# Privilege risk when legal teams use external AI vendors[^about] Privilege risks when legal teams use external AI vendors, including public tools, work product, enterprise terms, Kovel agents, and controls. ## Can using a public AI tool waive attorney-client privilege? {#public-ai-tool-privilege-waiver} **Short answer.** Yes, using a public AI tool can waive privilege when the tool receives legal communications under terms that defeat confidentiality. The key facts are whether the user acted independently, whether counsel directed the use, and whether the vendor could retain, train on, or disclose the material. Federal Rule of Evidence 502 does the waiver mechanics. Rule 502(b) protects an inadvertent disclosure only if the holder took "reasonable steps to prevent disclosure"[^federal-rule-of-evidence-502-b], and Rule 502(d) lets a court order that a disclosure in the case is not a waiver anywhere else. [^federal-rule-of-evidence-502-b] California's evidentiary analogue pushes in a similar direction. Evidence Code section 912(d) says disclosure does not waive privilege if it was reasonably necessary for the accomplishment of the purpose for which the lawyer ... was consulted. [^california-evidence-code-912-d] Those phrases explain why vendor architecture now matters so much. A record showing consumer terms, model training, or broad vendor-side access looks very different from a record showing contractual limits, restricted access, and no reuse. The first 2026 federal case most firms treat as the opening marker is `United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026)`. On the descriptions in the source set, Judge Rakoff held that a defendant's Claude-generated materials were neither privileged nor protected work product after he independently used a consumer AI tool and later sent the results to counsel. [^united-states-v-heppner-no-25-cr-503-jsr-2026-wl][^proskauer-rose-recent-federal-privilege-ruling-r][^gibson-dunn-ai-privilege-waivers-sdny-rules-agai] The reported reasons were conventional: Claude is not a lawyer; the user lacked a reasonable basis to expect confidentiality; and the materials were not prepared by or at counsel's direction in the way work-product doctrine usually requires. [^gibson-dunn-ai-privilege-waivers-sdny-rules-agai][^proskauer-rose-recent-federal-privilege-ruling-r] On one point, the firms are very close to unanimous. Proskauer, Gibson Dunn, Ogletree, and Hinckley Allen all read `Heppner` as an application of ordinary privilege rules, not as a one-off anti-AI exception. [^proskauer-rose-recent-federal-privilege-ruling-r][^gibson-dunn-ai-privilege-waivers-sdny-rules-agai][^ogletree-deakins-the-intersection-of-ai-and-atto][^hinckley-allen-ai-platforms-and-the-risk-of-priv] Their common point is that consumer tools with training or disclosure rights are hard to distinguish from any other third party that receives the substance of a legal communication. That is why Proskauer says the case has implications beyond AI itself, including other advisor arrangements where the tool's terms make the vendor a real recipient of the information. [^proskauer-rose-recent-federal-privilege-ruling-r] ## Can AI-assisted litigation drafts still be protected work product? {#ai-litigation-draft-work-product} **Short answer.** Often yes, but the work-product argument is separate from privilege and depends on whether the AI-assisted materials stayed within litigation preparation. A bad vendor-confidentiality record can still defeat privilege even when internal drafting materials remain protected. `Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026)` points the other way on work product. The court denied a motion to compel AI-assisted drafting materials and treated ChatGPT and similar systems as tools rather than persons for the waiver analysis. [^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233] That leaves an important split already visible: privilege doctrine asks whether confidentiality survived disclosure to the vendor, while work-product doctrine may sometimes survive if the material remains internal litigation preparation and never reaches an adversary. [^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233] The other consensus point is that work product and privilege are no longer moving in lockstep. `Heppner` is the headline because it denied both. But commentary that reads `Heppner` together with `Warner` tends to separate the questions: a bad confidentiality record can