Home / Insights / AI restrictions in protective orders: the new e-discovery battleground

AI restrictions in protective orders: the new e-discovery battleground

By Jamie Kloncz, Founder, RankShield · Updated July 14, 2026 · Informational, not legal advice.

Protective orders in federal e-discovery now routinely confront generative AI. In 2026, courts have conditioned AI use on contractual no-training safeguards, deletion capability, and onward-disclosure limits before produced material may touch AI tools, and a District of Colorado decision known as Morgan charted a detailed path on AI, protective orders, and work product. Because federal courts are issuing diverging first-impression rulings, litigants should negotiate explicit AI clauses and be ready to prove compliance after entry [1][2][3]. Protective order AI provisions have become one of the fastest-moving fronts in discovery practice. For decades, the standard stipulated protective order changed little from matter to matter: confidentiality tiers, attorneys’ eyes only designations, clawback terms. Generative AI broke that equilibrium. When a receiving party’s review platform, drafting assistant, or analytics vendor runs on a third-party model, the producing party suddenly has a new question to ask: where does our confidential material go, who retains it, and can it ever come back out? This article walks through why courts are intervening, what the Morgan decision required, where the case law is splitting, which clauses to negotiate, and how to demonstrate compliance once the order is signed.

Why are protective orders suddenly addressing generative AI?

Sidley Austin reported in April 2026 that protective orders have become an emerging point of dispute in discovery, with courts requiring contractual no-training safeguards, deletion capability, and onward-disclosure limits before produced material may touch AI tools [1]. That is a significant shift. Historically, a protective order governed people and paper: who could see designated documents, how they were stored, and what happened at the end of the case. The new disputes are about software supply chains. A single produced document routed through an AI-assisted workflow may pass through a review platform, a hosted model, and one or more sub-processors, each with its own retention behavior.

The producing party’s concern is straightforward: if confidential material is used to train or improve a third-party model, no clawback provision can retrieve it. Deletion at matter end becomes meaningless if the information has already influenced model weights or persists in vendor logs. Courts responding to these disputes are effectively asking the receiving party to prove, contractually and operationally, that the AI pipeline is a closed loop [1]. That is why the fight now happens at the protective order stage, before a single document is produced, rather than after a problem surfaces.

What did the court require in the Morgan case?

Kirkland & Ellis analyzed the leading example in May 2026: a District of Colorado decision, referred to as Morgan, that charted a path on AI, protective orders, and work product in discovery [2]. The court required that AI tools processing confidential discovery material carry three concrete protections: no-training safeguards, so produced material cannot be used to train or improve the underlying models; onward-disclosure limits, so the material does not flow to additional parties or processors beyond those contemplated; and deletion capability, so the material can actually be removed when the obligation to destroy it arises [2].

Morgan matters because it converts abstract anxiety about AI into a checklist a court was willing to enforce. Litigants on both sides can now anchor negotiations to a judicially articulated baseline: if you want AI tools to touch produced documents, come to the table with training, disclosure, and deletion answers. It also signals that courts will engage with the technical architecture of AI vendors rather than treating “no AI” or “any AI” as the only options. A receiving party that can satisfy the Morgan-style conditions has a credible route to using modern tooling; one that cannot may face categorical restrictions.

Where are federal courts diverging on AI, privilege, and work product?

Morgan is not the whole picture. Akin reported in February 2026 that federal courts are issuing diverging first-impression rulings on generative AI in the context of privilege, work product, and protective orders [3]. These are questions of first impression in most districts, which means individual judges are reasoning from analogy, and their analogies differ. The result is a genuinely unsettled landscape: the treatment your AI workflow receives may depend heavily on which courthouse you are standing in, and a favorable ruling in one district is no assurance of the same outcome in the next.

For practitioners, divergence changes strategy in two ways. First, silence is risk. If the case law does not reliably supply an answer on whether AI processing is permissible, waives protection, or requires safeguards, the protective order itself must supply one. Second, precedent from another district is a negotiating aid, not a safety net. Citing Morgan may persuade, but a party that builds its entire AI workflow on the assumption that every court will follow it is making a bet the current case law does not support [2][3]. Negotiated, explicit terms remain the only dependable protection.

Which AI clauses should you negotiate into your next protective order?

