What Heppner Didn't Settle

Why the structural question is being skipped — and what it means for the firms that figure it out.

In February of this year, a federal judge in the Southern District of New York ruled that documents a criminal defendant generated using Anthropic's consumer Claude were not protected by attorney-client privilege or the work product doctrine.

The legal commentary that followed has been substantive. Privilege scholars and AmLaw practice innovation leads have engaged the ruling carefully, debating Kovel doctrine, third-party disclosure, and the gap between consumer and enterprise AI deployment. That conversation will continue for years. There is real work being done in it.

What I want to surface is a question that conversation is structurally not equipped to ask.

The ruling addressed a defendant who used a publicly available AI tool on his own initiative, without his attorney's direction. The platform's terms placed his inputs outside the kind of confidentiality privilege has always required. The defense team's effort to retroactively claim privilege over a workflow nobody had designed for that outcome did not succeed. On those facts, the ruling reaches the conclusion the doctrine, as written, points to.

The legal commentary engaging this ruling has largely focused on what firms and lawyers should do differently. Use enterprise tools, not consumer ones. Document counsel's direction. Build Kovel-style arrangements around AI use. These are reasonable instructions. They are also single-layer responses to a multi-layer problem — and the problem the ruling exposed is structural, not procedural.

The court explicitly noted that the analysis might have looked different had counsel directed the use, or had the AI tool been deployed as a confidentiality-preserving enterprise instrument. Both openings sound like procedural fixes. Neither one is. Each opening is a doorway into a structural question the current conversation has not yet learned to ask.

The structural question is this. Privilege has never been a property of any single layer of a deployment. It is a property of how the layers hold each other accountable. The ruling did not close the door on AI in regulated work. It surfaced what serious AI in regulated work actually requires — and the requirement is not what the current vendor market is selling.

Three layers have to hold.

The first is architectural. The system has to make confidentiality a property of the code itself — disclosure to third parties precluded by design, not just by terms of service. Identity and role have to be bound to the user's interactions in ways that survive discovery. Access has to be governed by controls no organizational hierarchy can override. The audit trail has to be a first-class output of the system, not a server log produced after the fact. None of this exists in any consumer AI platform. Most of it does not exist in current enterprise legal AI tools either. They are running on a generation of architecture that was not designed for the question this ruling has now made urgent.

The second is operational. The architecture has to be deployed in workflows that preserve human judgment at the points where judgment matters. This is the layer practice innovation directors at major firms understand better than anyone. They are the people watching what happens to lawyer thinking when a tool becomes the workflow — when associates stop consulting the system and start operating inside its frame. In regulated work, that drift is not a productivity story. It is a quiet structural problem that does not announce itself until a court asks who actually exercised judgment over the work product. The operational commitment is making sure the answer to that question is always a human, at this specific point, with the architecture supporting their judgment rather than substituting for it.

The third is practice. The architecture and the workflow are necessary, and they are still not sufficient. Counsel has to direct the use. The matter has to be defined. The legal advice purpose has to be present and documentable. The legal work that privilege has always required has to actually be done. No architecture, no matter how sophisticated, can substitute for legal judgment exercised in real time by a person bound by professional duty. Architecture preserves the conditions for that judgment to operate. The judgment itself is the practice's own.

Three commitments. None of them sufficient on its own. All three required.

This is where the conversation about AI in regulated work has been incomplete. Vendor pitches address the architectural commitment because that is what they sell. Firm policy memos address the practice commitment because that is what they govern. AI ethics frameworks float across all three without committing to any. The buyer is left assembling a coherent picture from sources that each have a structural reason not to provide one.

The cost of that incompleteness is not theoretical. It is sitting in the next several years of privilege rulings. Firms that deploy tools meeting only the architectural commitment will face privilege disputes where the practice commitment was not present. Firms that rely on the practice commitment without architectural support will face them when discovery surfaces the gap. The rulings will arrive case by case, each one nominally narrow, collectively redrawing the line between what counts as protected legal work and what counts as third-party-disclosed analysis.

The firms that navigate that redrawing well will be the ones that asked the structural question early. Not "how do we use AI without waiving privilege" — that question, asked at the policy layer, produces theater. The structural question is sharper. What would the architecture, the workflow, and the practice have to look like, in concert, for AI-mediated work in this firm to remain protected work?

That question is hard. It requires building things that do not yet exist in the market. It requires firms to be honest about what their current tools cannot do. It requires vendors to stop selling capability claims that fold under sophisticated scrutiny. It requires a vocabulary for talking about the layered relationship that almost no one in the current conversation is using.

The vocabulary is what I keep returning to in this work. Without shared language for evaluating AI deployment, governance becomes performance. The ruling did not invent the language gap. It made the gap impossible to ignore for an industry whose entire economic model depends on getting privilege right.

What the ruling settled is narrow. AI used outside legal practice, by a person not directed by counsel, on a platform not designed for confidentiality, is not protected. That conclusion was available before the ruling, and the ruling makes it formal. What sits between that settled conclusion and the unsettled question — AI deployed inside legal practice, with the architectural, operational, and practice commitments all present and verifiable — is the actual frontier.

The next round of rulings will be written about firms that figured that out, and firms that did not.

The conversation about which is which has barely started.