AI Discovery Privilege

State of play.

• Judge Rakoff's Heppner ruling is the anchor case. The SDNY held in United States v. Heppner that a client's unattended use of Anthropic's Claude destroyed both attorney-client privilege and work product protection — on three independent grounds: Claude is not a lawyer, Anthropic's terms of service eliminate any reasonable expectation of confidentiality, and the documents were not prepared at counsel's direction (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner, Federal Court Rules AI Chatbot Communications Not Protected by Attorney-Client Privilege).
• A direct circuit-level split is already forming at the district court level. Warner v. Gilbarco (E.D. Mich.) reached the opposite conclusion days after Heppner, shielding a pro se plaintiff's ChatGPT-assisted materials as opinion work product and treating AI as a neutral tool — not a third party capable of waiving privilege (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• Federal courts are now amending protective orders to regulate AI tool architecture. Morgan v. V2X, Inc. (D. Colo.) and Jeffries v. Harcros Chemicals, Inc. (D. Kan.) establish the first judicial models — one requiring contractual data-retention prohibitions on any AI tool touching confidential materials, the other banning submission of any discovery materials into open or public AI systems .
• England and Wales courts are moving in parallel. A UK Upper Tribunal ruling has found that uploading documents to public AI systems constitutes privilege waiver, and the judiciary's PD 57AD working group is actively soliciting industry feedback on AI disclosure parameters — with formal guidance expected .
• For counsel advising litigation clients or enterprise AI deployers, the practical baseline is that consumer AI platform use by clients — without attorney direction — now carries documented privilege-waiver risk across multiple federal courts, and existing protective orders almost certainly lack the AI-specific language courts are beginning to require.

Where things stand.

• The Heppner framework turns on three variables: who used the tool, under whose direction, and what the platform's terms of service permit. Rakoff explicitly reserved judgment on whether attorney-directed AI use could preserve privilege by positioning the platform as counsel's agent — leaving that question open for the next case (→ Federal Court Rules AI Chatbot Communications Not Protected by Attorney-Client Privilege, SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• AI-generated materials and prompts are treated as standard ESI under FRCP 26. Courts have applied relevance and proportionality analysis without carving out AI-specific exemptions; In re OpenAI Copyright Infringement Litigation compelled production of millions of anonymized user prompts under ordinary discovery rules .
• The open/closed system distinction is now legally operative. Jeffries draws a hard line between open/public AI tools (banned for any discovery materials) and closed/enterprise systems (permitted) — a distinction that did not exist in standard protective order templates before March 2026 .
• Existing protective orders in most jurisdictions have a structural gap. California model orders, for example, address disclosure recipients but say nothing about AI tools or their underlying data architecture — creating exposure in every active matter where AI is being used for document review or analysis .
• The Warner v. Gilbarco counterweight matters for work product specifically. The Michigan magistrate's "neutral tool" framing — analogizing AI to word processors — is the strongest available argument for protecting attorney-supervised AI outputs, but it has not been tested at the circuit level (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• Hit-report obligations are not automatic. The Eastern District of California held in United Farm Workers v. Noem that facially overbroad search terms do not trigger a duty to produce hit reports, shifting the burden to requesting parties to propose tailored searches before demanding proportionality data .
• No federal statute or rule amendment has codified AI privilege or discoverability standards. Proposed Rule of Evidence 707 addresses AI evidence reliability but has not been enacted; the field is developing entirely through case-by-case judicial interpretation .
• The legal tech market is responding to the privilege risk environment. Enterprise AI platforms with negotiated confidentiality protections are attracting investment — Haast secured new venture funding, LegalMation has processed over 1.1 million litigation requests — as firms seek tools that can withstand the open/closed scrutiny courts are now applying .

Latest developments.

