Attorney Client Privilege and AI Tools
Attorney-client privilege rests on a single fragile condition: the communication stayed confidential. Disclose it to the wrong third party and the protection can evaporate, sometimes across an entire subject matter rather than a single document.
Most AI tools are, structurally, that third party. Feeding matter information into a cloud model hands it to infrastructure someone else operates, which makes the architecture behind an AI tool a question of professional responsibility, not just IT procurement.
Privilege Is Easy to Lose
Privilege takes years to establish and a single careless channel to waive. It survives only as long as confidential communications stay confidential, and a disclosure to an outside party can break it.
That asymmetry is the whole reason to scrutinize the tools that touch matter data. No amount of convenience is worth risking a waiver you cannot take back.
The profession is already a target. The American Bar Association's 2023 Legal Technology Survey Report found that 29% of firms had experienced a security breach, up from 27% the year before.1
How Cloud AI Risks Waiver
A cloud AI tool routes privileged content through systems a third party owns and operates. When you submit a client's documents to an external model, that material leaves your control and enters someone else's infrastructure, passing through their servers and potentially their staff.
Whether that amounts to disclosure is a question you do not want to be litigating after the fact. Building privilege protection on a vendor's shifting terms of service is building on sand.
The Third Party Is the Problem
The difficulty is not bad intentions, it is structure: a cloud tool is by definition an outside party. Even with assurances and agreements in place, the data physically sits on machines you do not own and moves through a chain you cannot fully vouch for.
The privilege model assumes a confidentiality you can stand behind. Every additional party who touches the data weakens that claim, so the most direct protection is to reduce the number of hands to zero.
Keeping Matter Data In-House
On-premises AI removes the third party from the equation entirely. When the model runs on hardware the firm owns, privileged documents are read, indexed, and analyzed without ever leaving the office, so there is no external processor to disclose to.
FactoryOS is built for exactly this posture: ingest the firm's files locally, serve them from local models, and let nothing cross the boundary. The tool conforms to the obligation instead of asking the obligation to bend.
Confidentiality in the Architecture
Run locally, confidentiality becomes a property of the system rather than a rule people follow. Combined with channels and permissions, matter data can be walled off by client and by team, so even inside the firm access follows need-to-know.
This is the same move that turns compliance into architecture, applied to privilege. Structural protection does not get distracted, rushed, or talked into an exception.
Diligence Before You Adopt
Vetting an AI tool before it touches client data is part of the duty of competence, not an optional extra. Before adoption, you should be able to state where the data goes, who can see it, and whether it ever leaves your control.
A tool that cannot answer those plainly has already answered the most important one. The safest answer is that the data never leaves at all, so could your current tools survive that standard of diligence?