Can using a public AI tool waive attorney-client privilege?
Yes, using a public AI tool can waive privilege when the tool receives legal communications under terms that defeat confidentiality. The key facts are whether the user acted independently, whether counsel directed the use, and whether the vendor could retain, train on, or disclose the material.
Federal Rule of Evidence 502 does the waiver mechanics. Rule 502(b) protects an inadvertent disclosure only if the holder took “reasonable steps to prevent disclosure”, and Rule 502(d) lets a court order that a disclosure in the case is not a waiver anywhere else. California's evidentiary analogue pushes in a similar direction. Evidence Code section 912(d) says disclosure does not waive privilege if it was reasonably necessary for the accomplishment of the purpose for which the lawyer ... was consulted. Those phrases explain why vendor architecture now matters so much. A record showing consumer terms, model training, or broad vendor-side access looks very different from a record showing contractual limits, restricted access, and no reuse.
The first 2026 federal case most firms treat as the opening marker is United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026). On the descriptions in the source set, Judge Rakoff held that a defendant's Claude-generated materials were neither privileged nor protected work product after he independently used a consumer AI tool and later sent the results to counsel. The reported reasons were conventional: Claude is not a lawyer; the user lacked a reasonable basis to expect confidentiality; and the materials were not prepared by or at counsel's direction in the way work-product doctrine usually requires.
On one point, the firms are very close to unanimous. Proskauer, Gibson Dunn, Ogletree, and Hinckley Allen all read Heppner as an application of ordinary privilege rules, not as a one-off anti-AI exception. Their common point is that consumer tools with training or disclosure rights are hard to distinguish from any other third party that receives the substance of a legal communication. That is why Proskauer says the case has implications beyond AI itself, including other advisor arrangements where the tool's terms make the vendor a real recipient of the information.
Sources for this answer
Primary law
A.1 Federal Rule of Evidence 502(b)Supports the cited proposition. (Federal Rule of Evidence 502(b))
reasonable steps to prevent disclosure
See Federal Rule of Evidence 502(b).
Primary law
A.2 California Evidence Code § 912(d)Under California Evidence Code § 912(d), a disclosure of a privileged communication does not constitute a waiver of the privilege if the disclosure is made in confidence and is reasonably necessary to accomplish the purpose for which the professional was consulted.
A disclosure in confidence of a communication that is protected by a privilege provided by Section 954 (lawyer-client privilege), 966 (lawyer referral service-client privilege), 994 (physician-patient privilege), 1014 (psychotherapist-patient privilege), 1035.8 (sexual assault counselor-victim privilege), 1037.5 (domestic violence counselor-victim privilege), or 1038 (human trafficking caseworker-victim privilege), when disclosure is reasonably necessary for the accomplishment of the purpose for which the lawyer, lawyer referral service, physician, psychotherapist, sexual assault counselor, domestic violence counselor, or human trafficking caseworker was consulted, is not a waiver of the privilege.
See California Evidence Code § 912(d).
Case law
A.3 United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb....In United States v. Heppner, the court held that inputting information into a generative AI platform constitutes a waiver of attorney-client privilege because the platform is treated as a third party and the user lacks a reasonable expectation of confidentiality.
Heppner had "waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party."
See United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026), discussed in Reuters.
Law-firm commentary
A.4 Proskauer Rose commentaryThe decision in United States v. Heppner underscores that using consumer-grade AI tools to process privileged information may result in a waiver of attorney-client privilege and work-product protections due to the lack of a reasonable expectation of confidentiality and the absence of attorney direction.
disclosure of privileged communications to a third party in circumstances that undermine confidentiality (here, the corporation operating the AI tool) may result in waiver.
See Proskauer Rose, Recent Federal Privilege Ruling Related to AI Tools Has Implications for Routine Tax Advisor Arrangements.
