Attorney-Client Privilege and AI: Why Law Firms Cannot Use Public Cloud Models
Sending privileged material to a public cloud AI service risks waiving privilege and breaching confidentiality, so the safe shape keeps that material inside the firm.
Law firms cannot safely use public cloud AI models for privileged work because sending client material to a third party is a voluntary disclosure, and voluntary disclosure is the classic route to waiving privilege and breaching the duty of confidentiality. Privilege protects communications that stay confidential, so the moment privileged text reaches a service the firm does not control, the firm can no longer prove the material never left its custody. A contract promising the provider will behave does not restore the confidentiality the transmission already spent. The safe shape keeps privileged material inside the firm.
This matters more in 2026 than it did two years ago. Firms now want AI on their most sensitive matters: litigation strategy, deal diligence and regulatory investigations. Clients increasingly ask outside counsel to prove, not assert, that privileged material is contained, yet a public cloud model answers to a different jurisdiction and owner. The question is now proof, not trust.
Does sending privileged material to a public cloud AI actually waive privilege?
It can, and the mechanism is well understood. Privilege attaches to confidential communications made for legal advice, so confidentiality is a precondition, not a decoration. When a firm sends a privileged document to a third party for processing, it has disclosed that document to someone outside the privileged relationship. Whether a court later finds waiver turns on the facts, but the firm has created the argument for the other side and handed it the record to make it.
The safer test is one a firm can state to a client without qualification: privileged material never leaves the firm's own hardware. If that is true, the waiver argument has no factual foundation. If it is not, no contractual language makes it true again.
Why does a data-processing agreement not cure the problem?
A data-processing agreement allocates liability and sets promises. It changes neither physics nor jurisdiction. Three gaps survive the contract.
- The material still physically leaves the firm. A promise about handling is not non-disclosure, and confidentiality is spent at transmission.
- The provider remains reachable by its own government. Under the US CLOUD Act, a US based provider can be compelled to produce data regardless of where it is stored, and an agreement between a firm and its vendor does not bind that vendor's home state.
- The firm cannot verify compliance. A contract gives a right to sue after a breach is discovered. It does not prove, at the moment a client asks, that a specific file was never read, copied or used for training.
An agreement is a remedy for a breach you find out about. Privilege needs a design where the breach cannot occur and its absence is provable.
What is the architecturally safe shape?
The safe shape is an on-premise system where privileged material never leaves the firm and every access is provable. Mickai is a Sovereign Intelligence Operating System, a SIOS, that runs offline on the firm's own hardware with every action cryptographically sealed. The intelligence comes to the document, not the reverse. The architecture is described in 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, which are filed and not granted or patented. Four mechanisms make it hold.
- A zero-egress inbound perimeter. The system receives material to work on but has no outbound path to any external service, so privileged text has nowhere to leak to.
- Hardware-attested identity bound to the audit chain, so every access is tied to a verified device and person, not a shared login.
- A post-quantum signed audit ledger, using FIPS 204 and 203 signature and encapsulation standards, so the record of who touched what cannot be altered after the fact.
- Cross-model consensus, where sovereign models run locally and check each other, so quality does not depend on a public endpoint.
“Privilege survives only when privileged material never leaves the firm's control, and the firm can prove it, rather than promise it.”
What can an auditor or a client actually check?
Assurance becomes evidence. An auditor can inspect the audit ledger and confirm three things: that no outbound network path exists from the system holding privileged material, that every access carries a hardware-attested identity, and that the ledger entries are signed and unbroken from first ingest to present. Because the ledger is sealed, tampering shows up as a broken signature, not a missing line. A policy says the firm intends to keep material contained; a sealed ledger shows, entry by entry, that it did.
Which rules make this necessary?
Several regimes point the same direction. The professional duty of confidentiality is the baseline and it is not waivable by convenience. GDPR governs personal data in most privileged files and constrains transfers outside the firm's control. For firms serving regulated clients, DORA, in force since January 2025, and NIS2 raise the bar on operational resilience and the provable containment of critical data. ISO/IEC 42001 sets an emerging standard for governing AI systems, which an on-premise sealed architecture is built to satisfy.
The EU AI Act adds a timeline firms should read correctly. The heaviest high-risk obligations for standalone Annex III systems, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk uses moving to 2 August 2028, while the Article 50 transparency rules are largely unchanged. Firms should read that deferral as a build window, not a reprieve.
How does this compare with an enterprise cloud AI offering?
Enterprise cloud AI vendors offer private endpoints, no-training commitments and regional hosting, which are genuine improvements over consumer services. The architectural point stands regardless. The material still leaves the firm's hardware, sits in infrastructure owned by another company, and falls under that company's jurisdiction, so the firm is back to trusting a promise it cannot verify when a client asks. The choice is not vendor against vendor. It is whether privileged material leaves the building at all, and the contained answer is that it does not.
Frequently asked questions
Does using a public cloud AI service for legal work waive attorney-client privilege?
It can. Pasting privileged material into a public cloud AI service is a disclosure to a third party outside the privileged relationship, the classic basis for a waiver argument and a breach of confidentiality. Even where a court might find no waiver, the firm has created the argument and handed the opposing side a record. The safe position is that privileged material never leaves the firm.
Is a business or enterprise AI plan safe for privileged documents?
An enterprise plan with a no-training commitment and a private endpoint is better than a consumer service, but it does not change the core issue. The material still leaves the firm's hardware and sits under another company's control and jurisdiction, so the firm still cannot prove that a specific file was never accessed. Containment inside the firm removes the risk rather than reallocating it.
Does the CLOUD Act let the US government read data held by a cloud AI provider?
Under the US CLOUD Act, a US based provider can be compelled to produce data it holds regardless of where that data is physically stored. A data-processing agreement between a firm and its vendor does not bind the vendor's home government. For privileged material, that is a jurisdictional exposure the firm cannot contract away, so keeping the material on firm-owned hardware matters.
What is the deadline for the EU AI Act high-risk rules for legal AI?
The high-risk obligations for standalone Annex III systems, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, and embedded Annex I high-risk uses move to 2 August 2028. Article 50 transparency duties are largely unchanged. Firms should treat the deferral as a window to move privileged work onto contained systems.