defeat privilege, while internal litigation-preparation materials may still have a work-product argument if the record does not show disclosure to an adversary. [^perkins-coie-heppner-and-gilbarco-courts-apply-p][^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233] - Work product may now be easier to preserve than attorney-client privilege in AI-assisted workflows. `Heppner` involved a client acting on his own in a consumer system. `Warner` involved internal drafting materials and a failed motion to compel. Companies using AI inside litigation preparation are therefore exposed on two different axes: whether the vendor received the material under confidentiality-destroying terms, and whether the material was ever exposed beyond internal preparation. [^united-states-v-heppner-no-25-cr-503-jsr-2026-wl-2][^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233] - `Warner` may or may not travel far. It arose in a civil discovery posture and on a record where the court did not treat AI use alone as disclosure to an adversary. [^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233] Perhaps courts will keep that logic for internal litigation drafting. Perhaps they will limit it once vendor retention, monitoring, or model-improvement rights are more clearly in the record. ## Do enterprise AI vendor terms protect privileged legal work? {#enterprise-ai-vendor-terms-privilege} **Short answer.** Enterprise terms do not create privilege on their own, but they can improve the disclosure record. No-training commitments, DPAs, and zero-data-retention endpoints make the vendor look more like infrastructure than a recipient of legal communications. - The legal divide is increasingly between public and contractually bounded systems, not between `AI` and `non-AI`. OpenAI says it do not use your business data for training our models by default, while Anthropic's October 2025 consumer-terms update reportedly put Free, Pro, and Team usage into model-improvement pathways unless the customer is on a different commercial track. [^openai-enterprise-privacy][^anthropic-updates-to-our-consumer-terms][^anthropic-privacy-dpa-information] The word `team` on a pricing page is therefore not a privilege fact. - No-training promises, DPAs, and zero-data-retention endpoints do not create privilege by themselves. What they do is change the disclosure record. OpenAI's own account of the `New York Times` preservation dispute is telling: data processed under Zero Data Retention could not be preserved because it was not retained on OpenAI's servers after inference. [^openai-response-to-nyt-data-demands] That makes the vendor look more like processing infrastructure and less like a repository of legal communications. The same is true, perhaps, of Azure-style private-tenant deployments with enterprise controls and processor commitments. [^microsoft-learn-data-privacy-for-anthropic-claud][^microsoft-learn-azure-openai-limited-access] - Fine-tuning remains a harder case than mere inference. If privileged matter becomes part of a tuned model, an opponent could argue that the data has been structurally absorbed into a third party's technical asset even when the instance is ring-fenced. The answer may turn on whether the tuned environment is actually inaccessible to the vendor and whether the tuning is provider-reusable or purely tenant-specific. [^hinckley-allen-ai-platforms-and-the-risk-of-priv-2][^openai-enterprise-privacy][^anthropic-privacy-dpa-information] ## Can a counsel-directed AI vendor qualify as a Kovel agent? {#counsel-directed-ai-kovel-agent} **Short answer.** Maybe, but no US court has yet settled the theory for a counsel-directed AI deployment. The strongest record treats the vendor as a supervised processor needed for legal work, not as a public service chosen for convenience. Privilege still begins with confidentiality, not with software labels. `United States v. Kovel, 296 F.2d 918 (2d Cir. 1961)` remains the main reason some third-party assistance does not destroy privilege: an outside intermediary can fall inside the relationship when the intermediary is needed to help lawyer and client communicate for legal advice. [^united-states-v-kovel-296-f-2d-918-2d-cir-1961] The limiting principle matters just as much. Narrower lines of authority do not protect a consultant merely because the consultant is useful or commercially convenient. [^cavallaro-v-united-states-284-f-3d-236-1st-cir-2] That is why AI vendors create a real doctrinal