Your AI Chats Probably Aren't Privileged. Good. They Don't Need to Be.
For everyday work the duty isn't privilege, it's protecting the client's information, and your commercial terms are built for it. Here's where the line actually sits.
What the Heppner AI Ruling Actually Means for Your Firm
TL;DR. Your firm can confidently use commercial AI, including Claude Team or Enterprise and ChatGPT Business or Enterprise, as an everyday part of practice. The Heppner headline scared a lot of lawyers out of that, but the case was about a consumer tool used without a lawyer’s direction, under terms the court found inconsistent with confidentiality. Your commercial terms are materially different: the provider doesn’t train on your content and treats it as confidential. They won’t make every chat privileged, and for most of your work they don’t need to. With the right settings and matter controls, these tools belong in your firm’s daily work.
You probably saw the headline. “Federal judge rules AI conversations aren’t privileged.” Maybe a partner forwarded it with a one-line note: “Should we be worried about this?”
And for a second, you wondered. You’ve got associates running research through Claude, someone in litigation support summarizing depositions with ChatGPT, the whole firm quietly building these tools into the day. Now a federal judge is putting the words “not privileged” on the front page.
The bottom line: your firm can use these tools with confidence
Here’s the good news, stated plainly. If your firm runs Claude Team or Enterprise, or ChatGPT Business or Enterprise, under the applicable commercial terms and firm-approved settings, your lawyers can use these tools as a normal, everyday part of practice. Research, drafting, summarizing, review, working through a problem. Use them. The defendant in Heppner independently used a publicly available AI service, without counsel’s direction, under terms the court found inconsistent with a reasonable expectation of confidentiality. That is not the normal law-firm workflow addressed here.
Why is that defensible? Because the threshold question for everyday firm use is usually not whether every prompt becomes privileged. It is whether the firm has taken reasonable steps to protect information relating to the representation. Commercial terms provide the core protections missing in Heppner: no model training on customer content absent agreement, restricted use, and contractual confidentiality. Paired with appropriate vendor diligence, settings, matter-level controls, and supervision, that gives a firm a strong basis for using these tools consistently with its confidentiality obligations.
The honest boundary is narrower than the headlines suggest. A commercial contract gives you a strong confidentiality framework, not blanket privilege. Privilege can still matter when an AI workflow contains or facilitates lawyer-client communications. In litigation, qualifying prompts and exploratory analysis may also receive work-product protection, with counsel-created prompts presenting the strongest case. The rest of this piece is about getting those distinctions right.
What the case was actually about
The case is United States v. Heppner, decided by Judge Jed Rakoff in the Southern District of New York. A represented criminal defendant, Bradley Heppner, used a publicly available version of Claude on his own, without counsel’s direction. His lawyers later argued that some of his inputs incorporated information he had learned from them. After a grand jury subpoena, knowing he was a target, he generated 31 documents working through his defense. Possible arguments. Facts. Strategy. Then he shared them with his lawyers.
Federal agents seized the documents. Heppner’s lawyers said they were privileged. The judge said no.
He gave more than one reason, and that matters for what comes next. The chats weren’t communications with his lawyer, because Claude isn’t a lawyer. They weren’t confidential, because the version he used ran under a consumer privacy policy that let the company collect his inputs, use them for training, and disclose them in specified circumstances, including to regulators and in litigation. And although his lawyers said he meant to use the material in later conversations with them, they hadn’t directed the exercise, and Claude wasn’t their agent. Rakoff said the chats failed at least two, and maybe all three, requirements for privilege.
Then it got worse. The court added that, to the extent any information Heppner entered was privileged when counsel communicated it to him, he waived that privilege by sharing it with Claude and Anthropic.
So the real lesson, buried under the scary headline, is narrow. Drop your lawyer’s advice into a consumer chatbot and you may have placed that advice outside the privilege and exposed it to government or third-party inspection. Worth telling clients. Not a reason to pull AI out of your firm.
And here’s the part almost nobody quoted. In dicta, not in his holding, Rakoff floated a path: when counsel selects the system, directs its use, and uses it for a defined job in support of legal advice, the tool might be treated like another professional assisting counsel, the way a translator or an accountant sits inside the privilege. That wasn’t a ruling, and telling a client to “use Claude” wouldn’t be enough on its own. The safer pattern has lawyer selection, a defined legal purpose, confidential commercial terms, supervision, and use limited to that one matter.
Five questions hiding in one headline
Let’s untangle something the coverage keeps mashing together. There are five different questions in these AI stories, not one.
Attorney-client privilege asks whether there was a confidential communication for legal advice between counsel, the client, and any qualifying agent. Work product asks whether material was prepared in anticipation of litigation by or for a party or its representative, and, where mental impressions are involved, whose strategy or analysis it reveals. The ethical duty of confidentiality asks whether the firm took reasonable precautions with all client information, privileged or not. A protective order can forbid an upload even when privilege and ethics rules would allow it. And discovery and preservation ask whether prompts, outputs, uploads, and activity logs are records that must be preserved, collected, or produced. A tool can pass one of these and fail another. Keep them separate and the rest of this gets easier to read.
