This is not legal advice. It is a technical and architectural explainer for firms evaluating AI workflows. Whether a specific use waives privilege in your jurisdiction depends on the facts and your rules of professional conduct. Talk to your own counsel and your bar's guidance before relying on any AI workflow for privileged matters.
We build AI integrations for law firms, including open-source connectors that let Claude work inside Clio and MyCase. The most common question we get is no longer "what can it do?" It is "did the recent rulings just make this a malpractice risk?" That question got sharper in February 2026, when two courts answered it and did not agree.
The instinct after reading either headline is to overcorrect. Ban it, or ignore it. Neither is right, because the two cases together tell a more precise story than either tells alone.
United States v. Heppner: the outputs were not privileged
In United States v. Heppner, decided in the Southern District of New York by Judge Jed Rakoff, a criminal defendant had received a grand jury subpoena and retained counsel. On his own, he then used a consumer version of an AI assistant to research the matter. He typed in things he had learned from his attorneys, generated reports outlining defense strategy and arguments on the facts and the law, and later shared those reports with his lawyers.
The court held that those AI-generated materials were not protected. The reasoning had two parts. The attorney-client privilege did not apply because the communications were not confidential. The work product doctrine did not apply because the work was not done at the direction of counsel. It is widely described as the first ruling to find that interactions with a publicly accessible AI tool, based on prompts containing privileged information, are not themselves privileged.
Read carefully, the ruling is narrower than the panic around it. The problem was not "he used AI." The problem was a specific combination: a consumer surface, prompts that exposed privileged information without a confidentiality framework, and a defendant generating strategy on his own rather than counsel directing the work.
Warner v. Gilbarco: the work product was protected
The same week, in Warner v. Gilbarco, Inc., the Eastern District of Michigan went the other way on work product. There, a self-represented plaintiff in an employment dispute acknowledged using a public AI chatbot to help draft her filings. The defendant moved to compel broad discovery of everything related to her AI use.
The court refused. It held that using a generative AI tool did not waive work product protection, on the reasoning that AI platforms are "tools, not persons," so disclosing information to them is not disclosure to an adversary. Because she was preparing materials in anticipation of litigation, the work product protection held.
If you only read Heppner, you would conclude AI is radioactive. If you only read Warner, you would conclude it is fine. The honest reading is that they are not actually in conflict about the underlying principle. They are applying the same factors to very different facts.
What actually separated the two
Line the cases up and the dividing lines are not subtle.
| Factor | Heppner (not protected) | Warner (protected) |
|---|---|---|
| Directed by counsel? | No, the defendant acted on his own | It was the litigant's own litigation prep |
| Confidentiality maintained? | No, the court found the communications not confidential | Treated as use of a tool, not disclosure to an adversary |
| Which protection? | Privilege and work product, both failed | Work product, upheld |
| Core question | Was the communication confidential and counsel-directed? | Was it prepared in anticipation of litigation? |
The takeaway is the same one that has always governed privilege and work product. It just now applies to a new surface. Protection follows confidentiality, counsel direction, and litigation purpose. It does not attach or detach because the word "AI" is involved. The model is not the variable. The process and the surface are.
The questions to answer before client data touches a model
If protection follows confidentiality, direction, and purpose, then an AI workflow should be designed around those three things. These questions are vendor-neutral. They apply whether you are using a consumer chat plan, an enterprise plan, a provider's API, or a self-hosted setup.
1. Is the surface confidential, or is it consumer chat?
A consumer chat tier and a controlled API workflow can run the identical model and still carry very different confidentiality properties. Consumer tiers generally retain conversation data under their own policies and are not built around legal confidentiality. The relevant questions are whether your prompts are retained, for how long, whether they can be used to train a model, and who can access them. Heppner turned in part on the communications not being confidential. The surface you pick is the first place confidentiality is won or lost.
2. Is the work directed and supervised by counsel?
Heppner's work product holding failed because the defendant generated strategy independently. A workflow where counsel frames the task, reviews the output, and treats the AI as an instrument of legal work sits on the right side of that line. Mandatory human verification of AI output is not just good practice, it is the spine of ABA Formal Opinion 512 and most state bar guidance. Build the human gate in. Do not bolt it on.