problem. Many are bought for speed, synthesis, or scale rather than for the sort of translation function `Kovel` originally contemplated. The more useful disagreement is not over public chat tools. It is over what follows from well-governed enterprise deployments. Hinckley Allen treats private deployments, contractual confidentiality, and express counsel direction as the facts that make an AI workflow legally defensible. [^hinckley-allen-ai-platforms-and-the-risk-of-priv-3] Ogletree puts more weight on why the `Kovel` theory failed in `Heppner`: the client used the tool on his own, and the tool was not necessary for counsel to understand him. [^ogletree-deakins-the-intersection-of-ai-and-atto-2] That leaves room for a narrower claim. The better the system looks like a supervised processor and the less it looks like an autonomous public service, the better the privilege record becomes, even if no court has yet endorsed the full theory. DLA Piper adds a useful comparative caution. Its view is that English legal advice privilege could be even less hospitable than the American `Kovel` line because English courts may be less willing to treat generative AI as a mere conduit for communication. [^dla-piper-us-court-holds-privilege-doesn-t-apply] That does not decide US law, but it does show how much the enterprise-friendly argument still depends on analogy rather than settled doctrine. - ## What AI vendor controls should legal teams require before use? {#legal-team-ai-vendor-controls} **Short answer.** Legal teams should treat AI controls as privilege safeguards, not just security preferences. Review data use, recording, acceptable-use limits, and shadow-AI pressure before privileged material enters a tool. The ethics layer is not itself privilege law, but it will likely influence what courts treat as reasonable safeguards. ABA Formal Opinion 512 says lawyers must understand how generative AI tools use data and guard against unwitting or unauthorized disclosure to third parties. [^american-bar-association-formal-opinion-512] It also says boilerplate engagement-letter consent is not enough for generative AI use. [^american-bar-association-formal-opinion-512] New York City Bar Formal Opinion 2025-6 carries the same reasoning into AI recording and summarization of client conversations, where consumer tools can turn an informal conversation into a persistent third-party record outside counsel's custody. [^new-york-city-bar-formal-opinion-2025-6] - Vendor acceptable-use language matters even on secure platforms. Box says its AI tools are not trained explicitly for legal advice and bars "automated consequential decisions regarding legal matters"[^box-box-ai-acceptable-use-policy]. [^box-box-ai-acceptable-use-policy] So a system can be enterprise-safe enough for summarization, search, or document organization while still being contractually awkward as a substitute for legal judgment. The stronger the company relies on the output as substantive legal reasoning, the weaker the simple `tool of counsel` story may become. - Company-wide AI adoption pressure sharpens the privilege question because it increases the value of shadow use controls without changing the doctrine. The more a business treats AI as a baseline productivity layer, the more the worst facts become unsupervised use of consumer tools rather than supervised use of enterprise ones. [^forrester-what-you-can-learn-from-shopify-s-ceo][^digital-commerce-360-internal-memo-shopify-ceo-d] `Heppner` is a litigation case, but the factual pattern it punishes is also the ordinary `shadow AI` pattern. - Ethics rules could make secure AI use look more ordinary over time. ABA Formal Opinion 512 is already treating vendor review, contractual terms, and tool supervision as part of competent legal practice rather than as exotic exceptions. [^american-bar-association-formal-opinion-512] If that continues, courts may eventually view tightly managed AI vendors more like existing legal-service vendors and less like strangers. We do not think the cases are there yet. [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-04-20. License: CC BY 4.0. Steven Obiajulu, J.D. edits this topic article for Federal + multi-state coverage. It synthesizes legal sources and is not legal advice. This article is for informational purposes only and does not create an attorney-client relationship. [^federal-rule-of-evidence-502-b]: **Federal Rule of Evidence 502(b)** — "reasonable steps to prevent disclosure" *Federal Rule of Evidence 502(b).