The Prompt Is Now Evidence: GenAI Meets Attorney-Client Privilege, Work Product, and ESI Production
Editor’s Note: Generative AI (GenAI) is quickly becoming part of how legal professionals research issues, prepare analyses, and communicate with clients, but the legal frameworks governing privilege and work product were not designed with these technologies in mind. Drawing on insights from a recent HaystackID® webcast, this article explores the emerging case law shaping how courts view AI-generated content, attorney-client communications, and AI-assisted legal workflows. The discussion highlights a growing reality for legal departments and law firms alike: the choice of AI tool, its deployment, and the controls governing its use can have significant legal consequences. As organizations adopt AI across discovery, investigations, and legal operations, governance, documentation, and defensible processes are becoming equally as important as the technology itself. These issues are increasingly central to HaystackID’s AI Governance Services, which help organizations establish policies, controls, and audit-ready frameworks for responsible AI use.
The Prompt Is Now Evidence: GenAI Meets Attorney-Client Privilege, Work Product, and ESI Production
By HaystackID Staff
A client, anticipating criminal charges, sits down with an AI tool and generates 31 detailed documents: questions about securities fraud law, topics he planned to raise with his attorney. The FBI seizes those documents. When his defense counsel tries to protect them as privileged, a federal court says no.
That is what happened in United States v. Heppner, decided in the Southern District of New York in February 2026. And while it may be the first major ruling at this intersection, it almost certainly will not be the last. As GenAI tools migrate deeper into legal workflows, the privilege and work product frameworks governing what stays out of discovery were built for a world where attorneys talked to clients, not a world where both of them consult large language models first.
The gap between those two realities was the subject of HaystackID’s recent webcast, “The AI eDiscovery Sea Change: Privilege, Work Product, and Hyperlink Productions.” During the discussion, legal experts provided a candid, technically precise breakdown of where existing doctrine holds, where it strains, and what practitioners should be doing differently right now.
The Analytical Fork in the Road
In the Heppner case, the court denied privilege on three grounds:
- Claude is not an attorney.
- The communications were not made for the purpose of obtaining legal advice.
- Anthropic’s privacy policies defeated any reasonable expectation of confidentiality.
Clean reasoning on its face, but expert panelist Adam Gajadharsingh, Discovery Counsel at Google, took issue with the premise underlying all of it.
“I think there are two ways you can view the communication,” he said. “One is whether a communication with a GenAI tool can be privileged, versus a very different question, which is whether you can use a tool for the purpose of seeking or facilitating legal advice with counsel.”
The court spent its energy on the first question—effectively asking whether a conversation with Claude itself can be privileged—when, in Gajadharsingh’s view, the more defensible and analytically useful question is whether a client used an AI tool as part of a protected communication with counsel. The difference matters enormously in practice.
Drafting notes before a client meeting, sending yourself a rough outline of issues to raise with your attorney—courts have protected those before. In United States v. DeFonte, 441 F.3d 92 (2d Cir. 2006), a court held that a witness’s personal journal entries were work product because, even though they were never shared with her attorney, they functioned as “an outline for an attorney-client conversation.” Heppner’s AI-generated documents were doing something functionally similar: capturing his thinking in anticipation of discussions with counsel. The Heppner court actually cited DeFonte but didn’t disturb its reasoning; confidentiality concerns were what ultimately sank the claim.
Worth noting: the court’s primary cited authority on the communication question was “Against an AI Privilege”, a Harvard Journal of Law & Technology piece by American University law professor Ira P. Robbins, arguing that communications with AI tools should not receive their own protected status. The choice of authority tells you something. The court was litigating whether a new privilege should exist, not whether an old one already fits. Gajadharsingh thinks existing doctrine fits just fine.
“Using a GenAI tool to help craft a question for your lawyer is really no different than using a word processing tool, or email, or other modern electronic techniques or tools as part of the overall attempt to seek or communicate with counsel for advice,” he said.
Confidentiality, Third Parties, and a Rude Awakening
The Heppner court’s third ground—that Anthropic’s privacy policies defeated any reasonable expectation of confidentiality—generated the most debate on the panel and also the most pushback.
Gajadharsingh urged practitioners to read the actual policy rather than react to its existence.
“My quick reading of it was not that they were going to use this data for training for some commercial use,” he said. “It was using it for trust and safety counter-abuse issues, and that’s what every service provider does.”
He pushed the point further: “If disclosure is going to be a concern for people, then if anyone uses Westlaw and Lexis, I have a rude awakening for you—go read their privacy policies. They have the right to disclose your data for all kinds of different governmental reasons, subpoena reasons, and legal reasons.”
