RankShield Legal
Citation checker Request access
AI Confidentiality

Can Law Firms Use AI Without Waiving Attorney-Client Privilege?

Yes, law firms can use AI without waiving attorney-client privilege, but only with deliberate boundaries. Privilege and confidentiality are separate duties, and feeding client material into a third-party model can threaten both. The safest path pairs informed client consent with an architecture that isolates privileged data from any self-learning model, and, increasingly, proof that the isolation held.

By Jamie Kloncz, Founder, RankShield 21 min read Published

Yes, law firms can use AI without waiving attorney-client privilege, but only with deliberate boundaries. Privilege and confidentiality are separate duties, and feeding client material into a third-party model can threaten both. The safest path pairs informed client consent with an architecture that isolates privileged data from any self-learning model, and, increasingly, proof that the isolation held.

The question sounds like it has one answer, but it actually contains two. One is ethical: does putting client material into an AI tool comply with a lawyer's professional duties? The other is evidentiary: does that same act risk stripping a communication of the protection that keeps it out of court? These questions run on separate tracks, they are governed by different authorities, and they can come out differently for the same set of facts. A firm that treats them as one question tends to answer the easy half and assume the hard half took care of itself. The sections below keep the two duties apart on purpose, walk through what current guidance and reporting actually say, and end with the part most advice skips, which is how a firm proves after the fact that its isolation worked.

Privilege and confidentiality are two different things

Attorney-client privilege and the duty of confidentiality are related but distinct, and conflating them causes most AI missteps. Privilege is an evidentiary protection: it can keep certain lawyer-client communications out of court, and it can be waived by disclosure to a third party. Confidentiality is a broader ethical duty under Model Rule 1.6 [4] that covers all information relating to a representation, regardless of whether litigation is involved.

When a lawyer pastes client facts into a public AI chatbot, both duties are in play, but they fail in different ways. The ethical duty of confidentiality is engaged the moment information leaves the firm's control, which is why the ABA grounded its AI guidance in Rule 1.6 [4]. Evidentiary privilege, by contrast, turns on whether a communication qualified for protection and whether disclosure to an outside system waived it. Treating "we used enterprise AI" as if it resolves both questions is a category error. A firm can satisfy one duty while quietly compromising the other, and courts and bar regulators evaluate them on separate tracks.

The reason this distinction is worth laboring is that the two duties are enforced by different people at different times. The confidentiality duty is enforced by bar regulators and by the client relationship, and it applies continuously, in every matter, whether or not anything is ever litigated. Privilege only becomes a live issue when someone tries to compel a communication in a proceeding and the firm resists on the ground that it is protected. A lawyer can go an entire career without a privilege ruling, yet the confidentiality duty attaches to every piece of client information that lawyer touches. So the day-to-day discipline is a confidentiality discipline, and privilege is the risk that surfaces later, often when the stakes are highest and the record is already fixed.

  • Privilege is evidentiary: it governs whether a protected communication can be kept out of a proceeding, and disclosure to a third party can waive it.
  • Confidentiality is ethical: Model Rule 1.6 [4] covers all information relating to a representation, litigation or not.
  • The ABA anchored its generative AI guidance in the Rule 1.6 confidentiality duty [4], not in the law of privilege.
  • A firm can comply with one duty and still expose the other, because they are judged on separate tracks by different authorities.

Two duties, two failure modes

Same act, two questions. Answering the confidentiality question does not answer the privilege question, and no vendor promise resolves the second.

Because the two duties fail differently, it helps to see them side by side rather than in prose. The confidentiality duty is proactive and continuous, and it is the one Opinion 512 speaks to directly [4]. The privilege question is reactive and situational, and it is the one reporting on Heppner puts in play [9]. Mapping them against each other keeps a firm from answering the ethical question and assuming the evidentiary one is settled.

The table below is a summary of what has already been established above, not a source of new rules. It is meant as a working reference for the moment a lawyer is deciding whether a given AI use is safe. If a proposed use is clean on the left column but unresolved on the right, that is exactly the situation this article is about, and it is the situation most guidance leaves unaddressed.