Law-firm commentary
A.5 Gibson Dunn commentaryIn United States v. Heppner, the Southern District of New York held that materials generated through a consumer AI tool by a defendant acting independently were not protected by attorney-client privilege or the work product doctrine due to the lack of a professional relationship, the absence of a reasonable expectation of confidentiality, and the failure to act at the direction of counsel.
the Court concluded that attorney-client privilege protection was unavailable because: (1) the AI tool was not a lawyer and could not establish an attorney-client relationship; (2) there was no expectation of confidentiality
See Gibson Dunn, AI Privilege Waivers: SDNY Rules Against Privilege Protection for Consumer AI Outputs.
Law-firm commentary
A.6 Ogletree Deakins commentaryIn United States v. Heppner, the court held that documents generated by a client using a publicly available, consumer-grade AI tool are not protected by attorney-client privilege or the work product doctrine because the use of such tools without attorney supervision and with terms of service permitting data retention negates the expectation of confidentiality.
A federal judge in New York ruled that documents generated using a publicly available AI tool are not protected by attorney-client privilege or the work product doctrine.
See Ogletree Deakins, The Intersection of AI and Attorney-Client Privilege: A Cautionary Tale.
Case law
A.7 Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...The use of publicly available generative AI platforms to process sensitive legal information can result in a waiver of attorney-client privilege and the loss of work product protection because such interactions lack the requisite attorney-client relationship and reasonable expectation of confidentiality.
the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine.
See Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.
Can AI-assisted litigation drafts still be protected work product?
Often yes, but the work-product argument is separate from privilege and depends on whether the AI-assisted materials stayed within litigation preparation. A bad vendor-confidentiality record can still defeat privilege even when internal drafting materials remain protected.
Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026) points the other way on work product. The court denied a motion to compel AI-assisted drafting materials and treated ChatGPT and similar systems as tools rather than persons for the waiver analysis. That leaves an important split already visible: privilege doctrine asks whether confidentiality survived disclosure to the vendor, while work-product doctrine may sometimes survive if the material remains internal litigation preparation and never reaches an adversary.
The other consensus point is that work product and privilege are no longer moving in lockstep. Heppner is the headline because it denied both. But commentary that reads Heppner together with Warner tends to separate the questions: a bad confidentiality record can defeat privilege, while internal litigation-preparation materials may still have a work-product argument if the record does not show disclosure to an adversary.
Work product may now be easier to preserve than attorney-client privilege in AI-assisted workflows.
Heppnerinvolved a client acting on his own in a consumer system.Warnerinvolved internal drafting materials and a failed motion to compel. Companies using AI inside litigation preparation are therefore exposed on two different axes: whether the vendor received the material under confidentiality-destroying terms, and whether the material was ever exposed beyond internal preparation.Warnermay or may not travel far. It arose in a civil discovery posture and on a record where the court did not treat AI use alone as disclosure to an adversary. Perhaps courts will keep that logic for internal litigation drafting. Perhaps they will limit it once vendor retention, monitoring, or model-improvement rights are more clearly in the record.
Sources for this answer
Case law
B.1 Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2...PDFA pro se litigant is entitled to assert work-product protection over materials, and courts will generally deny motions to compel that seek to discover an opposing party's internal litigation thought processes.
Plaintiff, as a pro se litigant, has a right to assert work product protection over such material.
See Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026).
Law-firm commentary
B.2 Perkins Coie commentaryCourts are applying existing legal frameworks for attorney-client privilege and work product doctrine to generative AI tools, treating them as instruments rather than third-party recipients that automatically waive protections.
The decisions show courts beginning to apply the law of attorney-client privilege and work product doctrine to generative AI and, thus far, viewing the tasks and their outcomes as neither expanding nor contracting the protections long recognized under existing frameworks.
See Perkins Coie, Heppner and Gilbarco: Courts Apply Privilege and Work Product Protection to Generative AI Tools.
Case law
B.3 United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb....In United States v. Heppner, the court held that inputting information into a generative AI platform constitutes a waiver of attorney-client privilege because the platform is treated as a third party and the user lacks a reasonable expectation of confidentiality.
Heppner had "waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party."
See United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026), discussed in Reuters.
Do enterprise AI vendor terms protect privileged legal work?
Enterprise terms do not create privilege on their own, but they can improve the disclosure record. No-training commitments, DPAs, and zero-data-retention endpoints make the vendor look more like infrastructure than a recipient of legal communications.
