AI in Legal: Deploying LLMs Under Attorney-Client Privilege and Bar Ethics Rules
Lawyers are adopting AI tools faster than the bar's ethics infrastructure can keep up. Multiple state bars and the ABA have issued formal guidance on generative AI, and courts have begun sanctioning attorneys for AI-related failures. The question for law firms and in-house legal teams is not whether to use AI, but how to structure that use so it satisfies three obligations that do not bend: competence under Rule 1.1, confidentiality under Rule 1.6, and supervisory responsibility under Rules 5.1 and 5.3 of the ABA Model Rules of Professional Conduct.
This post works through each obligation, explains what it requires in the specific context of LLM deployment, and maps the architecture and process decisions that satisfy it. It is written for General Counsel, Chief Legal Officers, and the legal technology and IT leaders who support them. It is not legal advice and does not substitute for review by bar counsel. It is a technology and governance framework for building AI deployment practices that are defensible under current ethics guidance.
The practical stakes are clear. Attorneys have been sanctioned in federal courts for citing hallucinated cases generated by AI tools. The ABA's Formal Opinion 512 on generative AI, issued in July 2024, makes explicit that confidentiality obligations apply to AI tools in the same way they apply to other third-party services. The bars of California, Florida, New York, and others have issued their own guidance, some more restrictive than the ABA's. What was a forward-looking compliance question in 2023 is now a live professional responsibility risk.
The Three Obligations and What They Mean for AI
Competence: ABA Model Rule 1.1 and Hallucination Risk
ABA Model Rule 1.1 requires lawyers to provide competent representation, defined as "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation." Comment 8 to Rule 1.1, added in 2012, specifies that competence includes "keeping abreast of changes in the law and its practice, including the benefits and risks of relevant technology." Most state bars have adopted this comment verbatim or in substance.
For generative AI, the competence obligation has two specific implications. First, attorneys must understand the technology well enough to use it appropriately and to recognize its failure modes. An attorney who submits an AI-generated brief without understanding that LLMs can generate plausible-sounding but factually incorrect citations is not exercising the technological competence that Rule 1.1 requires. This is not a theoretical risk. Federal courts including the Southern District of New York (Mata v. Avianca, 2023, and subsequent cases) have imposed sanctions on attorneys who submitted briefs containing fabricated AI-generated citations without adequate verification.
Second, competence requires that attorneys supervise AI output before it reaches clients, courts, or counterparties. The specific verification workflow depends on the task. For legal research and case citation, every cited case must be independently verified through a primary legal research service before inclusion in any filing. For contract drafting and review, AI-generated language must be reviewed against the specific jurisdiction's law and the client's commercial context by an attorney with relevant domain knowledge. For regulatory analysis, AI summaries must be verified against the primary regulatory text. The competence standard does not require that AI not be used; it requires that the attorney takes responsibility for the final work product as if the attorney had produced it without AI assistance.
"To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."
Confidentiality: ABA Model Rule 1.6 and the Data Boundary Problem
ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The scope of this obligation is broad: it covers all information relating to the representation, not just privileged communications, and it applies regardless of whether the client has requested confidentiality.
ABA Formal Opinion 512, issued in July 2024, addresses generative AI directly. The Opinion states that before using a generative AI tool in client matters, lawyers must evaluate the tool's data practices with respect to client information, specifically: whether the tool uses submitted data to train its models, whether the tool stores submitted data and for how long, who at the provider organization has access to submitted data, and whether the tool's data handling practices are consistent with the lawyer's confidentiality obligations. The Opinion treats generative AI tools as analogous to cloud storage and other third-party technology services that lawyers have been using for years, subject to the same "reasonable efforts" standard.
The practical consequence is that the default settings of most consumer-facing AI tools do not satisfy ABA Formal Opinion 512's requirements. Consumer versions of major AI chat products typically use submitted conversations to improve their models and retain conversation data for extended periods. These practices are incompatible with Rule 1.6 when client information is involved. Enterprise versions of the same products, typically offered under different terms that prohibit training use and provide contractual data handling commitments, are more likely to satisfy the standard. On-premise deployments of open-weight models, where client data never leaves the firm's controlled infrastructure, satisfy the standard most clearly.
