Trial lawyers really have little choice; they must adapt to the changing technology environment or fall behind. But recent court guidance reveals that in important areas, old rules still apply to new challenges posed by using artificial intelligence, even if the adequacy of old rules is debatable.  So far, courts are not creating a special AI privilege; instead, they are applying old doctrines to new tools. The practical lesson is that courts are applying ordinary privilege and discovery rules and common confidentiality and privacy protections rather than creating special AI rules.

Privilege and Attorney Work Product Issues

The two most useful recent decisions on attorney-client privilege and attorney work product issues are United States v. Heppner and Warner v. Gilbarco. These cases (and prior AI-testing cases like Tremblay v. OpenAI and Concord Music Group v. Anthropic) illustrate how courts treat prompts, outputs, and logs under ordinary privilege and work-product rules. The main takeaway is that AI use is not privileged by default; protection turns on confidentiality, counsel direction, purpose, and whether the material reveals litigation strategy.

Heppner: Public AI Tools and the Attorney-Client Privilege

In United States v. Heppner, 2026 WL 436479 (S.D.N.Y. April 6, 2026), the District Court held that a criminal defendant’s exchanges with a publicly available AI tool did not qualify as attorney-client privileged communications and did not constitute work product because:

  1. the tool functioned as a third-party platform
  2. Heppner did not create the materials at counsel’s direction
  3. later sharing the AI output with counsel did not retroactively create protection

The FBI executed a search warrant and seized a number of documents and electronic devices. The documents included 31 communications Heppner had with Claude (a generative AI platform), including “prepared reports that outlined defense strategy” and potential arguments against anticipated indictment charges.

Heppner asserted privilege and work product objections, urging that his inputs into Claude were shaped by communications from his attorney, served to facilitate discussions with his attorney, and subsequently shared with counsel for advice. The Court rejected each assertion under traditional privilege and work product rules.

First, the court held that no attorney-client relationship could exist between an AI user and an AI platform. Second, Heppner had no expectation of privacy because Claude’s terms and conditions for use anticipate disclosure to third parties, including for training the platform and in response to subpoenas. Finally, no attorney participated with Claude at the time of the interaction. Claude itself disclaims provision of any legal advice: “I’m not a lawyer and can’t provide formal legal advice or recommendations… [users] should consult with a qualified attorney who can properly assess your specific circumstances.” The queries were not made at the direction of an attorney. The court also rejected work product protection because the inquiries were not made at the behest of counsel.

Warner: AI as a Drafting Tool and Preserved Work Product

Warner v. Gilbarco, 2026 WL 373403 (E.D. Mich February 10, 2026), points in the opposite direction while considering work product protection for AI information. There, the District Court denied discovery into a pro se litigant’s ChatGPT use, holding that AI-assisted internal analysis and drafting were protected work product and that using ChatGPT did not waive protection absent disclosure to an adversary.

The discovery request sought “all documents and information concerning her use of third-party AI tools in connection with this lawsuit.” The Court acknowledged that disclosures to a third party may result in waiver of the attorney-client privilege, but it noted that the disclosure must be to the adversary or likely to get into the hands of the adversary to waive work product protection.

ChatGPT is a tool, not a person to whom such a disclosure could be made, and the Court noted the requests at issue sought mental impressions, rather than any existing document. Warner is important because it suggests courts may protect AI-assisted litigation preparation when the AI  functions more like a drafting aid than a repository of waived confidential communications.

Morgan: Reconciling Heppner and Warner

Morgan v. V2X, Inc., 2026 U.S. Dist. LEXIS 67939 (D. Col. March 30, 2026), noted the tension between Heppner and Warner. It did, however, distinguish their application based on whether federal criminal or civil discovery rules applied and emphasized that there was no gap between the Heppner’s inquiry and his disclosure to his attorney. Warner was a pro se case, and a pro se party is entitled to work product protection. The Court stressed that mental impressions, opinions, and theories of pro se parties are protected, and that “condition[ing] work product protection over AI materials on the involvement of counsel finds no support in the rule’s text and would further disadvantage unrepresented litigants.” *9, citing Fed. R. Civ. P. 26(b)(3). As to waiver, the Court noted that “nearly all electronic interaction passes through third-party systems.” The mere fact that an intermediary may hold information does not eliminate a reasonable expectation of privacy.

