# Client Confidentiality and Generative AI

> Putting client data into generative AI implicates Model Rule 1.6. What ABA Opinion 512 says, informed consent, and how to attest AI isolation, not promise it.

[Home](https://rankshieldlegal.com/) / [Solutions](https://rankshieldlegal.com/solutions/) / Client Confidentiality & AI Confidentiality duty
# When client data enters an AI tool, can you prove where it went?
**Putting client information into a self-learning generative AI tool implicates your Model Rule 1.6 confidentiality duty** — and ABA Formal Opinion 512 (2024) says it can require the client’s informed consent. A zero-retention contract is a promise; an attestation is proof that privileged material stayed inside the approved boundary.
[Try the citation checker](https://rankshieldlegal.com/ai-legal-citation-checker/) [Request early access](https://rankshieldlegal.com/contact/)

Confidentiality is the oldest duty in the practice, and generative AI puts it under new pressure. The moment a lawyer pastes client facts into a general-purpose model, the material has left the firm’s control — and the firm usually has no way to show a client, a regulator, or opposing counsel what happened to it. The ethical rules have started to catch up, and the practical answer is to isolate privileged material by design and attest that isolation, rather than relying on a vendor’s promise after the fact. This page walks through what the guidance actually says, why the confidentiality duty and evidentiary privilege are two different things you should never let collapse into one, and how a small firm can produce evidence of isolation without standing up an enterprise security program.

## What does ABA Opinion 512 actually say?
**Two different things, kept separate on purpose.** Confidentiality (Model Rule 1.6, the ethical duty Opinion 512 addresses) is not the same as evidentiary privilege (what a court decides). RankShield attests the confidentiality architecture and consent — never a privilege outcome. ABA Formal Opinion 512 (2024) addresses a lawyer’s use of generative AI and treats the confidentiality question under Model Rule 1.6. Its practical thrust is that before inputting information relating to the representation of a client into a self-learning generative AI tool, a lawyer may need the client’s informed consent — and must weigh the duties of competence, confidentiality, and reasonable fees along the way.
It is important to be precise about what that opinion is and is not. Opinion 512 is ethics guidance interpreting the Model Rules of Professional Conduct. It concerns the ethical duty of confidentiality, which is distinct from evidentiary privilege. It does not hold that using AI waives privilege; that is a separate, unsettled legal question that a court, not an ethics committee, would decide. Read carefully, the opinion is a duty map, not a bright-line rule: whether consent is required depends on the tool, the information, and how the tool handles what it receives. A tool that trains on your inputs is treated differently from one that does not, and the analysis turns on the specific facts of the representation rather than on a single yes-or-no answer.
The reason the opinion matters to a small or midsize firm is that it converts a vague sense of unease into concrete obligations you can plan around: understand the tool well enough to advise on it (competence), keep client information inside a boundary you control or have disclosed (confidentiality), and do not let AI efficiency quietly inflate a bill (reasonable fees). Each of those is auditable if you build the workflow to leave a record — and unprovable if you do not.

## What is the difference between confidentiality and privilege — and why keep repeating it?
These two ideas get used interchangeably in hallway conversation, and conflating them is exactly how firms talk themselves into false comfort. They are not the same, and the distinction runs through every honest claim anyone can make about AI and client data.
The duty of confidentiality is an ethical obligation you owe your client under Model Rule 1.6. It is broad — it covers essentially all information relating to the representation, whatever the source — and it is yours to manage through the choices you make about tools, disclosure, and consent. Evidentiary privilege, by contrast, is a rule of evidence that a court applies to decide whether a communication can be compelled in litigation. Privilege is narrower, it can be waived, and whether it survives a given circumstance is decided by a judge under the law of a particular jurisdiction. ABA Opinion 512 speaks to the first. It is not authority about the second.
Why hammer on this? Because a vendor that blurs the line is selling you a guarantee it cannot deliver. No one can promise that entering client information into an AI tool preserves privilege, because that outcome is unsettled and situational. What a well-built system can do is honor the confidentiality duty by design and produce evidence that it did so. When you see the difference clearly, you stop asking technology to answer a legal question and start asking it to do the one thing it can actually do: keep privileged material inside a boundary and leave a checkable trail. For the mechanics of that boundary, see [privilege isolation](https://rankshieldlegal.com/privilege-isolation/).