"The confidentiality obligation doesn't stop at your firewall. It extends to every service provider who touches client data, including AI providers."
California State Bar Formal Opinion 2023-204 takes a similar approach, noting that lawyers must conduct due diligence on AI tools' data practices and must not submit confidential client information to AI tools that use submitted data for training or that cannot provide adequate security commitments. The Florida Bar's Ethics Opinion 24-1 and New York City Bar Association Formal Opinion 2024-5 reach comparable conclusions, establishing a clear cross-jurisdictional consensus that the standard consumer AI product presents Rule 1.6 compliance risks when client information is involved.
Supervision: Rules 5.1 and 5.3
ABA Model Rule 5.1 requires partners and supervising lawyers to make reasonable efforts to ensure that the firm has measures in place to give reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct. Rule 5.3 extends this obligation to nonlawyer assistance: lawyers who direct the work of nonlawyers must ensure that the nonlawyer's conduct is compatible with the lawyer's professional obligations.
ABA Formal Opinion 512 treats AI tools as a form of nonlawyer assistance for purposes of Rule 5.3. This is a significant framing: it means that the supervising attorney is professionally responsible for reviewing AI-generated work product before it reaches clients or courts, just as they would be responsible for reviewing work product generated by a paralegal or contract attorney. The supervision obligation cannot be delegated; it attaches to the attorney who directs the AI's use and who represents the output as their work product.
The governance implication for law firms and in-house legal departments is that AI use policies must address supervision requirements explicitly. A policy that permits attorneys to use AI tools without specifying the review obligations for AI-generated work product is incomplete under Rule 5.3's framework. The policy must specify: which tasks AI tools may be used for, what verification steps are required before AI-generated output is used in client work, who is responsible for that verification, and how the verification is documented.
The Data Architecture That Satisfies Rule 1.6
Three deployment architectures are available to legal organizations, each with a different risk profile under Rule 1.6.
Consumer AI Products with Default Settings
Consumer AI products, including the free or standard tiers of major AI chat services, typically use submitted conversations to improve their models and retain data for periods defined in their consumer terms of service. Using these products for client matters, with client names, matter details, or substantive legal analysis, almost certainly violates Rule 1.6. The "reasonable efforts" standard requires taking reasonable precautions against inadvertent disclosure; using a service that is contractually permitted to train on your submissions does not satisfy that standard. This architecture should be categorically prohibited by firm AI use policy for all client-related work.
Enterprise AI Products with Data Processing Agreements
Enterprise tiers of major AI providers typically offer contractual commitments that prohibit training use of submitted data, specify data retention periods, and provide audit rights over data handling. These commitments, formalized in a data processing agreement or enterprise service agreement, bring the tool into the same category as other third-party cloud services that firms routinely use for client data under appropriate contractual protections. The firm's due diligence review of the DPA must confirm: no training use of client data, defined and appropriate retention limits, access controls over provider personnel who could view submitted data, and notification obligations in the event of a data incident.
This architecture can satisfy Rule 1.6 for most legal AI use cases, provided the DPA terms are adequate and the firm has verified them. It requires ongoing vendor management to ensure that contract terms remain in effect as the provider updates their service and terms. It does not satisfy data residency requirements in some international jurisdictions, where client data may be subject to additional restrictions on processing outside specific geographic boundaries.
On-Premise Deployment
On-premise deployment of an open-weight LLM, within the firm's own controlled infrastructure, provides the strongest confidentiality protection because client data never leaves the firm's environment. There is no third-party data processing agreement to evaluate, no training use risk, and no dependence on a vendor's contractual commitments. The firm's existing information security infrastructure, which already handles privileged client documents, governs the AI system.
