AI and the Impact on Legal Privilege
- 6 days ago
If you work in a technology‑driven business (or have clients who do), you’ve likely already experimented with generative AI to research a question, ask for advice on setting strategy, or draft an internal memo. There’s a big challenge, however, when those questions, strategies, and memos are related to issues of law. The uncomfortable truth is that conversations between a non-lawyer and AI are discoverable in litigation and not protected by attorney‑client privilege. When having those chats with a GPT involves disclosing information that would not otherwise be discoverable in litigation, the “I was just trying to help” can quickly turn into critical evidence. Protecting clients’ interests in this new world of AI means that lawyers need to understand how it impacts privilege.
The Rules of Privilege
Protection of communications between clients and counsel.
Legal privilege is what keeps conversations between clients and lawyers from being discovered in trial and used as evidence against the client. To be considered “attorney-client privileged” the communication must meet a three-part test requiring that it: (1) is between a client and their attorney; (2) is intended to be, and in fact is, kept confidential; and (3) is for the purpose of obtaining or providing legal advice.[1] The concept of attorney-client privilege is generally construed narrowly because it operates as an exception to the rule that “all relevant proof is essential” for a complete record and for “confidence in the fair administration of justice”.
However, it is also fiercely protected because it is seen as a necessity to ensure that lawyers are capable of meeting their ethical requirements of competency and representation – basically the need for lawyers to have the information necessary to have a comprehensive and frankly honest discussion with the client in order to provide the client with fully informed, competent advice and assist the client in complying with the law.
“The social good derived from the proper performance of the functions of lawyers acting for their clients is believed to outweigh the harm that may come from the suppression of the evidence in specific cases.” People's Bank v. Brown, 3 Cir., 112 F. 652, quoted in United States v. United Shoe Machinery Corp., 89 F.Supp. 357, 358 (D.Mass. 1950).
In other words, privilege is important because without it, clients may not be sufficiently candid with their lawyers for the lawyers to give good legal advice. The availability of good legal advice is of higher social importance than what may come from the suppression of evidence.[2]
The “Work Product Doctrine”: Protecting Attorney Work
The work product doctrine is another type of privilege associated with legal representation. It is similar to attorney-client privilege in that it provides qualified protection for materials provided by or at the behest of counsel in anticipation of litigation or for trial. It is more tightly tied to the work of the attorney than the attorney-client privilege that protects communications between clients because it is designed to protect the thought process of the lawyers in relation to pending or anticipated litigation.
The test for work product is simpler than the attorney-client privilege. It is simply that the work was prepared by or at the direction of a lawyer in anticipation of trial. So, there must be: (1) a lawyer; (2) preparation by either the lawyer or someone the lawyer is directing; and (3) anticipation of trial. Again, all of those elements must be present for the materials to be considered privileged under the work product doctrine. Specifically absent from protection are materials that are merely in the possession of the lawyer, particularly if they are not related to the attorney’s thought process. This is why clients can’t simply hand over evidence to their lawyers and claim privilege.
Pro Se litigants: Privilege without Lawyers
The rules for pro se litigants – those who elect to represent themselves as opposed to hiring a lawyer – are a bit different. Because they act as their own attorneys, they may be able to protect the work they do (including conversations they have with AI) as privileged work product. Rules regarding confidentiality likely (I haven’t found case law addressing it directly yet) still apply but may end up being slightly different. Perhaps courts will find that the Terms of Service are not as crucial to the question of confidentiality so long as no other human parties are involved, particularly if the generative AI tool requires payment in order to exclude user input from model training.
Because, however, this blog is about interest in the business use cases of AI and not personal use cases, the pro se litigant will not be addressed here.
In-house Counsel and Privilege
In-house lawyers are unique in that they have only one client – their employer – and often provide a combination of legal, business, and ethics advice. In fact, the role of in-house counsel has been continuously broadening over the last several years, driven by legal, economic, business, and political changes.
The United States
In the United States, the law continues to protect communications between in-house counsel and the company. When the advice includes both business advice and legal advice, the privilege will protect communications so long as the communication was made primarily for the purpose of generating legal advice. Complications can then arise when trying to determine whether the legal advice was appropriately given to “the client” (which is the company, not the individual employees of the company) and whether such advice remained sufficiently confidential.
