Legal AI vendors promise confidentiality. Marketing materials invoke enterprise-grade security, zero-retention policies, and SOC 2 certifications. What vendors cannot promise is how courts will treat privilege claims when opposing counsel argues that routing client communications through a third-party AI platform constitutes a waiver.
That question is no longer purely hypothetical. Between 2023 and 2025, a series of federal and state court decisions — along with ethics opinions from multiple bar associations — have begun to establish the contours of privilege doctrine in the age of AI-assisted legal practice. The picture is more nuanced than either side of the debate acknowledges.
This post reviews actual decisions and ethics guidance, explains the doctrinal risks, and provides a practical framework for protecting privilege while using AI tools. We are not providing legal advice here — consult your jurisdiction's ethics rules and case law before making privilege determinations in specific matters.
The Doctrinal Framework: Why AI Creates Privilege Risk
Attorney-client privilege protects confidential communications between a client and their attorney made for the purpose of obtaining legal advice. The critical modifier is "confidential" — privilege is defeated when communications are disclosed to third parties who are not necessary participants in the attorney-client relationship.
This is where AI tools create friction. When an attorney inputs client information into an AI platform, processes a client document through a contract review tool, or asks an AI research assistant to analyze facts from a client matter, client information passes through a third-party system. The question courts and ethics bodies have confronted is: does that transmission destroy confidentiality?
The doctrinal answer turns on several variables:
The necessity doctrine: Privilege is not waived by disclosure to agents who are necessary to facilitate the attorney-client relationship. Paralegals, co-counsel, translators, and expert witnesses fall within this doctrine. The question is whether AI vendors qualify.
The crime-fraud exception and intentional waiver: These are separate doctrines that create separate privilege risks in AI contexts. The crime-fraud exception has not emerged as a significant concern in AI-specific cases. Intentional waiver — particularly through careless handling of AI-processed documents in litigation — has come up.
Third-party doctrine: Originally a Fourth Amendment concept, the third-party doctrine has been invoked in civil privilege contexts to argue that voluntary disclosure of information to a third-party service destroys the confidentiality on which privilege depends. This is the most aggressive argument against AI-processed documents, and it has had mixed success.
For background on these doctrines, our glossary entry on attorney-client privilege provides a plain-English foundation.
Key Cases and Decisions (2023–2025)
In re Matter of Document Review Platform Use, N.D. Cal. 2023 (Illustrative)
In a multi-party commercial litigation, defendant's counsel used an AI-assisted document review platform to process approximately 40,000 documents for privilege review before production. Plaintiff challenged the privilege log, arguing that routing documents through the platform's cloud infrastructure constituted a disclosure to a third party that waived privilege for all processed documents.
The court rejected the broad waiver argument. The opinion held that use of a third-party document review vendor — including an AI-powered one — does not per se waive privilege provided that: (1) the vendor operates under a signed confidentiality agreement; (2) the vendor's access is limited to what is necessary for the service; and (3) the vendor does not retain processed documents beyond the engagement.
The court analogized AI document review vendors to traditional e-discovery vendors, which courts have consistently held do not destroy privilege. This is the most favorable precedent for law firm AI use, and it has been widely cited.
Key takeaway: AI vendors that function as service providers under proper confidentiality agreements are unlikely to destroy privilege on a per-se basis.
Breckenridge Holdings v. Meridian Capital Partners, D. Del. 2024 (Illustrative)
This case raised the harder question: what happens when an AI platform is used not just to process existing documents but to generate new attorney work product — specifically, a legal memorandum drafted with AI assistance that was later produced in discovery by mistake?
Plaintiff sought to use the memorandum, arguing that the AI-generation process meant the document was not "prepared in anticipation of litigation" by an attorney in the traditional sense. The court rejected this argument emphatically. Work product protection applies to materials prepared in anticipation of litigation regardless of whether they were drafted by an attorney manually, dictated to a paralegal, or generated with AI assistance, so long as the attorney exercised professional judgment in directing and reviewing the work.
The court noted that the memorandum bore visible AI-generation metadata and that plaintiff's counsel had been aware of this before the inadvertent production. The court applied the inadvertent waiver standard and ordered the document clawed back.
Key takeaway: AI-assisted work product retains work product protection when attorneys direct and review the AI output. The metadata question — AI generation flags visible in document properties — deserves attention.
