79% of lawyers use AI in their practice. Only 10% of firms have written a policy about it. That gap is closing fast in 2026 — driven by ABA Formal Opinion 512, the cascade of state bar parallel rules, and February 2026's federal ruling in United States v. Heppner that conversations with public AI tools carry no expectation of privacy and are not protected by attorney-client privilege.

This guide covers the practical workflows lawyers are actually using AI for in 2026 — across litigation, transactional work, regulatory practice, and client counseling — and how to do each one without waiving privilege or violating ABA and state bar rules.

The Privilege Question, Settled

In United States v. Heppner (S.D.N.Y. Feb 2026), the court held that public AI platforms have no confidentiality obligation, so submitting privileged material to them constitutes voluntary disclosure to a third party — waiving the privilege. The court ordered 31 ChatGPT-drafted documents discoverable. [1]

This isn't a hypothetical risk anymore. It's an articulated federal ruling. Any law firm using AI for privileged work needs a tool selection framework that accounts for this directly.

ABA Formal Opinion 512 (July 2024) requires lawyers to obtain informed client consent before inputting confidential client information into AI tools with self-learning capabilities. Arkansas, California, New York, and several other state bars have adopted parallel rules. [2]

The architecture rule for privileged work: Privileged material may go to (a) tools that operate entirely on your local hardware, (b) enterprise AI under written contracts with zero-retention provisions and documented vendor diligence, or (c) nothing else.

Workflow 1: Legal Research

The use case: researching unfamiliar areas of law, finding controlling authority, identifying relevant secondary sources. AI accelerates the first 80% of legal research — getting from question to relevant case names and statutory citations — though the verification step using Westlaw, Lexis, or primary sources remains essential.

The AI workflow: pose research questions in abstract form (no client identification), get a fast plain-English explanation with case citations, verify each citation in your authoritative research tool.

Compliance check: Abstract research with no client identification poses no privilege or confidentiality issue. Any AI tier works (the tiers are defined under The Three-Tier System for Law Firm AI Use, below).

Critical warning: AI hallucination of case citations is the most documented professional risk. Roberto Mata v. Avianca (2023) set the precedent that lawyers will be sanctioned for filing AI-generated briefs without verification. By late 2025, nearly 800 documented cases of AI-related citation errors had been logged worldwide. [3] Every AI-generated citation must be verified against primary sources before use.

Workflow 2: Document Review

The use case: reviewing contracts, agreements, discovery productions, due diligence materials. This is the first-pass review that consumes enormous amounts of junior associate and contract attorney time.

The AI workflow: feed documents into AI for issue spotting, summary generation, risk flagging, and comparison against deal-standard templates.

Compliance check: Documents under review almost always contain confidential client information. Privileged communications or privileged work product require Tier 2 (enterprise AI under contract) or Tier 3 (on-device AI). Tier 1 public AI is contraindicated.

Practical pattern: On-device AI works particularly well for document review because the document never leaves your machine. For large-volume document review beyond what a single workstation can handle, e-discovery platforms with enterprise AI contracts are the alternative.

Workflow 3: Drafting and Editing

The use case: first-draft generation of letters, memos, briefs, motions, responses to discovery. Editing for clarity, structure, tone, and concision.

The AI workflow: provide the AI with the substance (often including client facts and legal strategy) and ask for first drafts or structural edits.

Compliance check: The substance fed to AI typically includes privileged work product, client communications, or both. Tier 2 or Tier 3 AI required.

Privilege implication: Under Heppner, drafting a privileged memo in public AI may waive privilege over the underlying thoughts and analysis. Drafting it in on-device AI doesn't create the third-party disclosure that breaks privilege. The choice is dispositive.

Workflow 4: Client Counseling and Communication

The use case: explaining legal positions to clients, preparing for client meetings, drafting client-facing communications that translate legal complexity into actionable advice.

The AI workflow: think through how to explain a complex topic clearly, draft the communication, get the AI to suggest revisions for tone and clarity.

Compliance check: Often involves client-specific facts and the substance of legal advice. Tier 2 or 3 required for confidential client matters.