The emerging disputes and the Morgan framework point to a concrete negotiating agenda [1][2]. Rather than arguing about AI in the abstract, counsel can propose specific provisions that allocate risk and make compliance testable. The goal is a protective order that permits efficient, modern review while giving the producing party enforceable assurances about where its material can and cannot go. Five clauses recur across the current disputes:

Each clause maps to a failure mode the courts have already confronted: unknown tooling, irreversible training, uncontrolled vendor sprawl, undeletable copies, and unverifiable promises [1][2]. Parties will reasonably disagree on scope, for example whether restrictions cover all AI-assisted tools or only generative models, and on how audit rights are exercised. But a protective order that addresses all five topics, in either direction, is far less likely to generate motion practice later than one that never mentions AI at all.

How do you demonstrate compliance after the order is entered?

Signing the order is the easy part. The operational question arrives months later, when opposing counsel, or the court, asks whether the confidential material produced in the case ever entered a retraining-capable model. A contractual no-training clause tells you what was promised; it does not tell anyone what actually happened inside your workflow. Vendor terms of service, marketing pages, and after-the-fact declarations are representations. If the protective order includes audit or verification rights, the receiving party needs something stronger than assertions: contemporaneous records showing which tool processed which material, under which policy, with what isolation.

This is where verifiable attestation earns its place in litigation workflows. A signed attestation that binds each AI interaction to the approved tool, the governing policy, and the isolation method turns a compliance representation into a verifiable record that can be checked by someone who does not trust your infrastructure. RankShield produces those attestations: signed, independently verifiable evidence that confidential material was architecturally isolated from third-party AI models and handled under informed consent controls. That demonstrates a compliance posture; it does not guarantee how any court will rule, and courts and parties decide what satisfies a given order. But when the question is asked, the firm holding verifiable records is in a categorically better position than the firm holding assurances.

Frequently asked questions

What are protective order AI provisions?

They are clauses in a discovery protective order that govern whether and how produced documents may be processed by generative AI tools. Emerging examples reported by Sidley in April 2026 include contractual no-training safeguards, deletion capability, and onward-disclosure limits that must be in place before produced material may touch AI tools [1]. Because federal courts are issuing diverging first-impression rulings in this area, parties increasingly negotiate these terms explicitly rather than relying on a standard form order [3].

What did the Morgan decision require for AI tools in discovery?

As analyzed by Kirkland & Ellis in May 2026, a District of Colorado decision referred to as Morgan charted a path on AI, protective orders, and work product in discovery. It required that AI tools processing confidential discovery material have no-training safeguards, onward-disclosure limits, and deletion capability [2]. The decision is a useful reference point for negotiations, but it is one court’s ruling; other courts have reached differing first-impression conclusions, so it should not be treated as a national standard [3].

How can a law firm prove compliance with AI restrictions in a protective order?

Contracts and vendor certifications state what should happen; proof requires records of what actually happened. A firm can maintain signed, independently verifiable attestations binding each AI interaction to the approved tool, the governing policy, and the isolation method used. RankShield produces attestations of that kind, demonstrating a compliance posture that architectural isolation and consent controls were in place. Courts and opposing parties ultimately decide what satisfies a particular order, so the attestation is evidence of compliance, not a guarantee of a ruling.

RankShield Legal is a verifiable AI and quantum security platform for law firms: it produces signed, independently verifiable attestations that confidential material was isolated from third-party AI models. This article is general information, not legal advice; consult a licensed attorney about your situation.

References

[1] Sidley. Generative AI in discovery: protective orders as an emerging point of dispute. https://www.sidley.com/en/insights/newsupdates/2026/04/generative-ai-in-discovery-protective-orders-as-an-emerging-point-of-dispute

[2] Kirkland & Ellis. A federal court charts a path on AI, protective orders, and work product in discovery. https://www.kirkland.com/publications/kirkland-alert/2026/05/a-federal-court-charts-a-path-on-ai-protective-orders-and-work-product-in-discovery

[3] Akin. Federal courts issue diverging rulings on generative AI (privilege, work product, protective orders). https://www.akingump.com/en/insights/alerts/federal-courts-issue-diverging-rulings-on-the-use-of-generative-ai-in-the-context-of-privilege-work-product-and-protective-orders

Verify your filings before you sign them.

RankShield Legal certifies that cited authorities exist, are quoted accurately, and are good law before you file, and proves privileged material never reached a third-party AI model. Request early access to the legal pillar of the RankShield Network.

Request early access