Full profile
The privilege problem in Heppner did not begin with an exotic AI failure. It began with a familiar discovery move: a requesting party asked for materials, and 31 AI-generated documents created through Anthropic’s Claude consumer platform became the disputed evidence in a $150 million fraud case. The Southern District of New York treated those materials as discoverable because the record did not show the confidentiality structure that attorney-client privilege or work-product protection usually requires: Claude was not a lawyer, the interaction was not for obtaining legal advice from Claude, and Anthropic’s terms permitted data collection and disclosure in ways the court found incompatible with a reasonable expectation of confidentiality.[1]

That is why the ruling matters for law-firm controls over prompt logging and confidentiality. A prompt log is no longer just a convenience artifact sitting somewhere inside a tool interface or vendor account. In litigation, it can become electronically stored information that must be preserved, collected, reviewed, withheld, logged, produced, or defended. The uncomfortable part is that privilege may turn less on whether the prompt involved legal work in a loose sense and more on whether the firm can prove, at the time the log is demanded, that the interaction was confidential, lawyer-directed, and created for a protected purpose.
What the Heppner Court Saw
Heppner is not a general ban on AI use in legal matters. It is narrower and, for law firm operations, more useful than that. The court looked at the actual platform, the actual vendor terms, the actual role of counsel, and the actual purpose of the communications. On that record, consumer Claude use did not resemble a confidential communication with counsel or a protected litigation-support arrangement.[1]
The court’s reasoning also left an important opening. Commentary on the decision has noted that the result might have been different if counsel had directed the client to use the AI tool, raising the possibility that some AI-assisted work could be analyzed more like a protected agent or consultant arrangement when the record supports that structure.[2] That is not the same as saying every lawyer-approved chatbot session becomes privileged. It means the missing documentation in Heppner is now the documentation privilege reviewers should expect to need.
The five factors now circulating from Heppner should be treated as a practical synthesis of the court’s reasoning, not as a numbered test the court formally announced. They are still useful because they convert a messy ruling into questions a legal team can actually ask before prompts are written and after a discovery demand arrives.

The Five Questions a Privilege Reviewer Will Need Answered
Was the tool a consumer platform or a controlled enterprise environment?
Platform type matters because the discovery fight will not happen in the abstract category of “AI.” It will happen around a specific account, product tier, workspace, admin setting, contract, and retention configuration. In Heppner, the disputed materials came from Claude’s consumer platform, which gave the court less reason to infer a professional confidentiality framework.[1]
For a law firm, the operational consequence is simple but not small: prompt logs should be traceable to an approved environment. A reviewer should be able to tell whether the user worked in a personal account, a client-approved workspace, a firm enterprise tenant, or a matter-specific environment with negotiated controls. If that cannot be reconstructed later, the privilege argument starts with a gap.
What did the vendor terms allow the provider to do?
The court’s reliance on Anthropic’s data-use and disclosure terms is the part of Heppner that should make risk officers reach for their intake forms. The issue was not that an AI vendor existed somewhere in the communication chain. The problem was that the governing terms allowed uses and disclosures that undercut a reasonable expectation that the information would remain confidential.[1]
A law firm cannot fix that after the fact with a privilege label. Before client information goes into a system, someone needs to know whether prompts and outputs may be retained, reviewed, used for training, shared with subprocessors, disclosed to third parties, or excluded from those uses by enterprise settings or contract terms. ABA Formal Opinion 512, issued in July 2024, separately anchors this as a professional-responsibility issue: lawyers must understand an AI tool’s terms of use before entering client information.[3]
Did counsel direct and supervise the use?
Attorney direction is where Heppner becomes less a technology ruling than a recordkeeping warning. If a client, witness, consultant, or business-side employee uses a public AI tool on their own initiative, the later argument for privilege may have to overcome the absence of a lawyer-controlled purpose and process. If counsel directed the use, selected the tool, limited the inputs, instructed the user, and kept the resulting materials within the legal team’s workflow, the record looks different.
That difference should be documented contemporaneously. Matter-opening forms, AI-use approvals, engagement letters, outside-counsel guidelines, and litigation-hold notices can all carry the same basic information: who authorized the tool, for what matter, under what confidentiality controls, and with what limits on copying or reuse. The point is not to make every prompt solemn. The point is to avoid asking a court to infer supervision from silence.
