TL;DR: Attorney-client privilege and the broader duty of confidentiality are related but distinct, and AI tools implicate both. Used carefully, routing client material through a vendor that does not train on your data and controls access does not waive privilege. The risk lives in the details - training on inputs, sub-processors, and who can see your files. This guide explains the reasonable-efforts standard and the diligence questions to ask before you upload.
Few questions make lawyers more nervous about AI than this one: if I paste a client's contract or facts into an AI tool, have I just handed privileged information to a third party? It is the right instinct and the wrong framing. The real analysis turns on two separate duties - the evidentiary privilege that protects confidential lawyer-client communications from compelled disclosure, and the far broader ethical duty of confidentiality under the rules of professional conduct. Understanding how each applies to AI is the difference between using these tools defensibly and avoiding them out of vague fear.
What is the difference between privilege and the duty of confidentiality?
Attorney-client privilege is a rule of evidence. It protects confidential communications between a lawyer and client made for the purpose of seeking or giving legal advice, and it shields those communications from compelled disclosure in litigation. It is narrow, it can be waived, and it belongs to the client. The duty of confidentiality is much broader. Under the American Bar Association's Model Rule 1.6, a lawyer must not reveal information relating to the representation of a client - whatever its source - unless the client gives informed consent or an exception applies. That duty covers everything you learn about a matter, not just privileged communications, and it applies all the time, not only in court.
The distinction matters for AI because the two duties fail in different ways. You can breach confidentiality without waiving privilege, and you can waive privilege over material that was never especially sensitive. When you evaluate an AI tool, you are really asking two questions at once: could using this tool be treated as a disclosure that waives privilege, and does using it satisfy my ongoing duty to protect client information? The good news is that, handled properly, the answer to the first is almost always no, and the second is a matter of diligence you already know how to perform. The ABA's Model Rules of Professional Conduct frame both duties.
Does sending client data to an AI vendor waive privilege?
Privilege is waived when a confidential communication is disclosed to a third party in a way that is inconsistent with maintaining its secrecy. The fear is that an AI vendor is exactly such a third party. But courts and bar authorities have long recognised that sharing privileged material with agents who assist the lawyer - copy services, e-discovery vendors, interpreters, outside printers, cloud storage providers - does not waive privilege when the disclosure is reasonably necessary to the representation and made under an expectation of confidentiality. A well-governed AI vendor sits comfortably in that established category of confidential service providers.
The third-party disclosure question
The waiver question is not whether a third party touched the data, but whether the disclosure was consistent with keeping the communication confidential. Using a vendor under a contract that forbids training on your data, limits access, and keeps the material secure looks like every other confidential-agent relationship lawyers already rely on. Pasting a client's facts into a free, public chatbot whose terms let the provider read and reuse inputs is the opposite - that can look like a voluntary disclosure to the world, and it is the scenario that should worry you. The control you exercise over the tool is what keeps you on the safe side of the line.
Why confidentiality is the bigger exposure
Even where privilege stays intact, the duty of confidentiality is the one you are more likely to strain. Rule 1.6 protects all information relating to the representation, so a tool that logs your prompts, trains on your uploads, or exposes files to staff can breach confidentiality even if no privileged communication is ever compelled in court. In practice, this is the duty to design around. If a vendor's practices satisfy Rule 1.6 - no training, controlled access, secure hosting - the narrower privilege question usually takes care of itself. Our guide to legal AI data security and confidentiality goes deeper on the controls that matter.
What does the reasonable-efforts standard require?
Confidentiality is not an absolute guarantee against every conceivable breach; it is a duty to make reasonable efforts. Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorised disclosure of, or access to, client information. The comments list factors: the sensitivity of the information, the likelihood of disclosure absent safeguards, the cost and difficulty of additional safeguards, and whether they would impede the representation. The duty of competence under Model Rule 1.1 now expressly includes understanding the benefits and risks of relevant technology, so AI literacy is itself part of the standard.
What reasonable efforts demand scales with the stakes. Routine, low-sensitivity material needs less; a matter involving trade secrets, a high-profile client, or sensitive personal data needs more. The standard does not require you to become a security engineer. It requires you to ask sensible questions, choose vendors whose practices fit the sensitivity of the work, and document that you did so. A lawyer who picks a tool that does not train on client data, hosts it securely, and controls access has taken reasonable efforts; one who pastes confidential facts into whatever free tool is open in the browser has not.
Which AI practices actually threaten client confidences?