Judge Michelle Peterson, Magistrate Judge in the U.S. District Court for the Western District of Washington, was less troubled by the confidentiality question than the court appeared to be. Her reasoning came from the criminal side of her docket.
“As a magistrate judge, I do a lot of criminal work, and the third-party doctrine with respect to search and seizure law has really been evolving with all of our new technologies,” she said. “The fact that most of our data and most of what we do is in some way housed by some other third party. I would be less concerned about that as an issue that would defeat the attorney-client privilege or even the work-product doctrine.”
Her point cuts to something practitioners often overlook: attorneys already send privileged communications through Gmail, store client files in cloud platforms, and run research through services that reserve disclosure rights in their terms. If housing data with a third party were enough to defeat confidentiality, the architecture of modern legal practice would make privilege nearly impossible to maintain. The standard that Judge Peterson suggested courts are moving toward focuses on whether a reasonable expectation of confidentiality existed, given the specific tool and context, not whether a third party touched the data at all.
Giving Work Product More Breathing Room
Before the panel turned to the case law, expert moderator Phil Favro, founder of Favro Law PLLC, laid out the terrain by differentiating between the two types of work product: fact work product and core work product.
“With fact work product, maybe you’ve prepared some sort of notes from a witness interview or an analysis of certain issues in the case. And then there’s core work product or opinion work product, where it reflects mental impressions, particularly of counsel. Those are typically absolutely privileged, or a very high bar to overcome,” he said.
That distinction matters more than ever when AI is generating or refining the underlying material because the type of work product at issue shapes both how courts analyze protection and how hard it is for an opposing party to overcome it.
Heppner’s work product claim fared no better. The court found the documents were not prepared by or at the direction of counsel—Heppner’s own attorneys conceded they never asked him to use Claude—and therefore did not reflect defense counsel’s mental impressions or litigation strategy at the time of their creation. The practical implication is clear: a client who independently consults with an AI tool, even one who has already retained counsel and intends to share the results with that counsel, may receive no work-product protection at all. The attorney’s involvement has to come before the prompting, not after.
If attorney-client privilege runs into structural problems with AI use, work product doctrine is where the more durable protections may lie, and where the case law is developing more favorably. It is also where the criminal/civil divide matters most: Heppner was governed by criminal Rule 16, which applies a narrower framework than the civil work product protections in Rule 26(b)(3) that most practitioners encounter. The cases that follow — Warner, Morgan — operate under civil rules, and their more favorable outcomes reflect that difference.
Warner v. Gilbarco, Inc. offers the clearest counterpoint to Heppner so far. In that case, a pro se civil litigant’s AI prompts and outputs were challenged, and the court protected them as work product on the ground that AI systems are tools rather than persons, and disclosure to a tool is not disclosure to an adversary.
“The Warner Court specifically said the AI systems are tools, not persons. Disclosure to them is inherently not disclosure to an adversary, which would be a standard trigger for waiver,” said Michelle Six, Of Counsel at Gunster.
That framing sidesteps the confidentiality problem that plagued Heppner entirely and focuses instead on whether information has actually reached an opposing party or a conduit to one.
Six was quick to add a note of caution, however. The Warner plaintiff was a self-represented individual in an employment dispute—a sympathetic posture that may have shaped the analysis.
“I don’t know if we would see this same analysis extended to maybe a giant company in the midst of some sort of massive class action or multidistrict litigation,” she said.
Practitioners should treat Warner as an encouraging data point, not a guarantee.
Waiver standards for privilege and work product are fundamentally different—a point Gajadharsingh made explicit.
“Just because you expose something to a third party, it’s not a per se waiver of work product. They have to be an adversary or a conduit to an adversary. This has been recognized as law for years and years and years,” he said.
Practitioners sometimes conflate the two standards, and the practical consequences of that confusion are significant. Work product can, in many circumstances, tolerate more exposure to third parties than privilege can, and that flexibility may be exactly what gives AI-assisted legal work some protection even in less controlled environments.
One point that often gets overlooked: work-product protection does not require an attorney to create the document. Federal Rule of Civil Procedure 26(b)(3)(a) extends protection to materials prepared by “a party or its attorneys, consultants, surety, indemnitor, insurer, agents.”
Employees compiling information in anticipation of litigation, even without explicit attorney direction, can generate protected work product. That matters considerably when a company’s legal team asks business-side employees to use AI tools to help prepare for litigation; the protection may extend to the purpose, not just to the person who prompted the tool.