DimensionConfidentiality (Rule 1.6)Privilege (evidentiary)
NatureEthical duty [4]Evidentiary protection
ScopeAll information relating to a representation [4]Certain qualifying lawyer-client communications
When it appliesContinuously, litigation or notWhen protection is asserted in a proceeding
How it failsInformation leaving firm control without proper consent [4]Disclosure to a third party can waive it
Who decidesBar regulators and the client relationshipA court, case by case
RANKSHIELD LEGAL Using AI Without Waiving Privilege Confidentiality and privilege are separate duties that fail differently Op. 512 Requires informed consent for self-learning AI ABA, July 29 2024Heppner AI-generated documents held not privileged S.D.N.Y., reported 2026Rule 1.6 Confidentiality duty over all client info ABA Model Rule2 Separate analyses to run every time confidentiality and privilege RankShield Legal rankshieldlegal.com
Source: ABA Formal Op. 512 (2024); reporting on US v. Heppner (2026)

What US v. Heppner signals about AI and privilege

A 2026 U.S. District Court ruling (S.D.N.Y.), reported as United States v. Heppner, is reported to hold that AI-generated documents are not privileged and not attorney work product [9]. Read narrowly, that reporting suggests a court may decline to extend privilege or work-product protection to material a generative model produced, even when a lawyer prompted it. Treat this as a signal, not settled nationwide law.

The distinction that matters is between a lawyer's protected thinking and an AI system's output. Privilege and work-product doctrine historically shield attorney communications and mental impressions. Reporting on Heppner suggests that machine-generated text may sit outside those protections [9]. If that framing holds and spreads, drafts, memos, and analyses produced by an AI could be discoverable in ways a lawyer's own work would not be. The practical takeaway is caution: one district court's reported ruling is not binding across jurisdictions, and appellate review could reshape it. But firms should not assume that routing work through AI automatically inherits the protections that attach to a lawyer's own hand.

It is worth being precise about how much weight one reported district court ruling can bear. A single trial-level decision binds no other court, and reporting on a ruling is a further step removed from the ruling itself. The framing could narrow, widen, or be revised on review. None of that makes the signal safe to ignore. The prudent reading is not that AI output is definitely unprotected everywhere, but that a firm cannot count on protection attaching just because a lawyer was in the loop. When the downside of being wrong is that a draft becomes discoverable, planning for the stricter interpretation costs little and the alternative can cost a case.

There is also a line worth holding between the lawyer's contribution and the model's. A lawyer's own analysis, mental impressions, and strategy are the classic core of work-product and privilege doctrine. Reporting on Heppner is about the machine-generated portion [9], and it should push firms to think carefully about how tightly AI output is woven into privileged work. The more a document is genuinely the lawyer's own reasoning, the more comfortable the traditional footing. The more it is raw model output presented as work, the more a firm is relying on an unsettled question, and the more it needs a record of exactly what happened.

Heppner is one reported district court ruling. It is a signal to plan around, not binding nationwide law, and it may be narrowed or revised on review.

2026 Year of the reported S.D.N.Y. Heppner ruling on AI-generated documents [9]

What ABA Opinion 512 actually requires

ABA Formal Opinion 512, issued July 29, 2024, requires lawyers to obtain client informed consent before inputting client information into a self-learning generative AI tool [4]. It is grounded in the Model Rule 1.6 duty of confidentiality, and it makes clear that boilerplate consent buried in an engagement letter is not enough [4]. Consent must be informed and specific to the risk.

The opinion reaches further than consent. It also implicates competence under Model Rule 1.1, meaning lawyers must understand the AI tools they use well enough to judge the risks, and supervision under Rules 5.1 and 5.3, meaning firms must oversee both lawyers and nonlawyer staff who deploy these tools [4]. Crucially, Opinion 512 is an ethical guidance document about the confidentiality duty. It is not a rule about evidentiary privilege waiver, and it does not decide when privilege is lost. A firm can be fully compliant with 512's consent and competence expectations and still face a separate, unresolved question about whether a given disclosure waived privilege in court. Both analyses have to be run.

