A Federal Judge Just Ruled Your AI Chats Are Not Privileged. Here Is What That Means for How Your Firm Runs AI.

On February 10, 2026, a federal judge in the Southern District of New York ruled that a criminal defendant's chats with Claude were not protected by attorney-client privilege. The chats included defense strategy material the defendant had received from his lawyers. The FBI seized the transcripts. The court let the government read them.

United States v. Heppner is the first federal ruling in the country to test whether conversations with a generative AI tool fall inside attorney-client privilege or the work product doctrine. Judge Jed Rakoff said they do not. The opinion turns on three independent failures, any one of which kills the privilege claim on its own. Two of those failures are about how the firm uses AI. One is about which AI the firm is using.

Every law firm in the country is going to have to answer one question for every matter they touch this year. Which AI did the lawyer or the client run this through, and what did the terms of service of that AI permit. This post is for the people at a firm who own that question. Not the lawyers (we are not one, and this is not legal advice). The people who decide what software the firm runs on.

Below is a plain-English read on what Heppner actually said, the three failure legs every firm should be auditing against, and the architecture decision that flows out of the ruling. We work on the infrastructure side. So we will talk about it as a software question, because that is what it has become.

Here is the 30-second version.

What happened. A criminal defendant pasted defense strategy into the public consumer version of Claude after he had received a grand jury subpoena and after he knew he was the target of the investigation. The FBI seized the chats. He claimed privilege. The court rejected the claim on three grounds.

The three grounds. (1) Claude is not a lawyer, so the communication was not between client and counsel. (2) The consumer terms of service permitted Anthropic to log the data, train on it, and disclose it to regulators, so there was no reasonable expectation of confidentiality. (3) The defendant acted on his own without his attorneys telling him to, so the AI was not functioning as the lawyer's agent under the Kovel doctrine.

What it means for AI architecture. Cloud consumer tools fail leg 2 structurally and cannot be repaired by policy. Enterprise cloud with a signed DPA and a no-training covenant mitigates leg 2 contractually, but the protection has not been tested in court. On-device AI that never leaves the firm's own infrastructure eliminates leg 2 entirely because there is no third party to disclose to.

What it means for workflow. Legs 1 and 3 are not solved by any architecture. They are solved by an acceptable use policy that requires attorney direction for any AI use on a matter. A firm that buys a local AI box and then lets associates noodle on public ChatGPT still loses on the next Heppner-style motion. The right answer is box plus workflow, not one or the other.

Bradley Heppner was indicted in November 2025 in the Southern District of New York for securities fraud, wire fraud, conspiracy to commit securities and wire fraud, lying to auditors, and falsifying records, in connection with the alleged fraud that bankrupted GWG Holdings. The case is in front of Judge Jed Rakoff.

When the FBI searched Heppner's home, agents seized 31 documents that his counsel later flagged as privileged or work product. A subset of those documents were chat transcripts between Heppner and the publicly available version of Anthropic's Claude. The transcripts laid out defense strategy. They walked through what the government might charge. They argued the facts and the law of his own case. Heppner had not been told by his lawyers to do any of this. He started the chats after he received a grand jury subpoena and after his lawyers had told him he was the target.

The government moved to inspect the chats. The defense moved to suppress them under attorney-client privilege and the work product doctrine.

On February 10, 2026, Judge Rakoff granted the government's motion from the bench, with a written opinion following shortly after walking through the reasoning. He called the question one of first impression nationwide. The DOJ's case page is at justice.gov/usao-sdny/us-v-heppner-25-cr-503. The cleanest academic walk-through is on the Harvard Law Review blog. Practitioner takes from Covington's privacy team and Proskauer's privilege practice walk through the doctrine in more depth. Every BigLaw firm in the country published a client alert within 30 days.

That is the case. Now the doctrine.

Attorney-client privilege has three elements that any first-year associate could recite. The communication has to be between a client and an attorney, made in confidence, and for the purpose of seeking or providing legal advice. Work product doctrine is a sibling protection covering material prepared by or at the direction of an attorney in anticipation of litigation.

Heppner failed three different parts of that test. Rakoff said any one of them was enough on its own to dispose of the privilege claim.

Leg 1. The AI is not a lawyer. The first line of the ruling on this point reads, in effect, that the communication was not between a client and an attorney because Claude is not an attorney. That alone disposes of the privilege claim. A person typing into an AI tool is talking to a non-lawyer. Talking to a non-lawyer about your case is not a privileged conversation, no matter how good the AI's advice is. This is the part of the ruling that does not change when the AI changes. A locally hosted, encrypted, never-touched-the-internet model still is not an attorney. Privilege is not a secrecy test. It is a who-is-talking-to-whom test.