## What counts as informed consent under Model Rule 1.6?
Informed consent is more than a checkbox. In the AI context it means the client understands, in plain terms, that a generative tool may process information relating to their matter, what that tool does with inputs, and the material risks and benefits — and then agrees. A buried sentence in a fee agreement that no one reads is a weak version of this; a specific, contemporaneous acknowledgment tied to the actual use is a strong one.
Practically, firms are handling consent in a few ways: updating engagement letters to describe AI use in general, capturing matter-specific consent when a particular tool will touch sensitive material, and building a prompt into the workflow so the decision is made before data is entered rather than reconstructed afterward. Which approach fits depends on your practice and your clients — a firm handling routine transactional work may standardize disclosure, while a firm handling sensitive litigation may want consent per matter.
The weakness in every one of these approaches is the same: proof. A signed letter shows the client agreed in principle; it does not show that consent actually preceded a specific interaction with a specific tool. RankShield closes that gap by binding the consent record to the interaction itself, so the evidence is “consent was captured, for this tool, before this input” rather than “there is a clause somewhere in the file.”

## Why is a zero-retention contract a promise and not proof?
A zero-retention or no-train contract is a representation about what a vendor did with your data after it arrived at the model. It presumes the data got there, and it asks the client to trust that the term was honored. That is a reasonable baseline, and firms should negotiate for it. But when a client audit or an outside-counsel guideline asks you to demonstrate confidentiality, a contract clause is an assurance, not evidence — it describes an intended state of the world, not a verified one.
Consider the difference from the client’s side of the table. A no-train agreement tells the client what your vendor committed to. It does not tell them what happened to their specific material in a specific interaction, and it gives them nothing to check independently. If the vendor’s controls failed, misconfigured, or were bypassed, the contract reads exactly the same the day after as the day before. An attestation inverts the burden: instead of asking the client to trust a term, it produces a signed, checkable record that privileged material was withheld, redacted, tokenized, or kept on a local model — never transmitted to a third-party model in retrievable form.
This is not an argument against contracts. Contracts set the terms; attestations produce the evidence. The two are complementary, and a mature posture uses both. What the contract cannot do — and what a client audit increasingly asks for — is show, after the fact, that the boundary held for the interaction in question.

- Myth A no-train clause in our AI vendor contract proves client data stayed confidential. Truth It states an intended term. It does not produce a checkable record that the boundary actually held for a specific interaction.
- Myth ABA Opinion 512 settles whether AI use waives attorney-client privilege. Truth It addresses the ethical confidentiality duty under Model Rule 1.6. Privilege waiver is a separate, unsettled question a court decides.
- Myth If a tool is “enterprise” and “secure,” consent is unnecessary. Truth Opinion 512 ties the need for informed consent to the tool and the information, not to a marketing tier.

## How do you prove isolation instead of promising it?
RankShield Legal binds each AI interaction to four things — a fingerprint of the interaction, the approved tool that handled it, the governing policy, and the client’s informed consent — and signs and seals that attestation to a tamper-evident log. The result is a record a client, an auditor, or opposing counsel can verify without trusting your say-so.
The honest boundary is explicit, and worth stating plainly: this proves the isolation architecture and the consent process functioned, not that a court will ultimately find privilege preserved. The attestation is evidence of what your firm did — how the material was handled, under what policy, with what consent — which is exactly the kind of support a firm wants when a question is later raised. It is not, and cannot be, a ruling on privilege. Anyone who tells you a signature can guarantee a judicial outcome is overselling.
For a small firm answering a client’s AI questionnaire, that verifiable record is the enterprise-grade answer without the enterprise-grade team. You do not need a security committee to produce it; you need a checkpoint that runs at the moment of use and leaves an artifact behind. See [how it works](https://rankshieldlegal.com/how-it-works/) for the end-to-end flow, and [AI tool attestation](https://rankshieldlegal.com/ai-tool-attestation/) for what the signed record contains.