Why commercial terms change one part of the math
Hold the Heppner facts next to what your firm uses.
The consumer privacy policy was one of the things that sank him. Collect, train, disclose. That’s the opposite of the commercial plans.
Under their standard commercial terms, absent the customer agreeing otherwise, the providers don’t use your workspace content to train their models. Anthropic’s commercial terms put Claude for Work, meaning Team and Enterprise, outside the consumer training policy and treat your content as your confidential information. OpenAI draws the same line for ChatGPT Business and Enterprise: no use of your content to develop or improve the service unless you explicitly agree, plus confidentiality obligations. Both commercial agreements incorporate a data processing addendum, the contract your privacy and security people already know how to read.
So what does that do to the Heppner analysis? It changes one part of it: confidentiality. No-training commitments, restricted use, contractual confidentiality, and deletion controls give you a much stronger fact pattern than Rakoff faced.
But here’s where I had to correct my own first instinct. Better terms don’t satisfy the other privilege requirements. You still need a communication with counsel, or a qualifying agent, for the purpose of getting legal advice. The contract gives you a materially stronger confidentiality argument. It does not, by itself, turn a chat into an attorney-client communication. And that data processing addendum, useful as it is, is evidence of careful vendor handling, not a privilege agreement.
One more thing. Approving the core platform isn’t approving everything bolted onto it. Both providers separate their own service from third-party apps, connectors, and actions, which carry their own terms and recipients.
The case that matters most for your firm’s controls
If you read one decision after Heppner, make it Morgan v. V2X.
Colorado, March. An employment case, a plaintiff representing himself, both sides using AI. The defendant wanted limits on what the plaintiff could feed into chatbots, and the magistrate judge did something useful: she wrote AI language into the protective order.
Under her order, you can put confidential discovery material into an AI tool only if the provider is contractually barred from storing your inputs or using them to train the model, from disclosing your inputs except where essential to running the service, and from using downstream providers unless they’re bound by equally protective terms. The provider also has to let you delete the information on request. And you have to keep written proof of all of it.
Read it carefully, though. The order didn’t say enterprise accounts are automatically safe. It said a qualifying enterprise-tier account could fall on the permissible side, that many ordinary consumer subscriptions may not, and that the product label alone proves nothing. The contract and the configuration do the work. That is still highly useful for a firm: a judge drew a contract-based line and recognized that an enterprise-tier account might qualify if its actual contract and configuration satisfy every requirement.
But look at the first item again. Training or storing. That word does a lot of work, and it’s where I’d slow you down. A no-training promise is not the same as no storage. A standard commercial workspace may retain chat history so you can use it, even while it refuses to train on it. That can be entirely appropriate, as long as the retention is deliberate and consistent with your policy and preservation duties. But Morgan’s language isn’t a national standard. It was written for one order, and read literally, its ban on “storing” could rule out ordinary enterprise chat tools that keep history without training on it. Don’t agree to that wording without reading it. And don’t tell a client your tool is “zero retention” unless the contract actually says so.
The case for your represented clients
Here’s the one your research-minded partners will care about most, and almost nobody is talking about it yet.
Most of the decisions so far involved someone representing themselves or a criminal defendant acting alone. The far more common setup is a represented civil litigant whose own AI conversations are at issue. In June, the Texas Business Court took that up. In Tate Group Automotive v. Legacy Automotive Capital, Judge Grant Dorfman reviewed the ChatGPT conversations of the plaintiff company’s principal, a non-lawyer, in a commercial dispute.
Tate is the clearest post-Heppner ruling involving a represented commercial party’s own AI conversations. Dorfman protected most of the principal’s chats under Texas’s work-product rule and held that using ChatGPT did not waive that protection. He expressly disagreed with the defendants’ reliance on Heppner as waiver authority and emphasized that Texas’s rule protects material prepared “by or for a party.” The minute entry did not decide attorney-client privilege. Be honest about its weight, too: this informal entry says on its face that it isn’t a final ruling. It is evidence of where this is heading, not binding precedent.
It wasn’t a free pass either. The court made the plaintiff hand over the pages that weren’t real work product and, borrowing from Morgan, identify all discovery materials or products it had shared with ChatGPT, by Bates number where applicable. That’s the pattern worth remembering. The analysis can be protected. The fact of which produced documents you uploaded may not be.
The lawyer-use case everyone overlooks
There’s one more, and it predates the 2026 run, which is probably why it gets missed. It’s also the most on point if what you’re worried about is your own lawyers.
In Tremblay v. OpenAI, lawyers used ChatGPT in a pre-suit investigation. The court held that counsel’s prompts, and the testing that didn’t pan out, were opinion work product, because the questions a lawyer chooses reveal how that lawyer is thinking. That’s about as strong as protection gets. But the same case marks the limit: the prompts and outputs the plaintiffs leaned on in their complaint had to be produced. Lean on the AI testing in your allegations, or put the testing itself at issue, and you can lose the protection. So an associate’s exploratory prompts can be opinion work product. The screenshot you paste into a filing is a different thing. A later California decision, Concord Music Group v. Anthropic, took the same approach with attorney-created prompts and outputs.
