The conventional wisdom — "only use legal AI, never general AI" — turns out to be wrong as a matter of doctrine. Three 2026 federal decisions clarify the real standard, and it's more workable than the CLE circuit suggests. Here's what practicing attorneys actually need to know.
Analysis based on: Elefant, Why Attorneys Can Ethically Use General-Purpose GenAI for Client Matters (2026). Not legal advice — consult qualified counsel for your jurisdiction.
Three federal decisions issued in early 2026 define the current judicial landscape on AI and privilege. Read together, they are more favorable to attorney AI use than any single case suggests — and the one most frequently cited as a warning turns out to have the narrowest application.
The court held that AI tool use does not automatically waive work product protection, specifically rejecting the broad categorical reasoning of Heppner. Judge Braswell held that "AI interactions do not automatically compromise work product protections."
Morgan established a concrete contractual standard for AI use: no training on inputs, restricted third-party disclosure, and deletion rights on demand. That standard is what enterprise-tier Data Processing Agreements already provide.
The Morgan standard requires written documentation of these protections — which is precisely what a firm-level AI policy provides.
The court denied a motion to compel discovery into a party's use of ChatGPT, holding that AI-assisted internal analysis and drafting were protected by the work product doctrine.
Use of a general-purpose platform did not waive that protection absent disclosure to an adversary. Attorney-directed AI use is work product — full stop.
Combined with Morgan: attorney-directed AI use on a platform that meets the contractual standard is fully protected.
An unrepresented litigant using a consumer-grade Claude account — which permitted training and third-party disclosure — lost both privilege and work product protection.
Heppner's applicability to attorneys using enterprise AI is marginal. The court's ruling turned on the absence of any contractual confidentiality protections, not on AI use itself.
Morgan explicitly declined to adopt Heppner's broad categorical reasoning. Heppner is a cautionary tale about consumer accounts — not a rule about professional practice.
Morgan didn't just rule in favor of AI use — it defined the specific contractual terms that make AI use defensible. These three requirements determine whether your AI use is protected.
Three Model Rules govern attorney AI use. None of them require perfect security or prohibit AI outright — they require reasonable efforts and documented professional judgment.
Requires "reasonable efforts" to prevent unauthorized disclosure — not the most secure technology available, not elimination of all risk. ABA Formal Opinion 477R's five-factor test defines reasonable efforts: sensitivity of the matter, likelihood of compromise, cost of safeguards, difficulty of implementation, and impact on representation.
Requires attorneys to understand the benefits and risks of relevant technology. You don't need to be a technologist, but you do need to understand what tier of AI you're using, what your DPA actually says, and what protections are and aren't in place for your clients.
Requires attorneys to supervise non-lawyer staff and vendors — including AI tools — to ensure conduct compatible with the attorney's professional obligations. Staff can use AI tools under attorney direction; the attorney remains responsible for directing the work and reviewing outputs.
Governs the duty to keep clients informed. ABA Formal Opinion 512 imposed specific AI consent requirements — but notably, no disciplinary decision in fifteen years of cloud computing enforcement has turned on failure to disclose routine technology choices to clients.
The paper trail matters. Rule 1.6 doesn't require the most secure option — it requires evidence that you made a reasoned choice. A written AI policy is how you preserve that evidence. Without one, "reasonable efforts" is a post-hoc rationalization in front of a disciplinary panel. With one, it's a contemporaneous record of the platforms you evaluated, why you approved them, and the conditions under which they may be used.
Purpose-built "legal AI" products are often marketed on the strength of their confidentiality protections. But most of them are wrappers around general-purpose foundational models — which means client data travels through more contractual relationships, not fewer.
Harvey AI routes through OpenAI (Azure), Anthropic (AWS Bedrock), and Google (Vertex AI). LexisNexis Protégé uses a "Best Fit" auto-routing system that selects in real time from five separate providers — OpenAI, Anthropic, Mistral, Google, and Microsoft — meaning you may not know which provider processes any given document.
When you use ChatGPT Business or Claude Teams directly, the foundational model provider and your contracting party are the same entity — your DPA covers the full data path. With a legal AI wrapper, your DPA is with the vendor, and the vendor's subprocessor agreements with the foundational model providers are what govern how your client data is actually handled at the point of inference.
Morgan's protective order specifically requires that subprocessors be "bound by obligations no less protective" than the order itself — meaning flow-down protections must be verified, not assumed. California's State Bar guidance lists sub-processor identification as a mandatory element of AI due diligence.
The Morgan and Warner decisions together define a workable standard. Meeting it doesn't require expensive purpose-built legal AI — it requires the right account tier, the right contractual terms, and documented professional judgment.
A question that comes up: does using a consumer AI tool like Claude Max to build client automations create a confidentiality problem? It doesn't — and the reason why is straightforward.
When a contractor builds a safe for a bank, they use their own tools — drills, welders, measuring tape — to build the safe. Those tools never touch the bank's money. The money only goes inside the safe after it's built and installed.
Rob is the contractor. Claude Max is his tools. The safe is the automation system. The client's information is the money.
One question settles it: "Did any real client information pass through Claude Max?" If the answer is no — and Rob keeps it that way — there's no problem. Full stop.
The diagram below shows exactly how this separation works in practice — and why it matters for attorney-client privilege.
Consumer Claude is used only to build the system. Client data flows exclusively through the private Claude API in your secure environment.
An isolated system with direct API connections gives you complete data isolation, no sub-processor ambiguity, and a clear audit trail — the architecture the Morgan standard was written to protect.