Leg 2. The consumer terms of service killed confidentiality. The public version of Claude (and ChatGPT, and Gemini, and every other consumer AI) ships with terms that reserve the right to log user inputs and outputs, use them for training, and disclose them to third parties including regulators on request. Rakoff held that pasting privileged material into a system that explicitly reserves those rights is a voluntary disclosure to a third party. Voluntary disclosure to a third party destroys confidentiality. No confidentiality, no privilege. This is the leg that lives or dies based on which AI the firm is using. It is structural. The reasoning has nothing to do with whether the AI actually trained on the data, whether anyone at the AI vendor ever read it, or whether the chat was eventually deleted. The terms of service were the disclosure. Once the data went into the system under those terms, the privilege was already broken.

Leg 3. The client acted without attorney direction. Heppner started the chats on his own. He pasted material his lawyers had given him into a tool his lawyers had not told him to use. The court held this also breaks work product protection, because the protection runs to material prepared by an attorney or at the attorney's direction. Independent client research is not work product just because the output was later shared with counsel. Rakoff opened a small door. If counsel had directed Heppner to use Claude, the AI might have functioned as the attorney's agent under the Kovel doctrine, which is what extends privilege to accountants and translators that lawyers hire. The opinion did not say that argument would have won. It said the door was open. With no attorney direction, the door was not open at all.

That is the doctrine. Now the engineering question.

There are three categories of AI architecture a law firm can run today. They have different exposure to Heppner. The differences are not subtle.

Category 1. Public consumer cloud. ChatGPT.com, claude.ai, gemini.google.com, anything an associate opens in a browser tab on a personal account. These tools ship with the terms that killed Heppner's confidentiality claim. They reserve the right to log, train on, and disclose user data. There is no contractual fix available on the consumer tier. The firm cannot sign a master services agreement with OpenAI's consumer product. The exposure on leg 2 is structural. Any privileged material that touches a consumer chat is, on the Heppner reading, a voluntary disclosure to a third party.

Category 2. Enterprise cloud with a signed DPA and a no-training covenant. ChatGPT Enterprise, Claude Enterprise, Microsoft Copilot for Microsoft 365, Google Workspace with Gemini, plus the specialty legal AI tools (Harvey, Casetext CoCounsel, Spellbook, Legora, and the rest). These ship with a master agreement, a data processing addendum, an explicit commitment not to train on customer data, defined retention windows, and breach notification language. They mitigate leg 2 contractually. They have not yet been tested in court the way Heppner tested the consumer tier. The same agent-economy pressure that pushed Anthropic to put Claude on a meter for programmatic usage is also pushing every enterprise vendor toward stricter consumption tracking, which means the audit trail on enterprise AI is going to keep getting better fast.

Category 3. On-device or locally-hosted AI. Models that run inside the firm's own infrastructure, in a private cloud the firm controls, or on individual machines with no outbound traffic. Practitioner commentary on Heppner has called this the lowest-risk tier, because there is no third party to disclose to. The data does not leave the firm. The reasoning that broke Heppner's confidentiality claim does not apply, because the foundational fact (voluntary submission of data to a third party with disclosure rights) is not present. This is the architecture behind our private-brain product.

The same point laid out across all three tiers. Leg 1 (the AI is not a lawyer) is identical across all three architectures. No machine is a lawyer. That problem is not solved by changing the machine. Leg 3 (attorney direction) is also identical across all three architectures. Whether the AI is on a phone or in a server closet, the firm decides whether a partner directs its use. The only leg that moves across the three categories is leg 2 (third-party disclosure). It fails structurally on consumer cloud, mitigates contractually on enterprise cloud, and disappears entirely on local.

The gap between enterprise cloud and local is not about whether the protection is strong. The gap is about whether the protection is structural or contractual. Contractual protections can be breached, can be renegotiated, can be tested in court and lost. Structural impossibility cannot be breached because the thing the contract is trying to prevent (the data leaving the building) was never possible in the first place.

For a small firm running one matter through ChatGPT, that distinction might feel academic. For a firm running thousands of matters across hundreds of users, it is the difference between a risk a partner is comfortable signing off on and a risk that ends up in a Wall Street Journal headline.

Here is the part most coverage of Heppner is getting wrong. The post-ruling content from BigLaw firms has been heavy on the architecture question and light on the workflow question. That makes architecture look like the whole answer. It is not.

A local AI box solves leg 2. It does not solve leg 1, and it does not solve leg 3. If a firm buys an on-prem AI, locks down the data, and then lets an associate paste case notes into it on their own without partner direction, the firm still loses on the next Heppner-style motion. The architecture removed the third-party disclosure. The workflow left the Kovel agency unproven and the not-a-lawyer leg untouched.

