Can Law Firms Use AI Without Waiving Attorney-Client Privilege?
Yes, law firms can use AI without waiving attorney-client privilege, but only with deliberate boundaries. Privilege and confidentiality are separate duties, and feeding client material into a third-party model can threaten both. The safest path pairs informed client consent with an architecture that isolates privileged data from any self-learning model, and, increasingly, proof that the isolation held.
Privilege and confidentiality are two different things
Attorney-client privilege and the duty of confidentiality are related but distinct, and conflating them causes most AI missteps. Privilege is an evidentiary protection: it can keep certain lawyer-client communications out of court, and it can be waived by disclosure to a third party. Confidentiality is a broader ethical duty under Model Rule 1.6 [4] that covers all information relating to a representation, regardless of whether litigation is involved.
When a lawyer pastes client facts into a public AI chatbot, both duties are in play, but they fail in different ways. The ethical duty of confidentiality is engaged the moment information leaves the firm's control, which is why the ABA grounded its AI guidance in Rule 1.6 [4]. Evidentiary privilege, by contrast, turns on whether a communication qualified for protection and whether disclosure to an outside system waived it. Treating "we used enterprise AI" as if it resolves both questions is a category error. A firm can satisfy one duty while quietly compromising the other, and courts and bar regulators evaluate them on separate tracks.
What US v. Heppner signals about AI and privilege
A 2026 U.S. District Court ruling (S.D.N.Y.), reported as United States v. Heppner, is reported to hold that AI-generated documents are not privileged and not attorney work product [9]. Read narrowly, that reporting suggests a court may decline to extend privilege or work-product protection to material a generative model produced, even when a lawyer prompted it. Treat this as a signal, not settled nationwide law.
The distinction that matters is between a lawyer's protected thinking and an AI system's output. Privilege and work-product doctrine historically shield attorney communications and mental impressions. Reporting on Heppner suggests that machine-generated text may sit outside those protections [9]. If that framing holds and spreads, drafts, memos, and analyses produced by an AI could be discoverable in ways a lawyer's own work would not be. The practical takeaway is caution: one district court's reported ruling is not binding across jurisdictions, and appellate review could reshape it. But firms should not assume that routing work through AI automatically inherits the protections that attach to a lawyer's own hand.
What ABA Opinion 512 actually requires
ABA Formal Opinion 512, issued July 29, 2024, requires lawyers to obtain client informed consent before inputting client information into a self-learning generative AI tool [4]. It is grounded in the Model Rule 1.6 duty of confidentiality, and it makes clear that boilerplate consent buried in an engagement letter is not enough [4]. Consent must be informed and specific to the risk.
The opinion reaches further than consent. It also implicates competence under Model Rule 1.1, meaning lawyers must understand the AI tools they use well enough to judge the risks, and supervision under Rules 5.1 and 5.3, meaning firms must oversee both lawyers and nonlawyer staff who deploy these tools [4]. Crucially, Opinion 512 is an ethical guidance document about the confidentiality duty. It is not a rule about evidentiary privilege waiver, and it does not decide when privilege is lost. A firm can be fully compliant with 512's consent and competence expectations and still face a separate, unresolved question about whether a given disclosure waived privilege in court. Both analyses have to be run.
Why an "enterprise" AI tier is not the same as privilege
An enterprise AI subscription with zero data retention reduces one risk, but it does not, by itself, establish that privilege is preserved. Enterprise contracts and no-training commitments are procurement facts. Privilege is a legal conclusion a court reaches later, based on whether a communication qualified and whether disclosure waived it. The two live on different tracks, and vendors cannot promise the second.
Much of the guidance aimed at large firms stops at "use enterprise-grade tools with zero data retention." That advice is reasonable, but incomplete. It reduces the confidentiality exposure that Opinion 512 targets [4] by limiting where client data flows and whether a model trains on it. It does not resolve the evidentiary question that reporting on Heppner raises [9]. It also leaves a proof gap: a contractual promise is not the same as demonstrable evidence that privileged material never reached a third-party model in retrievable form. When a dispute arises, "the vendor said it wouldn't retain data" is an assertion. Firms increasingly need something they can show, not just something they were told.