The legal divide is increasingly between public and contractually bounded systems, not between
AIandnon-AI. OpenAI says it do not use your business data for training our models by default, while Anthropic's October 2025 consumer-terms update reportedly put Free, Pro, and Team usage into model-improvement pathways unless the customer is on a different commercial track. The wordteamon a pricing page is therefore not a privilege fact.No-training promises, DPAs, and zero-data-retention endpoints do not create privilege by themselves. What they do is change the disclosure record. OpenAI's own account of the
New York Timespreservation dispute is telling: data processed under Zero Data Retention could not be preserved because it was not retained on OpenAI's servers after inference. That makes the vendor look more like processing infrastructure and less like a repository of legal communications. The same is true, perhaps, of Azure-style private-tenant deployments with enterprise controls and processor commitments.Fine-tuning remains a harder case than mere inference. If privileged matter becomes part of a tuned model, an opponent could argue that the data has been structurally absorbed into a third party's technical asset even when the instance is ring-fenced. The answer may turn on whether the tuned environment is actually inaccessible to the vendor and whether the tuning is provider-reusable or purely tenant-specific.
Sources for this answer
Vendor documentation
C.1 OpenAI, Enterprise privacyOpenAI provides enterprise customers with ownership and control over their business data, including protections against the use of such data for model training.
We do not train our models on your data by default
See OpenAI, Enterprise privacy.
Vendor documentation
C.2 Anthropic, Updates to our consumer termsAnthropic has updated its consumer terms to provide users with the option to permit the use of their data for model training, which concurrently extends the data retention period for those users to five years.
We’re now giving users the choice to allow their data to be used to improve Claude and strengthen our safeguards against harmful usage like scams and abuse.
See Anthropic, Updates to our consumer terms.
Vendor documentation
C.3 Anthropic Privacy, DPA InformationAnthropic's Data Processing Addendum is automatically incorporated into its Commercial Terms of Service, meaning acceptance of the terms constitutes acceptance of the DPA.
When you accept Anthropic’s Commercial Terms of Service, you also accept our DPA.
See Anthropic Privacy, DPA Information.
Vendor documentation
C.4 OpenAI, Response to NYT data demandsOpenAI contends that the court-ordered indefinite retention of consumer ChatGPT and API data in the New York Times litigation constitutes an overbroad demand that conflicts with established privacy commitments and industry norms.
The New York Times and other plaintiffs have made a sweeping and unnecessary demand in their baseless lawsuit against us: retain consumer ChatGPT and API customer data indefinitely.
See OpenAI, Response to NYT data demands.
Vendor documentation
C.5 Microsoft Learn, Data privacy for Anthropic Claude modelsWhen using Anthropic Claude models via Microsoft Foundry, Anthropic serves as the data processor for model inputs and outputs, while Microsoft's role in managing the underlying infrastructure is governed by the Microsoft Products and Services Data Protection Addendum.
When you transact for Claude in Foundry, you will agree to Anthropic's terms of use and Anthropic (not Microsoft) is the processor of the data.
See Microsoft Learn, Data privacy for Anthropic Claude models.
Vendor documentation
C.6 Microsoft Learn, Azure OpenAI limited accessAccess to certain Azure Direct Models and the ability to modify safety guardrails or abuse monitoring are subject to specific eligibility criteria and contractual terms established by Microsoft.
certain Azure Direct Models (or versions of them) are designated as Limited Access Services, and access and use are subject to eligibility criteria determined by Microsoft.
See Microsoft Learn, Azure OpenAI limited access.
Case law
C.7 Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...The use of publicly available generative AI platforms to process sensitive legal information can result in a waiver of attorney-client privilege and the loss of work product protection because such interactions lack the requisite attorney-client relationship and reasonable expectation of confidentiality.
the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine.
See Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.
Can a counsel-directed AI vendor qualify as a Kovel agent?
Maybe, but no US court has yet settled the theory for a counsel-directed AI deployment. The strongest record treats the vendor as a supervised processor needed for legal work, not as a public service chosen for convenience.