Was the interaction for legal analysis, or merely useful work?
Privilege does not protect material because it is helpful to a lawyer. It protects communications and work product meeting particular legal standards. That distinction matters for AI prompts because the same tool can summarize a contract, draft a client alert, translate a witness statement, classify documents for review, brainstorm deposition questions, or generate litigation strategy. Those uses do not all carry the same privilege posture.
The closer the prompt and output are to counsel’s legal analysis, mental impressions, litigation strategy, or confidential client communication, the stronger the potential claim. The more the interaction resembles administrative work, public-source research, formatting, or general business drafting, the harder it becomes to rely on the mere presence of a legal matter to carry the privilege argument. A prompt log policy should therefore ask for purpose at creation, not as a reconstruction exercise after collection.
When was privilege asserted?
Retroactive privilege designations are a weak substitute for contemporaneous treatment. If prompts and outputs were stored in a general project folder, copied to non-legal personnel, left in a personal account, or treated as ordinary business records until discovery arrived, a later privilege label may not answer the confidentiality problem. Timing is not cosmetic; it is evidence of how the material was understood when created.
For e-discovery teams, that means AI-generated materials need a route into the same control systems as other sensitive matter materials. If a log contains protected content, the team needs to know where it lives, whether it is subject to legal hold, who can access it, whether the vendor can delete it, and how it will be described if withheld.
| Heppner factor | What a law firm should be able to show |
|---|---|
| Platform type | The prompt was created in an approved consumer, enterprise, or matter-specific environment, with the account type identifiable. |
| Vendor confidentiality terms | The firm reviewed current terms, training use, disclosure rights, retention settings, and available contractual controls. |
| Attorney direction | Counsel authorized or supervised the AI use and limited who could input, review, or share the material. |
| Purpose of interaction | The prompt and output were tied to legal advice, litigation strategy, or protected work product rather than general business use. |
| Timing of privilege treatment | The material was treated as protected when created or collected, not only after a dispute over production arose. |
The Same-Day Split: Heppner and Warner
Heppner would be easier to operationalize if it stood alone. It does not. On the same day, the Eastern District of Michigan reached the opposite result in Warner v. Gilbarco, treating ChatGPT-assisted analysis as protected work product and reasoning that AI was a “tool, not a person.”[4]

The split should make firms cautious rather than celebratory. Heppner focuses attention on confidentiality, vendor terms, and the absence of a legal-advice relationship with the tool. Warner gives more weight to the lawyer’s use of AI as an instrument in legal analysis. Both approaches can matter in a real dispute because a prompt log can contain confidential client facts, counsel’s mental impressions, vendor-held records, and ordinary nonprivileged text in the same thread.
That uncertainty is not academic. A national litigation team may have matters in courts that treat AI-assisted work product differently, and a single client may use multiple platforms across business, legal, and outside-counsel environments. A policy that assumes Heppner always controls may over-restrict useful tools. A policy that assumes Warner always protects lawyer use may leave the firm exposed when a court asks what the vendor terms allowed and who had access.
Morgan v. V2X, decided in the District of Colorado in March 2026, has been described as part of the early effort to reconcile the Heppner-Warner divide.[5] Prompt logs are also appearing as discovery targets in other AI disputes, including materials associated with OpenAI litigation.[5][6] Those developments do not produce a stable national rule. They do confirm that courts and requesting parties now know where to look.
Privilege Logs Need Better AI Descriptions
The practical question after Heppner is not only whether a prompt log can be withheld. It is how the withholding party will describe the material without either waiving protection or offering a useless label. K&L Gates has advised that privilege logs for generative AI data should identify the platform type, whether counsel directed the use, the confidentiality controls in place, and the purpose of creation.[7]
That guidance is valuable because it moves the privilege log away from vague entries such as “AI output re legal issue.” A more defensible entry does not need to reveal the protected strategy, but it should give the opposing party and the court enough information to evaluate the claim: the role of counsel, the controlled environment, the legal purpose, and the basis for confidentiality.
For example, a hypothetical privilege-log description might identify an enterprise AI workspace used at counsel’s direction to analyze litigation strategy for a specified matter, with access limited to the legal team and confidentiality controls enabled. That is not a magic phrase. It is the kind of structured description that matches the facts Heppner made important.