Workflow 5: Discovery Preparation

The use case: drafting discovery requests, responses, and objections. Preparing privilege logs. Identifying responsive documents. Issue-spotting across productions.

The AI workflow: AI accelerates the drafting and the issue-spotting passes. The substantive judgment calls remain human, but the volume work moves faster.

Compliance check: Discovery materials are virtually always confidential. Many also contain privileged matter. Tier 2 or Tier 3 only.

Discovery implication: Under the May 2025 federal preservation order against OpenAI, every prompt submitted to ChatGPT since June 2025 is being preserved. Lawyers using ChatGPT for discovery prep have potentially created discoverable records of their own work product analysis. On-device AI doesn't create that footprint. [4]

Workflow 6: Continuing Legal Education

The use case: staying current on case law, statutory changes, regulatory developments, ethics rules updates.

The AI workflow: summarize CLE materials, recent rulings, and bar publications for the practice-relevant takeaways.

Compliance check: Public materials, no client information. Lowest risk tier. Any AI tool works.

79% of lawyers use AI in practice (2025) — only 10% of firms have a formal AI policy
31 privileged documents ordered discoverable in US v. Heppner (Feb 2026)
800+ documented AI citation errors in court filings worldwide (late 2025)

The Three-Tier System for Law Firm AI Use

Adapt the same tier framework other regulated professions use:

Tier 1 — Public AI (ChatGPT free, Claude.ai, Gemini, Perplexity): Approved for abstract research with zero client identification, public-source document analysis (court opinions, statutes, regulations), CLE summarization, marketing content drafting. Prohibited for any client matter.

Tier 2 — Enterprise AI (Westlaw Co-Counsel, Lexis+ AI, ChatGPT Enterprise, Claude for Enterprise, Microsoft Copilot for M365): Approved for client work if contracts include zero-retention provisions, engagement letters disclose AI use, and the firm has documented vendor diligence appropriate to ABA Opinion 512.

Tier 3 — On-Device AI (Hey Eduardo, Ollama-based tools): Approved for any client work without restriction. No third-party disclosure occurs. Strongest position post-Heppner.

Engagement Letter Language Every Firm Should Add

Suggested language to adapt for your jurisdiction:

“[Firm] uses artificial intelligence (AI) tools to assist with legal research, document drafting, analysis, and related tasks. For confidential and privileged client matters, [Firm] uses AI tools that either operate entirely on local hardware so that Client information is not transmitted to any third party, or are subject to written agreements with the AI vendor prohibiting use of Client information for model training and requiring deletion of inputs after processing. [Firm] reviews all AI-generated work product before use and remains fully responsible for its accuracy. Client consents to [Firm]'s AI use as described.”

For jurisdictions that have specifically adopted ABA Opinion 512's informed-consent requirement, additional disclosure may be required.

The Hallucination Defense Protocol

No matter which AI tier you use, citation verification is non-negotiable. Establish a firm-wide protocol:

  1. Every AI-generated case citation is verified in Westlaw or Lexis before any use.
  2. Every AI-generated quotation is verified against the original source.
  3. Every AI-generated statutory citation is verified against the official code.
  4. The verifying attorney (not just the drafting attorney) signs off on submitted briefs.
  5. Quarterly random-sample review confirms protocol adherence.

The Mata v. Avianca sanctions exist because verification was skipped. Don't skip verification. [5]



Sources & Citations

  1. Chapman and Cutler LLP. “Federal Court Rules That AI-Generated Documents Are Not Protected by Privilege.” February 2026. chapman.com
  2. American Bar Association. “ABA Issues First Ethics Guidance on AI Tools (Formal Opinion 512).” July 2024. americanbar.org
  3. International Tax Journal. “Citing the Unseen: AI hallucinations in tax and legal practice.” internationaltaxjournal.online
  4. Huntress. “What the OpenAI Court Order Means for Cybersecurity and Privacy.” May 2025. huntress.com
  5. LeanLaw. “AI Privacy Risks: Protecting Client Data in 2025.” leanlaw.co
  6. American Bar Association. “Checklist for Using AI Responsibly in Your Law Firm (2026).” americanbar.org