On February 17, 2026, Judge Jed Rakoff of the Southern District of New York did something that no ethics CLE, bar association guidance, or law firm AI policy had managed to accomplish in three years of legal AI hype: he made the data-security risk concrete. In US v. Heppner, the defendant's own prompts — typed into Anthropic's consumer Claude — were admitted as evidence at trial. He was convicted on all counts. The privilege was gone not because of a leak, a hack, or a rogue associate. It was gone because Anthropic's privacy policy said it could retain data, use it for model training, and disclose it to third parties, including government authorities. That was enough.
The ruling landed like a circuit breaker across the legal tech industry. But the more important question for managing partners and CIOs right now is not whether this changes the risk calculus — it clearly does — but which specific architectural choices now carry legal exposure, and which ones don't. That distinction is more nuanced than most of the coverage has acknowledged.
What Heppner Actually Held — and Why the Details Matter
Judge Rakoff's analysis in Heppner was methodical in a way that makes it highly portable to future cases. The ruling did not hold that AI use categorically destroys privilege. It held that the specific disclosure terms of the platform used determined whether the communication retained the confidentiality necessary for privilege to attach.
The three-part framework Rakoff applied:
- Retention: Anthropic's consumer privacy policy permitted indefinite retention of conversation data.
- Training use: Retained data could be used to improve Anthropic's models — a commercial purpose entirely outside the attorney-client relationship.
- Third-party disclosure: The policy explicitly permitted disclosure to government authorities under applicable law, eliminating any reasonable expectation of confidentiality.
Each factor independently undermined privilege. Together, they were fatal. The court analogized the situation to a lawyer dictating privileged strategy to a third-party transcription service that had contractually reserved the right to sell recordings to law enforcement. No court would protect that communication. Rakoff found no meaningful distinction here.
This is not an outlier. Federal courts issued four significant and diverging rulings on AI and privilege in Q1 2026 alone. The D. Kansas court in Jeffries v. Harcros Chemicals went further still, ordering that only 'closed' AI tools — systems that do not transmit data to external parties — could be used in discovery proceedings. That is a court directly mandating a deployment architecture by judicial order. For firms still running matters on consumer-tier AI subscriptions, that order would disqualify their entire AI workflow the moment they entered discovery.
The divergence across circuits also means this is not a problem with a single, clean answer yet. Firms operating in multiple jurisdictions are now managing a patchwork of privilege standards layered on top of an already complex AI vendor landscape. That complexity itself is a liability.
The Architecture Is the Argument
Most of the post-Heppner commentary has framed this as a binary: public AI bad, private AI good. That framing is too simple, and for sophisticated buyers, it obscures the actual decision points.
The meaningful architectural question is not where the model lives — it is where your data lives, who controls it, and what the governing terms permit. A firm that moves from ChatGPT's consumer interface to an enterprise API subscription has changed the interface, not necessarily the risk profile, if the API terms still permit data retention or training use.
Conversely, a firm running a properly architected private deployment may still use frontier models from Anthropic, OpenAI, or Google — and do so without recreating the Heppner fact pattern — if the architecture ensures that full client documents never leave firm-controlled infrastructure, and only minimized, retrieved chunks are transmitted to the model provider under zero-retention API terms.
This is the distinction that matters legally, and it is one that most AI vendor marketing obscures:
| Architectural Layer | Consumer/SaaS AI | API-Only (Standard Terms) | Private/Governed Architecture |
|---|---|---|---|
| Full document corpus | Uploaded to vendor servers | Often transmitted in context | Stays on firm infrastructure |
| Vector stores & indexes | Vendor-controlled | Vendor-controlled | Firm-controlled |
| Retrieval & agent layer | Vendor-controlled | Vendor-controlled | Firm-controlled |
| Prompts & query history | Retained by vendor | Retained per API terms | Firm-controlled, logged internally |
| LLM inference | Vendor servers | Vendor servers | Minimized chunks only, under zero-retention terms |
| Audit logs & permissions | Vendor-controlled | Vendor-controlled | Firm-controlled |
| Disclosure risk | High (Heppner risk) | Medium-High | Low (by architecture) |
The critical column is the last one. A private AI deployment does not have to avoid LLM providers entirely. It has to ensure that the agentic scaffolding, the retrieval and index layer, the vector stores, the permissions model, the full client document corpus, and the audit logs remain on infrastructure the firm controls — and that what reaches any external model provider is the minimum necessary context, governed by API terms the firm has reviewed and accepted.
