Skip to main content

Meeting Generative AI Confidentiality Obligations: A Lawyer's Compliance Framework Under ABA Opinion 512

Understanding how generative AI affects the duty of confidentiality under Model Rule 1.6 is essential for any lawyer using these tools. This article provides a structured compliance framework based on ABA Formal Opinion 512 and state bar guidance, covering tool vetting, informed consent, verification protocols, and client communication.

  • contract review
  • legal research
  • compliance monitoring
  • document drafting
  • e-discovery
  • litigation support
  • law firm
  • in-house legal
  • enterprise
  • small firm
  • free tier
  • cloud
  • on-premise
  • RAG
  • agentic

Profile summary

Primary use cases
document drafting, legal research, contract review, compliance monitoring
Pricing tier
enterprise/custom
Target audience
law firm
Data & confidentiality notes
Vendor must provide contractual guarantees against training on inputs, zero-retention, and confidentiality; informed consent required for self-learning tools per ABA Opinion 512. (Model Rule 1.6 context →)
Last reviewed
2026-07-04

Full profile

The practical question for lawyers in 2026 is no longer whether generative AI can ever be used in legal work. It is what must be true before confidential client information is placed into an AI system at all. ABA Formal Opinion 512, issued in July 2024, answers that question by keeping the old duty in place while making the operational burden harder to ignore: lawyers remain bound by Model Rule 1.6, and they must obtain informed client consent before entering confidential information into a self-learning generative AI tool that could use or reveal that information beyond the representation.[1]

That sounds straightforward until it reaches an actual office. A lawyer may know not to paste a merger agreement, medical record, witness chronology, or draft settlement memo into a public chatbot. But a firm also has to know whether the tool stores prompts, whether inputs are used for training, whether a vendor can review or disclose data, whether an enterprise setting is actually enabled, and who checked the contract after the product demonstration ended.

The governance gap is already visible. The North Carolina Bar Association, citing Clio Legal Trends data, reported that 79% of legal professionals use AI tools while 44% of law firms lack formal AI governance policies.[2] That is not a reason to panic. It is a reason to stop treating confidentiality as a personal instinct and start treating it as a documented workflow.

Law book, gavel, laptop, and shield icon illustrating legal confidentiality obligations and generative AI

The Duty Has Not Changed, but the Intake Point Has

Model Rule 1.6 does not become more forgiving because a disclosure happens through a prompt box instead of an email, a file transfer, or a vendor portal. The lawyer still may not reveal information relating to the representation unless the client gives informed consent, the disclosure is impliedly authorized, or another exception applies. Generative AI changes the risk analysis because the lawyer may not know, without investigation, where the information goes after submission.

ABA Formal Opinion 512 treats generative AI as a technology that can be used consistently with the Model Rules, but not casually. Its confidentiality guidance is especially important for tools that are “self-learning,” meaning that user inputs may be retained or used to improve the system. In that setting, the opinion calls for informed client consent before confidential information is entered.[1]

California’s practical guidance points in the same direction. It warns lawyers not to input confidential client information into a generative AI solution without first ensuring that adequate confidentiality and security protections are in place.[3] Florida Opinion 24-1 also reinforces the same basic frame: lawyers may use generative AI, but they must protect confidentiality, supervise the tool’s use, and communicate with clients when the circumstances require it.

The useful compliance move is to stop asking whether a product is “AI” and start asking what kind of disclosure the lawyer is making. Some AI use involves no client information at all. Some use involves anonymized or hypothetical material. Some use places client-identifying facts, strategy, documents, or legal advice into a third-party system. Those are different acts, and they should not be approved under the same vague label.

Classify the Tool Before Classifying the Task

A firm policy that says “use only approved AI tools” is only useful if approval means something. The approval file should show what was reviewed, who reviewed it, and what kinds of client information the tool may receive. Otherwise, “approved” becomes another comfort word.