• Morgan v. V2X and Jeffries v. Harcros establish the first judicial models for AI-specific protective order language, distinguishing open from closed systems and requiring contractual data-retention prohibitions .
• Comprehensive practitioner analysis of Heppner confirms the ruling does not categorically waive privilege for all AI use — only unattended consumer platform use by non-attorneys — but flags GDPR and CCPA exposure for companies feeding confidential data into public tools (→ Federal Court Rules AI Chatbot Communications Not Protected by Attorney-Client Privilege).
• United Farm Workers v. Noem (E.D. Cal.) holds that defendants have no obligation to generate hit reports for facially overbroad search terms, rebalancing e-discovery leverage toward producing parties .
• The Heppner/Warner split is now the central unresolved question in AI privilege law — two federal courts reaching opposite conclusions on whether AI functions as a third party or a neutral tool (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• England and Wales PD 57AD working group is soliciting industry feedback on AI disclosure parameters; a UK Upper Tribunal ruling has already found public AI uploads constitute privilege waiver .
• A consolidated framework for AI discoverability across Heppner, In re OpenAI, Concord Music Group v. Anthropic, and Tremblay v. OpenAI establishes that AI prompts and outputs are standard ESI subject to FRCP 26 without privilege carve-outs .
• A third court has addressed AI privilege and protective order issues, adding to the developing body of district court authority .
• Legal tech investment in enterprise AI platforms is accelerating as firms seek tools that satisfy the open/closed system distinction courts are now enforcing .

Active questions and open splits.

• Does attorney direction of AI use preserve privilege? Heppner explicitly reserves this question — Rakoff acknowledged the analysis might differ if counsel directed the AI use, potentially treating the platform as counsel's agent. No court has yet answered it (→ Federal Court Rules AI Chatbot Communications Not Protected by Attorney-Client Privilege, SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• Third party or neutral tool — which framing governs work product? Heppner treats Claude as a third party destroying confidentiality; Warner v. Gilbarco treats ChatGPT as a neutral tool like a word processor. The split is unresolved at the circuit level and will determine whether attorney-supervised AI outputs can be protected as opinion work product (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• What contractual terms are sufficient to preserve confidentiality under an enterprise AI deployment? Morgan v. V2X requires contractual prohibitions on data storage, model training, and third-party sharing with on-demand deletion — but no court has yet tested whether a specific enterprise agreement satisfies that standard .
• Do existing protective orders require amendment in every active matter? The gap identified in California model orders — and implicitly in most jurisdictions — raises the question of whether counsel have an affirmative obligation to seek amendment when AI tools are in use, and what the consequence of failing to do so is .
• What is the scope of waiver when a client feeds attorney communications into a public AI tool? Heppner ordered disclosure of the AI outputs and the underlying attorney communications. Whether the waiver extends further — to all communications on the same subject matter — has not been resolved (→ SDNY Rules AI Tools Waive Privilege in US v. Heppner).
• How will courts treat AI use in internal investigations? Companies routinely use AI to process documents in internal investigations before counsel involvement. Whether that use — and the resulting outputs — is discoverable and whether privilege can attach is unaddressed by the current case law (→ Federal Court Rules AI Chatbot Communications Not Protected by Attorney-Client Privilege).
• Will the UK PD 57AD reforms impose cooperation obligations on AI parameters that US courts will look to as persuasive authority? The England and Wales working group is the most structured judicial rulemaking effort on AI disclosure globally; its output may influence US judicial thinking before any federal rule amendment .

What to watch.

• Any appellate court — Second Circuit most likely given Heppner — taking up the attorney-direction question or the third-party-versus-neutral-tool split; that ruling will set the framework for all subsequent AI privilege disputes.
• Whether courts begin requiring parties to disclose AI tool use and platform terms of service as part of Rule 26(f) conferences, formalizing what is currently an informal practice.
• The England and Wales PD 57AD working group's publication of findings and proposed rule amendments — the first formal judicial rulemaking on AI disclosure parameters in any major common law jurisdiction.
• Whether any court extends Heppner-style waiver analysis to corporate internal investigations where AI processed documents before counsel engagement.
• Motions practice testing whether specific enterprise AI agreements — Azure GPT-4, Harvey, and similar platforms with negotiated data protections — satisfy the Morgan v. V2X contractual standard for use with confidential discovery materials.
• State bar ethics opinions on attorney obligations when clients have already used public AI tools with privileged information — a gap that bar counsel are beginning to address.