RankShield Legal
Citation checker Request access
AI Confidentiality

How to Prove Privileged Data Never Reached a Third-Party AI Model

When a client, regulator, or opposing counsel asks whether your firm's AI use put privileged material at risk, a vendor's word is not evidence. Proving privileged data never reached a third-party AI model means producing a signed, independently verifiable record that the material was withheld, redacted, tokenized, or kept on a local model, not merely a contractual promise that it was never stored.

By Jamie Kloncz, Founder, RankShield 18 min read Published

When a client, regulator, or opposing counsel asks whether your firm's AI use put privileged material at risk, a vendor's word is not evidence. Proving privileged data never reached a third-party AI model means producing a signed, independently verifiable record that the material was withheld, redacted, tokenized, or kept on a local model, not merely a contractual promise that it was never stored.

The distinction sounds academic until the moment someone with standing asks the question and you have only a contract to point to. This piece walks through what that record contains, how it is built, how anyone can check it without trusting you, and, just as important, the precise limits of what it does and does not establish. None of this is legal advice. It is a technical account of how a firm can turn a confidentiality practice into evidence it can actually show.

Why zero-retention is a promise, not a proof

A retention promise says the vendor did not keep your data. An isolation attestation says your data was never there to keep.

Zero data retention (ZDR) is a legitimate and useful control: the vendor contractually assures you that prompts and outputs are not stored or used to train models. But ZDR is a promise about what a third party did with your data after it arrived. It presumes the data reached the model in the first place, and it asks you to trust that the vendor honored the term. When a client, regulator, or opposing counsel questions your firm's AI use, a contract clause is an assertion, not evidence.

An attestation inverts the burden. Instead of promising the data was not retained, it proves the data never reached the third-party model in retrievable form. The difference is the difference between "we said we wouldn't keep it" and "here is a signed record showing it never left the approved boundary." One is a representation; the other is independently verifiable proof. That contrast, proof versus promise, is the entire thesis of a privilege-isolation attestation.

It helps to be concrete about where the two controls sit in time. A retention promise governs the interval after data crosses the boundary to the vendor. An isolation attestation governs the boundary itself, the point of transmission, and it captures whether protected content was present at that moment at all. If the material was withheld, redacted, tokenized, or kept on a local model, then the retention question is moot for that material, because there was nothing sensitive on the other side to retain. The attestation is the more fundamental record because it speaks to the earlier and more decisive event.

The question you eventually have to answer

The reason this matters is not abstract. At some point a client running its own risk review, a regulator conducting an inquiry, or opposing counsel probing discovery will ask a direct question: did your use of AI expose privileged material? A firm that can only answer by describing its intentions and gesturing at a vendor contract is in a weaker position than a firm that can hand over a record and say, here is what happened, and you can verify it yourself.

The weakness of the contract-only answer is that it collapses two very different claims into one. The first claim is that the firm intended to keep privileged material out of the third-party model. The second is that it actually did so on a given occasion. A policy, a training deck, and a vendor agreement all speak to intent. None of them speaks to what happened during a specific interaction on a specific matter. The gap between intent and event is exactly the gap that an inquiry is designed to expose, and it is exactly the gap a per-interaction attestation is designed to close.

This is why the unit of proof matters. An attestation is not a firm-wide certificate that says the firm is careful in general. It is a record tied to a single interaction, so that the question "what happened on this matter, in this session, with this tool" has a specific, checkable answer rather than a general reassurance.

What a privilege-isolation attestation actually binds

A privilege-isolation attestation is a signed record stating that privileged material was one of four things, withheld, redacted, tokenized to a non-retrievable form, or processed only on a local model, and never transmitted to a third-party model in retrievable form. It is narrow and technical by design: it attests to what the architecture did, not to a legal outcome.

Concretely, RankShield's RS-211 mechanism binds four elements into a single sealed record: an interaction digest (a cryptographic fingerprint of the interaction), the approved tool identifier, the governing policy in force, and the client's informed consent. Binding consent matters because the American Bar Association's Formal Opinion 512 holds that lawyers should obtain informed consent before entering client information into a self-learning generative AI tool, and that boilerplate consent is insufficient under the Model Rule 1.6 duty of confidentiality [4]. An attestation that ties the specific consent to the specific interaction gives you a durable, checkable record that the consent step was actually performed, not just asserted after the fact.

