Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1544492
P E E R T O P E E R M A G A Z I N E ยท S P R I N G 2 0 2 6 109 ANTHONY DIAZ Anthony Diaz, Chief Information Security Officer at Exterro, brings two decades of expertise in the cybersecurity and technology industry to Exterro. Before joining, he led transformative programs at companies such as Merrill Lynch, J&J, Deloitte, IBM, Optiv Security Inc., Ernst & Young, and HSBC. His security practitioner and business leader background offers a unique perspective to help drive positive business outcomes for Exterro's clients. As the CISO, he manages and communicates risk, defines the strategy, and oversees the execution of the information security program at Exterro. DATA PROVENANCE AS THE SPINE OF DEFENSIBILITY Trust in agentic AI means knowing that outputs are reliable, validated, and verified. For litigation, data provenance is the spine of defensibility. It dictates that we must track the source, custody, transformations, access, and outputs of all data handled by the AI. Essential provenance artifacts include dataset manifests, retrieval citations, document IDs, timestamps, cryptographic hashes, and explicit user approvals. Provenance must document who approved what, not just what the system did. This provenance differs by phase, requiring unique artifacts for preservation and collection versus processing, review, and final production. Without this structural recordkeeping, agentic systems cannot meet litigation-grade standards. GOVERNANCE IN THE REAL ENTERPRISE Unmanaged agentic automation and lack of accountability inevitably lead to systemic issues. Governance requires joint ownership. The CISO defines the security, identity, and provenance controls. The general counsel and ediscovery leadership define the legal signoff points and defensibility requirements. Legal ops operationalizes and audits execution. A minimum policy set must define acceptable use, dataset scoping, strict rules for human approval gates, logging retention policies, and incident response plans. When procuring third-party agentic tools, vendors must be evaluated on provenance support, immutable logs, system isolation, tool controls, and transparency into safeguards. Procurement decisions in this environment are not about feature comparisons. They are about litigation survivability. THE LESSON HISTORY TEACHES US The legal industry has seen this cycle before. Powerful technologies enter the market promising simplicity and cost savings. Some capabilities prove valuable. Others fall short under scrutiny. Agentic AI will absolutely deliver productivity gains. It will accelerate analysis, reduce mechanical coordination, and surface insight faster than any prior generation of tooling. But regulated workflows are different from general productivity environments. Legal leaders must decide carefully which AI tools are appropriate for productivity support and which can safely operate within regulated decision workflows. As big tech once again enters legal workflows with powerful capabilities, the lesson remains consistent: not every powerful technology is purpose- built for regulated decisions. The future of AI in the legal industry will not be defined by who adopts the fastest. It will be defined by who builds autonomy on foundations strong enough to withstand scrutiny.