Using AI Without Breaking Client Confidentiality

Akash Praveen, Privileged Founder

Yes, you can use AI in a solo practice without breaking client confidentiality — but whether a given tool lets you comes down to one architectural question: does it transmit the client's material to a third party to do its work? Cloud AI tools do, which creates a disclosure event the confidentiality rules ask you to take reasonable steps to prevent. On-device AI doesn't, because the document never leaves your machine. This guide walks through the tension honestly: what the duty of confidentiality requires at a high level, why cloud tools sit crosswise with it, what the ABA's guidance signals, and how local processing resolves the conflict instead of just managing it.

A note before we start: this is educational background, not legal advice. It does not tell you what is permissible in your situation. Your jurisdiction's rules of professional conduct, your bar's guidance, and your own client agreements govern what you actually do — when in doubt, consult them.

The tension, stated honestly

The reason this is hard is that both sides are real.

AI is genuinely useful for the document-heavy parts of a solo practice. Reading a contract and surfacing what's unusual, summarizing a long filing, pulling defined terms and dates out of a dense agreement, answering questions grounded in a specific matter — these are exactly the mechanical, time-eating jobs a solo attorney needs help with, and modern tools do them well.

But the most convenient way to get that help — paste it into a cloud chatbot, upload it to a web tool — runs straight into a duty that predates AI and applies regardless of it. The client's document is confidential. The cloud tool needs that document on its servers to process it. So the convenient path quietly asks you to hand privileged material to a third party. That's the tension: the usefulness is real, and so is the obligation, and the default workflow puts them in conflict.

The goal of this guide isn't to scare you off AI. It's to show that the conflict is a property of one architecture, not of AI itself — and that a different architecture dissolves it.

What the duty of confidentiality actually requires

You don't need a refresher on the rule you live under, so this stays high-level and practical.

The duty of confidentiality — reflected in ABA Model Rule 1.6 and its state analogues — broadly covers information relating to the representation, and among other things calls for reasonable efforts to prevent its inadvertent or unauthorized disclosure. Two features of that matter for tool choice:

  • It's broad. It isn't limited to what's "secret" or to formal communications. It reaches information relating to the representation generally — which is why "but it's just a routine contract" isn't a safe assumption.
  • It's about reasonable efforts. The rule doesn't demand the impossible; it asks whether you took reasonable steps given the sensitivity and the circumstances. Critically, what counts as reasonable depends on the tool — and that's where AI architecture enters the analysis.

That second point is the hinge of this whole guide. Two tools that produce a similar answer can sit very differently against the same duty, because one transmits the document and the other doesn't. The obligation is constant; the effort required to satisfy it is not.

Again: how the duty applies to your facts is a question for you and your jurisdiction's rules, not for a marketing article.

Why cloud AI sits crosswise with the duty

It helps to be concrete about what "a cloud tool transmits your document" actually means, because the mechanism is the whole argument.

When you upload or paste a client's document into a cloud AI service, the contents of that document leave your control and arrive on servers owned by a company that is not you and not your client. From that moment, what happens to it is governed by the vendor's systems and policies: how long it's retained, whether it's logged, which sub-processors handle it, whether it's used to improve a model, and what a security incident or a subpoena to the vendor might expose. Those terms might be excellent. But the document has already been disclosed to a third party — that part isn't undone by a favorable policy.

This is why "we don't train on your data" doesn't fully answer the question. It addresses one downstream use. It doesn't change the fact that the material was transmitted and now sits, at least transiently, somewhere you don't control. For confidential client information, the transmission is the event the duty asks you to take reasonable steps to prevent — and a promise about what the recipient will do with it afterward is a different thing from not transmitting it at all.

What the ABA has signaled: Formal Opinion 512

The profession's governing bodies have started addressing this directly. The most prominent example is ABA Formal Opinion 512, which takes up the ethical duties that apply when lawyers use generative AI tools.

Two things are worth taking from it, both at a careful distance:

  • It frames duties; it doesn't ban the technology. The thrust of this kind of guidance is not "don't use AI." It's that the existing duties — competence, confidentiality, communication with clients, reasonable fees, and supervision of the work — continue to apply when AI is in the loop, and lawyers are responsible for meeting them.
  • Confidentiality is squarely in scope. Where a tool involves sending client information somewhere, that implicates the confidentiality analysis — which loops directly back to the architectural question this guide keeps returning to.

A responsible way to use this opinion is as a pointer, not a script: read it yourself, read your own state bar's guidance (state opinions vary and several have weighed in), and treat any third-party summary — including this one — as a starting place rather than an authority. What the opinion requires of you, specifically, is not something an article can tell you.

Privilege vs. confidentiality — a distinction worth keeping straight

Attorneys sometimes use "privilege" and "confidentiality" interchangeably, but for AI decisions the difference matters.

Confidentiality is the ethics duty above: broad, covering information relating to the representation, owed to the client under the rules of professional conduct. Attorney-client privilege is narrower — an evidentiary protection that can shield certain confidential communications from compelled disclosure, subject to its own requirements and exceptions.

Why care about the distinction here? Because sending client material to a third-party AI service can implicate both, along different lines. It's a confidentiality question because you've disclosed protected information to an outside party. It can also raise privilege questions, because privilege analysis is sensitive to disclosure to third parties. The two doctrines aren't identical, and this guide doesn't resolve either for your facts — but a tool that never transmits the material sidesteps the thorniest version of both at once. (The cluster article on AI and privilege goes deeper on that second thread.)

How on-device processing resolves the tension

Here's the move that turns a problem you have to manage into one you've removed.

On-device — or local — AI runs the model on hardware you control. When you ask it to review a contract, the file is read off your own disk, the model processes it in your machine's memory, and the answer comes back, with none of it crossing the network. There is no upload, no vendor account holding the document, no server-side log, no sub-processor in the chain.

Apply that to the duty. The confidentiality concern with cloud AI was the disclosure event — the transmission of client material to a third party. On-device processing doesn't produce that event, because there is no third party and no transmission. You're not relying on a vendor's retention promise or trusting their breach posture, because the vendor never receives the document. The honest answer to "where did my client's file go?" becomes "nowhere — it stayed on my machine."

That's the difference between a policy and an architecture, and it's the reason local processing is the cleaner answer for privileged work. A "we'll handle it carefully" assurance is a promise you have to monitor. "It was never sent" is a fact about how the system is built. The first manages the risk; the second removes the category.

To be clear about what on-device processing does not do: it doesn't secure a lost or compromised laptop for you, it doesn't supply legal judgment, and it doesn't make the output trustworthy without your review. It removes the transmission-to-a-third-party problem — a significant one — and leaves the ordinary professional obligations exactly where they've always been: with you.

The half-measures, and why architecture beats them

Before settling on on-device, it's worth seeing why the common cloud workarounds only go partway.

Redacting or anonymizing before you paste. Tempting, but brittle. Effective redaction of a real legal document is hard — names recur, defined terms leak context, and unusual facts can re-identify a matter even after the obvious identifiers are stripped. You also have to do it perfectly every time, under time pressure, which is exactly when mistakes happen. And even done well, you've still transmitted the residual document to a third party. Redaction reduces what's exposed; it doesn't remove the disclosure event.

Getting client consent. Informed consent has its place, and the communication rules may make discussing your tools appropriate. But consent isn't a universal solvent: it doesn't convert an unreasonable practice into a reasonable one, it has to be genuinely informed to mean anything, and securing it for every cloud tool on every matter is impractical. Treat consent as a possible part of the picture, not a substitute for handling the material carefully — and check what your jurisdiction expects.

Enterprise tiers and "zero-retention" settings. Better policies on the same architecture. They can shorten retention and turn off training, which is genuinely worth having for the right work — but the document still travels to the vendor. They improve the terms of the disclosure; they don't prevent it.

The throughline: every cloud workaround is a way to make transmitting the document less risky. On-device processing is the only option that doesn't transmit it at all. That's why architecture, not configuration, is the durable answer for privileged material.

Where confidentiality actually slips with AI

Most real exposure isn't dramatic. It's mundane and habitual:

  • Personal AI accounts. Pasting a client clause into a personal chatbot "just to check something" is the most common one — convenient, invisible, and a disclosure all the same.
  • Free tiers. Free consumer AI products often carry the most permissive data terms; "free" frequently means your inputs help improve the product. Read what you're agreeing to.
  • Browser extensions and add-ins. "AI assistant" extensions that read the page or document you're viewing can ship it to a server you never thought about. The integration is the point of exposure.
  • Auto-summarize and cloud OCR. Features that summarize an email thread or OCR a scanned filing may be doing it in the cloud. A screenshot sent to a cloud tool is still a transmission.
  • Shadow AI. Tools adopted quietly, without anyone framing it as "using AI on client data," are where good intentions and bad architecture meet.

The pattern is that the leak rarely feels like a decision — it feels like a shortcut. Knowing where the shortcuts are is half of avoiding them, and choosing an on-device tool for matter documents removes the temptation, because the safe path becomes the convenient one.

A practical way to think about it

You don't need a policy binder to apply this. A few observations that tend to hold up:

  • Sort by what's in the document, not by which tool is slicker. The moment a task involves a client's actual file — a contract, a filing, correspondence, anything identifying the matter — that's where on-device processing earns its place. General, client-free tasks are a different calculus.
  • Verify "local" actually means local. "Private" and "secure" are marketing words; the test is whether the tool still works with the network off. If it needs the internet to analyze a document, the document is going somewhere.
  • Keep securing the device. On-device shifts the risk from "in transit and on a vendor's servers" to "on your machine" — which is a risk you already manage for every privileged file you store. Don't drop the basics: device encryption, access control, backups.
  • Keep a human on the output. Confidentiality is about disclosure; accuracy is a separate duty. Treat AI output as a draft to verify, never a finding to rely on.
  • Mind communication and consent where appropriate. Whether and how to discuss your use of AI with clients is a judgment call under the communication rules and your engagement terms — and exactly the kind of thing to check against your jurisdiction's guidance rather than an article.
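One way to back up the "verify local actually means local" check with evidence, as an added example that is not part of the original guide or of any vendor's code: take a socket snapshot with `ss -tnpH` on Linux while the tool is analyzing a document, then flag anything the tool's process sends to or accepts from a non-loopback address. The process name `docreview` and every address in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -tnpH` output (Linux). Process names, PIDs and
# addresses are made up; 11434 is Ollama's default local port.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:* users:(("ollama",pid=4321,fd=3))
ESTAB 0 0 127.0.0.1:11434 127.0.0.1:52344 users:(("ollama",pid=4321,fd=9))
ESTAB 0 0 127.0.0.1:52344 127.0.0.1:11434 users:(("docreview",pid=5100,fd=12))
ESTAB 0 0 [::ffff:127.0.0.1]:40112 [::ffff:127.0.0.1]:11434 users:(("docreview",pid=5100,fd=14))
ESTAB 0 0 192.168.1.20:40522 203.0.113.7:443 users:(("docreview",pid=5100,fd=15))
LISTEN 0 128 *:8080 *:* users:(("docreview",pid=5100,fd=7))
"""

# Pulls the owning process name and PID out of the users:((...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def is_loopback(endpoint):
    """True if the host part of 'host:port' is a loopback address."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # '*' wildcard or anything unparsable is treated as not loopback.
        return False
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged by its IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback


def off_host_sockets(ss_output, process):
    """Return (kind, endpoint) pairs where `process` talks or listens off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        match = PROC_RE.search(line)
        if len(fields) < 6 or not match or match.group(1) != process:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if state == "LISTEN" and not is_loopback(local):
            findings.append(("exposed-listener", local))
        elif state != "LISTEN" and not is_loopback(peer):
            findings.append(("remote-peer", peer))
    return findings
```

A clean result only describes the moment the snapshot was taken, so it complements the network-off test rather than replacing it.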

Confidentiality isn't the only duty AI touches

This guide focuses on confidentiality because that's the duty most directly threatened by how a tool handles documents. But it's worth naming that it doesn't stand alone, because guidance like Opinion 512 treats these duties together.

Competence has come to include a working understanding of the tools you use — enough to know what a tool does with a document, where it can be wrong, and when not to rely on it. Accuracy is a separate obligation from confidentiality: a tool can be perfectly private and still produce a confidently wrong summary, which is why human review of output is non-negotiable regardless of where the processing happens. And supervision means you remain responsible for work product an AI tool helped produce, the same way you would for a junior associate's draft.

On-device processing settles the confidentiality piece cleanly. The rest stay with you — and that's appropriate, because they're about judgment, not transmission.

Where Privileged fits

Privileged is built around this exact resolution for solo attorneys: document analysis and Q&A that runs entirely on-device via Ollama, organized by matter, with workflow templates for contract review, document summary, filing review, and time entry. The client's documents are analyzed on your own machine and never transmitted, retained off-device, or used to train anything — which is the whole point. It analyzes and reviews the files you give it; it is not a legal-research or document-drafting tool, and it makes no claim to supply legal judgment. It's the on-device answer to the tension this guide describes, narrowed to the contract-review work a solo practice actually does. The how it works page has the specifics.

To go deeper — whether AI use can affect privilege, what ABA Opinion 512 and the state bars are actually saying, the concrete risks of uploading a contract to a cloud chatbot, and how third-party disclosure works — work through the guides in this cluster below.

Start here — reading path

Work through this cluster in order, or jump to the guide you need.

  1. Can You Upload Client Contracts to ChatGPT? The Risks
     Uploading a client contract to ChatGPT sends it to a third-party server. Here's what actually happens to it, and a safer on-device alternative.

Frequently asked questions

Can lawyers use AI without violating client confidentiality?
Often yes — but it turns on whether the tool transmits the client's material to a third party. Cloud tools send the document to a vendor's servers, creating a disclosure event; on-device tools process it locally and don't. Sorting tasks by what's actually in the document is the practical move. This is an observation about the technology, not legal advice.

Does the duty of confidentiality apply when I use an AI tool?
Yes. The duty — reflected in ABA Model Rule 1.6 and state analogues — covers information relating to the representation regardless of the software you use. AI doesn't lower the bar; it changes what "reasonable efforts to prevent disclosure" looks like in practice.

What does ABA Formal Opinion 512 say about AI?
At a high level, it addresses the ethical duties that apply when lawyers use generative AI — including competence, confidentiality, communication with clients, and reasonable fees — without banning the technology. Read the opinion itself and your own state's guidance for the specifics before relying on any summary.

Is client confidentiality the same thing as attorney-client privilege?
No. Confidentiality is a broad ethics duty covering essentially all information relating to a representation; privilege is a narrower evidentiary protection for certain communications. Sending client material to a third-party AI service can implicate both, in different ways.

How does on-device AI actually protect confidentiality?
It runs the model on your own machine, so the client's document is never transmitted to a third party — which removes the disclosure event that cloud tools introduce. You still have to secure the device and exercise judgment over the output.