Tremblay and Concord: Prompt Discovery

Many of the other litigated cases focus on the content and use of AI prompts. Tremblay v. OpenAI, 2025 WL 729682 (N.D. Cal. February 27, 2025), is the leading prompt-discovery case for lawyers. The Court held that attorney-written prompts used for litigation-related testing could be opinion work product because they reflected counsel’s mental impressions and strategy, while also finding waiver as to certain prompts and outputs that plaintiffs affirmatively put at issue in their pleading. Tremblay is especially useful for explaining why selective use of prompts both can protect and expose them depending on how they are deployed.

Concord Music Group v. Anthropic, 2025 U.S. Dist. LEXIS 201671(N.D. Cal. October 12, 2025), reinforces the same theme. The court treated investigative prompts and related outputs as protected work product, but the later waiver analysis turned on what the party had put at issue and what had been disclosed. Together with Tremblay, it shows that prompt content can be protected but not if counsel uses it selectively and then relies on it in a way that opens the door to broader discovery.

Discovery Protective Measures for AI Prompts

The practical discovery issue is that prompts are usually treated as ESI, so ordinary relevance and proportionality principles still apply. Courts are skeptical of broad fishing expeditions into AI use unless the requesting party can tie the request to specific claims or defenses. At the same time, if a prompt contains counsel’s strategic thinking, it may qualify as work product, especially opinion work product.

The second issue is waiver. If a prompt is entered into a public or consumer AI tool with weak confidentiality terms, the argument for privilege becomes much harder. If the prompt is later shared with counsel, that doesn’t necessarily cure the problem because privilege generally depends on whether the original communication was confidential. Work-product waiver is usually narrower but can still happen if the material is disclosed in a way that substantially increases the chance it reaches an adversary.

Counsel can anticipate GenAI discovery issues in the development of appropriate ESI protocols and protective order agreements. The Morgan case includes an interesting discussion of competing protective order provisions and the Court’s imposition of the following terms:

No party or authorized recipient may input, upload, or submit CONFIDENTIAL Information into any modern artificial intelligence platform, including any generative, analytical, or larger language model based tool (“AI”), unless the AI provider is contractually prohibited from: (1) storing or using inputs to train or improve its model; and (2) disclosing inputs to any third party except where such disclosure is essential to facilitating delivery of the service. Where disclosure to a third party is essential to the service delivery, any such third party shall be bound by obligations no less protective than those required by this Order. In addition, the AI provider must contractually afford the party or authorized recipient the ability to remove or delete all CONFIDENTIAL information upon request. A party intending to use AI that it contends meets these requirements must retain written documentation of these contractual provisions.

Guidance for Protection from Disclosure

GenAI terms can either support or undermine privilege because they determine whether the platform looks like a protected vendor or a third-party disclosure. In practice, litigators should assume that a public chatbot with broad data-use rights creates real waiver risk. An enterprise tool with strict confidentiality terms is a better option.

Public Platforms versus Enterprise Tools

Courts treat public GenAI systems as third-party tools, not as lawyer or client confidants. The platform’s terms and privacy settings can be decisive in a waiver analysis. In Heppner, the court emphasized that sharing information with a consumer AI platform could waive privilege because the disclosure was to a third party, and later sharing with counsel did not undo that disclosure. The precise terms of an AI platform’s data-handling terms are not just a procurement issue; they may be determinative of privilege issues.

Enterprise Agreements and the Vendor-As-Agent Argument

Enterprise agreements with contractual confidentiality obligations, zero- or limited-retention terms, and non-training commitments support arguments that the platform is a secure vendor (agent) rather than a public third party. Courts and commentators also point to access controls, encryption, audit rights, and data residency as relevant facts when evaluating whether confidentiality was reasonably preserved. Those protections don’t guarantee privilege, but they materially improve the position that the communication remained confidential.

A privilege-supportive agreement should say the provider:

  • won’t use prompts or uploads to train or improve models
  • won’t disclose inputs to third parties
  • will retain data only for a short, defined period or not at all
  • will limit human access to narrow support or security purposes
  • will maintain confidentiality and security controls that align with professional-duty obligations.

Conversely, risk increases when lawyers or their clients use public, consumer platforms that allow the provider to store, reuse, or train on prompts and uploads. That kind of use can look like voluntary disclosure outside the privileged relationship, especially if the prompt includes client facts, draft arguments, or attorney analysis. Even if the output is never shared externally, the initial disclosure may be enough to trigger waiver arguments under ordinary privilege doctrine.

Client Data and Privacy Concerns

Effective Anonymization for Litigation Prompts

The safest way to anonymize client data for GenAI prompts is to remove direct identifiers, generalize unusual or idiosyncratic details, and preserve only the facts the model needs. Simply substituting different names is usually not enough; effective anonymization usually requires masking, tokenization, or contextual substitution so the prompt still makes sense without revealing the client or matter. A useful rule: if the prompt would still identify the client, the matter, or counsel’s strategy if leaked, it is not anonymized enough. For litigation work, aim for “minimum necessary facts,” not just “different names.”