While the “control group” test that used to extend privilege only to certain high-level executives within a company is only rarely used to determine the scope of attorney-client privilege, there is still a recognition that not every hypothetical that can be posed by an employee is regarding a matter likely to result in litigation. For that reason, there are now more complicated questions about whether appropriate superiors are directing employees to engage with legal teams in their quest for legal advice.
There is also the question of confidentiality. It is not sufficient that all employees work for the same entity where the client is the entity. The limits of confidentiality as an element of legal privilege are no different from the rules of confidentiality around highly sensitive business information and generally rely on a “need to know” requirement before disclosure can be made. Company communication tools like email, shared drives, Slack, and Teams are often geared far more towards efficient communication than strict access controls. In-house legal teams often ask that many of the security controls that stand in for access controls – like DRM – not be used, because they make it so difficult for the legal team to effectively engage with outside counsel and subject matter experts.
Europe
The global nature of business also affects the ability to maintain privilege of attorney-client communications and work products. In the European Union (EU), in-house lawyers are often trained and licensed very differently from their American counterparts[3]. In-house counsel in the EU often have only a Bachelor of Laws degree and may not be fully licensed members of the bar association or law society of their country – the organizations generally tasked with attorney accountability and oversight. In fact, in some jurisdictions, lawyers with bar admissions are specifically required to give up their bar membership when transitioning to an in-house role.[4] In-house attorneys, and to some extent transactional attorneys generally, are seen as business advisors rather than officers of the court. This is also why in many European countries, consulting services offer legal advice provided by individuals who have studied law at some level but have no law license.
The challenge for privilege is that the genesis of privilege stems from attorneys’ obligations of confidence and competent advice and how they are held accountable to those standards. Without licensing oversight, the duties of confidence and competence cannot be professionally enforced outside of the employment context (for in-house counsel) or via expensive lawsuits for malpractice that may be easily thwarted via consulting contracts that offer no warranty or guarantees for the quality of service. Protection of privilege on a global advisor scale then becomes even more difficult. Some jurisdictions will apply the privilege rule associated with the location of the lawyer, others with the location of the client, and others “where the communication is made” – a determination that may be near impossible considering the myriad electronic communications capabilities available today.
Logistical realities
The frameworks for privilege obviously create a number of logistical challenges for in-house legal teams. Most in-house lawyers are familiar only with the “Upjohn Warning” that they provide as part of the corporate onboarding program or internal investigations.[5] Now we have a new challenge: Artificial Intelligence.
AI, Privilege, and Overeager Clients.
In the post-Internet era, any in-house lawyer (and many in private practice) can attest to the number of incoming clients who are already certain that they know the legal outcome of their issue. They will come in with Google searches, law firm blogs, Wikipedia pages, and full confidence that all they really need is for the lawyer to agree with them. Generative AI tools and the ease with which they can now get cited case law and arguments that read like law review articles have exponentially raised their confidence. Media reinforces their belief that high-priced lawyers, in fact, provide no value when there is AI that is “an A+ law student” and has “passed the bar”. The legaltech startup world is almost worse - chockablock with entrepreneurs nearly foaming at the mouth with the idea that they might create a tool that will replace lawyers.
There is one thing that AI cannot do, though - create privilege.
U.S. v. Heppner: Humanity is Required for Privilege
In October 2025, the Department of Justice brought charges against Bradley Heppner for securities fraud, wire fraud, conspiracy, making false statements to auditors, and falsification of records. When FBI agents executed a search warrant, they seized dozens of electronic devices as evidence. Shortly after the search, defense counsel informed the government that, before his arrest, Heppner had run queries related to the government’s investigation through Anthropic’s Claude generative AI tool in which he had outlined defense strategy, analyzed the factual and legal landscape of the charges he anticipated, and prepared materials after learning of the grand jury proceedings against him. Heppner’s defense team sought to protect these communications and materials as attorney-client privileged communications and attorney work products. The government disagreed. The government won.