QuestionWhy it matters for confidentiality
Will the tool retain prompts, uploaded files, outputs, or metadata?Retention can affect both confidentiality risk and later privilege arguments.
Can user inputs be used to train or improve the model?Self-learning use is the point at which ABA Opinion 512 makes informed consent especially important.
Can vendor personnel review user content?Human review may be a disclosure to a third party unless protected by contract and purpose.
Can the vendor disclose data to affiliates, subprocessors, regulators, or other third parties?The answer bears directly on whether the lawyer can claim a reasonable expectation of confidentiality.
Is zero-data-retention or no-training contractually promised, or merely described in marketing material?Operational settings and contractual terms are not interchangeable.
Is the tool covered by security controls such as SOC 2 certification?Security certification is not a complete ethics answer, but it is relevant to reasonable safeguards.

The classification should be task-specific. A public tool used to generate a generic first draft of a CLE announcement is not the same risk as the same tool used to summarize a client’s sealed complaint. A legal research assistant with enterprise terms, no-training commitments, access controls, and audit logs still needs supervision, but it occupies a different risk category than a personal account governed by consumer terms.

For smaller firms, this does not require an innovation department. It requires a short written record: the tool name, account type, reviewed terms, permitted uses, prohibited inputs, responsible approver, date of review, and next review date. If the vendor changes its privacy terms or launches a new training setting, the approval should not silently carry forward.

A consumer chatbot account is usually the hardest environment in which to justify entering confidential client information. The lawyer may have little control over retention, training, subprocessors, or data access. Even where a vendor offers opt-out controls, the firm must know whether those controls were actually enabled for the account being used.

Enterprise tools may reduce the risk if the contract provides no-training-on-inputs, limited retention, administrative controls, access restrictions, security commitments, and auditability. But enterprise branding is not itself a safeguard. The relevant question is what the governing agreement and configured settings actually permit.

Legal-specific AI products deserve the same review. A vendor’s specialization in legal work does not answer whether the lawyer’s client information is used to improve models, reviewed by vendor staff, stored outside the expected environment, or disclosed to subprocessors. A legal logo does not substitute for a data-processing review.

Informed consent is not a sentence buried in an engagement agreement saying the firm “may use technology.” For generative AI confidentiality obligations, consent has to track the real disclosure. The client should understand what type of AI system may be used, what information may be submitted, whether the information may be retained or used for training, what protections exist, and what reasonably foreseeable risks remain.

ABA Formal Opinion 512 does not require client consent for every possible use of generative AI. A lawyer using an AI tool to draft a generic internal checklist without client information has not necessarily disclosed protected information. But when confidential information is entered into a self-learning tool, the opinion identifies informed consent as the necessary step.[1]

A practical consent process should avoid both extremes: it should not frighten clients with speculative technology language, and it should not flatten real risks into “we use secure AI tools.” A useful disclosure might explain that the firm uses an approved AI platform for document summarization or drafting support, that the platform is contractually restricted from training on client inputs, that lawyers review all outputs, and that certain uses will not occur without separate approval. If the tool lacks those protections, the disclosure must say so or the information should not be submitted.

Consent also has a timing problem. It is easiest to address ordinary, approved uses in an engagement letter or outside counsel guidelines. It is harder, and often more important, to obtain matter-specific consent before using a new tool for a sensitive task: trial strategy, privileged communications, health information, trade secrets, source code, deal terms, internal investigation materials, or any data subject to a protective order.

For engagement-letter drafting, the consent language should be tied to actual firm practice rather than copied from a generic AI clause. A firm that has not completed tool vetting should not promise enterprise safeguards. A firm that allows lawyers to use public tools for nonconfidential tasks should say where the boundary is. For a deeper treatment of client-facing language, see the site’s separate guide to generative AI billing policies and engagement letter language.

Supervision Means More Than Reviewing the Final Answer

ABA Opinion 512 frames generative AI through the familiar obligation to supervise nonlawyer assistance under Rule 5.3.[1] That framing is useful because it moves the discussion away from the mystique of the tool. The lawyer remains responsible for how the work is delegated, what information is provided, what output is accepted, and whether the process was reasonable.

The supervision file should identify who is allowed to use the tool, for which tasks, with what categories of information, under what account, and with what review requirements. A firm that would never let an unsupervised contract reviewer email client files to an unknown vendor should not allow the same result through a prompt window.

