Artificial Intelligence (AI) tools have quickly become part of everyday business practice and are now routinely used in business to draft documents, analyse information, and transcribe meeting discussions with astonishing ease and speed. While these tools offer undeniable efficiencies, they also create a significant and often overlooked legal risk. For legal teams and their clients, the unmanaged use of consumer-grade AI tools can result in the loss of confidentiality and unintended waiver of legal professional privilege.
Before exploring how AI tools pose such a risk in practice, it is important to define the legal foundation they threaten. That inquiry centres on the scope of confidentiality and legal professional privilege and the circumstances in which it can be lost.
With that foundation established, in this bulletin, we set out clear, practical guidance for boards, executives and legal teams. Drawing on the principles analysed below, recent case law, and the contractual terms of leading AI platforms, the following key considerations should guide any use of AI tools in contexts involving legal advice, anticipated litigation, or regulatory exposure:
- Do not input legal advice, dispute‑related facts, or regulatory analysis into consumer‑grade AI tools. Doing so constitutes disclosure to a third party and may result in an irrevocable waiver of privilege.
- Enterprise‑grade AI tools reduce confidentiality risk, but they do not create privilege. Privilege depends on legal purpose and lawyer involvement, not technology labels.
- Independent AI use by executives or business teams will not attract legal advice or litigation privilege.
- AI note‑takers and transcription tools should be disabled during attorney‑client meetings. Automated recording can silently convert privileged discussions into discoverable third‑party records.
Once confidentiality or privilege is lost, it cannot be restored. The legal risk rests with the user, not the AI provider.
The law places lawyers in a unique position of trust, as custodians of their clients most sensitive information. Consequently, the protection of confidential communications between lawyer and client is an indispensable feature of legal systems and rests on the enduring premise that clients may speak freely and make frank disclosures in order to obtain appropriate legal advice.
While closely related, confidentiality and legal professional privilege are distinct concepts. Confidentiality is a broad ethical and contractual obligation that rests on the recipient of information to preserve its secrecy. Legal professional privilege, by contrast, is a substantive legal right vested in the client, which may be asserted to prevent the disclosure of certain communications. More specifically it is:
“…a general law of our common law which states that communications between a legal advisor and his or her client are protected from disclosure, provided that certain requirements are met.”
Those requirements are well established. Privilege will attach only where:
- The legal adviser must have been acting in a professional capacity at the time;
- The adviser must have been consulted in confidence;
- The advice must not facilitate the commission of a crime or fraud; and
- Privilege must be claimed.
South African law recognises two forms of legal professional privilege:
- The first is legal advice privilege, which protects communications made by a client to a legal adviser acting in a professional capacity for the purpose of obtaining legal advice; and
- The second is litigation privilege, which extends to communications between a client, their legal advisers, and third parties, where those communications are made for the dominant purpose of pending or reasonably contemplated litigation.
Legal professional privilege is narrower in scope than confidentiality. While information or documents may be confidential, they are not necessarily privileged. Confidentiality alone does not create privilege. For privilege to attach, the communication must have been made to a lawyer acting in that capacity and for a qualifying legal purpose.
Privilege functions as a legal shield against disclosure. While lawyers are duty‑bound to respect it, privilege belongs to the client, not the lawyer. What this means is that it is the client who controls the privilege and who bears the risk of losing it. As such privilege may be waived by clients:
- Expressly, by agreeing to disclose information; or
- Impliedly, by behaving inconsistently with maintaining confidentiality.
South African courts have held that implied waiver involves elements of publication, meaning, once privileged information is shared with a third party or exposed beyond the confidential lawyer-client relationships, the privilege may be lost.
This principle was authoritatively affirmed and applied by the Supreme Court of Appeal in Ibex RSA Holdco Ltd and Another v Tiso Blackstar Group (Pty) Ltd and Others 2025 (2) SA 408 (SCA) (Ibex).
The warning in Ibex is clear, where information is shared, repurposed, or exposed for reasons other than legal advice or litigation, privilege may never attach or may be irretrievably lost. This is the exact danger posed by consumer-grade AI tools.
Recent court decisions around the world have signalled a clear warning; information shared with consumer-grade AI platforms is not confidential, not protected, and may result in an implied waiver of privilege, permanently.