## What are the four ways to keep privileged material out of a third-party model?
**The method is part of the evidence.** The attestation records which of the four isolation methods governed an interaction, so “how was this handled” has a checkable answer rather than a recollection. Isolation is not a single switch; it is a set of methods, chosen per interaction based on what the work actually requires. RankShield supports four, and the right one depends on how much of the client’s material the task genuinely needs to see.

- **Withholding** — the material never enters the tool at all. When a task can be accomplished without the sensitive facts, the strongest isolation is simply not sending them.
- **Redaction** — identifying details are removed before anything is transmitted, so the model works on a scrubbed version and the privileged specifics stay inside the firm.
- **Tokenization** — sensitive values are replaced with non-reversible tokens, so the model can reason about structure and relationships without ever receiving the underlying client data in retrievable form.
- **Local-model processing** — the interaction runs on a model that stays within a controlled boundary, so the material is never handed to a third-party service in the first place.

## What actually goes into an attestation — and what never does?
A reasonable objection to any “we log your AI use” system is that the log itself becomes a new pile of confidential material. RankShield is built to avoid that by design: the records store digests and enumerated values, never client material.
Concretely, the attestation binds an interaction digest — a fingerprint that lets you confirm a specific interaction without revealing its contents — to the approved tool that handled it, the governing policy in force, and the client’s informed consent. It is signed with post-quantum digital signatures (ML-DSA and SLH-DSA) and sealed to an RFC 6962 transparency log, so the record is both tamper-evident and independently verifiable. What it does not contain is the client’s text. There is no privileged passage sitting inside the attestation waiting to leak, because the system was designed to prove that an interaction met the policy without becoming a second copy of the sensitive data.
That design choice matters for the confidentiality duty itself. A verification layer that hoarded client content would multiply your exposure rather than reduce it. By storing digests and enums instead, the attestation can be shared with an auditor or referenced in a client conversation without disclosing anything privileged — the evidence travels, the client’s material stays put.
What the attestation binds What that gives you
Interaction digest Confirm a specific interaction occurred without exposing its contents
Approved tool Show the material was handled by a sanctioned tool, not an ad-hoc one
Governing policy Demonstrate which confidentiality rules were in force at the time
Informed consent Evidence that consent was captured before the input, tied to this interaction
PQ signature + RFC 6962 log Tamper-evident, independently verifiable — no need to trust the firm’s word

## Does putting client information into AI waive attorney-client privilege?
This is the question firms most want a clean answer to, and the honest one is that it is unsettled. Whether disclosing information to a third-party AI service affects privilege is a legal question that turns on the facts, the jurisdiction, and how courts come to treat these tools — and the case law is still developing. No vendor can truthfully promise that AI use does not waive privilege, and you should be wary of any that does.
What can be said is narrower and more useful. Privilege analysis often looks at whether a party took reasonable steps to keep a communication confidential and to limit disclosure. A firm that isolated privileged material by design, restricted it to an approved tool under a stated policy, and captured the client’s informed consent is in a materially stronger position to describe its conduct than a firm relying on an unverified contract term and a recollection. RankShield produces evidence of exactly those steps. It supports your position; it does not decide the question. We describe how isolation works in general terms and do not assert what any court has held, because privilege and waiver case law is genuinely unsettled.

## What we attest, and what a court decides
**The clean division of labor.** We attest isolation and consent — facts about what your firm did. A court decides privilege — a legal conclusion no signature can promise. Keeping those separate is the whole point. Because this is the line that matters most, it deserves its own plain statement. RankShield attests two things and no more: that privileged material was architecturally isolated using an approved method under a governing policy, and that the client’s informed consent was captured and bound to the interaction. Both are matters of fact about what your firm and its tools did, and both are independently verifiable.
What RankShield does not attest — and what no attestation can — is any legal conclusion. Whether privilege is preserved, whether a disclosure was reasonable, whether consent was legally sufficient in a given dispute: those are for a court to decide under the law that governs the matter. The value of the attestation is that when such a question arises, you are not reconstructing events from memory or pointing to a contract clause. You are producing a signed, sealed, time-anchored record of what actually happened. It is the difference between “we believe we handled this correctly” and “here is verifiable evidence of how we handled it.” One is an assurance; the other is evidence a court can check. And to be equally plain about the cryptography: post-quantum signing makes the record quantum-safe, not quantum-proof — it is designed to resist anticipated quantum attacks, not to make any absolute guarantee.