3. Is the purpose, and the process, documented?
Warner held because the materials were prepared in anticipation of litigation. If your AI use is part of delivering legal advice or preparing for a matter, that purpose should be reflected in how the workflow is set up and recorded. A short, contemporaneous record of what tool was used, under what terms, and that counsel directed and reviewed it is cheap insurance against a later discovery fight.
4. Where does the data go, and what stays behind?
Confidentiality is not only about who can read a prompt today. It is about what is stored and where. A workflow built on an API with a zero-data-retention arrangement leaves nothing on a third-party server after the request. That is a stronger confidentiality posture than a chat tier that keeps a transcript. Retention and residency are separate questions from training, and for privileged data you generally want all of them controlled.
The one-line version: Neither court punished the use of AI. Heppner punished unconfidential, undirected use on a consumer surface. Warner protected counsel-purposed use of AI as a tool. Design for confidentiality, direction, and documented purpose, and the surface follows.
What this does not mean
It does not mean a consumer chat plan is automatically a waiver in every case. Warner shows it can survive. It does not mean an enterprise plan or API is automatically safe either; if counsel never directs or reviews the work, the Heppner problem can recur on any surface. And it does not resolve every open question. Courts are still working out the frameworks, and reasonable practitioners are writing that Heppner and Warner reached defensible results through different doctrines, which is its own warning that this area is unsettled.
What it does mean is that "should we use AI" is the wrong question. The right one is "how do we use it so that confidentiality, counsel direction, and litigation purpose are preserved." That is an architecture and process question, and it has good answers.
The short version
- Two federal courts ruled on AI and privilege in the same week of February 2026 and reached opposite results.
- Heppner: consumer-tier, undirected, unconfidential use, not protected.
- Warner: AI treated as a tool, used in anticipation of litigation, work product protected.
- The outcome turned on confidentiality, counsel direction, and purpose, not on the use of AI itself.
- Design workflows around a confidential surface, a human verification gate, documented purpose, and controlled retention.
Frequently asked questions
Does using ChatGPT or Claude waive attorney-client privilege?
Not automatically. In United States v. Heppner (S.D.N.Y., February 2026) the court held a defendant's outputs from a consumer AI tool were not privileged, because the communications were not confidential and were not directed by counsel. In Warner v. Gilbarco (E.D. Mich., February 2026) the court protected work product, treating the AI as a tool used in anticipation of litigation. The dividing lines were confidentiality, counsel direction, and exposure to a third party, not the use of AI itself.
What separated Heppner from Warner?
In Heppner, a criminal defendant used a consumer tool on his own, without counsel directing the work, and put privileged information into it. No privilege, no work product. In Warner, a self-represented plaintiff used a public chatbot to prepare litigation filings, and the court held work product still applied because an AI platform is a tool, not a person. How the tool was used governed the outcome.
How can a firm use AI without waiving privilege?
Design around the three factors the courts cared about. Keep the work confidential, which means controlling exposure and retention rather than using a consumer chat tier. Keep it directed and supervised by counsel, with human verification on every output. Document that it was part of preparing legal advice or litigation materials. In practice that points toward a controlled API workflow with zero data retention, consistent with ABA Formal Opinion 512 and state bar guidance.
Is a consumer AI chat plan safe for client data?
It depends on the plan's confidentiality and retention terms, which was central to Heppner. Consumer tiers typically retain conversation data and are not designed around legal confidentiality. A controlled API workflow with a zero-data-retention arrangement, used under counsel's direction, is a materially different risk profile even with the identical model underneath.
Designing an AI workflow you can defend?
We build AI integrations for legal and healthcare firms, with confidentiality, retention, and human verification designed in from the start rather than bolted on. If you want a straight technical answer on what a defensible setup looks like for your firm, not a sales pitch, we are happy to walk through it. Simple integrations start at $1,700; custom builds run $17K to $53K depending on scope.
Book a 30-minute architecture call →
Related reading from our legal-tech practice: