Back to Blog
By Anil Konur
May 27, 2026

When Your AI Chat Becomes Evidence: Discovery, Privilege, and the Case for Controlling Your Own Data

Two early-2026 federal rulings just redrew the line between a convenient AI prompt and a discoverable document — and the deciding factors are all things law firms can control in advance.

Two early-2026 federal rulings just redrew the line between a convenient AI prompt and a discoverable document

In February 2026, two federal courts reached opposite conclusions on the same question: are documents a person creates with an AI chatbot protected from discovery? The deciding factors weren't about the technology itself — they were about who directed the work, whether the tool's data-handling terms preserved confidentiality, and whether the material ever reached an adversary. The practical lesson for law firms is blunt: treat anything typed into a public, consumer AI tool as potentially discoverable, and start treating your choice of AI tooling as a data-governance decision, not a convenience one. Local and private LLMs are one answer. They are not the only one — and not always the right one.

The Konur Consulting take: The headlines say "AI chats can be used against you." The real story is quieter and more useful: courts are applying old rules — attorney-client privilege and work product — to a new tool, and the rules turn on data control and counsel direction. That makes this a governance problem before it's a technology problem. Firms that can document how their AI handles client data will be fine. Firms that can't will be explaining their chat history to opposing counsel.

Why this matters

Discovery is the part of litigation where each side must hand over relevant, non-privileged information. For decades, the cardinal rule was simple: don't put anything in an email you wouldn't want read aloud in court. That rule now extends to AI prompts.

Generative AI has quietly become a first stop for legal-flavored questions — is this clause enforceable, how do I respond to this demand letter, what should I say in this investigation. When a lawyer, a client, or a client's staff types those questions into a public chatbot, they may be creating a record. And in early 2026, courts started ruling on whether that record is fair game.

The answer, so far, is: it depends entirely on how the tool was used.

The four truths the 2026 rulings establish

  • Public AI chatbot use can strip away confidentiality — and with it, privilege. In United States v. Heppner (S.D.N.Y., Feb. 17, 2026), a former CEO under criminal investigation used a public AI chatbot to prepare roughly 31 documents about his own case. Judge Jed Rakoff held they were protected by neither attorney-client privilege nor the work product doctrine. A central reason: the tool's privacy policy permitted data collection, use for model training, and disclosure to third parties — including government regulators. The court reasoned that a user cannot expect confidentiality from a service that retains and may disclose their inputs.

  • Sharing AI output with your lawyer afterward does not retroactively protect it. The Heppner court was explicit that non-privileged communications are not "alchemically" transformed into privileged ones simply by later forwarding them to counsel. If it wasn't protected when created, looping in your attorney later doesn't fix it.

  • Counsel direction is the hinge. The same court noted that had counsel directed the defendant to use the tool, the analysis "might arguably" have come out differently — the AI could have functioned as an agent of the lawyer. Work product protection, in particular, attaches to materials prepared by or at the behest of counsel in anticipation of litigation. Self-initiated AI use by a client, with no lawyer in the loop, generally fails that test.

  • The protection is not automatic — but it is not hopeless either. A week before Heppner, in Warner v. Gilbarco, Inc. (E.D. Mich., Feb. 10, 2026), a self-represented litigant used a chatbot to prepare litigation materials, and the court denied the motion to compel — finding work product protection applied. The distinction: attorney-client privilege is waived by disclosure to almost any third party, but work product protection is waived only by disclosure to an adversary or in a way likely to reach one. Using an AI tool, by itself, didn't hand the material to the other side.

Taken together, these decisions don't invent new law. They confirm that courts are treating AI-generated materials as ordinary evidence subject to ordinary discovery rules. That should be reassuring and sobering in equal measure.

Reading the operating model behind the rulings

Strip away the case captions and a pattern emerges. The factors courts are weighing are all things a firm can control in advance:

  • Was the tool public or enterprise-grade? The confidentiality analysis in Heppner turned heavily on a consumer tool's data-retention and disclosure terms. An enterprise tool with contractual restrictions on retention and training presents a materially different fact pattern. (Worth noting: in Heppner the consumer-tier terms of a specific platform were what the court examined — enterprise and API agreements for the same vendors often carry very different data commitments.)

  • Was use directed and documented by counsel? A lawyer-directed workflow has a privilege and work-product argument a self-serve one does not.

  • Where did the data go, and who could see it? Retention, training use, sub-processor disclosure, and the realistic path to an adversary are the variables that decide the outcome.

Every one of those is a data-governance question. None of them is really about whether AI is "good" or "bad" for legal work.

This is also where the state-level layer comes in. The courtroom rulings above are federal, but the ethics rules vary by state and are moving fast. The ABA's Formal Opinion 512 set a national baseline on competence and confidentiality. California is weighing a rule amendment that would treat inputting client information into an AI tool as a revelation of confidential information where there's a material risk the system or its other users could access, retain, or use that data. Florida's Opinion 24-1 permits AI use but requires protecting confidentiality and disclosing AI's impact on billing. Texas (Opinion 705) and New York (Formal Opinion 2025-6) have added guidance on human oversight and on AI transcription of client meetings. The throughline across all of them is the same as the courts': you are responsible for where your clients' data goes.

Is a local or private LLM the answer?

It can be. Vendors are now marketing private deployments to firms precisely on this risk — on-premises, air-gapped, private-cloud, or hybrid hosting that keeps prompts and outputs inside the firm's own perimeter so client data never traverses a third party's servers. For firms handling especially sensitive matters, that architecture cleanly resolves the confidentiality problem the Heppner court flagged.

But local hosting is one option among several, not a default answer — and for many firms it's the most expensive and operationally heavy one. The same confidentiality objective can often be met with enterprise-grade AI under the right contractual and security controls:

  • Zero-data-retention agreements with the underlying model provider, confirmed in writing, not just claimed as policy.
  • No training on client data — get the answer contractually.
  • Recognized security certifications — SOC 2 Type 2 as the baseline, ideally ISO 27001, with encryption in transit and at rest and enforced multi-factor authentication.
  • Data residency and access controls — knowing where data is processed, and who inside and outside the firm can reach it.

In other words, the question a firm should ask is not "should we go local?" but "can we prove how our AI handles client data — and would that proof survive a motion to compel or a bar inquiry?" Local LLMs are one way to answer yes. A properly vetted enterprise tool is another. An unvetted consumer chatbot is how you answer no.

What to do Monday

  • Inventory the tools already in use. Lawyers and staff are very likely using consumer AI today, whether or not the firm sanctioned it. You can't govern what you haven't found.
  • Draw a bright line on consumer tools. No client facts, matter details, strategy notes, draft timelines, or witness summaries go into a public chatbot. Treat those inputs as if they could be produced in discovery — because they might be.
  • Route sanctioned AI use through counsel. Where AI assists litigation work, make the direction explicit and documented so the work-product argument is available if you ever need it.
  • Run real vendor diligence. Before adopting any AI tool, get written answers on data retention, training use, sub-processors, certifications, and data residency. This is a security review, not a procurement formality.
  • Write the policy down. A short, enforced AI governance policy — tool selection, confidential-data handling, counsel's role — is both an ethics safeguard and the document you'll be glad to have if a court or a client ever asks how you handle their data.

FAQ

Is ChatGPT (or any AI chatbot) discoverable in litigation?

It can be. In United States v. Heppner (2026), a federal court ordered production of documents a defendant created with a public AI chatbot, finding they were not privileged. Whether AI material is discoverable depends on how it was created and the tool's data-handling terms — not on a blanket rule.

Does attorney-client privilege protect what I type into an AI tool?

Generally no, for public consumer tools. Privilege protects confidential communications between a client and attorney for legal advice. A public chatbot is a third party, its disclaimers say it isn't giving legal advice, and its data policies often defeat any expectation of confidentiality.

If I share the AI's output with my lawyer, is it protected then?

No. Courts have held that non-privileged material doesn't become privileged just because you later share it with counsel. Protection generally has to exist at the moment of creation.

Can AI-assisted work ever be protected?

Yes. In Warner v. Gilbarco (2026), work product protection was upheld for materials a litigant prepared with AI, because they weren't disclosed to an adversary. And work directed by counsel, using a tool with strong confidentiality controls, stands a far better chance of protection.

Do we have to host our own local LLM to be safe?

Not necessarily. A local or private LLM is one strong option, but enterprise AI tools with zero-data-retention terms, no-training commitments, and SOC 2 / ISO 27001 controls can meet the same confidentiality goal. The right answer depends on your matters, budget, and risk tolerance.

What does our state bar require?

It varies and is changing quickly. The ABA's Opinion 512 is the national baseline; California, Florida, Texas, and New York have issued more specific guidance. All of them center on the same duty: protecting client confidentiality and understanding where your data goes.

This article is for general information and is not legal advice. Case outcomes turn on their specific facts, and the law in this area is developing rapidly.

Sources