Reading the opinion as a single consent checkbox misses how it is structured. It bundles three obligations that reinforce one another, and a firm that satisfies one while neglecting the others has not really met the standard. Informed consent without competence produces a consent that the lawyer cannot honestly explain, because the lawyer does not understand the tool well enough to describe the risk. Competence without supervision leaves the knowledgeable partner comfortable while an associate or staff member uses the tool in a way no one is watching. The obligations are meant to travel together.

  1. Informed, specific consentObtain the client's informed consent before inputting client information into a self-learning generative AI tool, with language specific to the risk rather than engagement-letter boilerplate [4].
  2. CompetenceUnder Model Rule 1.1, understand the tool well enough to judge how it handles inputs and what the risks are [4].
  3. SupervisionUnder Rules 5.1 and 5.3, oversee both lawyers and nonlawyer staff who deploy these tools, so use happens inside firm policy rather than ad hoc [4].

Opinion 512 is ethical guidance about confidentiality. It does not decide privilege waiver, so satisfying it does not close the evidentiary question.

Why an "enterprise" AI tier is not the same as privilege

An enterprise AI subscription with zero data retention reduces one risk, but it does not, by itself, establish that privilege is preserved. Enterprise contracts and no-training commitments are procurement facts. Privilege is a legal conclusion a court reaches later, based on whether a communication qualified and whether disclosure waived it. The two live on different tracks, and vendors cannot promise the second.

Much of the guidance aimed at large firms stops at "use enterprise-grade tools with zero data retention." That advice is reasonable, but incomplete. It reduces the confidentiality exposure that Opinion 512 targets [4] by limiting where client data flows and whether a model trains on it. It does not resolve the evidentiary question that reporting on Heppner raises [9]. It also leaves a proof gap: a contractual promise is not the same as demonstrable evidence that privileged material never reached a third-party model in retrievable form. When a dispute arises, "the vendor said it wouldn't retain data" is an assertion. Firms increasingly need something they can show, not just something they were told.

The core confusion is between a promise and a proof. A procurement term describes what a vendor has agreed to do. It does not, on its own, describe what actually happened to a specific piece of client material on a specific day. Those are different objects. A firm relying only on the contract is one step removed from the fact it may eventually need, which is a record of how a particular matter's data was handled. The enterprise tier lowers the probability of a bad outcome. It does not generate the evidence that would matter if the outcome is questioned later.

  • Enterprise contracts and no-training commitments are procurement facts, not legal conclusions about privilege.
  • Zero data retention lowers the confidentiality exposure Opinion 512 targets [4] by limiting where client data flows.
  • It does not resolve the evidentiary question reporting on Heppner raises [9].
  • A contractual promise is not the same as demonstrable evidence that privileged material never reached a third-party model in retrievable form.
  • When a dispute arises, "the vendor said so" is an assertion, not something a firm can show.

Running both analyses, not one

The practical discipline that follows from all of this is simple to state and easy to skip: run both analyses every time, and do not let a clean answer on one substitute for the other. The confidentiality analysis asks whether the firm has met Opinion 512's expectations around consent, competence, and supervision [4]. The privilege analysis asks whether a given disclosure could waive protection and whether AI-produced material carries protection at all, given what reporting on Heppner suggests [9]. Neither answer settles the other.

Because Opinion 512 is ethical guidance and one district court's reported holding is not nationwide law [4][9], the sound posture is to build for the stricter case. Assume a court may later scrutinize both whether confidentiality was preserved and whether AI-touched work retains any protection, and design so the answers hold up under either lens. The sequence below is a way to keep the two questions visibly separate on a given matter, so that a firm never quietly answers one and assumes the other.

  1. Classify the matterDecide how sensitive the material is before any tool touches it, so the most sensitive work is handled under the strictest assumptions.
  2. Run the confidentiality checkConfirm informed, specific consent, that the responsible lawyer understands the tool, and that use sits inside firm supervision, per Opinion 512 [4].
  3. Run the privilege checkAsk separately whether the disclosure could waive privilege and whether AI-generated portions carry protection at all, given reporting on Heppner [9].
  4. Record what happenedKeep a record of which model saw which data and when, so the firm can show its handling rather than merely assert it.