The complete answer is two parts. Architecture removes the failure mode that workflow cannot reach. Workflow removes the failure modes that architecture cannot reach. Neither half works without the other. This is the same shape as the build versus buy question for any business software. The right answer is rarely the simplest one, and the firms that pick well are the ones who can articulate why they picked at all.

The architecture half is a procurement decision. Replace public consumer AI with either a vetted enterprise tier or a private deployment, depending on the firm's size, risk appetite, and matter mix.

The workflow half is a policy decision. Write and enforce an acceptable use policy that says, in plain words, no privileged material gets sent to any AI tool except under partner-level direction for a specific matter, with the use documented in the matter file. Train every lawyer and every staff member on the policy. Audit compliance quarterly. The policy is what creates the attorney-direction record that opens the Kovel door if the privilege question ever gets asked.

A firm that has only the architecture is a firm with a very expensive box and a workforce that defeats it daily. A firm that has only the policy is a firm with airtight rules and an underlying tool stack that breaks the rules structurally every time anyone clicks send. Both at the same time is the standard. Either alone is not.

Three concrete moves. None of them require buying anything until the audit is done.

Move 1. Inventory the AI surface. Walk through every place AI touches a matter in your firm. The obvious entries are the firm-issued tools (Microsoft Copilot inside Word and Outlook, Harvey or CoCounsel if the firm has a seat, Casetext or Lexis AI). The non-obvious entries are the shadow IT (associates running ChatGPT on personal accounts, partners using claude.ai from a phone, paralegals dropping discovery into NotebookLM to summarize). The shadow IT is where the Heppner exposure sits. Most firms underestimate it by a factor of three or four.

Move 2. Tag every tool by tier. For each tool on the inventory, write the tier next to it (consumer, enterprise with DPA, local). For the consumer entries, you have a decision. Block the tool, migrate to the enterprise tier of the same product, or replace it with a private deployment. The decision depends on the matter sensitivity, the firm's risk appetite, and the budget. There is no universally right answer, but there is a universally wrong answer, which is leaving consumer tools in the workflow and writing a policy that says lawyers should not use them. That policy will be violated every week by someone in a hurry, and the violation is what creates the next Heppner motion.

Move 3. Write the acceptable use policy and tie it to the matter management system. The policy should specify which tools are approved, which are prohibited, and what attorney-direction language has to be in the matter file before any AI tool touches privileged material. The discipline is not the policy itself. The discipline is that the matter management system enforces it. If a matter does not have a documented AI authorization from a partner, the tool integrations should refuse to run on that matter's data. Same way conflict checks refuse to open a matter without a clearance. That is a software change, not a policy memo. It is the only kind of policy that survives associate turnover and Friday-afternoon pressure.

The three moves take 30 to 60 days for a firm under 50 lawyers. They take longer for an AmLaw 100. The longer the firm waits to do them, the higher the chance that the discovery in the next Heppner-style motion turns up something the firm did not know was happening.

If the firm has decided that local AI is the right answer for the architecture half, this is what we built Sovereign Brain for. It is the private AI tier in the comparison above. It runs inside the firm's own infrastructure, on the firm's own servers or a private cloud the firm controls. The data never touches a third-party AI vendor. We pair the box with a workflow audit and an acceptable use policy template, because that is the only configuration that actually solves the Heppner problem rather than half of it.

For firms in the personal injury and adjacent practice areas where matter volume is high and the consumer-AI temptation is highest, the box-plus-workflow setup is one of the few changes you can make in 2026 that removes a category of malpractice exposure rather than just managing it.

The short version of every conversation we have had with a firm about this ruling since March.

Heppner is not a one-off. It is the first ruling in a category. Every federal district that touches white-collar work is going to see a version of this motion in the next 18 months, because the underlying fact pattern (clients running their own AI defense before lawyers can stop them) is happening in thousands of matters right now. The firms that have already done the inventory and the policy work will be the firms that can answer the privilege motion in a paragraph instead of a panic.

The cost of the architecture decision is dropping fast. Local AI was an enterprise-only proposition two years ago. It is now in reach for any firm with the budget for a single mid-tier server, because the open-source models that came out in the last 12 months run on commodity hardware. The pricing premium for the local tier over the enterprise cloud tier is small enough that risk-averse firms can pay it without anyone in finance flinching.

The cost of waiting is rising fast. Every month a firm leaves consumer AI in its workflow is another month of accumulated voluntary disclosures sitting in OpenAI and Anthropic logs that a subpoena could pull. Cleaning that up later is harder than not creating it now.

And the honest pitch is that the box plus the workflow is one of the few changes a firm can make in 2026 that removes a category of malpractice exposure rather than just managing it.