Each of the four bound elements answers a different question, and it is worth separating them. The interaction digest answers "which interaction are we talking about" without revealing its contents, because a digest is a fingerprint rather than a copy. The approved tool identifier answers "which system was permitted to be involved," so that use of an unsanctioned tool cannot masquerade as an approved one. The governing policy answers "under which rules was this interaction conducted," pinning the record to the standard in force at the time rather than a standard adopted later. And the bound consent answers "was the client's informed permission actually attached to this specific interaction." Bound together and signed, these four turn a diffuse claim of carefulness into a single, discrete, verifiable object.

  • Interaction digest: a cryptographic fingerprint that identifies the interaction without exposing its contents.
  • Approved tool identifier: the specific sanctioned tool the interaction was permitted to use.
  • Governing policy: the rule set in force at the moment of the interaction, not one applied in hindsight.
  • Informed consent: the client's specific permission, bound to this interaction rather than assumed from a boilerplate clause.

Why the record stores digests, not documents

A natural worry about any logging system is that the log becomes its own liability. If a record of a privileged interaction contained the privileged material, then the act of proving isolation would create a new copy of exactly the thing you were trying to protect. That would be self-defeating.

The design avoids this by storing digests only. A digest is a fixed-length fingerprint derived from the input; it lets anyone confirm that a particular interaction is the one referenced by the attestation, but it cannot be run backward to reconstruct the underlying content. The privileged material is not in the record. What is in the record is a mathematical commitment to the interaction's identity, plus the bound elements described above. This is what makes it safe to produce the attestation to a client, an auditor, a regulator, or opposing counsel: handing over the proof does not hand over the protected content.

This property also explains why an attestation can be shown to an adverse party without waiving anything about the substance of the work. You are disclosing that an interaction occurred and how it was handled, not what was said inside it. The record's usefulness comes precisely from carrying evidence of process while carrying none of the content.

This article is general information, not legal advice. Whether any particular practice satisfies your obligations depends on your facts, your jurisdiction, and your own professional judgment.

RANKSHIELD LEGAL Proving Privileged Data Stayed Isolated Attestation of architecture and consent, not a promise 4 Paths to keep material out of the model Withhold, redact, tokenize, localOpinion 512 ABA guidance on AI informed consent Under Model Rule 1.6Aug 14, 2024 NIST FIPS 204 and 205 effective Post-quantum signaturesRS-211 Binds digest, tool, policy, and consent RankShield Legal rankshieldlegal.com
Source: ABA Formal Opinion 512; NIST FIPS 204/205

Four ways to keep privileged material out of the model

There are four architectural paths to keeping privileged material out of a third-party model, and an attestation records which one was used for each interaction. First, withholding: the privileged content is never sent, only non-privileged context reaches the model. Second, redaction: privileged passages are removed before transmission, so what leaves the boundary contains no protected material. Third, tokenization to a non-retrievable form: sensitive values are replaced with tokens that cannot be reversed back into the original by the third party. Fourth, local-model processing: the material is handled only on a model that runs inside your controlled environment and never crosses to an external service.

Each path produces a different record, but the attestation captures the same core claim: privileged material did not reach the third-party model in retrievable form. Choosing among them is an architectural and policy decision your firm makes; the attestation's job is to make that decision auditable after the fact rather than asking anyone to take it on faith.

The paths are not ranked; they are suited to different situations. Withholding is the cleanest when the model does not actually need the sensitive content to be useful, because the safest data is the data you never send. Redaction fits when a document must be summarized or analyzed but its protected passages can be stripped first. Tokenization fits when structured sensitive values, names, numbers, identifiers, must travel in some form for the task to work but must remain unreadable to the third party. Local-model processing fits when the material genuinely must be processed in full and the answer is to move the model to the data rather than the data to the model. The point of recording the choice is that different interactions will reasonably call for different paths, and the attestation makes the specific choice legible later.