Not every AI tool carries the same risk. The exposures that matter are specific and identifiable, and each has a straightforward mitigation. The table below maps the practices that actually threaten client confidences to what you can do about them.
| Risky practice | Why it threatens confidentiality | Mitigation |
|---|---|---|
| Vendor trains models on your inputs | Your client's text can resurface in another user's output and leaves your control | Choose a vendor that contractually does not train on customer data |
| Undisclosed sub-processors | Data flows to fourth parties you never vetted | Require a current sub-processor list and notice of changes |
| Broad internal access | Staff or contractors can read matter files at will | Insist on role-based, least-privilege access controls |
| Unclear retention and deletion | Old client data lingers and widens the breach surface | Get documented retention and deletion terms |
| Consumer or free tiers | Inputs may be logged or used to improve the service | Use enterprise terms that disclaim training and logging |
| No audit trail | You cannot prove who accessed what if challenged | Require a full audit trail of access and actions |
The common thread is control and visibility. A vendor that trains on your inputs, hides its sub-processors, or cannot tell you who accessed a file is asking you to take confidentiality on faith. A vendor that disclaims training, documents its data flows, and gives you an audit trail lets you verify rather than trust - which is exactly what the reasonable-efforts standard rewards.
What should you ask an AI vendor before you upload?
Before client data goes anywhere near a new tool, run it through a short due-diligence checklist. These are the questions that separate a confidential service provider from a confidentiality risk, and they are the same questions a careful firm asks of any outside vendor. For a fuller programme, see our note on building AI governance for law firms.
| Question to ask | Why it matters |
|---|---|
| Do you train models on our uploads or prompts? | Training on inputs is the clearest confidentiality risk; a clean no is the baseline |
| Where is our data hosted, and in which regions? | Hosting and location affect security posture and any cross-border obligations |
| Who are your sub-processors, and how are we notified of changes? | Undisclosed fourth parties extend the chain of custody beyond your control |
| How is internal access controlled? | Role-based, least-privilege access limits who can ever see client files |
| What is your retention and deletion policy? | You need to know data can be purged when a matter ends |
| Is there a full audit trail? | An audit trail lets you demonstrate reasonable efforts if challenged |
| Will you sign a confidentiality agreement or DPA? | Written terms turn verbal assurances into enforceable commitments |
You do not need flawless answers to every question, but you do need answers. A vendor that cannot or will not tell you whether it trains on your data, who its sub-processors are, or how access is controlled has answered the most important question by its silence. Keep the responses on file; if your handling is ever questioned, that record is the evidence of reasonable efforts.
How does Judicio protect privilege and confidentiality?
Judicio is built so that the confidentiality answers are short and verifiable. It does not train on your data. It is hosted on Google Cloud Platform. Access is governed by role-based permissions, and every action is recorded in a full audit trail, so you can show who did what with a file. One upload into the File Library feeds every tool - Document Review, Legal Research, the Review Matrix, and the rest - so client material does not have to be scattered across several services to get the work done.
Those properties line up with the reasonable-efforts standard and with the duty of confidentiality under Rule 1.6. No training means your client's text never becomes someone else's output. Role-based access plus an audit trail means you can demonstrate control rather than assert it. None of this removes your judgment - the platform assumes you remain responsible for the matter - but it gives you the documented, controllable foundation the rules expect. For how this connects to wider obligations, see our overview of AI regulatory compliance under GDPR and HIPAA.
What does a privilege-safe AI workflow look like?
Pulling it together, a privilege-safe workflow is mostly habit. Choose an approved tool that does not train on your data before any client material is involved. Match the tool to the sensitivity of the matter, and for the most sensitive work, consider client consent or de-identifying facts where practical. Keep client data inside vetted, access-controlled systems rather than public chatbots. And document your diligence so reasonable efforts are provable, not just performed. Whether AI use is ethical in the first place is a related question we take up in our look at AI ethics under the ABA rules.
Handled this way, AI is not a privilege problem; it is a confidential service like any other, used under controls you can defend. The lawyers who get into trouble are not the ones who used AI - they are the ones who used the wrong tool, without diligence, on sensitive material. Get the tool and the diligence right, and the duty largely takes care of itself.
You can evaluate Judicio on your own terms with a 7-day free trial - 500 credits, no credit card required - and review the security and data-handling terms before any sensitive matter touches the platform. For a walkthrough of how it fits your confidentiality obligations, contact us.
Judicio provides legal technology tools, not legal advice. Verify every output and apply your own professional judgment before relying on it.
