
Security

Attorney-Client Privilege and AI

Definition

Attorney-client privilege protects confidential communications between a lawyer and client made for the purpose of seeking or providing legal advice. When lawyers use AI tools, privilege concerns arise because sharing privileged information with a third-party technology provider could be construed as a waiver of the privilege if adequate confidentiality protections are not in place.

The attorney-client privilege is a foundational principle of legal practice, and its intersection with AI technology presents novel questions. When a lawyer inputs privileged information into an AI system, the data travels to servers operated by the AI vendor. If those servers retain the data, share it with third parties, or use it for model training, there is a risk that the privilege has been waived through voluntary disclosure to a third party.

Courts and bar associations are still developing guidance on this issue. The emerging consensus is that lawyers may use AI tools without waiving privilege, provided they take reasonable steps to protect confidentiality. These steps include: selecting vendors with appropriate security certifications, ensuring contractual provisions protect confidentiality, verifying that the vendor does not use client data for training, and understanding the vendor's data retention and handling practices.

The practical implication is that law firms must conduct due diligence on AI vendors before using their tools with client-confidential information. This due diligence should examine the vendor's security architecture, data handling policies, sub-processor agreements, and contractual commitments regarding confidentiality. Platforms that offer zero data retention, tenant isolation, and end-to-end encryption provide the strongest basis for maintaining privilege.

How Irys approaches this

Irys is designed to preserve attorney-client privilege through zero data retention on model providers, tenant isolation, encryption, and contractual commitments that support privilege maintenance.

Related terms

Security

Zero Data Retention

Zero data retention is a security policy in which an AI platform does not store user queries, uploaded documents, or generated outputs on its servers after processing is complete. For law firms, this policy ensures that confidential client information is not retained in third-party systems where it could be exposed through data breaches or used to train AI models.

Security

Tenant Isolation

Tenant isolation is a security architecture in which each customer's data is logically or physically separated from every other customer's data within a multi-tenant platform. In legal AI, tenant isolation ensures that one firm's confidential information, work product, and AI interactions are completely inaccessible to other firms using the same platform.

Security

SOC 2 for Legal AI

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates a service provider's controls for security, availability, processing integrity, confidentiality, and privacy. For legal AI platforms, SOC 2 compliance demonstrates that the vendor has implemented and maintained the security controls necessary to protect sensitive legal data.

Security

End-to-End Encryption in Legal

End-to-end encryption is a security method in which data is encrypted on the sender's device and can only be decrypted by the intended recipient, remaining encrypted throughout transmission and storage. In legal AI, end-to-end encryption protects confidential client data, privileged communications, and work product at every stage of processing.