## How should a small firm answer a client’s AI questionnaire?
Client security questionnaires increasingly ask whether outside counsel uses AI and how confidential information is protected when it does. For a firm without a dedicated security function, these can feel like a demand to produce documentation you have never had reason to create.
The workable answer has three parts. First, describe your policy: which tools are approved, how privileged material is isolated, and how consent is handled. Second, point to your contractual baseline — the no-train or zero-retention terms you have negotiated. Third, and this is what most firms cannot yet offer, provide verifiable evidence that the policy was followed in practice: an attestation, per interaction, that isolation and consent occurred, signed and sealed so the client can check it themselves. The first two parts are promises. The third is proof, and it is what turns a nervous questionnaire response into a confident one.
This is also where a small firm can look, to a client, like a much larger one. The evidence is the same evidence a well-resourced firm would produce; it simply comes from a checkpoint you switched on rather than a team you had to hire. See [law firm cybersecurity](https://rankshieldlegal.com/law-firm-cybersecurity/) for how this fits the broader risk map, and [security](https://rankshieldlegal.com/security/) for the underlying controls.

## What does confidential AI use look like day to day?
The controls only matter if they fit the way lawyers actually work, so the workflow is built to run at the moment of use rather than as a separate compliance chore afterward.

- **Decide before you input** At the point of use, the workflow surfaces whether this tool and this information call for informed consent, so the decision is made first — not reconstructed from a file later.
- **Choose the isolation method** Withhold, redact, tokenize, or keep it on a local model, based on what the task genuinely needs. The material that does not need to leave the firm does not leave the firm.
- **Bind consent to the interaction** Where consent is required, it is captured and tied to the specific interaction, so the record shows consent preceded the input for this tool.
- **Sign, seal, and store the evidence** The attestation — digest, approved tool, policy, consent — is signed and sealed to a tamper-evident log, storing digests and enums, never the client’s material.

## Where does this leave a firm that wants to use AI responsibly?
The honest conclusion is neither “avoid AI” nor “trust the vendor.” Generative tools are useful, the professional duties are clear enough to plan around, and the practical gap is proof. ABA Opinion 512 tells you the confidentiality duty is engaged and that informed consent may be required; it does not, and should not be read to, settle the separate question of privilege. Contracts set terms you should negotiate for; they do not produce the evidence a client audit now asks for. The missing piece is a way to isolate privileged material by design and attest that isolation in a form anyone can verify.
That is the narrow, defensible thing RankShield Legal does: it makes confidential AI use provable rather than merely promised, while being explicit about the line it will not cross — it evidences your conduct, and leaves the legal conclusions to the courts that decide them. For the full picture of how the records are generated and checked, see [transparency](https://rankshieldlegal.com/transparency/). None of this is legal advice; it is a description of how a verifiable control works, and how it maps to duties you already carry.

Early access · Law firms
### Prove it, don't promise it
Certify every citation, attest privilege isolation, and seal each result to a log a court or client can verify. Enterprise-grade protection, firm-sized.
[Request early access →](https://rankshieldlegal.com/contact/) [hello@seoeliteagency.com](mailto:hello@seoeliteagency.com)

Ask anything
## Client Confidentiality & AI, answered
The questions law firms ask about client confidentiality & ai, answered directly. **No forms, no sales pitch.**

JAMIE KLONCZ · SEO AGENCY NAPLES ************** ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

← PREV NEXT → [REQUEST ACCESS →](https://rankshieldlegal.com/contact/)

