TL;DR
By the close of 2026 the legal profession has accumulated a meaningful body of authoritative guidance on generative AI: ABA Formal Opinion 512 (July 2024), the California State Bar's Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law (November 2023), the State Bar of Texas guidance, the Florida Bar guidance, and an expanding set of state-level opinions. Together with the sanctions decisions in Mata v. Avianca (S.D.N.Y. June 2023) and Park v. Kim (E.D.N.Y. January 2024), they have crystallised the ethical and procedural standards. This guide maps ABA Model Rules 1.1 (competence), 1.6 (confidentiality), and 5.3 (responsibilities regarding nonlawyer assistance) onto contemporary LLM usage and walks through the practical controls that protect privilege and work product. Updated 2026-05-20.
Why legal AI is a distinct governance problem
Lawyers face a layered set of obligations that most other professions do not. The attorney-client privilege protects confidential communications between lawyer and client for the purpose of legal advice. The work-product doctrine, descending from Hickman v. Taylor (1947) and codified at Federal Rule of Civil Procedure 26(b)(3), protects materials prepared in anticipation of litigation. The duty of confidentiality under ABA Model Rule 1.6 is broader than either - it covers any information relating to the representation regardless of source. And ABA Model Rule 1.1 imposes a duty of competence that the ABA in 2012 amended explicitly to include "the benefits and risks associated with relevant technology."
Generative AI complicates each of these duties in ways that do not arise with paralegal staff, document review platforms, or even cloud storage. Foundation model providers may retain prompt content. Their data handling practices vary across providers, deployment modes (consumer versus API versus enterprise), and tenancy models. Retrieval pipelines pull source documents - some privileged, some not - through unfamiliar processing layers. Outputs may contain hallucinated citations, fabricated quotations, or reasoning that does not reflect the underlying authority. Each of these introduces a distinct privilege or work-product risk that competent use must address.
The Areebi legal AI learning track covers the operational mechanics of running AI inside a law firm; this post focuses on the privilege and work-product framing that sits underneath every deployment decision.
ABA Model Rule 1.1: the duty of technological competence
ABA Model Rule 1.1 requires "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation." Comment 8 to the rule (adopted 2012) added that "to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." Forty-plus states have now adopted Comment 8 or analogous language.
For generative AI in 2026 the operational implication is that a lawyer using AI must understand, at a minimum, what data classes the tool may receive, how the provider handles inputs and outputs, what the tool can and cannot do reliably, and what verification steps the lawyer must take before relying on AI output. The ABA Formal Opinion 512 reading of this duty is direct: "Lawyers' uses of GAI tools require an understanding of the capabilities and limitations of the specific GAI tools used in their practices, including the tools' data input and output protocols, the source and reliability of the data used to train the tools, and the risks of disclosing client information." Lawyers who delegate this understanding to "whichever associate is most enthusiastic about ChatGPT" are creating a competence problem.
The minimum competence baseline a firm should now formalise includes: identification of approved AI tools, documented data handling practices per tool, training for every attorney with AI access, and a regular refresh cycle as the tools and their providers' practices evolve. The Areebi policy engine records which tools are approved at which scope, and the learning library ships the lawyer-focused modules.
ABA Model Rule 1.6: confidentiality and the foundation-model question
ABA Model Rule 1.6(a) prohibits disclosure of "information relating to the representation of a client" without informed consent or another exception. Rule 1.6(c) requires the lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The duty is broader than privilege - it covers any information relating to the representation, whether or not communicated in confidence.
Generative AI introduces three distinct confidentiality risks. Risk 1: provider retention of prompts. Consumer-grade LLM offerings frequently retain prompts and outputs for model improvement or quality monitoring. Enterprise offerings typically offer zero-data-retention or limited-retention modes, but the lawyer must know which mode is in effect and on what contractual basis. Inputting privileged content into a consumer tool with default retention is, in most state bar interpretations, a Rule 1.6(c) violation regardless of whether disclosure to a third party ever materialises.
Risk 2: sub-processing and downstream training. Even with retention disabled at the primary provider, content may flow to sub-processors, evaluators, or evaluation pipelines that the lawyer has not assessed. The provider's data processing addendum (DPA) and any sub-processor list become discoverable elements of the firm's confidentiality posture. ABA Formal Opinion 512 specifically flags the need to understand "where the lawyer's input information and any output information is being stored."
Risk 3: model leakage and training data exposure. Foundation models trained on user data have, in published research, been shown to be susceptible to membership inference and extraction attacks under certain conditions. The risk is contested in the legal community but it is not zero. A prudent confidentiality posture either keeps client data out of training pipelines entirely or relies on contractual and technical assurances that data is not used for training.
The practical control set most firms have settled on in 2026 includes: an enterprise-tier AI platform with contractual no-training and limited-retention guarantees; a DLP layer that prevents specific data classes from reaching the AI perimeter; and per-matter access controls that prevent unrelated matter data from cross-pollinating retrieval pipelines. The Areebi DLP module and tenancy controls support each of these.
ABA Model Rule 5.3: supervision of nonlawyer assistance, including AI
ABA Model Rule 5.3 imposes responsibility for the conduct of nonlawyer assistants - paralegals, secretaries, court reporters, copy services, and (now) AI tools. ABA Formal Opinion 512 reads Rule 5.3 to extend to AI tools used by the lawyer, requiring partners and managing lawyers to "make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance" that the conduct of the AI - or more accurately, the conduct of those using the AI - is compatible with the lawyer's professional obligations.
Operationally, Rule 5.3 means the firm must have policies governing AI use, training for lawyers and staff, supervision of the AI-assisted work product, and accountability when the AI produces problematic output. The duty is not delegable to the AI vendor. Even if the vendor is sophisticated and the contract is thorough, the firm remains responsible for what its lawyers do with the tool.
The supervision pattern most firms now adopt includes: documented AI policies; mandatory training; per-matter approval for high-stakes AI use; explicit review and verification of AI output before it leaves the firm; and an audit trail that captures who used what tool on what matter. The Areebi audit log records the per-interaction metadata that supports this supervision pattern, including the identity of the lawyer, the matter context, the tool used, the policy version active at the time, and the data classes touched.
Mata v. Avianca, Park v. Kim, and the sanctions case law
Mata v. Avianca, Inc. (S.D.N.Y. June 22, 2023) is the foundational case in the modern AI ethics canon for one reason: a New York lawyer submitted a brief citing six cases that did not exist, generated by ChatGPT, without verifying them. Judge Castel sanctioned the lawyers and the firm, imposed monetary penalties, and required disclosure of the order to the affected judges. The opinion focuses on the lawyers' failure to verify - "the lawyers fell down on the job" - rather than the AI itself.
Park v. Kim, 91 F.4th 610 (2d Cir. January 2024), is the Second Circuit's follow-up. The court affirmed sanctions against an attorney who cited a fabricated case in an appellate brief, reinforcing that Rule 11 and the standard of professional conduct apply equally regardless of the tool that produced the citation. The opinion is short and unambiguous: an attorney signs the brief and the attorney verifies the citations.
By 2026 several dozen reported sanctions decisions have followed the same pattern. The lessons for AI-using attorneys are not new but have hardened: any citation produced by an AI tool must be independently verified in an authoritative database; any quotation must be checked against the source; any factual claim must be confirmed. The Areebi policy engine can block submission of AI-generated content that has not been routed through a citation-verification workflow, and the AI incident response runbook covers the firm response to a hallucination-derived sanctions exposure.
ABA Formal Opinion 512: the operational reading
ABA Formal Opinion 512 (July 29, 2024) is the most authoritative single document on generative AI ethics in the United States as of 2026. It is organised around six themes: competence, confidentiality, communication with clients, candour, supervision of nonlawyer assistance, and fees.
The operational takeaways most firms now treat as baseline include: (1) a duty to understand the technology before using it on client work; (2) a duty to obtain informed client consent before inputting confidential information into a GAI tool, in cases where the input creates a "reasonable risk of disclosure" under the firm's policies and the tool's behaviour; (3) a duty to disclose AI use to courts when court rules or judicial orders require it; (4) a duty to verify outputs before relying on them; (5) a duty to supervise lawyers and staff using GAI tools; (6) a duty to charge reasonable fees, including not billing time saved by AI as if it were time spent by a human.
The client consent point is the one that has caused most operational change. A firm using an enterprise AI platform with strong no-training and limited-retention guarantees may not require per-matter client consent, depending on the engagement letter language and the firm's risk tolerance. A firm using a consumer-grade tool, or any tool without clear data handling commitments, almost certainly does. Many large firms have updated their engagement letters to include explicit consent language for AI-assisted work, and the consent question is now a standard intake item.
The Areebi platform is designed for the enterprise-tier scenario - contractual no-training and zero-data-retention by default, tenancy isolation, configurable DLP, and a full audit log per interaction.
State bar guidance and the California GenAI ethics opinion
The California State Bar's Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law (November 2023) is the most operationally detailed state guidance to date. It addresses confidentiality and discrimination concerns more aggressively than ABA Formal Opinion 512, includes specific recommendations on supervised use of AI by paraprofessionals, and is widely read in jurisdictions outside California as a de facto standard of practice.
Other state guidance worth tracking includes the Florida Bar's January 2024 advisory opinion on generative AI; the State Bar of Texas Opinion 705 (February 2024); the New York State Bar Association report on artificial intelligence (April 2024); and the Pennsylvania Bar Association Formal Opinion 2024-200 (June 2024). The picture by mid-2026 is that the major state bars have spoken, the central themes are consistent (competence, confidentiality, supervision, verification), and the operational standard of practice is now well enough defined that a firm cannot credibly plead ignorance.
Privilege and work-product design patterns for AI workflows
The design patterns below are the ones Areebi most often recommends to law firms and in-house legal teams in 2026.
Pattern 1: Tenancy isolation per matter. Each matter (or each client) operates in its own logical tenant, with retrieval scoped to documents inside that tenant. Cross-matter contamination is structurally prevented rather than discouraged by policy. This pattern is critical when multiple matters at the firm could create conflicts.
Pattern 2: DLP at the prompt layer. Specific data classes - SSNs, financial account numbers, named individuals on watchlists, classified opposing-counsel materials - are blocked from reaching any AI tool, regardless of which lawyer attempts to use the tool. The DLP rules are versioned, auditable, and enforced before the prompt leaves the firm perimeter.
Pattern 3: Verification workflows for citations and quotations. Every AI-generated citation is automatically routed through a verification step against an authoritative database before it can be inserted into a draft. Quotations are checked against the source. The workflow is enforced rather than recommended.
Pattern 4: Per-interaction audit logging. Every AI interaction is logged with lawyer identity, matter context, tool identifier, policy version, input data classes, output, and verification status. The audit log is the artefact that supports both internal supervision and any post-hoc privilege defence.
Pattern 5: Client consent intake. Engagement letters include explicit AI-use language. Where a matter involves data classes or risk levels that fall outside the default consent, a per-matter consent is obtained and logged. The Areebi audit log records the consent state per matter so that a partner can confirm consent before AI use begins.
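Patterns 2, 4 and 5 can be enforced at a single choke point in front of the AI tool. The sketch below is an added example, not Areebi's code or schema: the rule set, field names, policy label, log key and sample prompts are all constructed for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timezone

POLICY_VERSION = "dlp-2026.05-constructed"   # constructed version label
LOG_KEY = b"constructed-demo-key"            # placeholder; a real key lives in a secret store

# US SSN shape, excluding ranges never issued (000/666/9xx area, 00 group, 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/hyphen separators; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(prompt: str) -> list:
    """Return the sorted list of blocked data classes found in the prompt."""
    found = set()
    if SSN_RE.search(prompt):
        found.add("ssn")
    for m in CARD_RE.finditer(prompt):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("payment_card")
    return sorted(found)


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    lawyer_id: str
    matter_id: str
    tool_id: str
    policy_version: str
    data_classes: list
    decision: str
    reason: str
    prompt_hmac: str            # keyed digest only, so a blocked SSN never lands in the log
    verification_status: str


def gate_prompt(lawyer_id, matter_id, tool_id, prompt, *, approved_tools, consent, audit_log):
    """Decide before the prompt leaves the perimeter; always append an audit record."""
    classes = classify(prompt)
    if tool_id not in approved_tools:
        decision, reason = "deny", "tool_not_approved"
    elif not consent.get(matter_id, False):
        decision, reason = "deny", "no_consent_on_file"
    elif classes:
        decision, reason = "deny", "dlp_block"
    else:
        decision, reason = "allow", "ok"
    record = AuditRecord(
        timestamp=datetime.now(timezone.utc).isoformat(),
        lawyer_id=lawyer_id, matter_id=matter_id, tool_id=tool_id,
        policy_version=POLICY_VERSION, data_classes=classes,
        decision=decision, reason=reason,
        prompt_hmac=hmac.new(LOG_KEY, prompt.encode("utf-8"), hashlib.sha256).hexdigest(),
        # Allowed prompts start unverified: the output still needs citation checks.
        verification_status="pending" if decision == "allow" else "not_applicable",
    )
    audit_log.append(record)
    return record


if __name__ == "__main__":
    log = []
    ctx = dict(approved_tools={"enterprise-llm"}, consent={"M-1001": True}, audit_log=log)
    # Constructed sample prompts.
    gate_prompt("jdoe", "M-1001", "enterprise-llm", "Summarise the deposition outline.", **ctx)
    gate_prompt("jdoe", "M-1001", "enterprise-llm", "Client SSN is 123-45-6789.", **ctx)
    gate_prompt("jdoe", "M-2002", "enterprise-llm", "Draft a demand letter.", **ctx)
    for r in log:
        print(r.decision, r.reason, r.data_classes)
```

Denied attempts are logged as well as allowed ones, which is what lets a supervising partner see who tried to send what class of data on which matter.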
The work-product doctrine and AI-generated drafts
The work-product doctrine protects materials "prepared in anticipation of litigation or for trial" under Federal Rule of Civil Procedure 26(b)(3) and the state-law analogues. The doctrine has two tiers: ordinary work product, discoverable only upon a showing of substantial need and inability to obtain the equivalent without undue hardship; and opinion work product, protected almost absolutely.
AI-assisted work product creates two doctrinal questions. The first is whether an AI tool's drafting output, generated in response to a lawyer's prompt, retains work-product protection. The strong consensus in 2026 is yes - the AI is acting under the lawyer's direction and the resulting draft reflects the lawyer's mental processes in selecting the prompt, evaluating the output, and integrating it into the litigation file. The work-product doctrine has long protected materials prepared by paralegals, investigators, and consultants at the lawyer's direction; AI tools sit in the same lineage.
The second question is whether the prompt itself, the AI output before lawyer review, and the underlying retrieval are discoverable. The cautious answer is that all of these may carry work-product protection in principle but that the protection can be waived by careless handling - particularly when AI interactions are stored in third-party systems whose discovery posture is uncertain. The design pattern that mitigates this risk is to keep AI interaction logs inside the firm's own controlled environment, retain them under the same retention policy as other privileged materials, and produce them only under court order or with explicit privilege review.
The Areebi audit log is structured so that AI interactions are stored alongside other privileged materials in the firm's tenant, with the same retention and access controls. The trust centre documents the data handling commitments that underpin this design.
Common pitfalls in 2026
Pitfall 1: Treating ChatGPT (or any consumer tool) as fit for client work. Consumer-grade tools, including the default consumer ChatGPT, OpenAI Plus, Anthropic Claude consumer tier, and Google Gemini consumer tier, retain prompts by default and may use them in training or evaluation pipelines. Using a consumer tool for client work is a confidentiality risk no contractual fix can undo after the fact. The standard control is to block consumer-tool URLs at the network egress and provide an enterprise-tier alternative.
Pitfall 2: Verifying citations only when they "feel" wrong. Hallucinated citations are easy to spot when the case name is implausible, but increasingly hard when the model produces plausible-looking citations for real-sounding cases. The only safe verification protocol is: every citation, every time, before submission. Automated verification workflows make this practical at scale.
Pitfall 3: Conflating tool-level data handling with provider-level data handling. A model may be hosted by a foundation model provider under one DPA and reached through a vendor's wrapper under another DPA. The lawyer's confidentiality posture depends on the actual data flow path, not the marketing material of the wrapper. The exercise of mapping every approved AI tool to its underlying provider, sub-processors, and contractual posture is the prerequisite for credible confidentiality assurance.
Pitfall 4: Underestimating the supervisory load on partners and managing lawyers. Rule 5.3 places the supervisory burden on the lawyers with authority. A firm in which AI use is widespread but supervision is delegated to "tech-savvy associates" is creating an ethics risk that surfaces only when something goes wrong. Documented supervision, with audit-log evidence, is the protective posture.
How Areebi reduces the legal AI privilege risk
Areebi is an AI control plane built on AnythingLLM, designed for the kind of evidentiary discipline a litigation-exposed law firm requires. Three platform capabilities map directly to the ABA Model Rules and the privilege framework above.
Tenancy and DLP for Rule 1.6. Each matter operates in its own logical tenant with retrieval scoped to that tenant. DLP rules at the prompt layer prevent enumerated data classes from leaving the firm perimeter regardless of which lawyer attempts the use. The DLP overview shows the rule schema.
Audit log for Rule 5.3 supervision. Every AI interaction is logged with lawyer identity, matter context, tool identifier, policy version, data classes touched, and output. The log supports both real-time supervision and post-hoc privilege defence. The audit log overview shows the field schema.
Verification workflow for Mata v. Avianca-class risks. Citations and quotations produced by AI tools are routed through a verification step against authoritative databases before they can be incorporated into outbound work. The policy engine enforces the verification requirement at the workflow level.
The Areebi AI Governance Assessment includes a legal services module that scores your current state against the ABA Formal Opinion 512 expectations and produces a prioritised remediation plan, typically completed inside 30 minutes by a managing partner or general counsel.
Founder perspective: the legal profession is the canary
We watch the legal sector closely because legal ethics is downstream of the same evidence concerns that every regulated industry will eventually face. Mata v. Avianca was a wake-up call for lawyers but it was also a preview of every adjacent profession - medicine, accounting, engineering, financial advice - that will at some point need to prove they verified an AI output before relying on it. We design the Areebi audit log and policy engine with that wider audience in mind, but we test them first against the legal use case because the standard of proof is highest there.
What to read next
To take this guide from understanding to operational programme, work through this cluster.
- AI incident response runbook - the playbooks for an AI-derived sanctions or privilege exposure.
- Procurement VRQ template - the questionnaire to use on every AI vendor.
- AI control plane compliance automation - the technical patterns for tenancy and DLP.
- LLM fine-tuning versus RAG compliance trade-offs - the architecture decision that drives confidentiality posture.
- CISO 30-60-90 playbook - the time-boxed sequence for a firm-wide rollout.
Frequently Asked Questions
Can my firm safely use ChatGPT for client work?
Almost certainly not in its consumer or default ChatGPT Plus configuration. Consumer-grade tools retain prompts by default and may use them in evaluation or training pipelines. ABA Formal Opinion 512 and most state bar guidance read Rule 1.6(c) to require an enterprise-tier configuration with contractual no-training and limited-retention guarantees before client information is input. OpenAI's enterprise tier (and the equivalent enterprise tiers at Anthropic, Google, and Microsoft) can be configured to meet this standard; the consumer tiers cannot.
Do I need client consent before using AI on a matter?
It depends on the engagement letter, the tool's data handling, and the data classes involved. ABA Formal Opinion 512 suggests that informed client consent is required where the use creates a reasonable risk of disclosure. Many firms have updated their engagement letters to include general AI-use consent language and obtain per-matter consent only for matters involving especially sensitive data classes (trade secrets, attorney-client communications with sub-clients, executive personal data). The Areebi platform records consent state per matter so partners can confirm before AI use begins.
Does AI-assisted work product retain work-product protection?
The strong consensus in 2026 is yes, when the AI is acting under the lawyer's direction and the resulting draft reflects the lawyer's mental processes. The work-product doctrine has long protected materials prepared by paralegals, investigators, and consultants; AI tools sit in the same lineage under Rule 26(b)(3). However, the protection can be eroded by careless handling - particularly when AI interactions are stored in third-party systems with uncertain discovery posture. Keeping AI logs inside the firm's controlled environment with the same retention as other privileged materials is the protective posture.
What is the minimum verification I need to do on AI output before submission?
Every citation must be verified against an authoritative legal database before submission. Every quotation must be checked against the original source. Every factual claim must be confirmed. The Mata v. Avianca and Park v. Kim sanctions decisions, along with several dozen subsequent reported sanctions, have hardened the standard: an attorney signs the brief and verifies its contents regardless of how it was drafted. Automated verification workflows make this practical at scale but they do not replace the attorney's independent professional judgment.
How does ABA Model Rule 5.3 apply to AI tools?
ABA Formal Opinion 512 reads Rule 5.3 to extend to AI tools used by the lawyer. Partners and managing lawyers must make reasonable efforts to ensure the firm has measures giving reasonable assurance that AI use is compatible with the lawyer's professional obligations. Operationally that means written policies, mandatory training, supervision of AI-assisted output, and an audit trail. The duty is not delegable to the vendor.
Can opposing counsel demand to see our AI prompts and outputs in discovery?
Prompts and AI outputs may carry work-product protection in principle when they reflect litigation-related mental processes. In practice the protection is contested and fact-specific. Courts have begun to address discovery requests for AI logs in 2025 and 2026; rulings vary but the trend has been towards treating AI interactions like other work-product materials, subject to standard work-product analysis. Keeping AI logs inside the firm's controlled environment, retained under privileged-materials policies, and producing them only under court order is the protective posture most firms have adopted.
What about billing - can we bill for time saved by AI?
ABA Formal Opinion 512 addresses this directly: lawyers may not charge fees for time not actually worked. Time saved by AI cannot be billed as if a human had spent that time. The opinion does not prohibit billing AI use as an expense or charging a value-based fee for the work product produced; what it prohibits is billing inflated time. Several state bars have published similar guidance. Firms with hourly billing models have adjusted their billing controls to account for AI-accelerated work.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.