data sovereignty

Your Cloud AI Tool Could Be Exhibit A Against Your Client

US v. Heppner confirms public AI chatbots destroy attorney-client privilege. Here's why private AI architecture is now a privilege-preservation necessity for law firms.

RAGbase Legal Research TeamJuly 11, 2026 11 min read

On February 17, 2026, Judge Jed Rakoff of the Southern District of New York did something that no ethics CLE, bar association guidance, or law firm AI policy had managed to accomplish in three years of legal AI hype: he made the data-security risk concrete. In US v. Heppner, the defendant's own prompts — typed into Anthropic's consumer Claude — were admitted as evidence at trial. He was convicted on all counts. The privilege was gone not because of a leak, a hack, or a rogue associate. It was gone because Anthropic's privacy policy said it could retain data, use it for model training, and disclose it to third parties, including government authorities. That was enough.

The ruling landed like a circuit breaker across the legal tech industry. But the more important question for managing partners and CIOs right now is not whether this changes the risk calculus — it clearly does — but which specific architectural choices now carry legal exposure, and which ones don't. That distinction is more nuanced than most of the coverage has acknowledged.

What Heppner Actually Held — and Why the Details Matter

Judge Rakoff's analysis in Heppner was methodical in a way that makes it highly portable to future cases. The ruling did not hold that AI use categorically destroys privilege. It held that the specific disclosure terms of the platform used determined whether the communication retained the confidentiality necessary for privilege to attach.

The three-part framework Rakoff applied:

  1. Retention: Anthropic's consumer privacy policy permitted indefinite retention of conversation data.
  2. Training use: Retained data could be used to improve Anthropic's models — a commercial purpose entirely outside the attorney-client relationship.
  3. Third-party disclosure: The policy explicitly permitted disclosure to government authorities under applicable law, eliminating any reasonable expectation of confidentiality.

Each factor independently undermined privilege. Together, they were fatal. The court analogized the situation to a lawyer dictating privileged strategy to a third-party transcription service that had contractually reserved the right to sell recordings to law enforcement. No court would protect that communication. Rakoff found no meaningful distinction here.

This is not an outlier. Federal courts issued four significant and diverging rulings on AI and privilege in Q1 2026 alone. The D. Kansas court in Jeffries v. Harcros Chemicals went further still, ordering that only 'closed' AI tools — systems that do not transmit data to external parties — could be used in discovery proceedings. That is a court directly mandating a deployment architecture by judicial order. For firms still running matters on consumer-tier AI subscriptions, that order would disqualify their entire AI workflow the moment they entered discovery.

The divergence across circuits also means this is not a problem with a single, clean answer yet. Firms operating in multiple jurisdictions are now managing a patchwork of privilege standards layered on top of an already complex AI vendor landscape. That complexity itself is a liability.

The Architecture Is the Argument

Most of the post-Heppner commentary has framed this as a binary: public AI bad, private AI good. That framing is too simple, and for sophisticated buyers, it obscures the actual decision points.

The meaningful architectural question is not where the model lives — it is where your data lives, who controls it, and what the governing terms permit. A firm that moves from ChatGPT's consumer interface to an enterprise API subscription has changed the interface, not necessarily the risk profile, if the API terms still permit data retention or training use.

Conversely, a firm running a properly architected private deployment may still use frontier models from Anthropic, OpenAI, or Google — and do so without recreating the Heppner fact pattern — if the architecture ensures that full client documents never leave firm-controlled infrastructure, and only minimized, retrieved chunks are transmitted to the model provider under zero-retention API terms.

This is the distinction that matters legally, and it is one that most AI vendor marketing obscures:

Architectural LayerConsumer/SaaS AIAPI-Only (Standard Terms)Private/Governed Architecture
Full document corpusUploaded to vendor serversOften transmitted in contextStays on firm infrastructure
Vector stores & indexesVendor-controlledVendor-controlledFirm-controlled
Retrieval & agent layerVendor-controlledVendor-controlledFirm-controlled
Prompts & query historyRetained by vendorRetained per API termsFirm-controlled, logged internally
LLM inferenceVendor serversVendor serversMinimized chunks only, under zero-retention terms
Audit logs & permissionsVendor-controlledVendor-controlledFirm-controlled
Disclosure riskHigh (Heppner risk)Medium-HighLow (by architecture)

The critical column is the last one. A private AI deployment does not have to avoid LLM providers entirely. It has to ensure that the agentic scaffolding, the retrieval and index layer, the vector stores, the permissions model, the full client document corpus, and the audit logs remain on infrastructure the firm controls — and that what reaches any external model provider is the minimum necessary context, governed by API terms the firm has reviewed and accepted.