  • Limit access to approved accounts rather than personal logins.
  • Define prohibited inputs, including privileged communications, sealed material, protected health information, trade secrets, and unredacted client identifiers unless specifically approved.
  • Require matter-level approval for sensitive uses.
  • Train lawyers and staff on the difference between anonymized prompts, client-confidential prompts, and privileged material.
  • Keep a review log for tools that may receive confidential information.

This is also where blanket bans can fail. The North Carolina Bar Association warned in January 2026 that prohibition can drive AI use underground, while clear policies bring it into the open where it can be supervised.[2] That observation matches what many firm technology committees have already seen: lawyers under deadline will experiment. The choice is whether the firm can see and govern the experiment.

Prompt, Verify, Audit

A confidentiality program cannot stop at vendor review. Lawyers also need a routine for how AI-assisted work moves through the matter. The Prompt→Verify→Audit framework is useful because it separates three questions that are too often collapsed: what information went into the system, whether the output is reliable, and whether the firm can later show what happened.[4]

Three-step workflow showing Prompt, Verify, and Audit stages connected by arrows

Prompt

The prompt stage is where confidentiality is most easily lost. The lawyer or staff member decides what to paste, upload, summarize, or ask the system to infer. A good policy does not merely say “do not enter confidential information.” It tells users what to do instead: redact, anonymize, use an approved enterprise tool, obtain matter approval, or do not use AI for that task.

For example, a lawyer may be able to ask for a generic structure for a motion without disclosing client information. The same lawyer may not be able to upload the client’s draft affidavit to a consumer chatbot without consent and safeguards. The legal analysis may be similar; the data exposure is not.

Verify

Verification is often discussed as a hallucination problem, but it also matters for confidentiality. A lawyer who relies on an AI summary of a production set, an internal investigation file, or a deposition transcript needs to know whether the tool omitted, distorted, or invented facts. If the output is wrong, the client may bear the consequence.

Verification should be calibrated to the use. A brainstorming output may need light review. A filing, legal memo, contract revision, privilege log, or client advice requires source-level checking by a lawyer competent to evaluate the substance. For the competence dimension of that review, the site’s separate article on subject-matter expertise and AI cite-checking goes further than this confidentiality-focused discussion.

Audit

Audit is the step that turns a good intention into evidence of a reasonable process. The firm should be able to identify which tool was used, what category of information was submitted, whether client consent was obtained if required, who reviewed the output, and whether the use complied with the firm’s policy.

That does not mean every prompt belongs in the client file. In some matters, preserving prompts may create its own sensitivity. But the firm should make a deliberate retention decision. If the later question is whether the lawyer acted reasonably, an undocumented “we thought it was secure” will not be much help.

Sanctions Are a Warning Signal, Not the Whole Confidentiality Story

The sanctions cases involving generative AI are now part of the professional-responsibility landscape. Mata v. Avianca produced a $5,000 sanction in 2023 after fabricated citations appeared in a filing. Lacey v. State Farm involved a $31,100 sanction in 2025. Couvrette v. Wisnovsky involved a $110,000 sanction in 2025.[4]

Those cases should not be overread. Hallucinated citation sanctions are not the same thing as a confidentiality breach, and three cases do not prove a neat linear escalation. Their value here is narrower and more practical: courts are becoming less patient with lawyers who use AI without a controlled process for checking what the tool produced.

The same professional posture matters for confidentiality. A lawyer who cannot explain what tool was used, what information entered it, what protections applied, and who reviewed the output will have difficulty persuading a court, client, regulator, or disciplinary authority that the use was reasonable.

Heppner Shows Why Vendor Terms Matter

The privilege issue is where abstract data-handling language becomes concrete. In United States v. Heppner, a Southern District of New York court held in February 2026 that a defendant’s use of consumer Claude to draft 31 strategy documents was not privileged because the platform’s privacy policy permitted data collection and potential third-party disclosure, undermining any reasonable expectation of confidentiality. Recent New York City Bar analysis also treats AI, privacy, and privilege as an active area of professional concern rather than a settled technicality.[5]

Heppner is important because it refuses to let the user’s subjective expectation do all the work. If the governing terms permit the platform to collect, retain, review, or disclose content, a court may ask whether confidentiality was objectively reasonable. That inquiry reaches the questions lawyers sometimes leave to procurement: which account was used, what terms applied, whether data could be used beyond the immediate task, and whether a third party received access inconsistent with privilege.