Judge Rakoff’s ruling asserted that neither the communications with Claude nor its output materials could be considered privileged because Claude is neither an attorney nor human. “All “[recognized] privileges” require, among other things, “a trusting human relationship,” such as…a relationship “with a licensed professional who owes fiduciary duties and is subject to discipline.”” (p.6 of holding). The lack of both humanity and a law license were not the only reasons that the Court found that no privilege existed (there were also issues of confidentiality based on the version of Claude used and how it could be and was configured), but it likely would have been dispositive. As every first-year law student knows: a three-part test must have all three parts satisfied to be passed. Heppner satisfied only one: he was preparing for trial.
Heppner also tried to rely on another common misunderstanding seen by in-house lawyers: that all they have to do to protect information from being discovered is bring it to the legal team, label it as ‘privileged’ and it will magically become privileged. While I personally think Judge Rakoff missed a chance to reference Harry Potter, he aptly noted that “it is black letter law that non-privileged communications are not somehow alchemically changed into privileged ones upon being shared with counsel” (p.8). In other words, there simply is no vera verto spell that will transform discoverable conversations or materials into privileged ones simply because they are later handed to counsel. Not a Potter fan? Think: “Dammit, Jim, I’m a lawyer not a magician.”
Mitigating Risks
Many lawyers will joke that the biggest risk to their ability to provide good legal advice is simply the client. Client use of AI is complicating legal practices in many ways, both within in-house practices and with private practice. This is likely one of the reasons that the ABA Formal Opinion 512 (as well as the guidance of multiple state bar associations) requires a reasonable understanding of the capabilities and limitations of Generative AI as part of the lawyer’s duty of competence. While the ABA Opinion focuses on tools the lawyers use, it is reasonable to include knowledge of how clients use these tools, too. Especially when there is a high likelihood that clients will use AI in ways that impact privilege.
Lawyers must have and use this competence to advise clients on how to maintain privilege while still taking advantage of this powerful technology. Focusing on the in-house practice, this can be done in a number of ways, including appropriate AI policies, practical playbooks that address AI use, and requirements for legal service provider diligence and contract terms.
AI Policy Updates
For in-house teams, the starting point is usually the AI Policy. Don’t have an AI Policy? Well…that’s a great place to start. Already have an AI Policy? Check that it addresses issues of legal privilege. Does your AI policy restrict the use of AI to only the legal team on issues such as obtaining legal advice or preparing for legal proceedings such as trials or regulatory investigations? It should. Note that you might need to make sure the policy clearly defines what “legal advice” is, as the term itself can be misunderstood and many people don’t understand that simply asking “Is X legal?” can be considered “asking for legal advice”.[6]
If you have an AI policy but the policy is simply “No AI!”, it’s time to make more significant changes. This is an unrealistic policy that is likely to be unenforced or unenforceable given the nature of both humans and technology.
Practical Playbooks
If you have a playbook and/or training on privilege (or a playbook/training that covers privilege), update it to address AI tools. Including both the AI Policy and playbook/training updates in the same project or workflow can get this done. Be sure to include both how lawyers and non-lawyers can use AI tools, and which tools they are permitted to use.
If the intention to update playbooks and training is to reinforce the “No AI!” policy, see note above.
Address vendor agreements for non-legal service providers working on matters relating to potential litigation.
While most of the in-house legal team’s budget is spent on outside counsel, we often utilize third party service providers in legal investigations. A frequent example is cybersecurity forensics teams. These teams are often on contract with the security teams in the business and will be engaged to provide forensic investigations for cybersecurity events such as data breaches. You may want to consider using different firms – or at least different contracts – for work done under the direction of counsel in preparation for litigation and work done in the normal course of business.
Contract terms restricting the use of generative AI should also be considered for these engagements. Not necessarily saying “No AI!” (again – this is difficult or impossible to monitor, detect, or enforce) but expectations of when and how AI can be used if/when the services in question may result in legal investigations, preparation for trial, or regulatory investigations.
Vetting legal technology service providers for privilege controls.
For attorneys using AI, nothing in Heppner suggests that the use of AI by a lawyer will destroy privilege. Consistent with ABA Opinion 512, there is, however, an indication that attorneys must be cautious with the tools they use. There is a duty of competence that requires licensed attorneys to understand the technology they are using and to competently manage it in a way that preserves privilege.