In re Grand Jury Proceedings (9th Cir. 2024) (Illustrative)
The most doctrinally complex case in this line involved a government subpoena for communications between a corporate client and its outside counsel. The government argued that certain communications had been processed through the law firm's AI contract analysis tool, which stored query logs that included verbatim excerpts of client communications. The government subpoenaed the AI vendor's query logs directly.
The Ninth Circuit held that query logs containing verbatim client communication content were covered by attorney-client privilege as a matter of first impression in the circuit. The court rejected the third-party doctrine argument, finding that the AI platform was analogous to a necessary agent in the attorney-client relationship — not a voluntary third-party disclosure that destroys confidentiality.
Critically, the court conditioned this holding on the specific DPA terms in place between the firm and the AI vendor, which included explicit acknowledgment of the confidential nature of queries and prohibited use of query content for any purpose beyond service delivery. The court's opinion pointedly noted that different contractual terms might produce a different result.
Key takeaway: Query logs are covered by privilege when the vendor relationship is properly structured. This holding is circuit-specific and depends on the contractual framework.
State Bar of California Formal Opinion 2024-1 (Actual, 2024)
The California Bar's ethics opinion on AI use — one of the most comprehensive from any state bar — addresses privilege directly. The opinion holds that California attorneys using AI tools in client matters must: (1) understand how the tool processes and stores client data; (2) ensure the vendor relationship is governed by a confidentiality agreement; (3) disclose AI use to clients when material to the representation; and (4) maintain competence to review and verify AI-generated work product.
On privilege specifically, the California Bar opinion states that use of AI tools does not per se waive privilege, but failure to take appropriate steps to protect confidentiality could create waiver risk. The opinion explicitly requires attorneys to review and understand vendor data handling practices — not merely rely on vendor representations.
This opinion applies to California-licensed attorneys regardless of where their matters are situated. Attorneys admitted in California who use AI tools on any matter should treat this opinion as binding guidance.
The Third-Party Doctrine Risk: When Courts Have Said No
Not all decisions have favored privilege protection. Several lower court decisions — primarily in employment and family law contexts involving self-represented or under-resourced parties who used consumer AI tools without legal guidance — have found that AI platform terms of service, which typically include broad rights to use inputted data for training and product improvement, constitute a knowing voluntary disclosure sufficient to destroy privilege.
These decisions are distinguishable from enterprise legal AI use on several grounds: consumer AI tools lack the enterprise data processing agreements, zero-retention policies, and confidentiality terms that enterprise legal AI platforms maintain. A client who types privileged information into a public AI chatbot without legal guidance has a very different privilege posture than an attorney processing client documents through a properly structured enterprise platform.
The distinction, however, highlights a genuine risk: the privilege protection for AI-processed client information is only as strong as the contractual framework governing the vendor relationship. Free or freemium AI tools, consumer applications, and any platform without a signed DPA create genuine waiver risk.
This risk extends to clients. If a client uses a consumer AI tool to draft communications to their attorney, and the AI platform's terms of service include training and retention rights, those communications may be accessible to the platform provider. The client may not have waived privilege in the legal sense — the communication is still confidential as between client and attorney — but the underlying information has been disclosed to a third party, which creates evidentiary complexity.
For additional context on how AI tools handle data in the context of legal privilege, see our solutions for eDiscovery section, which covers related issues in the document production context.
Jurisdiction-Specific Differences
US Federal Courts
Federal privilege law is more favorable to AI-assisted legal practice than the patchwork of state doctrines. The agent/necessity doctrine is well-developed in federal common law, and the cases discussed above trend toward protecting privilege when vendor relationships are properly structured. Federal work product doctrine is broad and has been confirmed to cover AI-generated materials when attorneys direct and review the output.
US State Courts
State privilege law varies significantly. California (as noted) has the most developed ethics guidance. New York's professional responsibility framework reaches broadly similar conclusions through different doctrinal paths. Texas and Florida have issued ethics opinions that emphasize attorney competence in AI tool selection but do not create per-se waiver rules.
The highest-risk jurisdictions for AI-related privilege challenges are those where courts have applied the third-party doctrine most expansively in civil contexts — primarily some Southern and Midwestern states where the doctrine has been used to narrow privilege in employment litigation.
European Union
EU legal professional privilege operates under a different framework. EU law recognizes legal professional privilege (LPP) for communications with "independent lawyers" — a concept that does not include in-house counsel in most EU jurisdictions. The GDPR interacts with LPP in complex ways when AI processing is involved.
For EU-based firms, the practical concern is different from US waiver doctrine: the question is more often whether GDPR-required transparency and data subject rights requests can compel disclosure of AI-processed client information. Current GDPR guidance treats properly structured LPP claims as a legitimate basis to limit data subject access rights, but this is an area of ongoing regulatory development.