A clean confidentiality answer does not close the privilege question. Treat them as two checks that must both pass.

A defensible AI-confidentiality setup for a firm

Layer people, contracts, and architecture, then keep records so each layer becomes something you can show, not just something you did.

A defensible setup layers people, contracts, and architecture. Start with informed client consent that names the specific AI use, satisfying Opinion 512 rather than relying on engagement-letter boilerplate [4]. Add competence and supervision controls so lawyers understand the tools and firms oversee staff use [4]. Then isolate privileged material architecturally so it never trains a self-learning model, and keep records that show what happened.

Concretely, that means classifying matters so the most sensitive material is walled off from general-purpose AI, using tools with contractual no-training and retention terms, and documenting which model saw which data and when. Competence obligations mean the responsible lawyer should be able to explain, at a basic level, how the tool handles inputs [4]. Supervision means associates and staff operate inside firm policy, not ad hoc [4]. Because Opinion 512 is ethical guidance and one district court's reported holding is not nationwide law [4][9], build for the strict case: assume a court may later scrutinize both whether you preserved confidentiality and whether AI-touched work retains any protection. Design so the answers are defensible in either analysis.

The layers are deliberately redundant because each covers a different weakness. People controls, meaning consent, competence, and supervision, address the human decisions that Opinion 512 is concerned with [4]. Contract controls, meaning no-training and retention terms, constrain what a vendor is permitted to do with the data. Architecture controls put a wall between the most sensitive material and any self-learning model, so that even a mistake at the human or contract layer has a smaller blast radius. Records sit underneath all of it, turning each of the other layers into something the firm can later demonstrate. Remove any one layer and the setup still functions, but it becomes harder to defend when the question is asked at the worst possible moment.

  • Consent that names the specific AI use, not engagement-letter boilerplate [4].
  • Competence controls so the responsible lawyer can explain how the tool handles inputs [4].
  • Supervision so associates and staff operate inside firm policy rather than ad hoc [4].
  • Classification that walls the most sensitive matters off from general-purpose AI.
  • Tools with contractual no-training and retention terms.
  • Records of which model saw which data and when.

Proving isolation, not just promising it

The gap most guidance leaves open is proof. A firm can consent correctly and buy the right tier and still be unable to demonstrate, after the fact, that privileged material never reached a third-party model in retrievable form. RankShield Legal's RS-211 approach attests to architectural isolation and informed consent, producing cryptographic evidence of how data was handled rather than a promise that it was handled well.

The honest framing matters here. RankShield does not prevent privilege waiver and does not guarantee that privilege is preserved, because waiver is a legal determination a court makes, not a control a vendor can enforce. What it can do is attest that the isolation architecture functioned as designed and that consent was captured, then anchor that record so it can be verified independently later. That converts "the vendor said so" into evidence you can produce. It closes the proof gap that BigLaw guidance stops short of, without overstating what any technology can promise about a court's eventual privilege ruling.

The reason proof deserves its own section is that it is the thing time destroys. Consent can be documented and a subscription tier can be chosen, but the specific fact a firm may need later, which is that a given matter's privileged material stayed isolated, is exactly the kind of fact that becomes hard to reconstruct once the moment has passed. An attestation captured at the time, and anchored so it can be checked independently afterward, is a way of preserving that fact before it decays into memory and assertion. It does not change the law of waiver. It changes whether the firm can show what happened.

What attestation can and cannot claim

It is worth stating plainly what a proof layer does and does not do, because the value of honest framing is that it survives contact with a courtroom. RankShield Legal's RS-211 approach is a way to evidence isolation and consent, and it is a vendor capability, not a legal outcome. Being clear about the boundary is not a hedge. It is the point. A claim that overreaches is worse than no claim, because it invites the exact challenge it cannot survive.

The list below separates the two carefully. Everything on the "can" side is a factual matter about how data was handled and whether that handling can be verified later. Everything on the "cannot" side is a legal determination that belongs to a court, and no technology moves it. Keeping these apart is how a firm avoids trading a real evidentiary advantage for a claim that collapses under scrutiny.