The cautionary tale nobody at your firm should repeat
The last case is the one your clients will hear about at a conference, so be the one who explains it. And start with what it is: Fortis was not a privilege ruling. It was a warning about discoverability, intent, and preservation.
In Fortis Advisors v. Krafton, a Delaware Chancery case from March, Krafton’s CEO, Changhan Kim, was looking for a way around an earnout of up to $250 million. He turned to ChatGPT. When ChatGPT initially told him the earnout would be difficult to cancel, he kept pushing. At ChatGPT’s suggestion, Kim formed an internal task force called “Project X,” and Krafton subsequently followed most of the chatbot’s recommendations. The chats became trial exhibits, the court relied on them in finding Krafton’s later justifications were pretextual, and Kim admitted he’d deleted some of the relevant logs.
That’s the risk picture in one story. AI chats are records. They can be sought in discovery, subpoenaed, or pulled from devices and company systems. They can become the best evidence against you. And deleting them once litigation is anticipated can create a preservation problem worse than the original conversation. None of which argues against using AI. It argues for treating it as potentially discoverable ESI, not private scratch paper.
Where this honestly leaves you
I’m bullish on this, and I’ll tell you why in a second. But here are the caveats straight, because anyone who skips them is selling you something.
No appellate court has yet squarely resolved whether generative-AI prompts or outputs are protected by attorney-client privilege or work product. No reported decision squarely holds that a firm using ChatGPT Enterprise or Claude Enterprise gets privilege. Several of the early work-product wins involved people representing themselves, though that’s shifting now that Texas has extended the reasoning to a represented party. And privilege, work product, the ethical duty of confidentiality, and a protective order stay separate questions. A tool can pass one and fail another.
On work product, the direction is real. Warner, Morgan, Tate, and Assini, the last a June New York decision that quashed a broad subpoena to OpenAI for a self-represented litigant’s prompts, uploads, outputs, drafts, legal research, strategy, and account materials, point the same way: using an AI provider doesn’t by itself waive protection for qualifying litigation-preparation material. The harder questions are whether it was genuinely prepared because of litigation, whose thinking it reflects, and whether sending it out made an adversary meaningfully more likely to get it.
So I wouldn’t promise a client that every chat is privileged. The sturdier, more useful claim: in litigation, the stronger argument isn’t privilege, it’s work product. Your prompts show which facts you think matter, which theories you tested, where you think the case is soft. That’s the mental-impression material the rules were built to protect. The cases since Heppner support that protection when the material was prepared by or for a party because litigation was anticipated. When the prompts reflect counsel’s own selection of facts, theories, and questions, the case for protected opinion work product is stronger still. Keep that separate from a business person brainstorming, which is how those Krafton logs became evidence.
One more limit. Don’t assume an expert’s prompts get a lawyer’s treatment. In Conservation Law Foundation v. Shell, a magistrate ordered production of the prompts a testifying expert used to cull Shell’s document production into a working set for the report. That order is stayed pending review, so it isn’t settled, but experts may sit in a different discovery category than your lawyers.
And the confidentiality from a commercial contract is real. It’s the same diligence you already run for cloud storage and contract attorneys, pointed at one more vendor. The ABA lands in the same place: under Formal Opinion 512, a lawyer using these tools still owns competence, confidentiality, supervision, client communication, verification, and the protection of client information. None of that says ban the technology. It says review the vendor and put reasonable safeguards in place, which is what a commercial contract and a real policy give you.
What to do Monday morning
You don’t need a six-month study. You need three decisions.
Approve the exact product, and document it. “Claude is approved” isn’t a policy; “Claude Enterprise on our contract” is. Name the plan and account type so nobody does sensitive work on a personal login, and remember that approving the platform doesn’t approve every app or connector attached to it. Keep the agreement, the data processing addendum, and your retention settings in one place, because Morgan says you may have to prove those protections one day, and don’t take the defaults on faith.
Check the matter, then put a lawyer on the sensitive work. A firm-approved platform doesn’t override a protective order, a client guideline, or a data-use restriction, so someone has to check those before discovery material, trade secrets, or medical records go into a tool. And when privilege or strategy is in play, have the attorney pick the tool, define the task, supervise the work, and review the output. That is the pattern Rakoff suggested might support treating the tool as counsel’s agent, although no court has yet turned that suggestion into a general safe harbor.
Treat the chats as evidence. Fold AI prompts and outputs into your litigation holds, and teach everyone a basic preservation rule: once a duty to preserve has attached, do not delete.
The dividing line was never free AI against paid AI. It's unmanaged use against an approved, contractually protected system, under settings and matter controls matched to the work. Get that right and the question stops being whether you're allowed to use these tools and becomes how well you use them, because for everyday work the duty isn't privilege, it's protecting the client's information, and your commercial terms are built for that. If you want a second set of eyes on where your firm draws that line, before a protective order or a partner draws it for you, I'm at steve@intelligencebyintent.com. Send this to the partner who forwarded you that headline.