PathWhat leaves the boundaryBest suited to
WithholdingOnly non-privileged context; the protected content is never sentTasks where the model does not need the sensitive material at all
RedactionThe document with privileged passages removed before transmissionAnalyzing or summarizing a document whose protected parts can be stripped
TokenizationTokens that the third party cannot reverse into the originalsStructured sensitive values that must travel but stay unreadable
Local-model processingNothing; the material stays inside your controlled environmentWork that requires the full material and moves the model to the data
4 architectural paths an attestation can record for a given interaction

Making the proof independently verifiable

An attestation is only worth as much as your ability to check it without trusting the party who made it. That is why the record is cryptographically signed and sealed to a tamper-evident transparency log. A client, auditor, regulator, or opposing counsel can verify it independently, without access to your systems and without relying on RankShield's say-so.

The signatures use post-quantum algorithms standardized by the National Institute of Standards and Technology, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), effective August 14, 2024 [5]. Post-quantum signing is meaningful because attestations may need to remain verifiable for years or decades, and a signature scheme broken by a future quantum computer would undermine a proof relied upon long after it was created. To be precise: these standards are quantum-safe, not quantum-proof, they are designed to resist attacks from both classical and quantum computers under current analysis, not to carry an absolute guarantee. Sealing each record to a transparency log adds a second property: anyone can confirm the attestation existed at a given time and has not been altered since.

The phrase "independently verifiable" carries real weight here, so it is worth stating plainly what it rules out. It rules out a verification model where the only way to trust the record is to trust the entity that produced it. A signature that anyone can check against a published verification key does not depend on the signer's continued cooperation or honesty at the time of checking. A transparency log entry that anyone can confirm does not depend on the log operator's word either, because the log's structure is designed to make silent alteration detectable. The combined effect is that the party asking the question can answer it for themselves, which is the only kind of proof that survives an adversarial setting.

  1. Confirm the signatureCheck the record's post-quantum signature against the published verification key to establish that it was produced by the expected signer and has not been modified.
  2. Confirm log inclusionVerify that the record is sealed into the tamper-evident transparency log, which establishes that it existed at a given time and has not been altered since.
  3. Match the interaction digestCompare the digest in the record against the interaction in question to confirm the attestation refers to that specific interaction and no other.
  4. Read the bound elementsInspect the approved tool identifier, the governing policy, and the bound consent to see which isolation path was used and under what rules and permission.

Why the durability of the signature matters

Most technical records only need to be trustworthy for a short window. An attestation about privileged material is different, because a privilege or confidentiality question can surface long after the interaction that produced it. A matter can be reopened, an inquiry can look backward over years of practice, and a record created today may need to remain checkable well into the future.

That long horizon is the reason the choice of signature scheme is not incidental. If a proof relied on a signature scheme that a future adversary could forge or break, then the proof would quietly lose its value at the exact moment it might be needed most, without anyone necessarily noticing. Standardizing on the post-quantum algorithms named above [5] is an attempt to keep the record's evidentiary weight from decaying as the computing landscape changes. The honest framing remains the one stated earlier: quantum-safe under current analysis, not quantum-proof by guarantee. The goal is durability against known and anticipated attacks, not a claim of permanence that no one can responsibly make.

Consent, bound to the interaction, not assumed

Consent deserves its own treatment because it is where a lot of AI-confidentiality practice quietly falls short. Formal Opinion 512 holds that lawyers should obtain informed consent before entering client information into a self-learning generative AI tool, and it treats boilerplate consent as insufficient under the Model Rule 1.6 duty of confidentiality [4]. The practical problem is that consent obtained once, in the abstract, at the start of an engagement, is easy to point to but hard to connect to any specific later use of a tool.

Binding consent into the attestation addresses that gap directly. Rather than a general clause buried in an engagement letter, the record ties a particular consent to a particular interaction, so the later question is not "did the client ever agree to AI use in principle" but "was the client's informed permission attached to this interaction." That is a materially stronger record, because it shows the consent step was actually performed and connected to the event it governs, rather than assumed from a signature collected long before and far from the moment of use.

It is worth being careful about what this does and does not establish. Binding consent to an interaction demonstrates that a consent step occurred and was linked to that interaction. It does not, by itself, adjudicate whether the consent was legally sufficient in a given situation; that judgment depends on the disclosure that accompanied it and on the facts of the matter. What the attestation contributes is evidence that the step happened and when, which is the part that is otherwise easy to assert and hard to prove.

Confidentiality and privilege are not the same thing

A recurring source of confusion is the assumption that keeping something confidential and preserving its privilege are the same task. They overlap, but they are governed by different bodies of rules, and conflating them leads to overclaiming.