Heppner discusses specific terms of use in Claude that allow (or, in Heppner’s case did not allow) the application to be configured to preserve the confidentiality of the “conversation” with the app by preventing the information from being stored by Anthropic in its normal course of business. The technology industry is now filled with companies providing technology to lawyers that is built on these base GPTs, but without necessarily giving the lawyer end user the right to configure what data is stored in the normal course of business.
It’s not enough to simply configure Claude, ChatGPT, or Gemini to avoid training on data – legal teams must now vet every new technology to determine how they treat data at every layer of the technical stack. For corporate teams buying legal tech, it is also necessary to consider how the software approaches access controls and sharing rights – particularly given that a broad sharing of information, even within the walls of the company, can be seen as an indicator that the information was not intended to remain confidential, which is a necessary trait of a conversation protected by privilege.
This means it is necessary to ensure that not only are these tech tools able to be used in a way that avoids disclosing confidential information to the technology provider, but also that they do not unnecessarily share confidential information within the company. The ability to enforce “need to know” restrictions on attorney-client communications that take place in these applications should be considered for any tool that trains a model based on a conversation – even those that simply train internal models.
The TL;DR
A competent understanding of AI – including how it is used by clients – is not just a duty of your legal license, but necessary to help protect the privileges that encourage the candid conversations with your clients necessary to provide good legal advice. This level of understanding goes far beyond configuring generative AI applications and should cover at least:
- Update Guidance on Privilege. Whether it is your engagement letter with clients, corporate or firm AI Policy, or training you provide to the business as in-house counsel, make sure clients are aware of how their use of AI in legal matters can put their legal position at risk.
- Confidentiality by default. Configure AI and check your vendors. Not only no model training on customer data, but also no co-mingling of your content (conversations, uploads, etc.) and – for “AI First” SaaS offerings – assurances of controls relating to confidentiality at their application layer.[7]
- Ensure lawyer‑directed workflows. Client-led workflows are likely to be seen as “ordinary course of business” and not work done in anticipation of litigation.
- Need‑to‑know access controls at the matter level. Not everyone at the company needs to know all legal advice. Even if you are training a company-only legal AI – and no company data or legal advice leaves the corporate domain – there’s still a significant risk that people in the company without need to know will find out. Consider whether an employment lawyer could use the tool without all employees finding out about an investigation into an executive for bad behavior.
- Evidence‑ready logging. Whether you need them for internal reviews and investigations or to produce privilege logs in response to legal demands, a lack of logging will eventually hurt.
Artificial intelligence is a powerful tool that can greatly improve legal services and business outcomes. With great power comes great responsibility, though. Responsible use of AI in legal requires more than just technology adoption; it requires both technically and legally competent attorneys with a high level of awareness of how clients act when unsupervised. Applying our curiosity to learn both AI for the law and client behavior with AI will lead us all to the future of a technology-enabled practice of law.
Footnotes:
[1] U.S. v. Mejia, 655 F.3d 126, 132, with more comprehensive test under U.S. v. United Shoe Machinery Corporation, 89 F. Supp. 357
[2] Don’t @ me: the rule is not absolute (hence, “narrowly construed”), so balances must be made, and it will not apply if client and lawyer are conspiring to commit crimes.
[3] Geopolitical & Brexit issues aside, “Europe” here does not include the UK, which has more in common with the licensing structure of the U.S.
[4] In many countries, such as Norway (where the author was in-house), there are separate words for these two types of legal professionals: juriste (one has a degree in law and provides legal advice as a profession) and advokat (a licensed attorney). Since both are roughly translated to English as “lawyer,” use caution if using machine translation to read articles explaining the difference – it will not make sense.
[5] The Upjohn warning is the notice that states the attorney represents the company as the client, not the individual, and that the attorney-client privilege belongs to the corporation and not the employee. The implication, of course, is that if the course of a corporate investigation discovers wrongdoing by an employee, the corporation has the right to waive privilege (or simply not assert it) and, put frankly, throw the employee under the bus to protect the company.
[6] If you think this seems unnecessary, consider the author’s experience in privacy law, where a client once said “We don’t have personal information, it’s just identity.” To which she responded, “Say that again, but slower.”
[7] Security Development Lifecycle, Secure Architecture reviews, security testing, and other controls should also be evaluated for reasons of integrity and availability, but those pillars of security are not directly tied to privilege, so are not addressed here.
