Privilege in the Age of AI: What Clients Need to Understand Before They Press “Submit”

The recent decision in United States v. Heppner should prompt every company, executive, founder, investor, and professional to revisit how they use artificial intelligence tools for legal and compliance issues.

The basic point is familiar: an AI platform is not a lawyer. Asking ChatGPT, Claude, Gemini, or any similar tool for legal guidance does not create an attorney-client relationship. It does not transform the user’s prompt into a privileged communication. And it does not place the exchange beyond the reach of prosecutors, regulators, civil litigants, or discovery subpoenas.

The more serious point is less widely understood.

A user may also risk waiving privilege over legal advice or work product that was privileged before it entered the AI platform. That is the practical danger. If a client uploads attorney advice, a privileged memorandum, an internal investigation summary, board materials prepared for counsel, witness interview notes, a Wells strategy draft, or a litigation analysis into an AI tool without adequate confidentiality protections, the issue is no longer merely whether the AI output is privileged. The issue is whether the client has disclosed protected material to a third party in a manner inconsistent with confidentiality.

That is a privilege problem of the first order.

I. Attorney-Client Privilege Protects Confidential Legal Communications, Not Legal Topics

In federal proceedings, privilege is generally governed by “the common law — as interpreted by United States courts in the light of reason and experience,” unless the Constitution, a federal statute, or Supreme Court-prescribed rules provide otherwise. Fed. R. Evid. 501.

The attorney-client privilege protects confidential communications between attorney and client made for the purpose of obtaining or providing legal advice. See Upjohn Co. v. United States, 449 U.S. 383, 389 (1981); Fisher v. United States, 425 U.S. 391, 403 (1976). The Second Circuit has stated the formulation plainly: the privilege protects communications “(1) between a client and his or her attorney (2) that are intended to be, and in fact were, kept confidential (3) for the purpose of obtaining or providing legal advice.” United States v. Mejia, 655 F.3d 126, 132 (2d Cir. 2011).

That definition matters. Privilege does not attach because a communication concerns the law. It attaches because the communication is made within a protected legal relationship and under circumstances preserving confidentiality.

A person who asks an AI tool, “What should I do if I received a subpoena?” may be discussing a legal subject. But the user has not communicated with counsel. The user has communicated with a technology platform. Unless some separate privilege-preserving structure applies, that exchange should not be treated as privileged.

II. Heppner Applies Traditional Privilege Principles to AI Use

In United States v. Heppner, No. 25 Cr. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026), Judge Rakoff rejected a privilege claim over documents generated through Claude. The defendant argued that the materials were protected because he used Claude in connection with legal issues and later shared materials with counsel.

The court rejected that argument on traditional privilege grounds. The AI exchanges were not communications between client and attorney. The court stated the point directly: “Because Claude is not an attorney, that alone disposes of Heppner’s claim of privilege.” Id. at *1.

The court also focused on confidentiality. Even assuming the defendant had included privileged information in the prompts, the court reasoned that sharing the information with Claude and Anthropic waived privilege. As the court explained, “even if certain information that Heppner input into Claude was privileged, he waived the privilege by sharing that information with Claude and Anthropic.” Id. at *2 n.3.

That is the part clients need to absorb. The risk is not confined to people who ask AI for legal advice before hiring a lawyer. The risk extends to people who already have counsel and then place counsel’s advice, counsel’s analysis, or litigation-preparation materials into an AI platform.

III. Confidentiality Is the Structural Requirement

Privilege depends on confidentiality. A client may waive privilege by voluntarily disclosing protected communications to a third party. See In re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289, 302 (6th Cir. 2002); United States v. Jacobs, 117 F.3d 82, 91 (2d Cir. 1997).

That rule is not new. What is new is how casually sensitive legal information can now be disclosed.

In the analog world, a client generally understands that handing a privileged memorandum to a stranger may create waiver risk. In the AI context, the same client may paste the same memorandum into a prompt box without appreciating that the platform may be a third party for privilege purposes.

The legal issue is not whether the user subjectively hoped the exchange would remain private. The issue is whether the circumstances objectively support confidentiality. Relevant facts may include the platform’s terms of use, privacy policy, data-retention rules, training practices, access controls, enterprise agreement, confidentiality commitments, deletion rights, audit rights, and whether counsel directed and supervised the use of the tool.

Those facts matter because attorney-client privilege is not a mood. It is a doctrine with elements.

IV. Privacy and Privilege Are Related, But They Are Not the Same

Clients often collapse privacy and privilege into one concept. They are distinct.

A communication may feel private because it occurs behind a password. That does not necessarily make it privileged. A communication may occur on a secure system and still fail privilege analysis if it is not between privileged persons for the purpose of legal advice. Conversely, a communication that begins as privileged may lose protection if it is later disclosed in a way inconsistent with confidentiality.

