AI Confidentiality for Regulated Firms After Hepner

Josef Holm, 10 min read

A US federal court compelled production of Claude prompts and outputs in late 2025. The case was United States v. Hepner. A criminal defendant had used the free version of Anthropic's Claude to draft documents related to his case; the court ruled the resulting material was not protected by attorney-client privilege or the work-product doctrine. The government could use the conversations as evidence.

The Hepner ruling is the most concrete signal so far that AI confidentiality is a real legal question, not a theoretical one. It will not be the last. The 2026 docket already contains a handful of cases where AI prompts and outputs are at the discovery table, and at least three regulators (DFSA, FCA, SEC) have signalled that AI usage will be part of routine supervision going forward.

This piece is the long-form treatment of AI confidentiality for regulated mid-market firms. It complements the Shadow AI Audit landing page and the AI for Corporate Law Firms sector page. It exists because Managing Partners, General Counsel, and Risk Partners keep asking the same set of questions and the answers are not generic.

Why AI confidentiality is structurally different

Three structural facts make AI confidentiality harder than the confidentiality posture firms built over the last twenty years.

First, the data does not behave like email. Email leaves the firm through known infrastructure: SMTP gateways, DLP, archive policies, retention rules. The firm's IT team can produce a logged history on request. AI prompts leave the firm through a browser tab. Most firms cannot produce a log of what entered which AI tool last quarter, let alone last year. The audit trail required by privilege, by client engagement letter, and by regulator supervision does not exist by default.

Second, the relationship to the model provider is contractually new. With email, the firm controls the storage and the transport. With AI, the prompt becomes the model provider's data, governed by the model provider's terms, retained under the model provider's retention policy, possibly used to train future models. Most firms have not signed an enterprise agreement that addresses these points. The default consumer or business-tier terms generally do not protect what regulated firms need to protect.

Third, the law and regulation are moving. Hepner moved the discovery question. Regulator focus on AI under DFSA, FCA, FSRA, and SEC has tightened through 2025 and into 2026. The EU AI Act's General-Purpose AI provisions moved the contractual question for any firm dealing with EU clients. The posture that was defensible eighteen months ago is no longer defensible today, and the posture defensible today may not be in twelve months. Firms that have not been actively managing this are sitting on stale exposure.

The four surfaces where AI breaks confidentiality

Every AI Operating Audit at a regulated firm runs into the same four confidentiality break-points. They are sector-flavored, but the underlying mechanics repeat.

1. Privileged work product entering generalist AI

A lawyer drafts a deal memo using ChatGPT. A wealth manager drafts a discretionary allocation rationale using Claude. A corporate-services associate drafts a structuring memo using Gemini. The material entered is privileged or near-privileged. The generalist AI tool's terms do not recognize privilege as a category. The model provider's training pipeline, retention policy, and sub-processor list do not care about privilege.

Hepner is the specific risk here. A court can compel production of these conversations under existing discovery rules. The work-product doctrine and attorney-client privilege were designed for a world where the privileged document sat inside the firm or with the client or with retained counsel. AI conversations sit with a third-party vendor whose terms most firms have not negotiated for privileged use.

The fix runs through three layers. First, eliminate generalist AI on privileged material: ban free-tier, ban personal accounts, route all use to enterprise licenses with the right DPA. Second, segment workflows: privileged material goes to tools whose contracts cover privilege explicitly; non-privileged material can use the broader stack. Third, document the boundary: leadership can produce, on demand, which tools handle which classes of work.

2. Client identity, matter context, and engagement-letter terms

A partner forwards a client email into ChatGPT for synthesis. A relationship manager pastes a private-banking client's portfolio review into Copilot to redraft. A corporate-services associate uploads a client's residency file into Gemini for a meeting prep. Client identity, matter context, fee structure, and engagement-letter terms now sit in the vendor's logs.

The exposure here is not just legal; it is commercial. Sophisticated clients are starting to ask AI questions in their procurement. If a wealth manager cannot tell their UHNW client which AI tools have touched their portfolio data, the client has a portability conversation in hand. We have audited firms where this has already happened: a client moved a mandate because the wealth manager could not answer the AI question in writing.

The fix is a per-client-class data boundary in the AI governance line. Some tools are approved for marketing copy. Different tools are approved for client correspondence. Different tools again, with tighter DPA terms, are approved for matter material. The firm documents the boundary and trains staff against it. The Audit installs this boundary; ongoing maintenance runs under the AI Operating Partner engagement.

3. Embedded AI in DMS, productivity suite, and meeting tools

Microsoft 365 Copilot reads the firm's email and document corpus by default. iManage AI reads the matter library. NetDocuments AI reads what NetDocuments holds. Salesforce Einstein reads the CRM. Zoom AI and Otter and Fireflies transcribe meetings. Each tool is enabled inside a SaaS contract the firm signed before AI was the conversation.

This is the surface most General Counsel underestimate. The base SaaS contract is fine. The AI feature inside the SaaS contract is governed by a separate clause that frequently has different data terms, different sub-processor disclosures, and different retention policies. The contract says EU hosting; the AI feature routes through US-hosted model providers. The contract says no training on customer data; the AI feature has a separate training-data clause that the firm has not opted out of.

The fix is a per-feature audit inside the SaaS contracts the firm already pays for. The Audit produces a verdict per AI feature, separate from the base SaaS posture: enabled with named approvers, disabled until contract amended, or disabled permanently. Most firms walk out with three or four embedded-AI features either re-procured under tighter terms or shut off.

4. Conflicts, KYC, and screening surfaces

Conflict checks now run through AI synthesis. KYC files get summarized by AI before partner review. Sanctions screening narratives are AI-drafted. Beneficial-ownership analysis is AI-extracted. The exposure here combines confidentiality with regulatory accuracy: a hallucinated sanctions narrative is a much worse exposure than a hallucinated marketing email.

The fix is sector-specific and runs through the Keep, Fix, or Kill framework. Conflicts surface in corporate law and corporate services work; KYC and screening surface in wealth management, multi-family office, and private equity operations. Each gets its own per-tool verdict against its own data class.

What Hepner means in practice

The Hepner ruling did three concrete things.

First, it confirmed that AI prompts and outputs are discoverable under existing rules. They are not categorically privileged. They are not categorically protected by work-product doctrine. They sit in a third-party vendor's logs and can be compelled out of that vendor or out of the user who created them.

Second, it underlined that the audit trail matters. The Hepner record went beyond the outputs to include the prompts, the model selection, the account tier, the timestamps, and the user identity. A party that cannot produce that audit trail has a separate problem from one whose AI conversations are uncomfortable to produce.

Third, it confirmed that the user, and by extension any firm whose systems they used, bears the burden. In Hepner the defendant could not point to a posture that segmented work by privilege, used enterprise licensing with the right contractual terms, or maintained an audit trail. The court treated that absence as a problem for the party asserting privilege, not for the government seeking the records.

For corporate law firms specifically, Hepner says: the firm needs an AI policy that segments privileged work, an enterprise license that contractually supports privileged use, and an audit trail that produces on demand. The Audit installs all three.

How this maps to specific sectors

Each sector has its own version of the confidentiality problem.

For corporate law firms, the issue is attorney-client privilege and work-product doctrine. The fix is segmented tooling per matter class, an enterprise license with privilege-grade DPA, and a documented audit trail.

For wealth managers, the issue is client PII, holdings data, and HNW correspondence. The fix is a per-client-class data boundary, regulator-aligned governance posture, and a client-facing AI policy document.

For multi-family offices, the issue is family balance-sheet data, cross-jurisdictional structures, and beneficial ownership. The fix is jurisdiction-mapped governance and a family-facing briefing the principal can read.

For private equity funds, the issue is deal flow data, IC memos, and portfolio operating information. The fix is a fund-level governance line that holds in an LP DDQ, optionally extended to portfolio companies.

For corporate services firms, the issue is client KYC, beneficial-owner documentation, and government correspondence. The fix is a KYC-grade governance line aligned to UAE federal, DIFC, ADGM, and free-zone regulator expectations.

The operational fix in plain language

Confidentiality is not solved by a policy document. It is solved by four working artifacts that the firm produces and maintains.

First, a tool inventory per data class. Every AI tool the firm uses, tagged against the class of work it handles. Public marketing copy is one class; client correspondence is another; privileged work is a third. The inventory is a one-page document, not a wiki page.

Second, a vendor posture review. Enterprise license, DPA terms, sub-processor disclosure, training opt-out, and audit-trail features per vendor. Where the vendor cannot meet the firm's perimeter, the tool moves to fix-or-kill in the framework.

Third, an audit trail. Every AI conversation on privileged or near-privileged material is logged in a form the firm can produce on demand. This is mostly achievable with enterprise licenses today; consumer-tier licenses generally cannot produce it.

Fourth, a per-client-class boundary in the governance line. The firm's written posture names which tools are approved for which classes. Staff are trained against it. New tools enter via a named approval path with a turnaround commitment.

This is the framework the Audit installs and the AI Operating Partner maintains under HIP's quarterly cadence.
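
One way to make the tool inventory, the per-class boundary, and the audit trail machine-checkable, as an added example (not HIP's tooling and not code from the original article). The tool names, tier labels, data-class keys, and the `data_class` field are assumptions; the six required fields are the audit-trail minimum this article names.

```python
from datetime import datetime

# The six fields the article names as the audit-trail minimum.
REQUIRED = ("user", "tool", "account_tier", "prompt", "output", "timestamp")

# Hypothetical inventory: data class -> approved (tool, account tier) pairs.
INVENTORY = {
    "marketing": {("chat-general", "business"), ("chat-enterprise", "enterprise")},
    "correspondence": {("chat-enterprise", "enterprise")},
    "privileged": {("legal-assistant", "enterprise")},
}

def review(record):
    """Return findings for one AI usage record; an empty list means it passes."""
    findings = [f"missing:{name}" for name in REQUIRED if not record.get(name)]
    data_class = record.get("data_class")
    if data_class not in INVENTORY:
        findings.append("unclassified")
    elif (record.get("tool"), record.get("account_tier")) not in INVENTORY[data_class]:
        findings.append(f"not-approved-for:{data_class}")
    if record.get("timestamp"):
        try:
            datetime.fromisoformat(record["timestamp"])
        except (ValueError, TypeError):
            findings.append("bad-timestamp")  # cannot be placed on a timeline
    return findings

def audit(records):
    """Map record index -> findings for every record that fails review."""
    return {i: f for i, r in enumerate(records) if (f := review(r))}

# Constructed sample records (not real log data).
SAMPLE = [
    {"user": "a.partner", "tool": "legal-assistant", "account_tier": "enterprise",
     "prompt": "summarise clause 4", "output": "summary text",
     "timestamp": "2026-01-12T09:30:00+00:00", "data_class": "privileged"},
    {"user": "b.associate", "tool": "chat-general", "account_tier": "free",
     "prompt": "redraft deal memo", "output": "draft text",
     "timestamp": "2026-01-12T10:05:00+00:00", "data_class": "privileged"},
    {"user": "c.manager", "tool": "chat-enterprise", "account_tier": "enterprise",
     "prompt": "reply to client", "output": "",
     "timestamp": "2026-01-13T14:00:00+00:00", "data_class": "correspondence"},
    {"user": "d.marketing", "tool": "chat-general", "account_tier": "business",
     "prompt": "newsletter intro", "output": "intro text",
     "timestamp": "last quarter", "data_class": "marketing"},
]

if __name__ == "__main__":
    for index, findings in audit(SAMPLE).items():
        print(index, findings)
```

A record that fails `review` is either outside the written boundary or could not be produced on demand in complete form, which are the two gaps the inventory and the audit trail exist to close.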

Common questions

Are AI conversations privileged?

Generally, no. There is no privilege category that automatically protects AI prompts and outputs. Privilege attaches to communications between attorney and client (or between two lawyers preparing the matter), not to communications between a lawyer and a third-party software vendor. The Hepner ruling treats AI conversations like any other third-party communication: discoverable, producible on order, and not entitled to a special protective category.

Can we just ban AI on privileged work?

You can, but it does not work for two reasons. First, staff will use AI on privileged work anyway, on personal devices, and the firm loses visibility. Second, the throughput gains are real and competitors are using them. The defensible posture is segmented tooling: enterprise licenses with the right DPA on privileged work, and discipline about the boundary. Banning is a poor substitute.

What does the audit trail need to contain?

At minimum: which user, which tool, which account tier, which prompt, which output, which timestamp. Enterprise licenses from major model providers produce this. Consumer-tier and most free-tier licenses do not. The first remediation step in most engagements is moving privileged-material workflows onto licenses that produce the trail.

Does this apply outside the US?

Yes. The Hepner ruling is US, but the underlying logic applies wherever discovery, supervisory review, or client DDQ can compel production. The DFSA, FCA, FSRA, and SEC are all moving in similar directions; the EU AI Act is a separate but reinforcing pressure. UAE PDPL and DIFC data protection law both reach the same conclusion via different paths: the firm needs an audit trail and a governance line.

How long does the engagement take?

Two to six weeks for the AI Operating Audit with confidentiality as primary lens, depending on firm size and matter complexity. A mid-sized corporate law firm typically completes in four weeks. A multi-entity multi-jurisdictional wealth manager or PE fund is closer to five or six.

What does it cost?

From $15,000 for a single-entity Audit. The Fractional CAIO retainer that maintains the governance line afterward is quoted in the Audit readout based on operating surface and matter volume.

Bottom line

AI confidentiality stopped being a theoretical question in late 2025. Hepner moved it into discovery. DFSA, FCA, SEC, and EU AI Act guidance are moving it into supervisory routine. UAE PDPL and DIFC data protection law cover the broader perimeter.

The work is bounded. The framework is well-tested. The artifacts the firm needs to produce on demand are four, not forty.

If your firm handles privileged work, client PII, fund data, or beneficial-ownership material and the AI confidentiality question is currently unanswered, the entry point is the AI Operating Audit. Apply to work with HIP when leadership is ready to act on the answer.