Frame AI access governance as client protection rather than an IT "rule."
This approach gets you from zero visibility to a working AI app inventory without triggering the "IT is slowing us down" conversation that derails most security initiatives in Professional Services.
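To make the inventory attributes listed earlier (tool, users, corporate vs. personal email, frequency, applicable policy) and the inventory-first, policy-second sequence concrete, here is an added example of the data processing behind such an inventory. It is not LastPass code and does not describe how LastPass SaaS Monitoring works internally; the login-event format, the corporate domain list, the AI app catalogue, the risk scoring thresholds and the policy names are all constructed assumptions for illustration.

```python
# Added example (not LastPass code): build a browser-based AI app inventory from
# login events and derive an "inventory-first, policy-second" recommendation.
# The log format, domain list, app catalogue and scoring rules are assumptions.
from dataclasses import dataclass, field

# Assumption: the firm's corporate email domains. Any other domain is "personal".
CORPORATE_DOMAINS = {"firm.example"}

# Assumption: a small hand-maintained catalogue of known AI tools.
# value = (category, vendor retains submitted input for model training)
AI_APP_CATALOGUE = {
    "summarize.example": ("ai-summarizer", True),
    "sheetai.example": ("ai-spreadsheet", False),
    "research.example": ("ai-research", True),
}

# Constructed sample of browser login events: timestamp,user,email,app,auth
SAMPLE_LOG = """\
2026-03-02T09:14:00Z,paralegal1,p.lee@gmail.example,summarize.example,direct
2026-03-02T10:02:00Z,paralegal2,a.kim@firm.example,summarize.example,direct
2026-03-03T11:30:00Z,paralegal1,p.lee@gmail.example,summarize.example,direct
2026-03-03T14:05:00Z,analyst1,r.ng@firm.example,sheetai.example,direct
2026-03-04T08:50:00Z,analyst1,r.ng@firm.example,sheetai.example,direct
2026-03-04T16:20:00Z,consult1,m.ortiz@firm.example,research.example,sso
2026-03-05T09:00:00Z,consult2,j.chen@firm.example,research.example,sso
2026-03-05T09:10:00Z,analyst2,t.roy@firm.example,crm.example,sso
"""


@dataclass
class AppEntry:
    """One row of the inventory: who uses the app, how, and how often."""
    app: str
    category: str = "uncategorised"
    retains_input: bool = False
    users: set = field(default_factory=set)
    logins: int = 0
    personal_email_logins: int = 0   # logins with a non-corporate email
    direct_logins: int = 0           # logins that bypassed SSO entirely
    active_days: set = field(default_factory=set)


def parse_events(text):
    """Parse the constructed CSV log into (timestamp, user, email, app, auth) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, email, app, auth = [f.strip() for f in line.split(",")]
        events.append((ts, user, email.lower(), app.lower(), auth.lower()))
    return events


def build_inventory(events):
    """Step 1, discover: aggregate login events per app into inventory entries."""
    inventory = {}
    for ts, user, email, app, auth in events:
        entry = inventory.get(app)
        if entry is None:
            category, retains = AI_APP_CATALOGUE.get(app, ("uncategorised", False))
            entry = inventory[app] = AppEntry(app, category, retains)
        entry.users.add(user)
        entry.logins += 1
        entry.active_days.add(ts[:10])
        if email.rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
            entry.personal_email_logins += 1
        if auth != "sso":
            entry.direct_logins += 1
    return inventory


def assess_risk(entry):
    """Step 2, categorise by risk. Assumed weights: data retention and personal
    email accounts weigh most, SSO bypass and team-scale use add a point each."""
    score = 0
    if entry.retains_input:
        score += 2
    if entry.personal_email_logins:
        score += 2
    if entry.direct_logins:
        score += 1
    if len(entry.users) >= 3:
        score += 1
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def recommend_policy(entry):
    """Step 3, policy second: block only clear liability exposure, require FIDO2
    MFA for the rest of the high/medium band, keep monitoring everything else."""
    if entry.category == "uncategorised":
        return "review_and_categorise"
    risk = assess_risk(entry)
    if risk == "high" and entry.retains_input and entry.personal_email_logins:
        return "block_and_redirect"
    if risk in ("high", "medium"):
        return "require_fido2_mfa"
    return "allow_and_monitor"


def inventory_report(text):
    """Return sorted rows: app, category, users, logins, personal, direct, risk, policy."""
    rows = []
    for app, e in sorted(build_inventory(parse_events(text)).items()):
        rows.append((app, e.category, len(e.users), e.logins, e.personal_email_logins,
                     e.direct_logins, assess_risk(e), recommend_policy(e)))
    return rows


if __name__ == "__main__":
    for row in inventory_report(SAMPLE_LOG):
        print(row)
```

The scoring deliberately separates discovery (what is in use and how it is reached) from the policy decision, so a firm can review the inventory rows before any control is applied; an app that reaches "block_and_redirect" is one that both retains input for training and is being reached with personal credentials the firm cannot manage.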
Run SaaS Monitoring free for 14 days. See what's actually in your SaaS environment. Most IT teams find tools they didn't expect within the first week.
Does your Professional Services firm really need an AI app inventory?
You'll know your firm needs an AI app inventory if you can't confidently identify which AI tools are handling client data, who's using them, and what access controls are in place.
Here's a pragmatic self-check. If a partner at your firm were to ask which AI tools your team is using to handle client work, how confidently could you answer?
- If you can name the tools, see who's using them, and point to an access policy, you're in a strong position.
- If you need to ask around, run an email survey, or rely on employees to self-report, you have an inventory gap.
- If you aren't even sure where to start, you aren't alone, and this is the right moment to close that gap before a client, auditor, or insurer asks the same question.
The firms that can answer confidently aren't necessarily bigger than yours. They may not even have dedicated security teams. But they almost always make one decision earlier than everyone else: building an AI app inventory before an incident occurs.
Your clients trust you with their most sensitive information. That trust is the foundation of every engagement you run. Building the access controls that protect it, without adding complexity that slows your team down, is what responsible AI adoption looks like in Professional Services.
"We gained the visibility and control we needed — without slowing teams down"
- Lawrence Lau, Country Manager, EBC Financial Group Malaysia
Read the case study on how EBC Financial Group, a global online brokerage, is enjoying seamless SaaS visibility and control across its network of offices worldwide.
Get visibility into every AI tool your team is using and the AI access controls and identity governance capabilities to act on what you find. See how LastPass protects professional services firms.
Sources
Thomson Reuters: 2026 AI in Professional Services Report
Clio: 2025 Legal Trends Report
Forbes: Identity Crisis: Why SaaS attacks are bypassing your best defenses
Help Net Security: 89% of enterprise AI usage is invisible to the organization