If anyone at your organization has ever discussed a legal matter with a consumer AI chatbot, a federal judge just confirmed what nearly half of in-house counsel already feared: those conversations are likely not privileged.

In a September 2024 survey, the Association of Corporate Counsel asked in-house counsel which category of AI tools poses the greatest risk of compromising attorney-client privilege. Forty-nine percent chose generative AI — by far the largest response.

On February 10, Judge Jed Rakoff of the Southern District of New York proved them right. In United States v. Heppner, No. 25 Cr. 503 (S.D.N.Y.), he ruled from the bench that approximately 31 documents a criminal defendant created using a consumer AI chatbot are protected by neither attorney-client privilege nor the work product doctrine. It is the first federal court decision to directly address whether privilege attaches to materials generated through a consumer AI platform.[1]

The facts

Bradley Heppner was arrested in November 2025 on securities and wire fraud charges related to the collapse of GWG Holdings, an alleged $150 million scheme. After his arrest and after retaining defense counsel, Heppner used a consumer AI chatbot to prepare reports outlining his defense strategy and potential legal arguments. He then shared the AI-generated reports with his lawyers.

When the government sought production of the 31 documents, Heppner asserted both attorney-client privilege and work product protection. Judge Rakoff rejected both.

Why privilege failed

The court’s reasoning turned on a basic feature of consumer AI platforms: they do not promise confidentiality.

Judge Rakoff found that sharing information with a consumer AI tool is inconsistent with the confidentiality requirement of privilege. As the court stated, the defendant “disclosed it to a third-party, in effect, AI, which had an express provision that what was submitted was not confidential.” The government pointed to the AI provider’s privacy policy, which permits use of inputs for model training and allows disclosure to governmental authorities and third parties. Under well-established law, voluntary disclosure of privileged information to a third party that does not maintain confidentiality waives the privilege.[2]

The court also rejected the argument that Heppner could retroactively cloak the AI-generated documents with privilege by later transmitting them to counsel. Preexisting, non-privileged materials do not become privileged merely because a client eventually shares them with an attorney.

Why work product failed

The work product doctrine fared no better. Defense counsel represented that Heppner created the documents on his own initiative, not at counsel’s direction. The doctrine protects materials prepared by or for a party’s attorney in anticipation of litigation. A layperson’s independent AI-assisted research falls outside that scope, and the work was not performed at counsel’s behest.

What the ruling does not address

Heppner involved a narrow set of facts: a criminal defendant using a consumer AI platform, on his own initiative, without attorney involvement. The court did not address whether the analysis would change if:

• An enterprise AI deployment contractually guarantees that user inputs will not be used for training and will be kept confidential. Some enterprise agreements expressly provide for data isolation and prohibit disclosure, which could preserve the confidentiality element that consumer platforms lack.

• An attorney directs a client or employee to use an AI tool as part of the legal representation. Under the Kovel doctrine, communications through intermediaries necessary for the provision of legal advice may retain privilege protection.[3]

• The AI tool is used by an attorney as part of legal analysis, akin to a legal research database.

As enterprise AI adoption accelerates, the consumer-enterprise distinction may prove decisive for privilege.

What organizations should do now

Heppner is a single bench ruling in one district, but its reasoning tracks settled privilege doctrine. Organizations may not want to wait for an appellate decision to act.

Review AI use policies through a privilege lens. Most corporate AI use policies focus on data security, accuracy, and intellectual property. Few address the privilege implications of employees using AI tools to analyze legal questions. If an employee pastes a privileged communication into a consumer AI chatbot, Heppner suggests the privilege may be waived for the underlying information, not just the AI-generated output.

Distinguish consumer from enterprise deployments. The ruling’s logic depends on the terms of service and privacy policy of the AI platform. Enterprise agreements that contractually guarantee input confidentiality, prohibit use for model training, and restrict disclosure, may support a different privilege analysis. Organizations may wish to ensure their enterprise AI contracts explicitly address these points.

Route legal questions through counsel. The work product analysis in Heppner failed because the defendant acted on his own initiative. When AI is used at the direction of counsel, as part of the attorney-client relationship, both privilege and work product protections are more likely to attach. Organizations may wish to establish clear protocols for when AI-assisted legal analysis flows through the legal department.

Audit existing AI governance documentation. Internal AI risk assessments, bias audits, and compliance reviews are increasingly required by state law. If these assessments are conducted outside the attorney-client relationship, they will be fully discoverable. Structuring governance programs so that at least the legal risk analysis is conducted under privilege is a practical step that Heppner makes more urgent.[4]

The broader significance

To be clear, Heppner is a narrow ruling on unusual facts — a criminal defendant, acting alone, using a consumer AI platform, without attorney involvement. Some commentators have rightly cautioned against reading it as a categorical death knell for privilege in all AI contexts. But the court’s reasoning did not break new doctrinal ground. It applied long-settled third-party disclosure principles to a new technology. The outcome was predictable — and the same logic applies every time an employee pastes privileged material into a consumer AI tool.

Heppner is the privilege corollary to the well-publicized incidents in which employees inadvertently disclosed source code and proprietary data through consumer AI tools. Those tools are not confidential channels. What employees type into a consumer AI chatbot is shared with a third party under terms that permit broad use. For trade secrets, that sharing may destroy the “reasonable measures” required for protection.[5] For privileged communications, Heppner now confirms it may destroy the privilege itself.

The question is no longer whether organizations need AI governance programs. It is whether those programs are structured to preserve the legal protections that matter most when things go wrong.