Enterprise AI adoption has a legal exposure that most deployment checklists miss. If your legal team, HR department, or executive leadership is using consumer AI chatbots for work involving confidential matters, those conversations may be discoverable in litigation, and the privilege argument against that discovery is weak.
The legal principle
Attorney-client privilege protects communications between a client and their attorney from compelled disclosure in legal proceedings. The doctrine has a well-established exception: when a communication is shared with a third party, privilege is generally waived. Legal advisors note that chatbot inputs may be treated as third-party disclosures under established evidence doctrine, potentially waiving privilege protection. You’re not talking to your lawyer. You’re talking to a vendor’s model, routed through vendor infrastructure, subject to vendor data policies.
Major U.S. law firms have begun issuing formal guidance warning clients of this risk. The guidance reflects settled legal analysis, this isn’t an emerging theory, it’s an application of existing doctrine to a new context. The exposure is real regardless of how the specific question gets litigated.
Vendor privacy policies compound the problem
Legal guidance notes that many AI vendor privacy policies include provisions allowing data access by third parties, which legal advisors say creates additional exposure. If a vendor’s terms permit data review by human trainers, auditors, or law enforcement (with appropriate process), the “confidential communication” argument becomes harder still to sustain.
This is verifiable directly: OpenAI’s privacy policy and comparable documents from other major vendors are public. Legal teams should review their deployed tools’ policies specifically for data retention, third-party access, and training data use provisions before drawing conclusions about their own exposure.
Three things enterprise legal teams should do now
First, audit which AI tools your attorneys and staff are using for matters involving privileged content. Second, update your AI acceptable use policy to designate consumer chatbots as inappropriate for privileged communications. Third, if your organization uses enterprise-tier AI tools with data processing agreements, review whether those agreements create a stronger confidentiality posture, they may not, but they should be evaluated. TJS’s 2026 AI compliance program guide covers multi-framework policy design in detail.
What to watch
Courts haven’t resolved every dimension of this question. Watch for discovery rulings in commercial litigation and employment cases where AI-assisted communications are contested. Those rulings will build the case law that eventually clarifies what “privilege” means in an AI-assisted legal environment. Until then, the conservative posture is the correct one.
TJS synthesis
The privilege gap isn’t a future risk, it’s a current one. Law firms are issuing guidance now because the exposure exists now. The tools are already deployed; the legal analysis has arrived. Organizations that treat this as a “wait and see” issue are making a documented choice to accept an unquantified litigation risk.