The duty of confidentiality under Model Rule 1.6 is an ethical obligation about protecting client information, and it is the duty that Opinion 512 addresses in the AI context [4]. Privilege, and questions of privilege waiver, are governed by evidentiary rules and decided by courts on the facts. Opinion 512 is explicit in the sense that its subject is the confidentiality duty, which is not the same thing as the evidentiary rules that govern privilege waiver [4]. A firm can be scrupulous about confidentiality and still face a genuine, separate question about whether privilege was preserved in a particular dispute. An attestation is built to support the confidentiality and process side of that picture; it is not built to decide the evidentiary side, and it should not be described as if it could.

What this proves to a court, and what it does not

This is the honesty section, and it is the most important one. A privilege-isolation attestation proves architecture and consent. It does not prove that a court will find privilege preserved or unwaived. Those are legal conclusions that depend on facts, jurisdiction, and judicial reasoning that no vendor controls or can certify.

What the attestation gives you is verifiable evidence about the technical steps and the consent process, a record that privileged material was withheld, redacted, tokenized, or kept local, and that informed consent was obtained and bound to the interaction. That evidence can support an argument that reasonable steps were taken. It is not a ruling. And note the distinction in scope: Opinion 512 addresses the ethical duty of confidentiality under Model Rule 1.6, which is not the same thing as the evidentiary rules that govern privilege waiver [4]. Separately, at least one reported matter, United States v. Heppner (S.D.N.Y. 2026), has, per reporting, treated certain AI-generated documents as not privileged and not work product [9], a reminder that how AI is used can itself shape privilege questions, which no attestation resolves. The attestation strengthens your record; it does not decide the law.

The right way to hold all of this is that the attestation moves you from assertion to evidence on the questions it actually covers, and stays silent on the questions it does not. It gives you a checkable record of what the architecture did and that consent was bound to the interaction. It does not, and cannot, tell a court how to rule. RankShield is a technology vendor, not a law firm, and the value of the record comes from being precise about that boundary rather than blurring it. A proof that overstates itself is worse than no proof at all, because it invites exactly the scrutiny it cannot survive. A proof that says only what it can defend is the one worth producing.

Test yourself

Test yourself on proof versus promise

Four questions on what an isolation attestation shows and where its limits sit.

  1. 1How does an isolation attestation differ from a zero-retention promise?

    Answer: An attestation shows the data never reached the model in retrievable form; retention promises the vendor did not keep it

    A retention promise governs the interval after data crosses the boundary. An isolation attestation governs the boundary itself, showing the material was never there to keep.

  2. 2Which are the four architectural paths an attestation can record?

    Answer: Withholding, redaction, tokenization, local-model processing

    Each interaction records which of the four paths kept privileged material out of the third-party model in retrievable form.

  3. 3What does a privilege-isolation attestation actually prove?

    Answer: The architecture used and that informed consent was bound to the interaction

    It attests to architectural isolation and the consent process, not to a legal conclusion. Whether a court finds privilege preserved depends on facts and jurisdiction no vendor controls.

  4. 4Is confidentiality under Model Rule 1.6 the same as evidentiary privilege?

    Answer: No; confidentiality is an ethical duty, while privilege is decided by courts under evidentiary rules

    Formal Opinion 512 addresses the Rule 1.6 confidentiality duty. Privilege and waiver are separate evidentiary questions decided by courts on the facts.

Honest self-check. There is no sign-up, and nothing is stored.

Questions answered

Straight answers to the common questions

The questions readers ask about this topic, answered directly. No forms, no sales pitch.

JAMIE KLONCZ · SEO AGENCY NAPLES ONLINE

Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

REQUEST ACCESS →

References

  1. ABA Standing Committee on Ethics & Prof'l Responsibility. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. https://www. americanbar. org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/.
  2. NIST. FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Effective Aug 14, 2024. https://www. federalregister. gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based.
  3. Reporting on United States v. Heppner (S. D. N. Y. 2026). https://www. dlapiper. com/en-us/insights/publications/2026/02/are-ai-generated-documents-privileged-key-takeaways-from-heppner.
Written by

Jamie Kloncz

Founder, RankShield

Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.

More about Jamie →
Try it · Free

Check a citation against live case-law

Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.

Try the citation checker