That is not a product feature. It is a legal architecture. And after Heppner, it is the architecture that privilege doctrine is selecting for.
The 91% Problem: Firms Flying Without a Policy
If Heppner is the legal catalyst, the operational picture underneath it is genuinely alarming. 69% of legal professionals now use AI tools in their work — more than double the 31% adoption rate recorded in 2025. That is a remarkable diffusion curve for any professional tool, let alone one with unresolved privilege implications.
But the governance infrastructure has not followed the adoption curve. Only 9% of firms have a written, actively enforced AI policy. That means 91% of firms where AI is being used — likely by associates, paralegals, and partners running their own individual subscriptions — have no formal framework governing which tools are permissible, which matter types are excluded, or what the data handling requirements are.
This is not primarily a technology failure. It is a policy failure that technology can enable or constrain. The 46% of legal professionals who cite data security as their top barrier to AI adoption have the right instinct. They are sensing the risk that Heppner has now validated. But sensing a risk and having a governed response to it are different things.
For a managing partner or CIO thinking through the exposure:
- Associate using Harvey or CoCounsel on a personal subscription for a sensitive M&A matter? Check whether the firm's enterprise agreement with that vendor covers that use, and whether the data terms are Heppner-safe.
- Partner uploading a draft agreement to ChatGPT Plus to clean up language? Unless the firm is on an enterprise agreement with explicit zero-retention terms, that document has potentially left the firm's control.
- Litigation team using a case search tool that also ingests matter documents for context? The question is where those ingested documents go and who can access them.
The Jeffries court order in D. Kansas is instructive here. When a court reaches into a firm's workflow and orders that only closed AI tools may be used in a specific proceeding, a firm without a pre-existing governed AI architecture has days — not months — to comply. Firms that have built the governance layer in advance are in a materially different position.
What a Privilege-Safe AI Architecture Looks Like in Practice
The Heppner framework gives us a checklist that is almost precise enough to map directly onto vendor evaluation criteria. For each AI tool or deployment a firm uses, the privilege analysis now requires answering four questions:
1. Where Does the Full Document Corpus Reside?
If you are doing AI-assisted document review, contract analysis, or litigation support, you are working with large volumes of client-privileged material. That corpus — the complete set of documents the AI can access — must be indexed, stored, and retrieved on infrastructure the firm controls. The moment that corpus lives on a vendor's servers, you have a Heppner fact: a third party with access to privileged material and their own governing terms about what they can do with it.
2. What Leaves the Firm's Infrastructure, and Under What Terms?
This is where the architecture becomes nuanced. Even a private deployment needs a frontier language model to generate useful responses. The privilege-safe version of this is: the retrieval layer identifies the specific document chunks most relevant to a query, and only those minimized chunks — not the full corpus — are sent to the model provider, under API terms that explicitly prohibit retention and training use. This is meaningfully different from uploading a full deal room to a SaaS platform.
3. Who Controls the Audit Log?
Privilege disputes are evidentiary disputes. The question of who accessed what, when, and for what purpose is exactly the kind of question a court will ask when privilege is challenged. A firm that controls its own audit logs can answer that question authoritatively. A firm whose audit logs live on a vendor's servers cannot.
4. What Do the Vendor's Terms Actually Say?
This is the Heppner question. Not what the sales team says, not what the marketing page implies — what do the operative privacy policy and data processing agreement actually permit the vendor to do with data submitted to the platform? If the answer includes retention, training, or disclosure to third parties, you have the Heppner fact pattern, and no amount of internal policy language changes that.
For firms building out their AI for law firms strategy, these four questions should be part of every vendor evaluation, not just the enterprise security questionnaire.