The Legal Stakes of RAG vs. LLM
While privilege analysis has focused heavily on how practitioners use AI tools, it is important to consider how these tools are built. During the webcast, Gajadharsingh drew a distinction between pure LLM deployments and retrieval-augmented generation (RAG) systems, a distinction with genuine legal significance that courts have not yet addressed directly.
In a standard LLM interaction, a user prompts the model and receives a generated response. A RAG system works differently: it grounds its outputs in specific documents the user uploads and often cites those source materials in its response. That architectural difference changes the privilege analysis considerably.
“If you’re using a RAG model or a retrieval-augmented generation tool, many of these tools provide an output, but it also provides citations to the specific source material that was used to generate that output,” Gajadharsingh said. “That’s a very different thing to think about because if that source material is privileged to begin with, and the user obviously is privy to allow that privileged information, it has generated an output that is based on pointing to a privileged source document. I think there’s a very good argument that that output is going to be privileged and remain privileged.”
Gajadharsingh’s view is that a system that grounds its outputs in an attorney-client memo and cites that memo isn’t generating something new and unprivileged—it’s a sophisticated interface on top of existing privileged content, and the privilege analysis should follow the source material, not just the output format. No court has yet validated that reasoning directly. For legal departments evaluating which AI tools to deploy, that distinction is not abstract.
SharePoint Changed the Rules. The Protocols Haven’t.
The webcast’s second major topic steered the conversation away from privilege entirely and toward a production problem that has quietly vexed eDiscovery practitioners for years. If an email contains a hyperlink to a SharePoint document rather than an inline attachment, should that document be produced as part of the email’s family?
The intuitive answer is yes. But Gajadharsingh laid out why the analogy breaks down.
“The big issue that the industry has been trying to deal with is something called versioning,” he said. “That is the reality that if you’re pointing to a live document that is in some document repository like SharePoint or somewhere else, that document may have been edited 100 times since the date the original email was sent to the point where that email is actually collected in discovery. That’s very different from a traditional attachment, which is static.”
Collecting and producing the contemporaneous version of a hyperlinked document—the version that existed when the email was sent—may be technically possible but operationally expensive. Collecting the current version may be easy, but it can be legally misleading. Neither option maps cleanly onto ESI protocols negotiated before collaborative platforms like SharePoint and Google Drive became part of the infrastructure—agreements drafted when static attachments were still the norm.
Six added a preservation dimension that compounds the problem further. Even when a party has made thorough and defensible preservation efforts, a legal hold placed after a hyperlinked document was created may not capture the version that was live when the email was sent. With a traditional attachment, what you collect is what exists. With a hyperlink, that certainty disappears entirely.
United Association National Pension Fund v. Carvana (No. 2:22-cv-02126, D. Ariz.) illustrates what happens when parties can’t resolve this on their own. The dispute arose from an ESI protocol the parties had agreed to as a court order—one that required cooperation on whether hyperlinked documents should be produced in a family relationship. When they couldn’t reach an agreement, the court ordered a test: run the plaintiff’s preferred collection tool against two of the defendant’s custodians to see whether it could produce hyperlinked documents in proportion. The defendant ran the test, found the results far too burdensome, and returned to the court to say so. The court’s response splits the difference: require the defendant to produce 250 hyperlinked documents using whatever method the defendant chooses and allow the plaintiff to select 200 more for reverse-engineered production.
Judge Peterson drew the line at intent. An email asking a recipient to review and respond to a linked document creates a much stronger production argument than one dropping in a reference document for background context. The degree to which the sender expected the recipient to actually engage with the linked file, she suggested, is what should drive the proportionality analysis, not the mere fact that a hyperlink appears in the email.
That functional test—how actively the recipient was expected to engage with the linked document—gives practitioners a workable starting point for meet-and-confer conversations well before a production dispute reaches the court.
Translating AI Privilege Doctrine into Governance
The doctrine discussed above was largely developed in the context of individual litigants: a criminal defendant, a pro se plaintiff. But the more pressing practical question for many readers is how these holdings translate to an institutional setting: a legal department that has already rolled out AI tools or is deciding whether to.
Gajadharsingh offered a scenario that maps directly onto the in-house context. An in-house counsel who creates a closed AI tool for a small team and directs that team to use it to craft questions for counsel operates in fundamentally different territory from Heppner. The attorney’s direction exists before AI use begins. The purpose is defined in advance. The tool is not a public-facing consumer product. Each of those factors—direction, purpose, and architecture—is one that the Heppner court found missing, and each is one that in-house legal teams can deliberately build in.