* [^california-evidence-code-912-d]: **California Evidence Code § 912(d)** — "A disclosure in confidence of a communication that is protected by a privilege provided by Section 954 (lawyer-client privilege), 966 (lawyer referral service-client privilege), 994 (physician-patient privilege), 1014 (psychotherapist-patient privilege), 1035.8 (sexual assault counselor-victim privilege), 1037.5 (domestic violence counselor-victim privilege), or 1038 (human trafficking caseworker-victim privilege), when disclosure is reasonably necessary for the accomplishment of the purpose for which the lawyer, lawyer referral service, physician, psychotherapist, sexual assault counselor, domestic violence counselor, or human trafficking caseworker was consulted, is not a waiver of the privilege." *California Evidence Code § 912(d).* [^united-states-v-heppner-no-25-cr-503-jsr-2026-wl]: **United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb....** — "Heppner had ‘waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party.’" *United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026), discussed in Reuters.* [^proskauer-rose-recent-federal-privilege-ruling-r]: **Proskauer Rose commentary** — "disclosure of privileged communications to a third party in circumstances that undermine confidentiality (here, the corporation operating the AI tool) may result in waiver." *Proskauer Rose, Recent Federal Privilege Ruling Related to AI Tools Has Implications for Routine Tax Advisor Arrangements.* [^gibson-dunn-ai-privilege-waivers-sdny-rules-agai]: **Gibson Dunn commentary** — "the Court concluded that attorney-client privilege protection was unavailable because: (1) the AI tool was not a lawyer and could not establish an attorney-client relationship; (2) there was no expectation of confidentiality" *Gibson Dunn, AI Privilege Waivers: SDNY Rules Against Privilege Protection for Consumer AI Outputs.* [^ogletree-deakins-the-intersection-of-ai-and-atto]: **Ogletree Deakins commentary** — "A federal judge in New York ruled that documents generated using a publicly available AI tool are not protected by attorney-client privilege or the work product doctrine." *Ogletree Deakins, The Intersection of AI and Attorney-Client Privilege: A Cautionary Tale.* [^hinckley-allen-ai-platforms-and-the-risk-of-priv]: **Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...** — "the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine." *Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.* [^warner-v-gilbarco-inc-et-al-case-no-2-24-cv-1233]: **Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2...** — "Plaintiff, as a pro se litigant, has a right to assert work product protection over such material." *Warner v. Gilbarco Inc. et al., Case No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026).* [^perkins-coie-heppner-and-gilbarco-courts-apply-p]: **Perkins Coie commentary** — "The decisions show courts beginning to apply the law of attorney-client privilege and work product doctrine to generative AI and, thus far, viewing the tasks and their outcomes as neither expanding nor contracting the protections long recognized under existing frameworks." *Perkins Coie, Heppner and Gilbarco: Courts Apply Privilege and Work Product Protection to Generative AI Tools.* [^united-states-v-heppner-no-25-cr-503-jsr-2026-wl-2]: **United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb....** — "Heppner had ‘waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party.’" *United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026), discussed in Reuters.* [^openai-enterprise-privacy]: **OpenAI, Enterprise privacy** — "We do not train our models on your data by default" *OpenAI, Enterprise privacy.* [^anthropic-updates-to-our-consumer-terms]: **Anthropic, Updates to our consumer terms** — "We’re now giving users the choice to allow their data to be used to improve Claude and strengthen our safeguards against harmful usage like scams and abuse." *Anthropic, Updates to our consumer terms.* [^anthropic-privacy-dpa-information]: **Anthropic Privacy, DPA Information** — "When you accept Anthropic’s Commercial Terms of Service, you also accept our DPA." *Anthropic Privacy, DPA Information.* [^openai-response-to-nyt-data-demands]: **OpenAI, Response to NYT data demands** — "The New York Times and other plaintiffs have made a sweeping and unnecessary demand in their baseless lawsuit against us: retain consumer ChatGPT and API customer data indefinitely." *OpenAI, Response to NYT data demands.