Protecting Attorney-Client Privilege When Lawyers Use AI: Control the Disclosure, Keep the Record
When a lawyer pastes privileged material into an external AI tool, the concern is disclosure to a third party and the risk that raises to attorney-client privilege and work-product protection. Privilege determinations belong to courts and counsel. What a firm controls is which privileged content reaches which model endpoint, and whether there is a record of it. Both are decisions on the AI request path.
When a lawyer pastes a privileged memo into a consumer AI tool to summarize it, the content has been disclosed to whoever operates that tool. Whether that disclosure affects attorney-client privilege or work-product protection is a question for courts and counsel, and it turns on facts like who the recipient is, what agreement governs the data, and whether the disclosure was reasonable. I am not going to resolve the doctrine here. What a firm can control, before any of those questions arise, is narrower and concrete: which privileged content reaches which model endpoint, and whether there is a record of what was sent where. Both are decisions on the AI request path.
The disclosure is the API call
Privilege risk with AI starts at a specific moment: the request that carries privileged content to a model endpoint. Everything a firm worries about downstream, retention, training on the data, subpoena of the vendor, follows from that call having happened. Locating the risk at the call is useful, because it locates the control. A firm governs its AI privilege posture by governing which calls carry privileged material and where those calls go, not by circulating a memo asking associates to be careful. The reasonable-precautions standard that courts apply to inadvertent disclosure is more defensible when the precautions are enforced at the point of disclosure rather than left to individual judgment.
Endpoint control
Not all model endpoints are equal for privileged work. A model running under an enterprise agreement with confidentiality terms and no training on inputs is a different recipient than a consumer chatbot with broad usage rights. Controlling which endpoints may receive privileged content is a policy decision on the destination of each AI call. A control on the request path can permit privileged material to reach an approved, contractually covered endpoint and block it from reaching a consumer tool. That distinction, enforced automatically, is a large part of what "reasonable precautions" looks like in practice.
Content control
Some privileged detail does not need to leave at all for the task at hand. A lawyer asking a model to check the structure of an argument may not need client names and matter identifiers in the prompt. Redacting those before the call reduces what is disclosed while preserving the utility of the request. Content policy on the request path, the same egress discipline described in AI egress control implementation, lets a firm strip identifiers and hold back categories of privileged detail that the task does not require. Less privileged content in the prompt is less exposure to argue about later.
The record is the defense
If a firm ever has to defend a disclosure, the argument depends on facts about what was disclosed and what precautions applied. A record showing which endpoint received the content, under what policy, which identity sent it, and when, is the difference between demonstrating a controlled process and asserting one. This is the same reason regulated industries keep per-decision AI logs, applied to privilege: the AI DLP discipline of knowing what sensitive data went where becomes a privilege-defense artifact. A record written at the AI request boundary captures the facts a waiver argument would turn on, at the moment they occur.
Autonomous legal agents raise the stakes
Legal AI is moving toward agents that pull documents and draft filings without a lawyer approving each retrieval. When an agent acts on its own, the privilege question multiplies across every document it touches, and the need for per-action attribution grows. Binding each agent call to a verified identity and recording what privileged content it accessed and sent is what keeps an autonomous legal workflow defensible. The control is the same as for a lawyer at a keyboard; the volume and the need for automation are higher.
DeepInspect
This is the gap DeepInspect closes. DeepInspect sits inline between your legal AI tools and the models they call. For every request it checks the destination endpoint against your approved list for privileged content, applies redaction policy to strip identifiers the task does not require, and makes a pass or block decision before the content reaches the model. Privileged material is kept from consumer endpoints; approved endpoints receive only what the task needs.
The same decision point writes the record. Every call becomes a logged event naming the identity, the endpoint, the policy applied, and the outcome, which is the documented, reasonable-precautions trail a privilege defense relies on. DeepInspect does not make privilege determinations; those stay with your counsel. It enforces where privileged content may go and records where it went.
If your firm is putting privileged work through AI tools, let's talk today.
Frequently asked questions
- Does using AI waive attorney-client privilege?
That is a determination for courts and counsel, and it depends on the facts: who received the content, what agreement governed it, and whether the disclosure and precautions were reasonable. A firm cannot resolve the doctrine in advance, but it can control the facts that feed it, by governing which privileged content reaches which model endpoint and by keeping a record of each disclosure.
- What are reasonable precautions for AI and privilege?
Enforced control over where privileged content goes and what it contains. Permitting privileged material to reach only approved, contractually covered endpoints, redacting identifiers the task does not need, and recording each call. Precautions enforced at the point of disclosure are more defensible than a policy memo asking individuals to be careful.
- Which model endpoints are safe for privileged work?
The distinction is contractual and technical, not about brand. An endpoint under an enterprise agreement with confidentiality terms and no training on inputs is a different recipient than a consumer tool with broad usage rights. The control is to enforce which endpoints may receive privileged content, as a policy decision on the destination of each AI call.
- Why keep a record of AI calls for privilege?
Because a privilege defense argues from facts about what was disclosed and what precautions applied. A per-call record of the endpoint, the identity, the policy, and the outcome demonstrates a controlled process rather than asserting one. Written at the AI request boundary, it captures the facts a waiver argument turns on at the moment they occur.