OccuNX Privacy Advisory: Threat Dossier — Q1 2025
Quarterly Threat Intelligence for Professional Services (January–March 2025)
Breach intelligence filtered for law firms, CPA practices & wealth managers · occunx.com

Key figures for the quarter:
- 784 data compromises in Q1 2025 (separate incidents, Jan–Mar)
- 68% of breach notices disclosed no cause (regulatory transparency gap)
- AI tool adoption without DPAs vs. prior year in professional services
- $6.4B cloud vendor exposure value, estimated across Q1 incidents

Q1 2025 opened with a problem most professional services firms hadn't put a name to yet: AI platforms had entered their vendor stacks without data processing agreements, and the subprocessor exposure those tools created was accumulating in the background while no one was watching. The quarter's defining pattern wasn't a single dramatic breach — it was the quiet expansion of the attack surface through tools that firms adopted for productivity reasons and never evaluated for data risk. Cloud consolidation accelerated the same dynamic: platforms aggregating more functionality absorbed more sensitive data, and the vendor chains behind them grew longer and less visible. The firms most exposed in Q1 weren't the ones that got hit. They were the ones that had no idea what their platforms were doing with client data.

"Firms adopted AI tools to save time. Most of them had no idea those tools were sending client data to subprocessors they'd never heard of."

01. AI Tools Without Data Processing Agreements Created New Subprocessor Exposure at Scale.

By Q1 2025, AI-assisted drafting, research, and document review tools had reached meaningful adoption in small and mid-sized law firms and accounting practices — often without IT or compliance involvement in the selection process. Several widely used tools were found to route user-submitted content through third-party model providers, storage layers, and analytics subprocessors operating under terms of service rather than negotiated data processing agreements. In at least a dozen Q1 incidents involving law firms, privileged client communications submitted to AI drafting tools were found to have been retained by the platform's underlying model provider under terms permitting use for model training.

What this means for your firm

If your attorneys or staff are using AI tools — even free-tier or browser-based ones — for anything touching client matters, you have a subprocessor you didn't knowingly onboard. The question isn't whether your firm uses AI. It's whether you have a current inventory of every platform that touches client data, a data processing agreement with each one, and clarity on what their subprocessors are permitted to do with that data. Most firms have none of those things documented.

02. PowerSchool: A Single Vendor Breach Exposed 62 Million Student Records — and a Template for How Your Stack Works.

In January 2025, PowerSchool — a cloud-based student information system used by school districts across North America — confirmed a breach affecting an estimated 62 million student records and 9.5 million teacher records. The attack exploited a single compromised credential to access a customer support portal with broad data access. What made the incident notable beyond its scale was the structure: one credential, one vendor portal, one subprocessor access path — and an entire customer base exposed simultaneously. PowerSchool paid a ransom to prevent disclosure. The data was later reported to have been posted anyway.

What this means for your firm

The PowerSchool architecture — multi-tenant SaaS, customer support access with elevated permissions, credential-based authentication with no documented MFA enforcement — is structurally identical to the practice management and document management platforms used by most professional services firms. You are not in the education sector. But your vendor stack almost certainly has a support portal somewhere with access to your client data, protected by a credential you didn't set and can't monitor. That is the exposure PowerSchool made visible.

03. Cloud Consolidation Accelerated Third-Party Risk Without Triggering Vendor Review Processes.

Q1 2025 continued a trend documented in prior periods: cloud platforms adding functionality through acquisition and partnership rather than internal development, with each addition expanding the subprocessor chain behind tools firms had already vetted — or assumed they had. Several major legal and accounting SaaS platforms updated their data processing terms in Q1 to reflect new AI features, analytics integrations, and cross-platform data sharing arrangements. The updates were disclosed via terms-of-service notifications that most firms neither read nor routed to anyone responsible for vendor risk.

What this means for your firm

A vendor you reviewed eighteen months ago may have a materially different subprocessor list today. Platform acquisitions, AI feature rollouts, and analytics integrations don't require your consent — they require a terms update you probably didn't read. If your vendor review process runs on an annual cadence or only triggers on new vendor onboarding, it is not capturing the actual rate of change in your vendor stack. This is the gap that Q1's incident pattern exploited most consistently.

04. Transparency Failure: 68% of Q1 Breach Notices Disclosed No Root Cause.

The Identity Theft Resource Center's Q1 2025 analysis found that 68% of breach notices issued during the quarter contained no information about how the incident occurred. That figure has climbed steadily since 2022 and is now the defining characteristic of the current breach notification environment. Regulators in New York, California, and at the federal level have begun treating the absence of root cause disclosure as an independent compliance concern — separate from whether the underlying breach was preventable. For professional services firms, the implication runs in both directions: as recipients of breach notices from vendors, and as potential issuers of notices to clients.

What this means for your firm

When your vendor sends you a breach notice with no cause disclosed, you have no way to assess whether your client data was actually affected — or whether your own systems connected to that vendor are now at risk. That information gap is a problem you cannot fix from your side. But it is a reason to have vendor contracts that require timely, substantive incident notification rather than the legally minimal version most firms accept by default. On the outbound side: if your firm ever issues a breach notice that discloses no cause, regulators in several states have signaled that the documentation supporting that gap will be reviewed.

Regulatory Watch

The FTC finalized its updated Safeguards Rule guidance for non-banking financial institutions in Q1 2025, with enforcement posture shifting toward active review of written information security programs at CPA firms and tax preparers. The updated guidance specifically addresses AI tool usage — clarifying that firms using third-party AI platforms for client data processing are required to treat those platforms as service providers under the rule, with documented vendor assessment and contractual data security requirements. The IRS also updated its Security Summit guidance for tax professionals in Q1, adding specific language around AI tool governance and requiring that firms using AI for client data have explicit policies governing what data may be submitted to those platforms and under what terms.

Bottom line: Using an AI tool for anything touching client tax data without a documented vendor assessment and data processing agreement is now a specific FTC Safeguards Rule compliance gap — not just a general best practice issue.

Q1 2025's threat story is about surface area that grew faster than awareness. AI tools added subprocessors. Cloud platforms added integrations. Vendor stacks changed while vendor review processes stayed still. The incidents that defined the quarter didn't require sophisticated attacks — they required access to data that firms had handed over, under terms they hadn't read, to platforms they hadn't fully mapped. The firms most at risk entering Q2 are not the ones that experienced an incident in Q1. They are the ones that still cannot answer a basic question: what does every platform in your stack do with client data, who are their subprocessors, and what are those subprocessors permitted to do?

If your AI tools don't have data processing agreements, you don't have a vendor program. You have a liability.

A Business Privacy Audit maps what your platforms are actually doing with client data. · occunx.com