Privilege still begins with confidentiality, not with software labels. United States v. Kovel, 296 F.2d 918 (2d Cir. 1961) remains the main reason some third-party assistance does not destroy privilege: an outside intermediary can fall inside the relationship when the intermediary is needed to help lawyer and client communicate for legal advice. The limiting principle matters just as much. Narrower lines of authority do not protect a consultant merely because the consultant is useful or commercially convenient. That is why AI vendors create a real doctrinal problem. Many are bought for speed, synthesis, or scale rather than for the sort of translation function Kovel originally contemplated.
The more useful disagreement is not over public chat tools. It is over what follows from well-governed enterprise deployments. Hinckley Allen treats private deployments, contractual confidentiality, and express counsel direction as the facts that make an AI workflow legally defensible. Ogletree puts more weight on why the Kovel theory failed in Heppner: the client used the tool on his own, and the tool was not necessary for counsel to understand him. That leaves room for a narrower claim. The better the system looks like a supervised processor and the less it looks like an autonomous public service, the better the privilege record becomes, even if no court has yet endorsed the full theory.
DLA Piper adds a useful comparative caution. Its view is that English legal advice privilege could be even less hospitable than the American Kovel line because English courts may be less willing to treat generative AI as a mere conduit for communication. That does not decide US law, but it does show how much the enterprise-friendly argument still depends on analogy rather than settled doctrine.
- The central doctrinal question is whether a zero-retention, single-tenant, counsel-directed AI deployment can qualify as a
Kovelagent. The argument for yes is functional: the system may do what a paralegal, translator, or e-discovery vendor does at machine scale. The argument against is thatKovelwas built around human intermediaries inside a professional relationship, not commercial software products.
Sources for this answer
Case law
D.1 United States v. Kovel, 296 F.2d 918 (2d Cir. 1961)The attorney-client privilege may extend to communications made to a non-lawyer, such as an accountant, when that person's assistance is necessary for the effective consultation between the client and the lawyer for the purpose of obtaining legal advice.
What is vital to the privilege is that the communication be made in confidence for the purpose of obtaining legal advice from the lawyer.
See United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).
Case law
D.2 Cavallaro v. United States, 284 F.3d 236 (1st Cir. 2002)The attorney-client privilege does not extend to communications with an accountant unless the accountant is necessary to facilitate legal advice, and the common-interest doctrine cannot be used to create a privilege where none exists.
Kovel requires that to sustain a privilege an accountant must be "necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit."
See Cavallaro v. United States, 284 F.3d 236 (1st Cir. 2002).
Case law
D.3 Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...The use of publicly available generative AI platforms to process sensitive legal information can result in a waiver of attorney-client privilege and the loss of work product protection because such interactions lack the requisite attorney-client relationship and reasonable expectation of confidentiality.
the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine.
See Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.
Law-firm commentary
D.4 Ogletree Deakins commentaryIn United States v. Heppner, the court held that documents generated by a client using a publicly available, consumer-grade AI tool are not protected by attorney-client privilege or the work product doctrine because the use of such tools without attorney supervision and with terms of service permitting data retention negates the expectation of confidentiality.
A federal judge in New York ruled that documents generated using a publicly available AI tool are not protected by attorney-client privilege or the work product doctrine.
See Ogletree Deakins, The Intersection of AI and Attorney-Client Privilege: A Cautionary Tale.
Law-firm commentary
D.5 DLA Piper commentaryWhile English law does not recognize AI-generated content as privileged legal advice, it may potentially afford litigation privilege to confidential AI-assisted materials created for the purpose of pending litigation, provided the AI system used maintains confidentiality.
An AI System cannot itself give privileged legal advice – whether in the context of litigation or otherwise; there is no "AI Privilege".
See DLA Piper, US Court Holds Privilege Doesn't Apply to Public AI-Generated Documents.
Commentary
D.6 Harvard Journal of Law & Technology, Against an AI PrivilegeCourts should not recognize a freestanding evidentiary AI privilege because AI systems lack the human relationships, fiduciary duties, and professional accountability structures that are essential prerequisites for established evidentiary privileges.
This Essay argues that—at least under current technological, social, and institutional conditions—any such privilege would be premature, unworkable, and inconsistent with the historically rooted approach to evidentiary privileges.