The Market the Ruling Has Created
Step back from the legal analysis for a moment and look at the market structure Heppner has created. You have:
- 69% AI adoption with essentially no policy governance infrastructure
- A binding federal precedent that converts specific vendor terms into privilege waivers
- At least one court order explicitly mandating closed AI architecture
- Circuit-level divergence that means the risk is jurisdiction-specific and unpredictable
- 46% of legal professionals who already identify data security as their primary AI concern
That is a large population of sophisticated buyers who have a real, validated legal risk, a regulatory signal pointing toward a specific solution architecture, and no current solution in place. The firms that move first to build governed, private AI infrastructure are not just buying insurance against the next Heppner. They are building the compliance infrastructure that will become table stakes as courts continue to develop this doctrine.
The tools that sit in the middle of the current market — Harvey, CoCounsel, Lexis+ AI, and similar enterprise-tier platforms — have made genuine progress on data security. Enterprise agreements with these vendors typically offer better data handling terms than consumer subscriptions. But the architectural limitation remains: the full agentic scaffolding, the retrieval and indexing layer, the vector stores, and the permissions model all live on their infrastructure, not yours. When a court asks what Westlaw's servers contain about your client's merger negotiation, you are answering that question on Westlaw's terms, not your own.
The alternative is not to abandon these tools entirely — for many workflow categories, they deliver real efficiency. The alternative is to identify sovereignty-critical workloads — matters where privilege, confidentiality, or regulatory exposure makes third-party data control unacceptable — and route those workloads through infrastructure where the firm is in full control of the data layer.
That bifurcated approach — public AI for routine, low-sensitivity tasks; private architecture for privileged, sensitive, or discovery-relevant work — is the realistic operating model for a post-Heppner firm. It requires knowing which category each matter falls into, which requires exactly the kind of written, enforced AI policy that 91% of firms currently lack.
The Heppner ruling will not be the last word. The circuit split developing around AI and privilege will likely produce more divergent outcomes before appellate courts bring clarity, and bar associations are still working through the ethics guidance implications. But the direction is clear: courts are looking at the data handling terms of the AI platforms attorneys use, and they are treating those terms as determinative of whether confidentiality — and therefore privilege — survives.
For firms evaluating their AI posture right now, the right questions are architectural, not just contractual. Which workloads require your firm to control the full data layer? What do your current vendors' operative terms actually permit? And if a court in your jurisdiction issues a Jeffries-style order tomorrow, what is your compliance posture? Those answers should inform your AI infrastructure decisions before the next ruling, not after it. If you are working through that evaluation, the framework for a privilege-safe architecture is worth examining in detail — starting with the specific question of what leaves your infrastructure and under precisely what terms.
Frequently Asked Questions
Did US v. Heppner really destroy attorney-client privilege for AI-generated documents?
What AI tools are safe to use after the Heppner ruling?
Does using an LLM API instead of a consumer chatbot protect attorney-client privilege?
Related Articles
Heppner v. United States: Why Your Firm's AI Infrastructure Now Determines Privilege
The SDNY ruling that changes how every law firm should think about AI — Judge Rakoff held that documents generated using consumer AI chatbots are not protected by attorney-client privilege.
Your AI Vendor's Moat Is Your Data. Here's How to Take It Back.
How SaaS AI vendors build competitive moats from your firm's usage data — the shared learning paradox, the dilution problem, and why proprietary AI keeps the compounding advantage with you.
AI for Law Firms in 2026: The Complete Guide to Choosing, Deploying, and Owning Legal AI
Comprehensive guide to AI adoption for law firms in 2026 — agentic AI, proprietary vs SaaS, privilege implications, pricing, and the ownership model.
98% of AmLaw 200 Firms Use AI — But Most Still Can't Search Their Own Files
98% AI adoption, but most law firms still can't search their own institutional knowledge. The gap between external AI tools and internal document access — and how to close it.
RAGbase Legal builds proprietary AI systems for law firms — deployed on the firm's own infrastructure, zero data retention, full code ownership. 80+ enterprise deployments.
See How RAGbase Legal Works on Your Data
Free 3-5 day proof of concept. Your data, your infrastructure, working results.