For these reasons, the unregulated use of AI tools presents a clear and escalating risk to legal privilege. With reference to the judgement we outline below a high-level, practical overview of the risk of AI tools in an uncontrolled environment and the actions businesses should be implementing now to protect privilege and manage exposure.
Lessons from United States v Heppner Case
Conversations with AI are not Privileged
In United States v Heppner (Heppner) decided on 10 February 2026, Judge Rakoff of the Southern District of New York held that documents created using the consumer version of Anthropic’s “Claude” AI platform were not protected by attorney-client privilege nor protected as “work product”.
The court’s reasoning was this:
- AI systems are not lawyers. They have no professional duties, assume no obligation of confidentiality, and can form no attorney–client relationship. Whatever their sophistication, AI tools sit entirely outside the legal advisory function and therefore outside the protections that attach to lawyer–client communications.
- Providing information to an AI system is functionally equivalent to sharing it with an uninvolved third party.
In fact, this reasoning goes beyond “free vs paid” as some products marketed as “business” or “enterprise” may offer no more legal protection than consumer-grade tools if non-lawyers use them independently; or the AI system is not structured as part of the legal advisory process. Enterprise AI tools may reduce risk and can provide stronger confidentiality protections. However, confidentiality alone does not create privilege. The remaining elements of attorney-client communication and purpose of obtaining legal advice must still be satisfied.
Moreover, this ruling builds on a broader trend. In another recent case, the same court found that 20 million ChatGPT conversation logs could be compelled in litigation, noting that users have a “diminished privacy interest” in their AI interactions.
Privilege is lost the moment you enter information into an AI System
The facts in the Heppner case illustrate the risk starkly. After receiving a grand jury subpoena and engaging defense counsel, but before his arrest, Bradley Heppner, a financial services executive charged with securities fraud and wire fraud used the consumer-grade AI large language model Claude, to research legal questions relating to the government’s investigation.
In doing so, he inserted information he received from his lawyers into the AI tool and generated 31 documents consisting of prompts and responses and subsequently shared those documents with his legal team. When the Federal Bureau of Investigation later seized the material during a search of Heppner’s home, his attorneys asserted attorney-client privilege and work-product protection over the AI generated documents.
Here’s what the court found:
The damage was done before counsel even saw the documents. Disclosure to an AI platform amounts to disclosure to a third party and prevents legal privilege from attaching. Privilege cannot be applied retrospectively by later sharing the material with attorneys. Once information is disclosed outside the confidential attorney-client relationship, the protection is waived.
Unsurprisingly and worse still, the court found that Heppner’s act of sharing privileged information with Claude constituted a waiver of privilege that reached back to the original attorney and client communication themselves. In other words, a single decision to input information into an AI system can unravel the entire fabric of privilege. This serves as an important reminder that privilege belongs to the client and so too does the responsibility to preserve it.
AI Tools themselves warn you that they are not Confidential
The risks posed by AI tools must be understood against the backdrop of the foundational distinction already drawn between confidentiality and legal professional privilege. As explained earlier, confidentiality is not assumed; it depends on the circumstances in which information is communicated and, critically, on the obligations borne by the recipient of that information. Where confidentiality falls away, privilege cannot arise and where privilege does not arise, there is nothing left to protect.
Most users never read the fine print, Anthropic’s policy explicitly states that:
- Information input into Claude may be disclosed to regulators and government authorities;
- It may be used to train AI models; and
- It is not confidential.
The court relied heavily on these terms, accepting that users assumed this risk when using the service. OpenAI’s consumer terms are materially the same. If a user is on a fee or individual paid plan (ChatGPT Free, Plus or Pro), their data may be used to train AI models, even if they opt out of training, OpenAI may still disclose the data where required by law, regulation, or government request. Opting out limits training, it does not prevent disclosure.
Put differently, there is no enforceable expectation of confidentiality for users on standard consumer plans, and the court was prepared to rely on that contractual reality. Only enterprise-grade arrangements such as ChatGPT Enterprise or Claude’s commercial and government plans contain express contractual commitments to confidentiality and exclude customer data from training. By contrast, free or individual paid plans even if branded as “Pro” or “Plus” are consumer products and do not provide confidentiality protections unless the contract expressly says so.