See Harvard Journal of Law & Technology, Against an AI Privilege.
What AI vendor controls should legal teams require before use?
Legal teams should treat AI controls as privilege safeguards, not just security preferences. Review data use, recording, acceptable-use limits, and shadow-AI pressure before privileged material enters a tool.
The ethics layer is not itself privilege law, but it will likely influence what courts treat as reasonable safeguards. ABA Formal Opinion 512 says lawyers must understand how generative AI tools use data and guard against unwitting or unauthorized disclosure to third parties. It also says boilerplate engagement-letter consent is not enough for generative AI use. New York City Bar Formal Opinion 2025-6 carries the same reasoning into AI recording and summarization of client conversations, where consumer tools can turn an informal conversation into a persistent third-party record outside counsel's custody.
Vendor acceptable-use language matters even on secure platforms. Box says its AI tools are not trained explicitly for legal advice and bars “automated consequential decisions regarding legal matters”. So a system can be enterprise-safe enough for summarization, search, or document organization while still being contractually awkward as a substitute for legal judgment. The stronger the company relies on the output as substantive legal reasoning, the weaker the simple
tool of counselstory may become.Company-wide AI adoption pressure sharpens the privilege question because it increases the value of shadow use controls without changing the doctrine. The more a business treats AI as a baseline productivity layer, the more the worst facts become unsupervised use of consumer tools rather than supervised use of enterprise ones.
Heppneris a litigation case, but the factual pattern it punishes is also the ordinaryshadow AIpattern.Ethics rules could make secure AI use look more ordinary over time. ABA Formal Opinion 512 is already treating vendor review, contractual terms, and tool supervision as part of competent legal practice rather than as exotic exceptions. If that continues, courts may eventually view tightly managed AI vendors more like existing legal-service vendors and less like strangers. We do not think the cases are there yet.
Sources for this answer
Commentary
E.1 American Bar Association, Formal Opinion 512PDFLawyers using generative artificial intelligence must adhere to the ABA Model Rules of Professional Conduct, including duties of competence, confidentiality, communication, and reasonable billing practices.
To ensure clients are protected, lawyers using generative artificial intelligence tools must fully consider their applicable ethical obligations, including their duties to provide competent legal representation, to protect client information, to communicate with clients, to supervise their employees and agents, to advance only meritorious claims and contentions, to ensure candor toward the tribunal, and to charge reasonable fees.
See American Bar Association, Formal Opinion 512.
Commentary
E.2 New York City Bar, Formal Opinion 2025-6Attorneys using AI tools to record, transcribe, or summarize client conversations must obtain client consent, ensure the accuracy of the AI-generated work product, and maintain technological competence regarding the tools employed.
we conclude that clients must be notified, and their consent obtained, whenever their calls are being recorded by an AI-empowered system.
See New York City Bar, Formal Opinion 2025-6.
Commentary
E.3 Box, Box AI Acceptable Use PolicySupports the cited proposition. (Box, Box AI Acceptable Use Policy)
automated consequential decisions regarding legal matters
See Box, Box AI Acceptable Use Policy.
Commentary
E.4 Forrester, What You Can Learn From Shopify's CEO's Memo On Workforce AISuccessful organizational adoption of workforce AI requires executive leadership, structured learning systems that combine formal and social approaches, and realistic expectations regarding the technology's current capacity to augment rather than replace human labor.
Executive leadership is crucial to workforce AI efforts: Demystifying myths (such as “AI will steal my job if I use it”), establishing the benefits to both the organization and to employees, and painting a picture of the future state are all crucial to driving adoption success.
See Forrester, What You Can Learn From Shopify's CEO's Memo On Workforce AI.
Commentary
E.5 Digital Commerce 360, Internal Memo: Shopify CEO Declares AI Non-OptionalShopify has implemented a mandatory corporate policy requiring employees to integrate artificial intelligence into their workflows and performance evaluations.
Artificial intelligence is no longer optional at the ecommerce technology company.
See Digital Commerce 360, Internal Memo: Shopify CEO Declares AI Non-Optional.