Anonymization should preserve the relationships the model needs, not just the labels. For example, keep role relationships intact. “Employee,” “vendor,” “insurer,” and “contractor” may matter more than the names themselves. The goal is to keep the prompt intelligible enough for the task while eliminating anything that can identify the client or matter. Suggested guidelines include:

Strip out:

  • client names, opposing parties, witnesses, and employees
  • exact dates, locations, account numbers, emails, phone numbers, and docket numbers
  • unusual facts that could identify the matter even if names are removed
  • any facts that would let the model infer the client’s identity from context
  • case caption, venue, product names, and distinctive events and replace with neutral placeholders or broader categories

The strongest data masking approaches are:

  • Generalization: Replace “April 17, 2024” with “spring 2024,” or “Chicago office” with “Midwest office.”
  • Tokenization: Replace “Acme Corp.” with “Client A” and keep a secure mapping outside the model.
  • Context-preserving substitution: Use realistic but fictitious values so the prompt still works for analysis or drafting.
  • Redaction plus reconstruction: Remove sensitive details before submission, then restore them internally after you get the output.

Key Privacy Risks in AI-Assisted Litigation

Litigants need to address five main privacy risks:

  1. unauthorized disclosure of client confidences
  2. overbroad collection of personal data
  3. insecure sharing with vendors or GenAI tools
  4. cross-border or third-party access to case data
  5. discoverability of prompts, logs, and internal communications

Client confidentiality is the biggest issue. Law firms hold highly sensitive facts, strategy, and settlement positions, and lawyers have a duty to make reasonable efforts to prevent inadvertent or unauthorized disclosure. If that material is entered into a consumer AI platform or sent through insecure intake or collaboration systems, it can lose the protection of attorney-client privilege and become discoverable.

Data security is another major concern. Weak access controls, poor encryption, missing audit trails, and broad vendor permissions can create both privacy exposure and malpractice or ethics problems. This is especially important in litigation because case files often include medical data, financial records, trade secrets, and witness information.

Discovery can turn privacy risks into litigation problems fast. Prompts, outputs, metadata, and AI logs may be requested in discovery or subpoenaed from vendors, especially if a party used AI to draft pleadings, analyze evidence, or test legal theories. Lawyers need to assume that what goes into an AI tool may later be scrutinized.

Another risk is over-collection. In litigation, teams sometimes gather more personal data than needed, then retain it too long or circulate it too widely. That creates avoidable exposure under confidentiality duties and, in some matters, broader privacy obligations. Yet, the universe of potentially relevant AI driven information is burgeoning, including notetaking features in videoconferencing platforms and other applications.

Mitigation Steps

  • Use approved enterprise tools with strong confidentiality, retention, and non-training terms.
  • Minimize inputs, and redact names, dates, identifiers, and unique facts before using any AI system.
  • Restrict access to litigation data on a need-to-know basis and use audit logs.
  • Train lawyers and staff on what can’t be pasted into AI tools or shared in insecure channels.
  • Treat prompts, outputs, and logs as potentially discoverable and preserve them.

Practical Takeaways

For litigators, the safest practice is to use a closed enterprise plan only after reviewing the actual DPA, terms of service, and data-processing addendum. If the platform reserves rights to store, review, or train on prompts, treat it as a waiver risk for privileged material, even if the tool is marketed as “enterprise.” If you would hesitate to email the information to a third-party vendor without a protective agreement, don’t paste it into a GenAI system without one.

 Consider the following mitigation strategies for using GenAI with client data:

  • Use only approved enterprise tools with contractual non-training, limited-retention, and confidentiality terms.
  • Don’t enter privileged facts, strategy, or work product into a GenAI system unless the firm has vetted the platform and the use is tightly controlled.
  • Treat prompts, outputs, and logs as potentially discoverable ESI and preserve them consistently.
  • Use GenAI under lawyer supervision and document the purpose, user, platform, and safeguards for each use.
  • Limit and label sensitive content and avoid including unnecessary client-identifying details.
  • Add confidentiality and nonwaiver language to discovery, ESI, and vendor agreements when GenAI may be used on case materials.
  • Train lawyers and staff on AI use, confidentiality, and privilege risks, and require periodic compliance review.
  • For highly sensitive matters, negotiate non-waiver terms into protective orders.