The tradeoff is capability: on-premise models are generally less capable than frontier commercial models, and deploying them requires GPU infrastructure and technical expertise that most law firms and legal departments do not have in-house. The capability gap is narrowing as open-weight models improve, and for specific high-volume, well-defined legal tasks (contract clause extraction, document classification, deposition summary generation), specialized on-premise models can perform well enough for professional use. For complex legal research, nuanced contract drafting, and multi-jurisdictional analysis, frontier commercial models with enterprise DPAs remain the practical choice for most organizations.
Privilege Waiver: The Training Data Risk
Attorney-client privilege protects confidential communications between a lawyer and client made for the purpose of obtaining or providing legal advice. Privilege can be waived by voluntary disclosure to a third party who does not share a common legal interest. The application of this doctrine to AI tool providers is not fully settled by case law, but the risk is real and has been analyzed in bar ethics opinions.
When a lawyer submits a privileged client communication to an AI tool that uses submitted data for training, the communication has been disclosed to a third party: the AI provider, whose systems process and potentially retain the communication. Whether this constitutes a waiver of privilege depends on the facts, the jurisdiction, and the terms of service governing the disclosure. Courts have generally required that a voluntary disclosure be "knowing" to constitute a waiver, and some courts have applied a "reasonable expectation of confidentiality" standard that may protect inadvertent disclosures. But no court has squarely held that AI training disclosures do not waive privilege, and the risk of adverse rulings in privilege disputes where AI tool usage is disclosed is real.
The conservative approach, endorsed implicitly by ABA Formal Opinion 512's confidentiality analysis, is to treat AI tools that train on submitted data as third parties to whom disclosure waives privilege, and therefore to prohibit their use with privileged client communications. Enterprise tools that contractually prohibit training use do not present this risk because there is no disclosure for training purposes. On-premise tools where no data leaves the firm present no third-party disclosure at all.
What the Courts Have Said
Courts are developing their own standards for AI use in practice. In Mata v. Avianca, Inc. (S.D.N.Y. 2023), Judge Kevin Castel sanctioned plaintiff's attorneys for submitting a brief containing six fabricated case citations generated by an AI tool. The court found that the attorneys had failed to verify the citations through any primary legal research service before submission and that this failure violated their duty of candor to the tribunal under Federal Rule of Civil Procedure 11 and the relevant professional conduct rules. The sanctions included monetary penalties and required continuing legal education in AI.
Subsequent courts in multiple jurisdictions have cited Mata v. Avianca when addressing AI-related compliance requirements. Several courts have adopted local rules requiring disclosure when AI tools are used to draft court filings, or requiring attorneys to certify that AI-generated content has been verified. The Judicial Conference of the United States addressed AI use in a 2024 guidance document noting that courts may require disclosure and that attorneys remain responsible for the accuracy of all filed documents regardless of how they were produced.
The pattern from early case law is consistent: courts are not prohibiting AI use in legal practice, but they are holding attorneys to the same accuracy and candor standards regardless of how the work product was produced. An attorney cannot successfully argue that a fabricated citation was AI-generated as a defense to sanctions for submitting a false citation. The AI produced the error; the attorney signed the filing.
"Courts are not interested in how the work product was generated. They are interested in whether it is accurate. The attorney's signature is the warranty."
Building a Compliant Legal AI Program
A compliant legal AI program requires four elements: an approved tool policy, a data classification protocol, a verification workflow by task type, and a training program that satisfies the competence obligation under Rule 1.1.
Approved Tool Policy
The approved tool policy must distinguish between tools approved for client-matter work (enterprise products with verified DPAs, or on-premise tools) and tools prohibited for client-matter work (consumer products with default terms). The policy must specify that the distinction applies to any client information, not only privileged communications. It must address the use of AI tools on personal devices and personal accounts, which is a common vector for inadvertent consumer-tier use. And it must include a process for evaluating and approving new AI tools as they become available, with the DPA review as a mandatory step in the approval process.
Data Classification
Not all information in a legal organization carries the same confidentiality sensitivity. Matter-specific client information, including documents, communications, and strategy memoranda, requires the highest level of protection. Publicly available legal research, form templates, and general legal analysis that does not reference specific clients can be handled with less restrictive controls. A data classification protocol that defines these tiers and specifies which AI tools are approved for each tier gives practitioners clear guidance without prohibiting all AI use in matters where lower-sensitivity information is involved.
