Most people treat a chatbot like a private notebook. They paste in a messy situation, a draft they are nervous about, a question they would never ask out loud, and they assume the conversation stays between them and the machine. A federal court has now made clear that assumption is wrong in a way that can cost you in court.
In February 2026, in a case called United States v. Heppner, a judge in the Southern District of New York ruled that a defendant's written exchanges with the AI tool Claude were not protected by attorney-client privilege or the work product doctrine. The chats were fair game. The reasoning was almost mundane, and that is exactly why it matters for everyone, not just criminal defendants.
If your team uses ChatGPT, Claude, Copilot, or Gemini for anything sensitive, this ruling is a governance event. It tells you, in plain legal terms, that your AI conversations are probably discoverable records, not confidential advice.
TL;DR: A federal court ruled (US v. Heppner, Feb 17 2026) that AI chats are not protected by attorney-client privilege or work product, because an AI is not an attorney and consumer AI tools disclaim confidentiality. Any AI chat your team creates can potentially be subpoenaed in litigation or demanded by a regulator. Four actions: treat AI logs as discoverable, write a "what never goes in a prompt" rule into your AI acceptable use policy, use enterprise tiers with confidentiality terms for sensitive work, and route genuinely privileged analysis through counsel rather than a chatbot.
What the Heppner ruling actually said
The facts are narrow, but the logic is broad. A criminal defendant had used Claude to help work through aspects of his situation, then argued that those AI conversations were privileged and could not be handed to the government. Judge Rakoff disagreed, addressing what the court called a question of first impression nationwide.
The court gave two independent reasons.
On attorney-client privilege, the holding was blunt: the communications were not between a client and an attorney. As the opinion put it, because the AI is not an attorney, that alone disposes of the privilege claim. The court added a second problem. Privilege requires confidentiality, and the conversations were not confidential, because the AI tool's own terms disclaim confidentiality and tell users their information can be shared with third parties. You cannot claim a communication is secret when you agreed up front that it might not be.
On the work product doctrine, which protects materials prepared in anticipation of litigation, the court found the documents did not qualify because the defendant did not create them at the direction of counsel, and they did not reveal any attorney's strategy. Work product protects a lawyer's preparation. A person prompting a chatbot on their own is not doing a lawyer's preparation.
The ruling is deliberately fact-specific. It concludes that AI use by a non-attorney, not undertaken at the direction of an attorney, is not covered by privilege or work product. That narrowness is important, and we will come back to what it leaves open. But the core lesson does not depend on the criminal context at all.
Why this applies to your whole team, not just lawyers
It is tempting to file this under "law firm problem." That would be a mistake. The reasoning has nothing to do with criminal law and everything to do with what a chatbot is.
Think about what your team actually types into AI tools. A founder pastes a sensitive board situation to get advice on wording. An HR manager describes a termination and asks how to handle it. An engineer drops in proprietary code to debug it. A finance lead works through a problem with a customer contract. Each of those is the kind of thing people assume is private. Under Heppner's logic, none of it is privileged, and most of it is potentially discoverable.
The practical exposure shows up in three ways:
- Litigation discovery. If your company is sued, the other side can request relevant documents. AI chat logs are documents. If they are relevant and you cannot claim privilege, you may have to produce them.
- Regulatory demands. State attorneys general and federal regulators issue civil investigative demands and subpoenas. Recent decisions piercing AI privilege give them a clear path to ask for AI communications and data.
- Internal and third-party exposure. Consumer AI tools may retain and, under their terms, share inputs. A conversation you thought was ephemeral can persist in logs you do not control.
The chatbot feels like a private space. Legally, it behaves more like sending an email to an outside party who reserved the right to forward it.
The two doctrines, in plain language
You do not need to be a lawyer to govern this well, but it helps to understand why both protections failed.
Attorney-client privilege protects confidential communications between a client and their lawyer made to get or give legal advice. It has three moving parts: a lawyer, a client, and confidentiality. An AI chat is missing the lawyer entirely, and consumer tools undercut the confidentiality through their terms. Two of the three pillars are gone, so the privilege does not attach.
The work product doctrine protects materials prepared in anticipation of litigation, usually by or at the direction of a lawyer, especially anything that reveals legal strategy. A self-directed chatbot session is not prepared at a lawyer's direction and does not encode a lawyer's mental impressions, so it falls outside the doctrine.
The throughline is that both protections are about the involvement of counsel and the expectation of confidentiality. A chatbot, used on your own, provides neither.
What is and is not at risk
Not every AI interaction creates a problem. The risk scales with what you put in and how the tool is configured.
| AI use | Privilege/confidentiality status | Risk level |
|---|---|---|
| Employee pastes sensitive business facts into consumer ChatGPT | Not privileged; vendor terms may allow retention/sharing | High |
| Team debates a legal or HR matter in a shared AI workspace | Not privileged; discoverable if relevant | High |
| Lawyer directs AI use as part of giving legal advice, documented | May retain privilege/work product if structured carefully | Lower, fact-dependent |
| Enterprise AI with confidentiality and no-training terms, non-legal work | Confidential vs vendor by contract, still not privileged | Moderate |
| Generic, non-sensitive prompts (formatting, brainstorming public info) | No confidential content at stake | Low |
The pattern is clear. Confidentiality from your vendor and legal privilege are two different things. A strong enterprise contract can keep your data away from the vendor and third parties, which matters enormously for trade secrets and data protection. It still does not make the conversation privileged in litigation.
Four governance actions
1. Treat AI chat logs as discoverable records. Fold them into your records and retention policy the same way you treat email and chat. Know where AI logs live, how long they persist, and who can export them. If a litigation hold lands, AI logs are in scope.
2. Write a "what never goes in a prompt" rule into your AI acceptable use policy. Be specific. No client confidences, no privileged legal analysis, no trade secrets, no personal data beyond what your DPA allows, and nothing you would not want read aloud in a deposition, unless the use goes through an approved channel. A short, concrete list beats a vague "be careful."
3. Use enterprise tiers with the right terms for sensitive work. Enterprise and business plans typically offer no-training-by-default and stronger confidentiality commitments. That does not create privilege, but it materially reduces the third-party exposure that helped sink the privilege claim in Heppner. Match the tool tier to the sensitivity of the work.
4. Route genuinely privileged work through counsel. Privilege did not vanish for everyone. The opening Heppner leaves is that a lawyer can direct AI use as part of providing legal advice, in a way that may preserve protection. If a matter is truly privileged, your lawyer should own how AI is used on it, document that direction, and keep the work within the attorney-client relationship rather than a personal chatbot session.
The narrow scope, and why it still matters
To be precise about what the court did and did not decide: Heppner is a fact-specific ruling about a non-attorney using AI on his own, outside any attorney's direction. It does not hold that AI can never touch privileged work. A careful lawyer who incorporates an AI tool into legal analysis, under their direction and within a confidential relationship, may still be able to argue for protection. Other courts may also reach different conclusions, and the law here is young.
But you should not build your governance around the narrow exception. Build it around the default the court announced: a person prompting a chatbot is not creating a privileged or protected communication. For the vast majority of how teams actually use AI, day to day, by employees who are not lawyers and are not acting at a lawyer's direction, the safe and correct assumption is that the conversation is discoverable.
The chatbot is a powerful tool. It is not a confidant, and it is not your lawyer. Govern it like the record-generating system it is, and the Heppner ruling becomes a prompt to tighten your policy rather than a surprise in someone else's document request.
