Govern · Legal AI Governance

Can a law firm use LLMs with privileged documents?

July 2026 · Jason Lee

Yes. No ethics rule prohibits using large language models on client matters. What the rules — and the privilege doctrine — punish is how many firms are doing it today: attorneys pasting client facts into personal AI accounts with no confidentiality terms, no matter-level controls, and no record of what was disclosed to whom.

For a law firm the stakes are different in kind, not just degree. A healthcare breach costs money. Disclosing privileged material to a third party without adequate protective terms can put the privilege itself at risk — and privilege, once waived, does not come back. The difference between that exposure and a defensible deployment is architecture.

What the profession actually requires

  • Confidentiality (Rule 1.6). A lawyer must make reasonable efforts to prevent unauthorized disclosure of client information. Sending client facts to an AI vendor is a disclosure to a third party; whether it is a protected disclosure depends entirely on the terms and controls around it.
  • Competence (Rule 1.1). The duty of technological competence now explicitly reaches AI. Bar associations, including the ABA in its formal guidance on generative AI, have made clear that lawyers must understand the tools well enough to protect clients — “the AI did it” is not a defense.
  • Supervision (Rules 5.1/5.3). Associates and staff using AI are practicing under your supervision whether you sanctioned the tool or not. Unsanctioned use is unsupervised use.
  • The privilege analysis. Privilege survives disclosure to agents and vendors assisting the representation when confidentiality is preserved — that is why your copy service and e-discovery vendor don’t waive it. An AI vendor can sit in the same protected category, but only under confidentiality terms, no-training commitments, and access controls that make the “reasonable efforts” argument credible. A free consumer account whose terms permit training on your inputs makes the opposite argument for you.

None of this is a new duty. It is the same analysis you run on every vendor that touches client files — applied to a vendor category your associates adopted before anyone ran it.

The reference architecture

The design principle: client confidences never leave your protective boundary — instead, confidentiality terms and a DPA extend the boundary to the vendor, and every use is attributable to a matter.

REFERENCE ARCHITECTURE LLMs with privileged documents, done defensibly Client confidences never leave your protective boundary — confidentiality terms extend the boundary to the vendor. YOUR PROTECTIVE BOUNDARY EXTENDED BY CONFIDENTIALITY TERMS 1 · YOUR SYSTEMS Document management matters, work product, walls Practice mgmt + billing matters, time, engagement terms Email + intake client communications, conflicts Attorneys + staff partners, associates, paralegals 2 · AI GATEWAY — FIRM-OWNED Identity + matter access SSO, RBAC, ethical walls mirrored Privilege screen client facts minimized per task Use-case allowlist client AI restrictions honored Audit log, per matter every prompt + response, attributed 3 · LLM PROVIDER, UNDER TERMS Enterprise API endpoint not a consumer chat app Confidentiality terms + DPA Zero data retention No training on your inputs Encrypted in transit + at rest Verified in the terms of your actual tier — not assumed. matter log → lawyer review before client or court Consumer AI tools personal accounts, free tiers — no confidentiality terms, no matter record, privilege at risk BLOCKED by policy + network controls

Zone 1 — Your systems. The document management system with its matter walls, practice management and billing, email and intake. Nothing here changes.

Zone 2 — The AI gateway. Every AI request passes through a control layer the firm owns:

  • Identity and matter context. SSO, role-based access, and — the legal-specific control — matter-level permissioning that mirrors your DMS ethical walls. The associate walled off from a matter is walled off from prompting about it.
  • Privilege screen. Data minimization per task: a brief-formatting request doesn’t need the client’s name attached; a research question rarely needs the facts at full fidelity. The gateway strips what the task doesn’t require.
  • Approved use cases, client-aware. Some engagement letters and outside counsel guidelines now speak to AI use; the allowlist carries those flags so a restricted client’s matters route accordingly.
  • Audit log, per matter. Every prompt and response, attributed to a person and a matter number. When opposing counsel or a client asks how AI touched the matter, the answer is a report, not a reconstruction.

Zone 3 — The LLM provider, under confidentiality terms. An enterprise API endpoint with the vendor file to match: confidentiality and data-processing terms, zero data retention, no training on your inputs, encryption in transit and at rest — verified in the actual terms of the tier you are on, not assumed from the vendor’s reputation.

The return path. Output routes back through the gateway, is logged to the matter, and lands in front of a lawyer before it reaches a client, a filing, or the record. The sanctions cases that made headlines were not AI failures; they were review failures.

And the blocked lane. Personal accounts, free tiers, browser extensions: no confidentiality terms, no matter attribution, terms that may permit training on your inputs. Blocked by policy and network controls — with the gateway as the sanctioned alternative, because attorneys will not surrender the hours these tools save.

The five conditions, as a checklist

  1. Confidentiality and data-processing terms with every AI vendor touching client information
  2. Zero-retention, no-training configuration, verified in the vendor’s terms for your actual tier
  3. A gateway the firm controls: SSO, matter-level access mirroring your ethical walls, data minimization
  4. Per-matter audit logging of every prompt and response
  5. Lawyer review before AI output reaches a client, a court, or a work-product file

Meet all five and the question becomes which workflows first. Miss one and you are litigating whether “reasonable efforts” describes what your firm did.

Where firms get this wrong

  • The silent default. Associates are already using consumer tools on client work because it saves hours. The exposure exists today; the only question is whether the firm can see it.
  • Terms-by-assumption. The consumer and enterprise tiers of the same product carry different training and retention terms. The tier your people actually use is the one that matters.
  • Policy without walls. An AI policy that ignores matter-level access recreates the ethical-wall problem in a new system.
  • Review theater. Citing what the model produced without checking it has already produced sanctions. Review means read.

What this makes possible

With the architecture in place: first-draft discovery responses and privilege-log descriptions, deposition and transcript summarization, intake and conflicts triage, brief formatting and citation checking, and contract review at scale — each measured in billable hours redirected from process to judgment, each with a lawyer in the loop.

This article describes a reference architecture, not legal advice — a sentence that lands differently when the readers are lawyers. Your GC and ethics counsel own the final call; this is the material to bring them.

Want this mapped to your DMS and your engagement terms?

That is the first deliverable of the AI Readiness Assessment — a privilege-safe usage policy and this architecture, adapted to your systems, with one working automation deployed.