- **Do I need client consent to use AI on their matter?** It depends on the tool and the information. ABA Formal Opinion 512 indicates that inputting information relating to a representation into a self-learning generative AI tool may require the client’s informed consent, alongside duties of competence and confidentiality. It is not a single yes-or-no rule — a tool that trains on your inputs is treated differently from one that does not. Many firms are updating engagement letters and building a consent prompt into the AI workflow so the decision is made before data is entered. RankShield attests that the consent step occurred and binds it to the interaction, so the record is verifiable rather than a note in a file.
- **Does using generative AI waive attorney-client privilege?** That is an unsettled legal question, and no vendor can honestly promise it does not. ABA Opinion 512 addresses the ethical confidentiality duty under Model Rule 1.6, which is distinct from evidentiary privilege — the opinion is not authority that AI use waives privilege. Waiver is decided by a court under the law of the relevant jurisdiction, and the case law is still developing. What RankShield provides is verifiable evidence that privileged material was architecturally isolated and consent was captured. That supports your position and describes what your firm actually did; it is not a guarantee about how a court will rule.
- **What is the difference between confidentiality and privilege here?** Confidentiality is an ethical duty you owe the client under Model Rule 1.6. It is broad, covers information relating to the representation, and is yours to manage through your choices about tools and consent — this is what ABA Opinion 512 addresses. Privilege is a rule of evidence a court applies to decide whether a communication can be compelled; it is narrower and can be waived. The distinction matters because a vendor that blurs it is selling a guarantee it cannot deliver. RankShield attests the confidentiality architecture and consent, never a privilege outcome, because privilege is a legal conclusion no signature can promise.
- **What if my firm already uses an enterprise AI tool with a no-train agreement?** That is a good baseline, and it is still a promise rather than proof. A no-train agreement tells a client what the vendor committed to; an isolation attestation shows what actually happened to their material for a specific interaction. If the vendor’s controls failed or were misconfigured, the contract reads the same afterward as before, because it describes an intended state, not a verified one. The two are complementary — the contract sets the terms, the attestation produces the evidence you can hand to a client or auditor. Keep the agreement, and add the record that makes each interaction checkable.
- **How do you keep the attestation itself from becoming confidential data that could leak?** By design, the records store digests and enumerated values, never client material. The attestation binds an interaction digest — a fingerprint, not the text — to the approved tool, the governing policy, and the captured consent, then signs and seals that to a transparency log. There is no privileged passage sitting inside the record, so it can be shared with an auditor or referenced with a client without disclosing anything sensitive. A verification layer that hoarded client content would multiply your exposure; storing digests and enums instead reduces it. The evidence travels while the client’s material stays inside the firm’s boundary.
- **Which isolation method should I use for a given task?** It depends on how much of the client’s material the task genuinely needs. The four methods are withholding (the material never enters the tool), redaction (identifying details removed first), tokenization (sensitive values replaced with non-reversible tokens), and local-model processing (the interaction stays within a controlled boundary). Withholding is the strongest when the sensitive facts are not needed at all; the others let the model do useful work on structure without receiving privileged specifics in retrievable form. The attestation records which method governed the interaction, so how it was handled has a checkable answer rather than a recollection.
- **Is post-quantum signing a guarantee my records are unbreakable?** No. Post-quantum signing (using ML-DSA and SLH-DSA) makes the attestation quantum-safe, meaning it is designed to resist anticipated quantum attacks — it is not quantum-proof, and no honest vendor claims absolute unbreakability. The point of sealing the record to an RFC 6962 transparency log is tamper-evidence and independent verifiability: a client, auditor, or opposing party can check that the record was not altered without having to trust your firm’s word. That is the durable value — verifiability that holds up over the long confidentiality lifetimes legal records tend to have — rather than any promise of perfect security.

Keep exploring
## Related work
[Platform Privilege Isolation A signed attestation that privileged material stayed inside the approved boundary — bound to informed consent. Explore →](https://rankshieldlegal.com/privilege-isolation/)[Solutions Law Firm Cybersecurity The AI-era risk map for small and midsize firms — and the verifiable controls that answer each risk. Explore →](https://rankshieldlegal.com/law-firm-cybersecurity/)[Platform AI Tool Attestation A single governed checkpoint designed to sit in front of research assistants, drafting copilots, and agentic tools — producing a signed attestation for each AI-assisted action. In development, not shipped. Explore →](https://rankshieldlegal.com/ai-tool-attestation/)