* [^microsoft-learn-data-privacy-for-anthropic-claud]: **Microsoft Learn, Data privacy for Anthropic Claude models** — "When you transact for Claude in Foundry, you will agree to Anthropic's terms of use and Anthropic (not Microsoft) is the processor of the data." *Microsoft Learn, Data privacy for Anthropic Claude models.* [^microsoft-learn-azure-openai-limited-access]: **Microsoft Learn, Azure OpenAI limited access** — "certain Azure Direct Models (or versions of them) are designated as Limited Access Services, and access and use are subject to eligibility criteria determined by Microsoft." *Microsoft Learn, Azure OpenAI limited access.* [^hinckley-allen-ai-platforms-and-the-risk-of-priv-2]: **Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...** — "the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine." *Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.* [^united-states-v-kovel-296-f-2d-918-2d-cir-1961]: **United States v. Kovel, 296 F.2d 918 (2d Cir. 1961)** — "What is vital to the privilege is that the communication be made in confidence for the purpose of obtaining legal advice from the lawyer." *United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).* [^cavallaro-v-united-states-284-f-3d-236-1st-cir-2]: **Cavallaro v. United States, 284 F.3d 236 (1st Cir. 2002)** — "Kovel requires that to sustain a privilege an accountant must be ‘necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit.’" *Cavallaro v. United States, 284 F.3d 236 (1st Cir. 2002).* [^hinckley-allen-ai-platforms-and-the-risk-of-priv-3]: **Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lesso...** — "the court ruled that a defendant’s written exchanges with the publicly accessible generative AI platform Claude are not protected by either the attorney-client privilege or the work product doctrine." *Hinckley Allen, AI Platforms and the Risk of Privilege Waiver: Critical Lessons from United States v. Heppner.* [^ogletree-deakins-the-intersection-of-ai-and-atto-2]: **Ogletree Deakins commentary** — "A federal judge in New York ruled that documents generated using a publicly available AI tool are not protected by attorney-client privilege or the work product doctrine." *Ogletree Deakins, The Intersection of AI and Attorney-Client Privilege: A Cautionary Tale.* [^dla-piper-us-court-holds-privilege-doesn-t-apply]: **DLA Piper commentary** — "An AI System cannot itself give privileged legal advice – whether in the context of litigation or otherwise; there is no ‘AI Privilege’." *DLA Piper, US Court Holds Privilege Doesn't Apply to Public AI-Generated Documents.* [^american-bar-association-formal-opinion-512]: **American Bar Association, Formal Opinion 512** — "To ensure clients are protected, lawyers using generative artificial intelligence tools must fully consider their applicable ethical obligations, including their duties to provide competent legal representation, to protect client information, to communicate with clients, to supervise their employees and agents, to advance only meritorious claims and contentions, to ensure candor toward the tribunal, and to charge reasonable fees." *American Bar Association, Formal Opinion 512.* [^new-york-city-bar-formal-opinion-2025-6]: **New York City Bar, Formal Opinion 2025-6** — "we conclude that clients must be notified, and their consent obtained, whenever their calls are being recorded by an AI-empowered system." *New York City Bar, Formal Opinion 2025-6.* [^box-box-ai-acceptable-use-policy]: **Box, Box AI Acceptable Use Policy** — "automated consequential decisions regarding legal matters" *Box, Box AI Acceptable Use Policy.* [^forrester-what-you-can-learn-from-shopify-s-ceo]: **Forrester, What You Can Learn From Shopify's CEO's Memo On Workforce AI** — "Executive leadership is crucial to workforce AI efforts: Demystifying myths (such as ‘AI will steal my job if I use it’), establishing the benefits to both the organization and to employees, and painting a picture of the future state are all crucial to driving adoption success." *Forrester, What You Can Learn From Shopify's CEO's Memo On Workforce AI.* [^digital-commerce-360-internal-memo-shopify-ceo-d]: **Digital Commerce 360, Internal Memo: Shopify CEO Declares AI Non-Optional** — "Artificial intelligence is no longer optional at the ecommerce technology company." *Digital Commerce 360, Internal Memo: Shopify CEO Declares AI Non-Optional.*