That distinction is essential for AI use.

A consumer AI account, a free chatbot, an enterprise deployment, and a law-firm-approved AI environment may present different privilege risks. The correct analysis is platform-specific and fact-specific. But the default rule should be conservative: privileged information should not be entered into any AI system unless counsel has reviewed the platform and approved the workflow.

V. Work Product Presents a Parallel Risk

The work-product doctrine protects documents and tangible things prepared in anticipation of litigation or for trial by or for a party or its representative. Fed. R. Civ. P. 26(b)(3)(A). The rule gives heightened protection to counsel’s “mental impressions, conclusions, opinions, or legal theories.” Fed. R. Civ. P. 26(b)(3)(B). The doctrine reflects the Supreme Court’s recognition that lawyers require a protected zone to prepare cases without undue intrusion by adversaries. See Hickman v. Taylor, 329 U.S. 495, 510–11 (1947).

But work-product protection can also be compromised by disclosure. The waiver analysis differs from attorney-client privilege, but disclosure that substantially increases the likelihood that an adversary will obtain the material may threaten protection. See United States v. Nobles, 422 U.S. 225, 239–40 (1975).

That matters for AI. A litigation chronology, witness outline, interview memorandum, draft submission to a regulator, internal investigation report, or enforcement strategy memo may qualify as work product in counsel’s hands. Uploading it into an AI platform without appropriate safeguards may give an adversary a serious argument that protection has been weakened or lost.

VI. Rule 502 Does Not Solve the Problem

Federal Rule of Evidence 502 addresses the scope of waiver for attorney-client privilege and work-product protection. Fed. R. Evid. 502. It can be important in litigation, especially where parties negotiate Rule 502(d) orders to protect against broad waiver from inadvertent production.

But Rule 502 is not a general license to disclose privileged material into any technology platform. It does not eliminate the need to preserve confidentiality in the first instance. Nor does it guarantee that voluntary disclosure to an AI provider will be treated as harmless. Once privileged information is placed outside the privilege circle, the producing party may be forced to litigate waiver under uncertain facts and law.

That is an avoidable problem.

VII. Practical Guidance for AI Users

AI can be useful for general legal education. A person can use it to understand basic terminology, learn what type of lawyer may be needed, prepare general questions for counsel, or identify publicly available resources.

For example, a user can ask:

“What kind of lawyer handles SEC subpoenas?”

“What is a Wells notice?”

“What is the difference between a civil subpoena and a grand jury subpoena?”

“What documents should I gather before speaking to counsel?”

Those questions generally do not require disclosure of sensitive facts.

The danger begins when the user supplies names, dates, admissions, documents, internal communications, transaction details, privileged emails, counsel’s advice, investigation findings, strategy assessments, or other confidential facts. At that point, the AI tool is no longer being used merely for general education. It is being used as a repository for sensitive legal information.

That should not happen without counsel’s involvement.

VIII. Practical Guidance for Companies

Companies should adopt clear AI privilege protocols. At minimum, those protocols should address:

1. which AI tools may be used for legal, compliance, regulatory, investigation, or litigation-related work;

2. whether consumer AI tools are prohibited for privileged or confidential matters;

3. whether enterprise AI tools have appropriate contractual confidentiality, retention, deletion, access-control, and non-training commitments;

4. whether legal department approval is required before privileged or work-product material is entered into any AI system;

5. whether outside counsel must approve AI workflows for active litigation, investigations, subpoenas, regulatory examinations, or enforcement matters;

6. how employees should label, store, and transmit privileged materials;

7. how AI outputs should be reviewed before being circulated internally or externally; and

8. how the company will document counsel-directed AI use when AI is functioning as a legal-support tool.

These are governance questions, but they are also litigation questions. The company that cannot explain who approved the tool, what protections applied, and why the workflow preserved confidentiality will be poorly positioned when a regulator, prosecutor, or adversary asks for the prompts, outputs, or uploaded source materials.

IX. The Bottom Line

Heppner should not be read to mean that every use of AI destroys privilege. That would overstate the decision and oversimplify the doctrine.

The better reading is more precise and more important: courts are likely to apply traditional privilege and work-product principles to AI use. Those principles require a privileged relationship, a legal-advice purpose, and confidentiality. When a user independently shares legal information with a third-party AI platform, especially a consumer platform without adequate confidentiality protections, privilege may fail or be waived.

That is the lesson.

Use AI to become a better-informed client. Use it to learn vocabulary, frame issues, and prepare to speak with counsel. But do not upload privileged communications, attorney work product, investigation materials, litigation strategy, subpoena responses, regulatory drafts, or sensitive legal facts into an AI tool unless counsel has reviewed the platform and approved the workflow.

Privilege is preserved by discipline. It can be lost with a single careless disclosure.