A defensible AI-confidentiality setup for a firm
A defensible setup layers people, contracts, and architecture. Start with informed client consent that names the specific AI use, satisfying Opinion 512 rather than relying on engagement-letter boilerplate [4]. Add competence and supervision controls so lawyers understand the tools and firms oversee staff use [4]. Then isolate privileged material architecturally so it never trains a self-learning model, and keep records that show what happened.
Concretely, that means classifying matters so the most sensitive material is walled off from general-purpose AI, using tools with contractual no-training and retention terms, and documenting which model saw which data and when. Competence obligations mean the responsible lawyer should be able to explain, at a basic level, how the tool handles inputs [4]. Supervision means associates and staff operate inside firm policy, not ad hoc [4]. Because Opinion 512 is ethical guidance and one district court's reported holding is not nationwide law [4][9], build for the strict case: assume a court may later scrutinize both whether you preserved confidentiality and whether AI-touched work retains any protection. Design so the answers are defensible in either analysis.
Proving isolation, not just promising it
The gap most guidance leaves open is proof. A firm can consent correctly and buy the right tier and still be unable to demonstrate, after the fact, that privileged material never reached a third-party model in retrievable form. RankShield Legal's RS-211 approach attests to architectural isolation and informed consent, producing cryptographic evidence of how data was handled rather than a promise that it was handled well.
The honest framing matters here. RankShield does not prevent privilege waiver and does not guarantee that privilege is preserved, because waiver is a legal determination a court makes, not a control a vendor can enforce. What it can do is attest that the isolation architecture functioned as designed and that consent was captured, then anchor that record so it can be verified independently later. That converts "the vendor said so" into evidence you can produce. It closes the proof gap that BigLaw guidance stops short of, without overstating what any technology can promise about a court's eventual privilege ruling.
Frequently asked questions
Does ChatGPT have legal privilege?
No. A consumer AI chatbot does not carry attorney-client privilege, and using one can undermine both privilege and the ethical duty of confidentiality. Privilege protects certain communications between a lawyer and client; it is not a property of a software tool. When a lawyer inputs client information into a self-learning generative AI, the ABA's Formal Opinion 512 requires informed client consent first, precisely because that disclosure implicates the Rule 1.6 confidentiality duty [4]. Separately, reporting on United States v. Heppner suggests a court may treat AI-generated documents as not privileged and not work product [9]. The safe assumption is that a public chatbot conversation is not privileged, and that routing client material through one can create both ethical and evidentiary exposure. Treat consumer AI as unprotected by default.
Can using AI tools waive attorney-client privilege?
Potentially, yes. Disclosing a privileged communication to a third party can waive privilege, and sending client material to an outside AI system may qualify as such a disclosure depending on the facts and jurisdiction. This is separate from the ethical confidentiality duty that ABA Opinion 512 addresses through its informed-consent requirement [4]. Reporting on United States v. Heppner also suggests that AI-generated documents may not be privileged or protected as work product in the first place [9]. Because privilege waiver is a legal determination courts make case by case, no vendor can guarantee privilege is preserved. What a firm can do is limit exposure through isolation architecture and consent, and keep verifiable records of how data was handled, so it can make the strongest possible argument if the question is ever litigated.
Do I have to tell my client I used AI?
In many situations, yes. Under ABA Formal Opinion 512, a lawyer must obtain a client's informed consent before inputting that client's information into a self-learning generative AI tool, and generic language in an engagement letter is not sufficient [4]. The consent has to be informed and specific enough that the client understands the risk. The opinion also ties in competence and supervision duties, so the obligation is not just disclosure but understanding the tool and overseeing its use within the firm [4]. Requirements vary because ABA opinions are non-binding guidance that states adopt differently, so check your jurisdiction's rules. As a practical matter, transparent, specific consent both satisfies the ethical duty and builds a defensible record that you handled client information responsibly.
RankShield Legal is a verifiable AI and quantum security platform for law firms: it certifies that cited authorities exist, are quoted accurately, and are good law before a filing is signed, and proves privileged material never reached a third-party AI model in retrievable form. This article is general information, not legal advice; rules vary by jurisdiction and change over time, so consult a licensed attorney about your situation.
References
[4] ABA Standing Committee on Ethics & Prof'l Responsibility. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. https://www.americanbar.org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/
[9] Reporting on United States v. Heppner (S.D.N.Y. 2026). Secondary: https://www.dlapiper.com/en-us/insights/publications/2026/02/are-ai-generated-documents-privileged-key-takeaways-from-heppner