Attorney-Client Privilege Protection in AI Legal Workflows

Legal teams want AI for research summaries, issue spotting, chronology drafting, and internal work-product preparation. Those are sensible uses. They are also exactly where privilege mistakes become expensive. A lawyer or paralegal may paste draft strategy language, case identifiers, or internal client communications into a model prompt long before anyone has confirmed whether the route, provider, and review process are appropriate for privileged material.

Keeptrusts helps by governing the AI boundary rather than pretending to replace legal judgment. A legal workflow can use RBAC to require attributable users, Case Privacy and PII Detector to minimize matter identifiers and personal data, Data Routing Policy to keep routes on approved providers, Legal Privilege to block outputs containing configured privilege markers, and Audit Logger to record how the route behaved.

Use this page when

• You support law firms or in-house legal teams using AI for research, summarization, or draft work product.
• You need a practical way to reduce privilege and confidentiality exposure in AI-assisted legal workflows.
• You want a pattern aligned to Legal, Legal Privilege, and Case Privacy.

Primary audience

• Primary: Technical Leaders
• Secondary: Technical Engineers, legal operations reviewers

The problem

Privilege risk in legal AI is rarely one dramatic event. It is usually a sequence of small operational shortcuts. A lawyer uses a shared assistant to summarize a privileged memo. A paralegal includes a case number, party names, and settlement posture in a request because the model performs better with more context. An internal note drafted for outside counsel becomes part of a broader research prompt. None of those actions may look extreme in isolation, but together they create an uncontrolled path for privileged context.

That is why legal AI governance needs precision. Not every safeguard does everything. The current Legal Privilege policy, for example, is an output-phase blocker for configured privilege markers. That is useful, but it is not a complete privilege engine and it does not replace prompt minimization, routing controls, or attorney review. If a team misunderstands that boundary, it can overestimate what the route is actually preventing.

There is also a process problem. Legal work is collaborative and time-sensitive. Teams need fast drafting help, but they also need a reliable answer when someone later asks who accessed the route, whether privileged markers were blocked in output, or whether sensitive matter references were routed to an approved environment. A generic chatbot with shared access cannot answer those questions well.

The solution

The best legal pattern is layered and narrow. Treat privilege protection as a combination of request minimization, routing constraints, output checks, and reviewable evidence.

Start with rbac so every request is attributable to a named legal user and workflow. This matters because privilege review is not meaningful if the route cannot distinguish a partner, associate, paralegal, or external contractor.

Use case-privacy and pii-detector on input to reduce the amount of matter-specific and personal data that reaches the model. case-privacy is especially useful for case-number-like identifiers, while pii-detector handles broader personal-data categories.

Use data-routing-policy so privileged workflows stay on provider targets that meet the firm's actual handling requirements. If the legal team requires zero retention, local-only processing, or sanitized input, that should be expressed as route policy rather than training guidance.

Then add legal-privilege as an output-phase block for phrases the legal team wants to stop from appearing in generated output. Finally, use human-oversight and audit-logger so sensitive outputs can be escalated and the route remains reviewable later.

Implementation

This example creates a legal drafting lane with identity checks, case-number minimization, provider restrictions, and output-phase privilege marker blocking.

pack:
  name: privileged-legal-workflow
  version: 1.0.0
  enabled: true

providers:
  targets:
    - id: legal-zdr
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
        in_memory_only: true
        sanitized: true

policies:
  chain:
    - rbac
    - case-privacy
    - pii-detector
    - data-routing-policy
    - legal-privilege
    - human-oversight
    - audit-logger

policy:
  rbac:
    deny_if_missing:
      - X-User-ID
      - X-User-Role
      - X-Matter-ID

  case-privacy:
    action: redact

  pii-detector:
    action: redact
    detect_patterns:
      - name
      - email
      - phone
      - address

  data-routing-policy:
    require_zero_data_retention: true
    require_in_memory_only: true
    sanitize_before_provider: true
    on_no_compliant_provider: block
    log_provider_selection: true

  legal-privilege:
    privilege_markers:
      - attorney-client privilege
      - privileged and confidential
      - work product
      - for legal review only

  human-oversight:
    require_human_for:
      - external_sharing
      - privilege_sensitive_output
    confidence_threshold: 0.8
    action: escalate
    default_assignee: legal-review

  audit-logger: {}

The route is intentionally modest in what it claims. It reduces exposure and makes behavior reviewable. It does not determine privilege status for every document or replace attorney supervision.

The basic validation loop is enough to prove the route is wired correctly:

kt policy lint --file ./privileged-legal-workflow.yaml
kt gateway run --policy-config ./privileged-legal-workflow.yaml --port 41002
kt events tail --policy legal-privilege
kt events tail --policy case-privacy

Those checks tell you whether case identifiers are being minimized and whether configured privilege markers are being blocked in output.

Results and impact

Legal teams usually see two improvements immediately. First, the route stops behaving like a general-purpose assistant and starts behaving like a controlled legal workflow. Second, later review becomes much easier because the organization can inspect who used the route, what policies fired, and whether sensitive outputs were escalated.

That does not eliminate privilege risk entirely, but it moves the risk from informal habit to explicit policy. Matter identifiers are minimized, provider eligibility is constrained, and privilege-marker output checks provide a last-mile control against obviously problematic generated text.

For law firms and in-house teams, that is the right operational goal. AI assistance becomes useful without pretending that a single policy solves privilege doctrine.

Key takeaways

• Privilege protection in AI workflows requires layered controls, not a single policy.
• legal-privilege is useful as an output-phase marker block, but it is not a full privilege-review engine.
• Use case-privacy and pii-detector to minimize matter and client details before model calls.
• Use data-routing-policy to keep legal routes on approved providers.
• Use human-oversight and audit-logger so sensitive outputs are reviewable and attributable.

Next steps

• Legal
• Legal Privilege
• Case Privacy
• RBAC
• Data Routing Policy
• Human Oversight