Retention Is Part of the Privilege Problem
Retention settings are volatile, product-specific, and often changed by vendors. They should not be treated as universal compliance schedules. Still, current retention information is relevant because a firm cannot preserve, collect, review, or delete prompt logs responsibly if it does not know where the logs are and how long the system keeps them.
Portal26 has reported differing retention defaults across major tools, including Copilot retention ranging from 180 days to one year, Gemini retention up to three years, ChatGPT Enterprise retention of 30 days, and Claude Free retention described as indefinite.[8] Those figures should be verified against current vendor terms before any matter decision because the relevant setting may depend on product tier, admin configuration, geography, contract, or feature.
Hanzo/JD Supra has recommended retaining audit logs for at least 12 months and prompt/response data for 90 days to one year as a baseline best practice.[9] That is not a regulatory command, and it should not override litigation holds, client obligations, professional rules, or sector-specific retention requirements. It is better understood as a starting point for designing a defensible schedule before a subpoena or request for production forces the issue.
Sanctions Context Is Real, but Not the Main Point
Courts were already showing little patience for careless legal AI use before Heppner. One synthesis tracks AI-related sanctions rising from $5,000 in Mata v. Avianca in 2023, to $31,000 in Lacey v. State Farm in May 2025, to $110,000 in Couvrette v. Wisnovsky in December 2025.[10] Those cases mostly sit in the hallucination, verification, and litigation-conduct lane. Heppner adds a different lane: confidentiality and discoverability.
That distinction matters. A perfectly accurate AI-generated analysis can still create a privilege problem if it was produced in a consumer tool under terms that permit retention, training, or disclosure. Conversely, an enterprise system with stronger confidentiality controls does not excuse lawyers from verifying outputs. The sanction cases explain why courts are attentive to AI misuse; Heppner explains why prompt logs may become evidence in the first place.
What Firms Should Change Now
After Heppner, firms should assume that prompt logs can enter the discovery system. That does not mean every prompt is discoverable or that every AI-assisted legal analysis is unprotected. It means prompt logs need the same front-end discipline as other potentially sensitive ESI: approved systems, current vendor review, role-based access, matter-level supervision, legal-hold treatment, and privilege-log conventions.
- Classify approved AI tools by platform type, including whether the tool is consumer, enterprise, client-provided, or matter-specific.
- Require vendor-term review before client information, litigation strategy, or confidential facts are entered into any AI system.
- Document attorney direction when AI use is connected to legal advice, litigation preparation, or work-product analysis.
- Separate legal-analysis prompts from administrative or business prompts so later privilege review does not depend on guesswork.
- Build prompt logs into preservation, collection, review, redaction, and privilege-log workflows before a discovery request arrives.
The broader AI governance work can live in a firmwide AI policy, but the privilege piece deserves its own specificity. A general instruction to “use AI responsibly” will not answer a motion to compel. The record should show which tool was used, why that tool was acceptable, who supervised the work, what confidentiality controls applied, and how the resulting material was treated when created.
This article is informational and is not legal advice. The immediate operating judgment is narrower than a firmwide AI manifesto: after Heppner, law firms should not treat prompt logs as informal byproducts outside discovery; after Warner, they should not assume one national privilege answer. Preservation will depend less on whether AI was used and more on whether confidentiality, purpose, supervision, and timing can be shown when the log is demanded.
References
- AI Privilege Waivers: SDNY Rules Against Privilege Protection for Consumer AI Outputs, Gibson Dunn
- United States v. Heppner, Harvard Law Review, March 2026
- Formal Opinion 512, American Bar Association, July 2024
- Your AI Prompts May Be Discoverable: What Every Client Must Know, Baker Donelson
- Courts Are Starting to Define What AI Discovery Means, Arnold & Porter, November 2025
- E-Discovery’s Next Frontier Is Your AI Tool’s Output Prompt Log, Bloomberg Law
- Litigation Minute: Generative AI Data, Attorney-Client Privilege, and the Work Product Doctrine, K&L Gates, February 23, 2026
- GenAI Prompt Retention, Portal26
- AI Logs and Legal Holds: How to Build a Defensible Retention Strategy, JD Supra
- AI Legal Ethics, GC AI
Comments
Join the discussion with an anonymous comment.