Verification Workflows
Different legal tasks require different verification workflows. For case law research, the verification workflow is clear: every citation generated by an AI tool must be verified through Westlaw, LexisNexis, or another primary legal research service before inclusion in any filing or client advice. For contract review and drafting, AI-generated language should be reviewed clause by clause against the client's prior agreements, the applicable jurisdiction's law, and the specific commercial context of the transaction. For regulatory analysis, AI summaries should be verified against the primary regulatory text and official agency guidance. The verification workflow for each task type should be documented in the approved tool policy so that supervising attorneys can confirm that subordinates are following it.
Competence Training
ABA Formal Opinion 512 notes that the competence obligation of Rule 1.1 requires lawyers to understand both the benefits and the risks of AI tools they use in practice. This means that any attorney using AI tools in client matters should receive training that covers: how the tool generates outputs and why hallucination occurs, what the tool's terms of service permit and require, how to verify AI-generated outputs for the specific tasks the attorney performs, and what the firm's approved tool policy requires. Many state bars are beginning to offer CLE credit for AI ethics and competence training, creating an incentive structure that supports compliance.
What to Ask Your General Counsel and Legal Technology Leaders
- Have we reviewed the data processing terms of every AI tool in use in the firm, including tools adopted by individual attorneys? The approved tool policy is only effective if it captures actual usage. Shadow AI adoption, where individual attorneys use personal accounts on consumer AI tools, is the most common compliance gap in legal AI deployments.
- Do our AI tool DPAs explicitly prohibit training use, specify retention periods, and provide incident notification? A DPA that does not address all three of these elements does not fully satisfy the due diligence standard implied by ABA Formal Opinion 512.
- What is our verification workflow for AI-generated case citations, and is it documented in writing? In light of Mata v. Avianca and subsequent sanctions cases, the absence of a documented verification workflow for case citations is a professional responsibility risk that supervising partners cannot ignore.
- Do our AI use policies address privilege waiver risk for tools that train on submitted data? The privilege waiver risk from AI training disclosures is not fully settled by case law, but the conservative position is well-supported and should be reflected in firm policy.
- Have we provided competence training to attorneys using AI tools, and do we have documentation of that training? Documented training creates a record that the firm took reasonable steps to satisfy its Rule 1.1 and 5.1 obligations, which matters in a professional responsibility investigation or malpractice claim.
Building a legal AI governance program?
Translating bar ethics obligations into practical AI deployment policies requires both regulatory knowledge and AI architecture experience. I work with General Counsel and legal technology leaders on AI governance frameworks that satisfy current bar ethics requirements and scale as the tool portfolio grows.
Book a Working SessionReferences
- American Bar Association. Formal Opinion 512: Generative Artificial Intelligence Tools. July 29, 2024. americanbar.org
- American Bar Association. Model Rules of Professional Conduct. Rule 1.1 (Competence), Rule 1.6 (Confidentiality of Information), Rule 5.1 (Responsibilities of Partners, Managers, and Supervisory Lawyers), Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance). americanbar.org
- Schwartz v. Mata v. Avianca, Inc. No. 22-cv-1461 (S.D.N.Y. June 22, 2023). Sanctions order by Judge P. Kevin Castel.
- State Bar of California. Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law. State Bar of California Formal Opinion 2023-204. November 2023. calbar.ca.gov
- The Florida Bar. Ethics Opinion 24-1: Use of Artificial Intelligence by Florida Lawyers. 2024. floridabar.org
- New York City Bar Association. Formal Opinion 2024-5: Use of Artificial Intelligence by Lawyers and Law Firms. 2024. nycbar.org
- Judicial Conference of the United States. Guidance on Use of Artificial Intelligence in Federal Courts. 2024. uscourts.gov
- European Parliament and Council. Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). July 12, 2024. OJ L 2024/1689. Annex III (high-risk AI systems). eur-lex.europa.eu