Prompt-injection scanner for legal AI
Legal AI products — contract review, e-discovery, due-diligence automation, lease abstraction, and regulatory compliance analysis — ingest documents from the most adversarially interesting counterparties in any enterprise: opposing counsel, M&A targets, commercial counterparties in active disputes, and regulators with audit authority. The moment a legal AI pipeline accepts a counterparty-supplied PDF or scanned exhibit and passes a rendered page image to a vision model, it is operating on untrusted external input. A FigStep-class adversarial payload embedded in the background pattern of a scanned contract page passes OCR and every text-level prompt-injection scanner, but reaches the vision model's token stream intact. The model reads the embedded instruction and may act on it — suppressing a risk flag, altering an extracted obligation, generating a false summary. Scan image bytes at the inference boundary. Do not rely on OCR to strip adversarial content.
TL;DR
Before passing any scanned contract exhibit, counterparty-submitted PDF, or e-discovery image to your vision model, POST the raw bytes to Glyphward's /v1/scan. Score ≥ 70 means a payload is present — reject the document before it reaches the model. Under 200 ms per page, returns score, flagged region, and scan_id for your audit log. Free tier — 10 scans/day, no card.
Legal AI use cases with multimodal PI exposure
Contract review and NDA analysis. Contract-review AI extracts obligation clauses, limitation-of-liability caps, indemnification triggers, and termination conditions from counterparty-submitted contracts. Counterparties in commercial negotiations have an incentive to influence the AI's summary of their own contract. A payload embedded in a letterhead graphic, page border, or company-logo watermark on a scanned contract page is invisible to the lawyer reviewing the PDF but readable by the vision model. The model may summarise an extracted obligation as more favourable to the counterparty than the actual text, or suppress a non-standard clause from the issues list.
M&A due-diligence automation. Due-diligence platforms ingest data-room documents submitted by the target company: material contracts, employment agreements, IP assignments, litigation summaries, and regulatory filings. The target has a financial incentive to control what the AI extracts and summarises from these documents. Scanned exhibits, appendices, and ancillary documents within the data room are the highest-risk inputs — they are less likely to be programmatic PDFs and more likely to be scans of physical documents where a payload can be embedded in the document image. See PDF prompt-injection detection for the full attack surface.
E-discovery and litigation document review. E-discovery AI reviews large document sets for relevance, privilege, and responsive material. Documents are produced by opposing parties or third-party custodians under subpoena — both categories may have incentives to cause the AI review to classify documents incorrectly (mark privileged documents as non-privileged, classify responsive documents as irrelevant). Scanned documents in the production set — physical mail, faxes, printed documents re-scanned for production — are the image attack surface. A payload on a scanned page can cause the classification AI to misroute documents.
Lease abstraction and real-estate document AI. Lease-abstraction platforms extract rent, term, options, obligations, and restrictions from commercial leases. Landlords and tenants have directly opposed interests in what these terms say. A counterparty who submits a scanned lease amendment or estoppel certificate with an embedded adversarial instruction can cause the AI to extract favourable terms that do not appear in the plain text.
Regulatory and compliance document AI. Legal and compliance teams use AI to review regulatory submissions, enforcement notices, and audit reports from regulators. These documents typically come from authoritative, non-adversarial sources — but internal policy documents, third-party compliance certifications, and vendor-submitted attestations are less controlled. Any document that originates outside the firm's own systems is a potential attack surface when processed by a vision model.
Professional responsibility and audit trail considerations
Attorney work product and AI reliance. When a lawyer relies on an AI system's summary of a contract or document, and that summary was corrupted by an adversarial payload, the professional responsibility consequences fall on the attorney — not on the AI vendor. Bar association guidance on AI use in legal practice consistently emphasises attorney oversight and verification. The existence of a per-request scan record (via scan_id) demonstrates that the AI pipeline applied a defined input-validation step before generating the output the attorney relied on. It is not a guarantee of accuracy, but it is affirmative evidence of a reasonable process.
EU AI Act Annex III — employment and access to services. AI systems used in employment screening decisions (clause 4) and access to essential private services (clause 5) are high-risk. Legal AI used in employment (screening employment contracts for HR compliance) or access to financial services (analysing loan documentation) may meet these thresholds. For high-risk systems, Article 15 cybersecurity requirements — including adversarial-example prevention — apply from 2 August 2026. See EU AI Act Article 15 — multimodal PI compliance.
ISO 27001 A.8.28 — secure coding and input validation. Legal AI platforms that hold SOC 2 Type II or ISO 27001 certifications represent to their clients that input validation controls are in place for their AI systems. A platform that passes externally-sourced document images to a vision model without scanning them has an uncontrolled external-input channel. Per-request scan evidence via ISO 27001:2022 A.8.28 closes this gap in the ISMS.
Python integration: contract and exhibit scanning
```python
import fitz  # PyMuPDF
import base64, httpx
from pathlib import Path

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"
SCAN_THRESHOLD = 70  # legal document AI standard threshold


def scan_pdf_pages(pdf_bytes: bytes, doc_id: str,
                   dpi: int = 150) -> list[dict]:
    """Render each page to PNG and scan for PI. Returns list of all results."""
    results = []
    # Render from bytes so the untrusted PDF never has to be written to disk first;
    # the context manager closes the document (and frees its pixmaps) when done.
    with fitz.open(stream=pdf_bytes, filetype="pdf") as doc:
        for page_num in range(len(doc)):
            png = doc[page_num].get_pixmap(
                matrix=fitz.Matrix(dpi / 72, dpi / 72)
            ).tobytes("png")
            encoded = base64.b64encode(png).decode()
            resp = httpx.post(
                GLYPHWARD_SCAN_URL,
                headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
                json={
                    "image": encoded,
                    "source": "legal_document",
                    "metadata": {"doc_id": doc_id, "page": page_num},
                },
                timeout=5.0,
            )
            resp.raise_for_status()
            result = resp.json()
            result["page"] = page_num  # keep the page index with the scan record
            results.append(result)
    return results


def safe_ingest_legal_doc(pdf_path: str, matter_id: str) -> dict:
    """Gate: scan document, return scan summary, raise if any page flagged."""
    pdf_bytes = Path(pdf_path).read_bytes()
    results = scan_pdf_pages(pdf_bytes, doc_id=matter_id)
    flagged = [r for r in results if r["score"] >= SCAN_THRESHOLD]
    summary = {
        "doc_id": matter_id,
        "pages_scanned": len(results),
        "pages_flagged": len(flagged),
        "scan_ids": [r["scan_id"] for r in results],
        "passed": len(flagged) == 0,
    }
    if flagged:
        raise ValueError(
            f"Legal document {matter_id} blocked: "
            f"{len(flagged)} flagged page(s). "
            f"First: page {flagged[0]['page']}, "
            f"score={flagged[0]['score']}, "
            f"scan_id={flagged[0]['scan_id']}"
        )
    return summary  # log summary to matter audit trail
```
For large document sets in e-discovery (thousands of pages), scan pages in parallel using asyncio + httpx.AsyncClient to keep throughput high. Log all scan summaries — including clean passes — to your matter audit trail so you can demonstrate per-document input validation at any subsequent review.
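The parallel variant described above, together with the quarantine routing from the "How do I handle a document that is flagged?" answer below, as an added example that is not Glyphward's own client code. It assumes the `/v1/scan` request and response fields shown on this page (`image`, `source`, `metadata`, `score`, `scan_id`), takes the rendered page PNGs as input (render them with PyMuPDF as in the synchronous example), and keeps the HTTP transport injectable so the constructed stand-in at the bottom lets it run offline; `make_glyphward_transport` is the assumed wiring for a caller-owned `httpx.AsyncClient`.

```python
import asyncio
import base64
from typing import Awaitable, Callable
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"  # endpoint named on this page
SCAN_THRESHOLD = 70                                    # page's blocking threshold
ScanTransport = Callable[[dict], Awaitable[dict]]  # posts one /v1/scan body, returns parsed JSON

def make_glyphward_transport(client, api_key: str) -> ScanTransport:
    """Real transport over an httpx.AsyncClient the caller owns, e.g.
    `async with httpx.AsyncClient(timeout=5.0) as client:` (assumed usage)."""
    async def post_scan(body: dict) -> dict:
        headers = {"Authorization": f"Bearer {api_key}"}
        resp = await client.post(GLYPHWARD_SCAN_URL, headers=headers, json=body)
        resp.raise_for_status()
        return resp.json()
    return post_scan

async def scan_pages_parallel(page_pngs: list[bytes], doc_id: str, post_scan: ScanTransport,
                              max_concurrency: int = 8) -> list[dict]:
    """Scan all rendered pages concurrently with at most `max_concurrency` requests in flight."""
    sem = asyncio.Semaphore(max_concurrency)

    async def scan_one(page_num: int, png: bytes) -> dict:
        body = {"image": base64.b64encode(png).decode(), "source": "legal_document",
                "metadata": {"doc_id": doc_id, "page": page_num}}
        async with sem:
            result = await post_scan(body)
        return {"page": page_num, "score": result["score"], "scan_id": result["scan_id"]}

    # gather() keeps input order, so results[i] is page i.
    return list(await asyncio.gather(*(scan_one(i, p) for i, p in enumerate(page_pngs))))

def disposition(doc_id: str, results: list[dict]) -> dict:
    """Audit record for every page (clean passes included) plus the routing decision:
    one flagged page sends the whole document to human review, never to the model."""
    flagged = [r["page"] for r in results if r["score"] >= SCAN_THRESHOLD]
    return {"doc_id": doc_id, "pages_scanned": len(results), "audit": results,
            "flagged_pages": flagged,
            "route": "quarantine_for_human_review" if flagged else "proceed_to_model"}

def ingest_sync(page_pngs: list[bytes], doc_id: str, post_scan: ScanTransport) -> dict:
    """Wrapper for synchronous callers (batch workers, CLI tools)."""
    return disposition(doc_id, asyncio.run(scan_pages_parallel(page_pngs, doc_id, post_scan)))

async def constructed_demo_transport(body: dict) -> dict:
    """Constructed stand-in for /v1/scan so the example runs offline:
    page 2 of any document comes back as a hit, every other page clean."""
    page = body["metadata"]["page"]
    return {"score": 91 if page == 2 else 12, "scan_id": f"demo-{body['metadata']['doc_id']}-{page}"}
```

Persist the returned `audit` list for every document, including clean passes, since that is the per-page `scan_id` evidence the audit-trail paragraph above asks for.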
Coverage matrix
| Tool | Detects PI in scanned contract exhibits | Detects PI in e-discovery scanned docs | Detects PI in counterparty PDF data-room files | Per-matter audit log (scan_id) |
|---|---|---|---|---|
| Lakera Guard | No (text only) | No (text only) | No (text only) | Text channel only |
| Azure Prompt Shields | No (text only) | No (text only) | No (text only) | Text only |
| LLM Guard (Protect AI) | No (text only) | No (text only) | No (text only) | Text channel only |
| OCR + text scanner | OCR layer only — misses image PI | OCR layer only | OCR layer only | No per-request evidence |
| Glyphward | Yes — page-render scan | Yes — page-render scan | Yes — page-render scan | Yes — scan_id per page |
Related questions
Should I scan documents produced by opposing counsel in litigation?
Yes, with appropriate care. Documents produced by an opposing party under discovery obligations are untrusted external inputs to your AI pipeline. The producing party controls the document content, and has incentives to cause AI-based document review to classify documents incorrectly. Scan all produced documents before passing them to your review AI. Note that scanning does not imply tampering allegations against opposing counsel — it is a standard input-validation step analogous to virus scanning incoming document sets, which legal IT departments already do routinely.
How do I handle a document that is flagged? Do I discard it?
Do not discard it — the original document may be relevant evidence. Instead: (1) quarantine the flagged version, (2) log the scan_id and flagged page to your matter audit trail, (3) route the document for human review before any AI processing, (4) if the document will be processed by AI, consider using a sanitised re-render (print-to-PDF the flagged page at low DPI, discarding embedded graphics, then rescan). Never silently pass a flagged document to the AI model — if the scan fires, the model must not receive that input without a human decision.
Does this affect attorney-client privilege over the scan data?
Scan data — the scan score, flagged region, and scan_id for a client document — is generated as part of your firm's or platform's AI pipeline operation. It is not the document itself. It is metadata about your input-validation process. Standard privilege analysis applies to the underlying document; the scan metadata does not change that analysis. The scan_id is a reference to an anonymous inference result, not a reproduction of the document content. Review with your counsel if privilege concerns are specific to your jurisdiction or matter type.
What about native electronic documents (not scanned) — are they also at risk?
Native electronic PDFs (programmatically generated, not scanned from physical) can also carry adversarial payloads in embedded images: company logos, signature blocks, charts, appendix graphics. The risk is lower than for scan-origin documents because the image content is more controlled, but not zero. The PDF attack surface is not limited to scanned documents — any embedded image within a PDF can carry a payload. See PDF prompt-injection detection for the full breakdown of native PDF vs scanned PDF attack patterns.
Can a law firm's legal technology vendor be liable for this gap?
Vendor liability depends on the contract and jurisdiction. Most legal technology vendor agreements include limitation-of-liability clauses and exclude liability for outputs generated by AI systems. The gap here — passing unscanned document images to vision models — sits in the vendor's AI pipeline design. Law firm clients should review vendor security attestations (SOC 2 Type II reports, ISO 27001 certificates) to determine whether the vendor's input-validation controls cover multimodal AI inputs from external documents. If the attestation covers "text-based prompt injection" only, it does not cover the image attack surface.
Further reading
- PDF prompt-injection detection — the full attack surface for legal PDFs: scanned exhibits, embedded image pages, overlay attacks.
- FigStep detection — the typographic attack class that survives OCR extraction.
- Why text-only scanners miss image prompt injection — architectural explanation for non-security engineers.
- EU AI Act Article 15 — multimodal PI compliance — legal AI products with EU exposure.
- ISO 27001:2022 A.8.28 AI controls — input-validation evidence for legal-tech ISMS.
- SOC 2 AI security controls — CC6.6 evidence for legal-tech SOC 2 Type II audits.
- Prompt-injection scanner for RAG pipelines — legal knowledge-base ingestion patterns.
- Prompt-injection scanner for financial services AI — M&A and due-diligence document AI overlap.