◆Legal
Attorney-client privilege and work-product protection are not formalities. They are substantive rights that courts can strip away if a firm or legal department handles confidential material carelessly. Deploying an AI model for contract review or discovery support introduces real exposure — unless the deployment is designed from the start around confidentiality boundaries, human oversight, and a defensible record of how every output was produced.
Privilege doctrine turns on control and intent. If confidential communications or attorney mental impressions are disclosed to a third party without adequate protection, a court may find waiver — intentional or inadvertent. An AI vendor whose infrastructure ingests client documents, logs prompts, or uses interaction data for model training is a third party for this purpose.
This is not a hypothetical. Legal teams evaluating AI tools need to ask a specific question before any document touches a model: does the vendor's data handling create a disclosure that a court could characterize as waiver? The answer depends entirely on how the system is architected, not on the vendor's marketing language.
A governed deployment addresses this at the infrastructure layer. Client data must not be used to train or fine-tune the underlying model. Retrieval must be scoped to matter-specific document sets with strict access controls. Every query, retrieval event, and model output must be logged in a way the supervising attorney can inspect and, if necessary, produce under a privilege log framework.
Work-product protection under FRCP 26(b)(3) covers documents and tangible things prepared in anticipation of litigation. Opinion work product — material reflecting attorney mental impressions, conclusions, or legal theories — receives near-absolute protection. The moment an AI model is asked to summarize deposition strategy, flag litigation risk, or draft a legal theory, it is operating in opinion work-product territory.
Two governance controls matter here. First, prompts that contain attorney mental impressions must themselves be treated as protected work product. Prompt logs should be stored with the same access restrictions as the underlying legal memoranda. Second, model outputs in this category must never be treated as final. They are drafts that require attorney review, annotation, and sign-off before they carry any legal weight.
Human oversight is not a compliance checkbox in this context. It is the mechanism that keeps the attorney as the author of the legal work product, with the model functioning as a research and drafting aid — not as a decision-maker.
Retrieval-augmented generation (RAG) is the standard architecture for legal document review because it grounds the model in the actual documents rather than relying on parametric memory. But RAG introduces its own privilege risk if retrieval boundaries are not enforced at the data layer.
A privilege-aware retrieval design enforces matter-level isolation: the model can only retrieve from the document corpus explicitly authorized for a given matter. Cross-matter retrieval — where a query about one client's contract inadvertently surfaces documents from another — is a confidentiality failure, not just a quality problem. Role-based access controls must mirror the ethical walls already in place in the firm or legal department.
Citations are the accountability mechanism that makes retrieval auditable. Every factual claim or document reference in a model output should include a pointer to the specific source chunk — document name, section, page or paragraph. The supervising attorney can then verify the citation against the original, catch any hallucination, and confirm that the retrieved material was within scope. A model that produces confident summaries without citations is not suitable for legal work.
FRCP 26 and 34 govern the discovery of electronically stored information. If AI-assisted review is used to make privilege calls — deciding which documents to withhold — the process must be defensible if challenged. Courts have increasingly scrutinized technology-assisted review workflows, and the standard is whether the process was reasonable and consistently applied.
A defensible AI-assisted privilege review requires an audit trail that can answer three questions: what documents did the model see, what did it output, and who made the final call? The model's role should be clearly documented as a first-pass triage tool. Every privilege determination that results in withholding a document must carry a human attorney's sign-off, not just a model confidence score.
FRCP 26(b)(5) requires a privilege log that identifies withheld documents with enough detail to assess the claim without revealing protected content. An AI system that generates privilege log entries must produce entries that meet this standard — and those entries must be reviewed by counsel before production. Engagements designed to support FRCP workflows build this review step into the process rather than treating it as optional.
The governance controls described above are not independent features — they have to be designed together. A deployment that has good retrieval isolation but no prompt-log protection leaves opinion work product exposed. A deployment with strong audit trails but no human sign-off workflow produces outputs that an attorney cannot defensibly rely on in court.
AI Definitive's Governed-by-Design framework addresses this as an integrated architecture: data protection (client data is never used to train models), access and role controls enforced at the data layer, cited and logged outputs, and mandatory human oversight checkpoints. The Regulated RAG Accelerator applies this framework to document-intensive legal workflows, and the Model Governance and Audit Pack provides the documentation layer needed to support privilege logs and process defensibility.
A Governed Pilot is the practical starting point. It runs against a defined matter type — contract review, privilege triage, or a specific discovery workstream — with agreed success criteria. If those criteria are not met, the client does not pay. That structure forces specificity about what the model is actually being asked to do and what good looks like before any production documents are at risk.
Privilege is not waived by using AI — it is waived by using AI carelessly. The architecture of the deployment is the protection, and getting that architecture right before the first document is ingested is the only defensible approach.