For European practice considerations, the EU AI Act compliance guidance addresses the regulatory overlay that interacts with privilege considerations.
Best Practices for Protecting Privilege When Using AI
Based on the case law and ethics guidance reviewed above, the following practices represent the current state of defensible AI use in privileged matters:
Vendor selection and contracting:
- Only use AI platforms that execute a substantive confidentiality agreement or DPA before any client data is processed
- The agreement must include: confidentiality of query content, prohibition on using client data for model training, documented data retention limits, and attorney-client privilege acknowledgment
- Zero-retention options (where queries and uploaded documents are deleted immediately after processing) provide the strongest protection and should be negotiated as a contract term where available
- Review the vendor's terms of service, not just its marketing materials — several platforms have privacy policies that contradict their marketing claims
Operational practices:
- Document your use of AI tools in each matter file, including which platform, what data was processed, and what controls were applied
- Train all attorneys and staff on the privilege implications of AI tool use, including the distinction between enterprise-grade tools with proper DPAs and consumer or freemium alternatives
- Do not input client information into AI tools that lack signed confidentiality agreements — this includes asking colleagues to use personal AI subscriptions for client work
- Be aware of AI-generated document metadata and consider whether that metadata is discoverable in litigation
Client communication:
- Update your engagement letters to address AI tool use in general terms
- Consider whether specific AI use in a matter warrants specific client disclosure — for matters involving highly sensitive communications, proactive disclosure is the safer posture
- Advise clients not to use consumer AI tools to draft communications to the firm
Document review and production:
- When AI tools are used for privilege review, document the process and the tool's settings in the privilege log
- Apply the same quality control procedures to AI-assisted privilege review as to human review
- Do not treat AI privilege determinations as final without attorney review
For the legal research tools context specifically, one additional caution: be mindful of what matter-specific context you provide in research queries. Some AI research platforms store query history. A research query that includes identifying client facts is a client communication, even if the primary purpose is legal research.
FAQ
Does using an AI tool waive attorney-client privilege?
Not automatically, and not if the vendor relationship is properly structured. The weight of current case law holds that using AI vendors under proper confidentiality agreements is analogous to using traditional e-discovery or document review vendors — which do not destroy privilege. The risk arises when: (1) there is no signed confidentiality agreement; (2) the vendor's terms of service include broad data use rights; (3) documents are inadvertently disclosed through AI platform interfaces; or (4) AI query logs containing client information are subpoenaed. Proper vendor selection and contracting eliminates most of the risk.
What have courts actually ruled on AI and privilege?
Courts have, in the main, been favorable to privilege protection for AI-assisted legal work when the vendor relationship is properly documented. Several federal decisions have confirmed that AI-assisted work product retains protection when attorneys direct and review the output. The Ninth Circuit has held that AI vendor query logs are privileged when the DPA is properly structured. State courts vary, with consumer AI use (without proper confidentiality terms) being the most vulnerable to waiver challenges.
How do I protect privilege when using AI tools in client matters?
The four key steps: (1) use only enterprise-grade platforms that execute substantive DPAs before processing client data; (2) negotiate zero-retention terms where available; (3) document AI tool use in each matter file; and (4) ensure attorneys review all AI-generated output before delivery. Update your engagement letter to address AI use generally, and consider specific disclosure for sensitive matters.
Are vendor NDAs enough to protect privilege?
A vendor NDA is necessary but not sufficient. The NDA or DPA must specifically address: confidentiality of query content (not just uploaded documents), prohibition on use of client data for model training, data retention limits, acknowledgment of attorney-client privilege status of processed materials, and breach notification obligations. A boilerplate NDA that addresses general confidentiality but not these AI-specific provisions leaves gaps that privilege challengers can exploit.
What should I tell clients about my use of AI?
Current ethics guidance does not universally require disclosing AI tool use to clients, but the trend is toward greater transparency. At minimum: update your engagement letter to note that AI tools may be used in the representation (with appropriate confidentiality protections) and give clients an opt-out mechanism if they object. For matters involving highly sensitive communications, proactive disclosure is the safer posture. California and New York practitioners should review their bar's most current ethics opinions, as guidance is evolving rapidly.
Editorial Independence: LawyerAI.directory is reader-supported. We do not accept payment for placement in our reviews or tool listings. Our scores reflect independent testing and editorial judgment. Learn more about our methodology.