The practical implication is clear consumer AI platforms deliver functionality, not legal protection, regardless of branding or payment tier.
AI use without lawyer direction does not create a “Work Product”
The work-product doctrine also failed in Heppner because the AI tool was used independently, not at the direction of counsel. Where a lawyer does not supervise or direct the research, AI – generated outputs do not qualify as protected work product. They are simply materials created by a party in the ordinary course, and are therefore discoverable.
AI use can even create new legal complications
Judge Rakoff went further and warned of a practical nightmare flowing from the waiver of privilege. He pointed out that, because the AI documents contained information given to the client by his lawyers, using those documents at trial risked compelling the lawyers to testify about what advise they had given to their client creating a witness-advocate conflict. In short, once privilege is waived, it does not merely disappear; it can trigger cascading legal complications that undermine both the integrity of the trial and counsel’s role within it.
AI Note-takers in Microsoft Teams Are a Hidden Privilege Destroyer
The Heppner judgment addresses only one dimension of AI‑related privilege risk. A further, and potentially more corrosive, risk arises from the growing use of AI‑powered meeting note‑takers. Unlike the overt act of consulting an AI system, these tools can capture, transcribe and store privileged communications automatically and invisibly, converting confidential legal discussions into enduring third‑party records. In doing so, they threaten privilege not through poor judgment, but through routine corporate automation.
As such it is strongly recommended that such AI Note-takers be turned off during attorney-client meetings particularly where legally sensitive matters are being discussed.
In Summary
In a South Africa context, our Courts may not be inclined to adopt an approach that an AI tool may be considered to be an agent of a lawyer. Independent use of AI tools by clients to analyse or prepare litigation material particularly consumer-grade tools not subject to confidentiality is unlikely to satisfy this dominant-purpose requirement for privilege. Even where enterprise-grade AI tools are used, litigation privilege will depend on whether the AI is deployed under legal direction and as part of the litigation process, or as a stand-alone analytical tool. However, this issue is untested in South African Courts and given the recent AI cases that have passed through our Courts they may apply a much stricter measure.
What organisations must do now to protect privilege
To protect your interests, we ask you to proceed with care. For South African corporates, a credible roadmap for protecting legal rights and interests in an AI‑enabled environment lies in approaching AI use through governance discipline rather than technological convenience.
Boards and senior leadership should recognise that preserving confidentiality and legal professional privilege in an AI‑enabled environment is a governance responsibility. This risk cannot be delegated to technology teams or cured after the fact; failures in oversight can have lasting consequences for litigation strategy, investigations, regulatory engagement and reputational standing. A practical response requires clear organisational rules prohibiting the use of AI tools to test legal positions, summarise counsel advice, draft dispute‑related material or analyse regulatory exposure without legal oversight, and re‑asserting lawyer direction as the essential anchor for any AI use touching legal advice or anticipated disputes. This risk should be elevated beyond legal policy into enterprise risk management and audit oversight, so that AI‑related privilege exposure is monitored with the same seriousness as other material legal risks. Particular attention should be paid to AI recording, transcription and summarisation tools, which can silently convert privileged oral communications into stored third‑party records. Where AI is used in a legal context, its deployment should be confined to a narrow, legally supervised lane, segregated from general business AI usage and supported by training, disciplined governance and accountability mechanisms. In a legal environment where privilege is strictly construed and easily waived, preserving legal rights in the age of AI is a core leadership responsibility, not a technical afterthought.
The Bottom Line
AI can improve efficiency, but convenience does not preserve confidentiality and legal privilege. If information is entered into AI without appropriate safeguards, the legal consequences rest with the user. In an environment where privilege is strictly construed and easily waived, disciplined governance - not technological enthusiasm - is the only effective safeguard.
AI is powerful, it offers speed, but not privacy. Prompts constitute disclosure, outputs may be discoverable, and each interaction places privilege at risk.
If you are unsure whether a particular AI tool or use is appropriate, stop and speak to us first – once confidentiality and legal privilege is lost, the position cannot be undone.
This bulletin was authored by Partner Rakhee Bhoora, Partner Andricia Hinckemann-Dlamini and Candidate Attorney Mogomotsi Latakgomo.