That is not a product feature. It is a legal architecture. And after Heppner, it is the architecture that privilege doctrine is selecting for.

The 91% Problem: Firms Flying Without a Policy

If Heppner is the legal catalyst, the operational picture underneath it is genuinely alarming. 69% of legal professionals now use AI tools in their work — more than double the 31% adoption rate recorded in 2025. That is a remarkable diffusion curve for any professional tool, let alone one with unresolved privilege implications.

But the governance infrastructure has not followed the adoption curve. Only 9% of firms have a written, actively enforced AI policy. That means 91% of firms where AI is being used — likely by associates, paralegals, and partners running their own individual subscriptions — have no formal framework governing which tools are permissible, which matter types are excluded, or what the data handling requirements are.

This is not primarily a technology failure. It is a policy failure that technology can enable or constrain. The 46% of legal professionals who cite data security as their top barrier to AI adoption have the right instinct. They are sensing the risk that Heppner has now validated. But sensing a risk and having a governed response to it are different things.

For a managing partner or CIO thinking through the exposure:

  • Associate using Harvey or CoCounsel on a personal subscription for a sensitive M&A matter? Check whether the firm's enterprise agreement with that vendor covers that use, and whether the data terms are Heppner-safe.
  • Partner uploading a draft agreement to ChatGPT Plus to clean up language? Unless the firm is on an enterprise agreement with explicit zero-retention terms, that document has potentially left the firm's control.
  • Litigation team using a case search tool that also ingests matter documents for context? The question is where those ingested documents go and who can access them.

The Jeffries court order in D. Kansas is instructive here. When a court reaches into a firm's workflow and orders that only closed AI tools may be used in a specific proceeding, a firm without a pre-existing governed AI architecture has days — not months — to comply. Firms that have built the governance layer in advance are in a materially different position.

What a Privilege-Safe AI Architecture Looks Like in Practice

The Heppner framework gives us a checklist that is almost precise enough to map directly onto vendor evaluation criteria. For each AI tool or deployment a firm uses, the privilege analysis now requires answering four questions:

1. Where Does the Full Document Corpus Reside?

If you are doing AI-assisted document review, contract analysis, or litigation support, you are working with large volumes of client-privileged material. That corpus — the complete set of documents the AI can access — must be indexed, stored, and retrieved on infrastructure the firm controls. The moment that corpus lives on a vendor's servers, you have a Heppner fact: a third party with access to privileged material and their own governing terms about what they can do with it.

2. What Leaves the Firm's Infrastructure, and Under What Terms?

This is where the architecture becomes nuanced. Even a private deployment needs a frontier language model to generate useful responses. The privilege-safe version of this is: the retrieval layer identifies the specific document chunks most relevant to a query, and only those minimized chunks — not the full corpus — are sent to the model provider, under API terms that explicitly prohibit retention and training use. This is meaningfully different from uploading a full deal room to a SaaS platform.

3. Who Controls the Audit Log?

Privilege disputes are evidentiary disputes. The question of who accessed what, when, and for what purpose is exactly the kind of question a court will ask when privilege is challenged. A firm that controls its own audit logs can answer that question authoritatively. A firm whose audit logs live on a vendor's servers cannot.

4. What Do the Vendor's Terms Actually Say?

This is the Heppner question. Not what the sales team says, not what the marketing page implies — what do the operative privacy policy and data processing agreement actually permit the vendor to do with data submitted to the platform? If the answer includes retention, training, or disclosure to third parties, you have the Heppner fact pattern, and no amount of internal policy language changes that.

For firms building out their AI for law firms strategy, these four questions should be part of every vendor evaluation, not just the enterprise security questionnaire.