The choice of tool is now a legal decision, not just a technological one. A consumer-grade LLM and a closed enterprise RAG system are not interchangeable from a privilege standpoint. The former presents the confidentiality exposure that the Heppner court penalized. The latter, particularly where outputs are grounded in and cited to existing privileged materials, presents a much stronger argument for protection, though, as noted, no court has yet validated that reasoning directly.
Judge Peterson’s closing observation applies with particular force to legal departments: attorney involvement strengthens every part of the analysis. The more clearly AI use is directed by counsel, scoped to a legal purpose, and documented as such, the stronger the work product argument becomes. An employee who independently decides to run discovery materials through a consumer AI tool occupies the same exposed position as Heppner. An employee directed by counsel to use a specific enterprise tool for a defined litigation purpose occupies a very different one.
For legal departments looking to formalize those distinctions before a discovery dispute forces the question, HaystackID’s AI Governance Services help organizations inventory their AI tools, document attorney direction and purpose, classify tools by risk level, and build the repeatable controls and audit-ready evidence that regulators, opposing counsel, and courts are increasingly in a position to demand.
The Takeaway is in the Terms and Conditions
Privilege claims for AI-assisted communications have the weakest footing when the AI tool is public-facing, when counsel didn’t direct or even know about the use, and when the platform’s terms of service explicitly disclaim confidentiality. Work product claims have a stronger footing across a broader range of use cases, especially in civil litigation. The architecture of the tool—closed versus open, RAG versus pure LLM—affects the analysis in ways courts haven’t fully articulated but practitioners should anticipate.
A third front is opening on expert witness methodology: Conservation Law Foundation v. Shell Oil Co., decided in May 2026, raised the question of whether AI prompts used by an expert to analyze a document production are discoverable as part of that expert’s methodology. The panel flagged it as one to watch.
The panel’s practical guidance, distilled:
- Direct first, prompt second. Attorney involvement must precede AI use, not follow it. A client who generates AI documents independently and later shares them with counsel gets no retroactive protection. The direction needs to exist—and ideally be documented—before anyone starts typing into a tool.
- Read the actual policy, not just the category. The mere fact that a platform has a privacy policy does not tell you what it says. The Heppner court turned on the specific terms of Anthropic’s policy. Read what you are actually agreeing to before clients or employees use the tool on privileged matters.
- Treat the tool choice as a legal decision. Consumer-grade and enterprise AI tools are not interchangeable from a privilege standpoint. The architecture—open versus closed, LLM versus RAG—affects the confidentiality analysis in ways that are not yet fully settled, but that courts are beginning to examine. That choice belongs in a conversation between legal and technology teams, not just IT procurement.
- On hyperlinks, negotiate before you sign. The Carvana litigation became expensive because the parties had not agreed on a framework before the ESI protocol was entered as a court order. The time to address hyperlinked document production—versioning, contemporaneous collection, family relationships—is at the meet-and-confer stage, not after a dispute has already reached the court.
- If a hyperlink dispute reaches the court, propose sampling. Judge Peterson’s suggested approach: identify a manageable set of emails and work through those before attempting a wholesale production framework. Courts are receptive to this. Parties who arrive with a concrete sampling proposal are better positioned than those who arrive with an intractable disagreement.
Six offered a caution that cuts across all of it, drawing on Morgan v. V2X, Inc., a March 2026 District of Colorado ruling that extended work product protection to a pro se litigant’s AI use while also approving protective order language barring consumer AI tools from processing confidential discovery materials.
Drawing on the court’s language in Morgan, she offered a caution that applies regardless of which tool is in use:
“These products simulate empathy, foster trust, and interact in a way that feels genuine and intimate. And I think that is something for all of us to be mindful of, whatever the tool is. We always have to take on the responsibility of looking at the terms and conditions and really thinking about what we’re putting in, why we’re putting it in, and what product we are using for the purpose,” she said.
In a legal environment where the privilege analysis now turns in part on what a platform’s terms say about data retention, the practitioners who read those terms before their clients start typing are the ones who will keep their options open.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
Source: HaystackID
Advisory Note: As the cases discussed in this article make clear, the choice of AI tool, how it is deployed, and who directs its use are now questions with direct legal consequences. HaystackID’s AI Governance Services help legal departments and law firms inventory their AI tools, document attorney direction and purpose, classify tools by risk level, and build the repeatable controls and audit-ready frameworks that courts, regulators, and opposing counsel are increasingly in a position to demand.