The limits matter just as much. Heppner is a district-court ruling, not a nationwide final answer. The emerging uncertainty identified around Warner and Morgan means privilege outcomes remain unsettled until higher courts give firmer guidance. Heppner also leaves open questions about attorney-directed use, enterprise-grade tools with contractual confidentiality protections, and whether a Kovel-style necessary-intermediary argument could apply in a different record.

Those limits should prevent overclaiming, not complacency. The lesson is not that every AI interaction waives privilege. The lesson is that privilege arguments may turn on the same operational details that should have been reviewed before the tool was approved: retention, training, access, disclosure rights, contractual restrictions, and the purpose for which the AI system was used.

A Workable Compliance File

A lawyer trying to meet generative AI confidentiality obligations does not need a perfect system. The lawyer needs a system that matches the sensitivity of the information and can be explained later. For many firms, that means keeping a short compliance file for each approved tool and a matter-level note for sensitive uses.

  • Tool approval: product name, account type, vendor terms reviewed, privacy policy reviewed, security materials reviewed, and approval date.
  • Data rules: permitted inputs, prohibited inputs, retention terms, training terms, vendor access, subprocessors, and disclosure rights.
  • Contractual protections: no-training commitments, zero- or limited-retention terms, confidentiality obligations, access controls, and audit rights where available.
  • Client communication: when general disclosure is enough, when matter-specific informed consent is required, and who is authorized to obtain it.
  • Supervision: approved users, training requirements, output review standards, escalation path, and periodic reapproval.
  • Audit record: what category of task was performed, whether confidential information was used, who verified the output, and whether any exception or client consent supported the use.

The compliance file should be short enough that lawyers will use it and specific enough that it constrains behavior. A policy that requires ethics committee approval for every harmless brainstorm will be ignored. A policy that says “be careful with AI” will be useless. The middle ground is a traffic-controlled system: low-risk uses are permitted under standing rules, higher-risk uses require approved tools, and sensitive client information requires matter-level review and consent where the rules call for it.

Firms building that broader structure can separate this article’s confidentiality analysis from adjacent issues. Rule 5.3 supervision, AI policy construction, billing, competence, and engagement-letter drafting each deserve their own treatment. The confidentiality question is narrower: what information enters the system, under what protections, with whose consent, and with what record of review.

No Safe Harbor, but a Disciplined Standard

ABA Formal Opinion 512 and state guidance do not create a magic approval label. A lawyer can use generative AI consistently with confidentiality obligations only when the tool’s data practices are understood, protections are documented, client consent is obtained where required, users are supervised, outputs and workflows are verified, and the firm can later show what it did.

References

  1. ABA issues first ethics guidance on a lawyer’s use of AI tools, American Bar Association, July 2024, https://www.americanbar.org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/
  2. Beyond the Ban: Why Your Law Firm Needs a Realistic AI Policy in 2026, North Carolina Bar Association, January 13, 2026, https://www.ncbar.org/2026/01/13/beyond-the-ban-why-your-law-firm-needs-a-realistic-ai-policy-in-2026/
  3. Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law, California State Bar, https://www.calbar.ca.gov/Portals/0/documents/ethics/Generative-AI-Practical-Guidance.pdf
  4. AI Legal Ethics: Prompt, Verify, Audit, GC AI, https://gc.ai/blog/ai-legal-ethics
  5. The Intersection of Artificial Intelligence, Privacy and Privilege, New York City Bar Association, June 2026, https://www.nycbar.org/reports/the-intersection-of-artificial-intelligence-privacy-and-privilege/

Corrections & feedback

Submit corrections to factual information, flag stale data, or share deployment experience. Comments are moderated. Nothing in comments constitutes legal advice.

Comments

Join the discussion with an anonymous comment.

Loading comments...
Blogarama - Blog Directory