The Market the Ruling Has Created

Step back from the legal analysis for a moment and look at the market structure Heppner has created. You have:

  • 69% AI adoption with essentially no policy governance infrastructure
  • A binding federal precedent that converts specific vendor terms into privilege waivers
  • At least one court order explicitly mandating closed AI architecture
  • Circuit-level divergence that means the risk is jurisdiction-specific and unpredictable
  • 46% of legal professionals who already identify data security as their primary AI concern

That is a large population of sophisticated buyers who have a real, validated legal risk, a regulatory signal pointing toward a specific solution architecture, and no current solution in place. The firms that move first to build governed, private AI infrastructure are not just buying insurance against the next Heppner. They are building the compliance infrastructure that will become table stakes as courts continue to develop this doctrine.

The tools that sit in the middle of the current market — Harvey, CoCounsel, Lexis+ AI, and similar enterprise-tier platforms — have made genuine progress on data security. Enterprise agreements with these vendors typically offer better data handling terms than consumer subscriptions. But the architectural limitation remains: the full agentic scaffolding, the retrieval and indexing layer, the vector stores, and the permissions model all live on their infrastructure, not yours. When a court asks what Westlaw's servers contain about your client's merger negotiation, you are answering that question on Westlaw's terms, not your own.

The alternative is not to abandon these tools entirely — for many workflow categories, they deliver real efficiency. The alternative is to identify sovereignty-critical workloads — matters where privilege, confidentiality, or regulatory exposure makes third-party data control unacceptable — and route those workloads through infrastructure where the firm is in full control of the data layer.

That bifurcated approach — public AI for routine, low-sensitivity tasks; private architecture for privileged, sensitive, or discovery-relevant work — is the realistic operating model for a post-Heppner firm. It requires knowing which category each matter falls into, which requires exactly the kind of written, enforced AI policy that 91% of firms currently lack.


The Heppner ruling will not be the last word. The circuit split developing around AI and privilege will likely produce more divergent outcomes before appellate courts bring clarity, and bar associations are still working through the ethics guidance implications. But the direction is clear: courts are looking at the data handling terms of the AI platforms attorneys use, and they are treating those terms as determinative of whether confidentiality — and therefore privilege — survives.

For firms evaluating their AI posture right now, the right questions are architectural, not just contractual. Which workloads require your firm to control the full data layer? What do your current vendors' operative terms actually permit? And if a court in your jurisdiction issues a Jeffries-style order tomorrow, what is your compliance posture? Those answers should inform your AI infrastructure decisions before the next ruling, not after it. If you are working through that evaluation, the framework for a privilege-safe architecture is worth examining in detail — starting with the specific question of what leaves your infrastructure and under precisely what terms.

Frequently Asked Questions

Did US v. Heppner really destroy attorney-client privilege for AI-generated documents?
Yes. In US v. Heppner (S.D.N.Y., Feb. 17, 2026), Judge Rakoff ruled that documents created using Anthropic's consumer Claude were not protected by attorney-client privilege or work-product doctrine, because Anthropic's privacy policy permitted data retention, model training, and disclosure to third parties including government authorities. The defendant's own AI prompts were admitted as trial evidence, and he was convicted on all counts.
What AI tools are safe to use after the Heppner ruling?
Courts are increasingly distinguishing between 'open' AI tools with third-party data retention and 'closed' or private AI deployments where data never leaves the firm's infrastructure. The D. Kansas court in Jeffries v. Harcros Chemicals went so far as to order that only closed AI tools could be used in discovery. A private/on-premise AI architecture — where the agentic layer, document corpus, vector stores, and retrieval indexes remain on firm-controlled infrastructure — is the architecture courts are implicitly and explicitly endorsing.
Does using an LLM API instead of a consumer chatbot protect attorney-client privilege?
It depends on the architecture and the API terms. Simply switching from a consumer chatbot to an API call does not guarantee privilege protection if full client documents are transmitted to the model provider and retained. The privilege-safe approach is architectural: keep the full document corpus, retrieval layer, and agent scaffolding on firm-controlled infrastructure, and send only the minimized retrieved chunks necessary to answer a query — under API terms that explicitly prohibit training on and retention of that data.

Related Articles

R
RAGbase Legal Research Team
Research

RAGbase Legal builds proprietary AI systems for law firms — deployed on the firm's own infrastructure, zero data retention, full code ownership. 80+ enterprise deployments.

See How RAGbase Legal Works on Your Data

Free 3-5 day proof of concept. Your data, your infrastructure, working results.