  • Can attest that an isolation architecture functioned as designed for a given matter.
  • Can attest that informed consent was captured, supporting the Opinion 512 record [4].
  • Can anchor that record so it is independently verifiable after the fact, converting assertion into evidence.
  • Cannot prevent privilege waiver, which is a legal determination a court makes.
  • Cannot guarantee that privilege is preserved, because that too is the court's call, not a vendor's control.
  • Cannot substitute for the firm's own confidentiality and privilege analyses under Opinion 512 [4] and the case law [9].

Attestation proves isolation and consent. It does not prove privilege. Anyone claiming a tool preserves privilege is describing something a court decides, not something a vendor can deliver.

Questions to resolve before AI touches a privileged matter

None of this has to be improvised matter by matter. The same handful of questions comes up every time, and a firm that answers them before client material reaches a tool is running both analyses by habit rather than by luck. The questions map directly to what has already been covered: the confidentiality duty Opinion 512 addresses [4], the evidentiary question reporting on Heppner raises [9], and the proof gap that sits underneath both.

This is not a compliance program in a box, and it is not a substitute for judgment on a specific matter in a specific jurisdiction. It is a way to make the two-question discipline routine, so that the harder evidentiary question is never skipped just because the ethical question had an easy answer.

  • Has the client given informed, specific consent to this AI use, or only signed boilerplate [4]?
  • Does the responsible lawyer understand how the tool handles inputs well enough to explain the risk [4]?
  • Are associates and staff using the tool inside firm policy, under supervision [4]?
  • Has the firm run the privilege question separately, given reporting on Heppner about AI-generated material [9]?
  • Can the firm later show, not just assert, that privileged material stayed isolated from any self-learning model?

This article is general information about how these duties interact, not legal advice. ABA opinions are non-binding guidance that states adopt differently, and privilege is decided case by case, so consult your jurisdiction's rules and your own counsel before relying on any AI workflow.

Test yourself

Test yourself: AI and privilege

Four questions on keeping confidentiality and privilege apart when using AI.

  1. 1Is confidentiality the same as attorney-client privilege?

    Answer: No, one is an ethical duty and the other an evidentiary protection

    Confidentiality under Rule 1.6 is a continuous ethical duty over all representation information; privilege is a narrower evidentiary protection a court decides and that disclosure can waive.

  2. 2What does ABA Opinion 512 require before inputting client information into a self-learning AI tool?

    Answer: Informed, specific client consent, not engagement-letter boilerplate

    Opinion 512 requires informed consent specific to the risk, and it also implicates competence under Rule 1.1 and supervision under Rules 5.1 and 5.3.

  3. 3What does reporting on US v. Heppner signal?

    Answer: A court may treat AI-generated documents as not privileged and not work product

    The reported S.D.N.Y. ruling suggests machine-generated text may sit outside privilege and work-product protection; it is one district-court signal, not binding nationwide law.

  4. 4What can RankShield's RS-211 attestation claim?

    Answer: That the isolation architecture functioned and consent was captured

    Attestation proves isolation and consent, not privilege; waiver is a legal determination a court makes, and no vendor can guarantee privilege is preserved.

Honest self-check. There is no sign-up, and nothing is stored.

Questions answered

Straight answers to the common questions

The questions readers ask about this topic, answered directly. No forms, no sales pitch.

JAMIE KLONCZ · SEO AGENCY NAPLES ONLINE

Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

REQUEST ACCESS →

References

  1. ABA Standing Committee on Ethics & Prof'l Responsibility. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. https://www. americanbar. org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/.
  2. Reporting on United States v. Heppner (S. D. N. Y. 2026). Secondary: https://www. dlapiper. com/en-us/insights/publications/2026/02/are-ai-generated-documents-privileged-key-takeaways-from-heppner.
Written by

Jamie Kloncz

Founder, RankShield

Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.

More about Jamie →
Try it · Free

Check a citation against live case-law

Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.

Try the citation checker