imadethisup.org Retain →
LAW · 2026-06-15

AI tools and attorney-client privilege: keeping confidences confidential

The privilege is the oldest confidence the common law protects. Generative AI gives every lawyer a frictionless way to hand that confidence to a stranger — and the doctrine has not paused to wait for the technology.

~ 8 min read · LAW BUSINESS

The attorney-client privilege protects confidential communications between a lawyer and client made to obtain or provide legal advice. The Supreme Court has called it “the oldest of the privileges for confidential communications known to the common law,” grounded in the idea that sound advice depends on the client being able to speak freely.[1] The work-product doctrine, recognized in Hickman v. Taylor, runs alongside it, shielding the materials a lawyer prepares in anticipation of litigation — and giving heightened protection to a lawyer's mental impressions, conclusions, and legal theories.[2] Both protections share a single load-bearing assumption: that the confidence stays inside the circle.

Generative AI quietly tests that assumption thousands of times a day. When a lawyer or an in-house team pastes a draft contract, a witness memo, or a set of deposition notes into a consumer chatbot to “summarize this” or “tighten this argument,” the confidential material may leave the firm's control entirely — flowing to a third-party provider that stores it, logs it, and in some product tiers uses it to train future models. The legal question is whether that disclosure breaks confidentiality, waives privilege, or both.

The confidentiality duty comes first

Before privilege is ever litigated, the ethics rules impose a broader duty. ABA Model Rule 1.6 bars a lawyer from revealing “information relating to the representation of a client” absent informed consent or a recognized exception, and Rule 1.6(c) requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to,” that information.[3] That duty is far wider than the privilege: it covers all information about the matter, whatever its source, not just confidential lawyer-client communications. A tool that ingests client information can implicate Rule 1.6 even where no privileged communication is involved at all.

The competence rule reinforces the point. Comment 8 to Model Rule 1.1 requires lawyers to keep abreast of “the benefits and risks associated with relevant technology” — the so-called duty of technological competence, now adopted in some form by a large majority of states.[4] Using an AI tool without understanding where the data goes is not a neutral act; it is a competence question.

What ABA Formal Opinion 512 actually says

In July 2024 the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, its first comprehensive guidance on generative AI.[5] On confidentiality the opinion is direct: because the duty under Rule 1.6 attaches to all information relating to the representation, a lawyer must evaluate the risk that a generative-AI tool will disclose or expose that information before inputting it. Self-learning tools that train on user inputs raise a particular hazard — client information fed in today could surface in an output generated for a different user, even an adverse party, tomorrow.[5]

The opinion's practical instructions are worth reading closely. Before entering client information into a tool, a lawyer should understand the tool's terms of use, privacy policy, and data-handling practices; should consider whether the tool retains or trains on inputs; and, critically, may need the client's informed consent — not mere boilerplate — before submitting that client's confidential information to a third-party model. The opinion also flags supervisory duties under Rules 5.1 and 5.3: a firm that adopts AI tools must train and oversee the lawyers and staff who use them.[5]

Confidential client data Rule 1.6 information PRIVILEGE GATE data handling reviewed? no-training / no-retention? informed consent on file? enterprise terms in place? PASS Input permitted confidence preserved FAIL Input blocked waiver / disclosure risk no gate = client confidence leaves the circle
FIG. 1 — A privilege-preservation gate. Client information should clear data-handling, consent, and contractual checks before it ever reaches a third-party model.

The third party as a waiver trigger

Confidentiality and privilege overlap, but they are not the same — and privilege has its own unforgiving logic. The privilege protects only communications kept confidential, and voluntary disclosure to a third party outside the circle of representation generally waives it. That is why courts have repeatedly warned that a corporation cannot manufacture privilege simply by routing material through counsel, and why intermixing legal and business purposes invites a waiver fight in the first place. The same principle cuts the other way when client material is handed to an outside vendor.

A consumer AI provider that stores inputs and reserves the right to use them to improve its products looks, doctrinally, a lot like any other third party. Not every disclosure to a service provider waives the privilege — courts have long recognized that agents who assist the lawyer in rendering legal advice can fall inside the circle, much as Upjohn extended the privilege beyond the corporate control group.[1] But that protection depends on the provider acting as a confidential agent of the representation under terms that keep the information confidential, not as an open-ended data sink. The contractual posture — retention, training rights, sub-processing, breach exposure — is doing the legal work.

Inadvertent disclosure and FRE 502

If confidential material does slip out through an AI tool, Federal Rule of Evidence 502 governs whether the leak waives privilege or work-product protection in federal proceedings. Rule 502(b) provides that an inadvertent disclosure does not operate as a waiver if the holder took reasonable steps to prevent disclosure and promptly took reasonable steps to rectify the error.[6] The phrase that should focus every general counsel's attention is “reasonable steps to prevent.” A firm that lets staff paste privileged documents into a public chatbot with no policy, no vendor diligence, and no training will struggle to show it took reasonable steps — and may forfeit the very protection 502 was written to preserve. Rule 502 is a safety net for accidents, not a cure for carelessness.

What counsel should do now

The doctrine here is not exotic; the discipline is. Several controls protect confidentiality and privilege regardless of which tool a team adopts:

  1. Read the data-handling terms before, not after. Distinguish consumer tiers that train on inputs from enterprise agreements that contractually disable training, limit retention, and bind sub-processors. The contract, not the marketing page, defines the risk — exactly the diligence Formal Opinion 512 contemplates.
  2. Get informed consent where the rules require it. When client confidential information will enter a third-party model, generic engagement-letter boilerplate may not be enough; consider specific, informed client consent and document it.
  3. Write and enforce an AI-use policy. Define which tools are approved, what data may never be entered, and who supervises use under Rules 5.1 and 5.3. A policy on paper plus real training is the record that demonstrates “reasonable steps” under FRE 502(b).
  4. Prefer architectures that keep data in the circle. Self-hosted, zero-retention, or enterprise deployments that do not train on inputs keep the confidence where the privilege requires it. See /war-room for incident-readiness resources.

None of this requires abandoning AI; the competence rule arguably points the other way. It requires treating client confidences with the same care offline and online — recognizing that the easiest button in the interface can be the one that hands the oldest privilege in the common law to a stranger. The durable defense is the same one good practice has always demanded: keep the circle closed, and be able to prove you did.

This article is general educational information about synthetic-media and technology risk, not legal advice. Rules of professional conduct vary by jurisdiction; consult counsel and your governing rules for any specific situation.

Sources

  1. [1]
    Upjohn Co. v. United States, 449 U.S. 383, 389, 394–95 (1981) (attorney-client privilege as “the oldest of the privileges for confidential communications”; rejecting the control-group test for corporations).supreme.justia.com
  2. [2]
    Hickman v. Taylor, 329 U.S. 495, 510–11 (1947) (origin of the work-product doctrine; heightened protection for an attorney's mental impressions and legal theories).supreme.justia.com
  3. [3]
    ABA Model Rule of Professional Conduct 1.6, Confidentiality of Information, including Rule 1.6(c).americanbar.org
  4. [4]
    ABA Model Rule of Professional Conduct 1.1, Competence, Comment 8 (duty to keep abreast of “the benefits and risks associated with relevant technology”; adopted 2012).americanbar.org
  5. [5]
    ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 512, “Generative Artificial Intelligence Tools” (July 29, 2024).americanbar.org
  6. [6]
    Federal Rule of Evidence 502, Attorney-Client Privilege and Work Product; Limitations on Waiver, including Rule 502(b) (inadvertent disclosure). Legal Information Institute, Cornell Law School.law.cornell.edu
More

Keep the circle closed.