The Musk vs. OpenAI trial has drawn a lot of attention over the past few weeks, but there’s a quieter legal development that matters more to most organizations. In February 2026, a federal judge in New York issued the first ruling in the country to directly answer whether conversations with a consumer AI tool can be protected by attorney-client privilege. The answer was no, and the reasoning behind it has implications that extend well beyond the courtroom where it was decided.
What Happened in United States v. Heppner
Bradley Heppner, a Dallas financial services executive facing federal fraud charges, used an AI chatbot to think through his legal situation after he had already hired a defense attorney. He fed information his lawyers had shared with him into the tool, generated 31 documents worth of prompts and responses, and sent those documents to his legal team.
When the FBI seized those documents during a search, Heppner’s attorneys argued they were protected, that because he had eventually shared them with his lawyers, and had used privileged information as input, the materials should be shielded.
Judge Jed Rakoff of the Southern District of New York rejected both arguments. Three reasons:
- The AI isn’t your lawyer. There was no attorney-client relationship between Heppner and the AI platform. Privilege protects confidential communications with your attorney. Chatbots don’t qualify.
- There was no reasonable expectation of confidentiality. The AI provider’s terms of service allowed the company to collect user inputs and outputs, use them to train its models, and disclose them to third parties, including regulators. You can’t claim confidentiality under those conditions.
- The conversations weren’t attorney-directed. Heppner initiated these on his own. The tool itself disclaimed giving legal advice. That’s not what privilege is designed to protect.
The court also rejected the work product argument. Work product protection is meant to shield a lawyer’s thinking and strategy, not documents a client created independently using a public tool.
This Isn’t Just a Criminal Case Problem
The immediate reaction from many people reading about Heppner will be that this doesn’t apply to them because they’re not facing federal fraud charges. That reaction misses the point.
Litigation discovery, regulatory investigations, enforcement actions, and internal audits all depend on keeping certain communications confidential. The court’s reasoning in this case applies to all of them.
Your employees are already having these conversations. Someone on the HR team pastes the details of an employee complaint into a chatbot to draft a response. A finance manager asks an AI tool to help think through whether a vendor deal raises any compliance flags. In-house counsel feeds a legal memo into a tool to generate a summary for the executive team. None of these feel risky in the moment. Under the reasoning from this ruling, all of them could end up as exhibits.
Every AI conversation your employees are having about legal questions, investigations, audits, disputes, or sensitive business matters is a potential exhibit waiting to be produced. That’s true whether the employee knew it or not.
Privilege Doesn’t Just Attach Because Something Feels Legal
For attorney-client privilege to apply, three conditions have to be met: there has to be an actual attorney-client relationship, the communication has to be made for the purpose of getting legal advice, and the parties have to maintain a reasonable expectation of confidentiality.
Typing something into a public AI tool meets none of those conditions, regardless of how sensitive the subject matter is. The fact that an employee was thinking about a legal issue when they wrote the prompt doesn’t make the prompt privileged.
And the scope of this is broader than most people realize. It’s not just typed prompts. Teramind’s AI Data Exfiltration Dashboard monitors the range of ways sensitive content reaches AI tools; file uploads to AI portals, clipboard transfers of regulated data, API key pastes, and screen content being read by browser extensions and agents. The exposure surface is wider than a single chat window.
Privilege Isn’t a Label That Sticks
One of the more important parts of this ruling is the waiver analysis. Privilege protection isn’t permanent, it doesn’t follow information wherever it goes. The moment someone pastes privileged content into a consumer AI tool, that act can constitute a waiver, making the information discoverable by opposing parties and regulators.
It doesn’t matter whether what went in was an investigation report, a legal memo, or a summary of negotiating strategy. If the AI provider’s terms allow them to access, retain, or train on that data, the privilege may already be gone before the user hits send.
This is the risk most organizations are not tracking. It’s not hypothetical. It’s happening every day in the normal flow of work, largely invisible to the security and legal teams who would care most if they knew about it.
Teramind’s AI Usage Dashboard surfaces this activity, providing employee-level visibility into what’s being entered into AI tools, including the prompt-and-response content of conversations, with timestamps, tool attribution, and session replay attached. The foundation for understanding what’s actually happening, not what you assume is happening.
Personal Accounts vs. Corporate Accounts — The Distinction That Actually Matters
The court’s ruling focused on the specific terms of service of the consumer tool Heppner used, which allowed data collection, model training, and third-party disclosure. That’s important, because it points to a distinction that most security tools completely miss: an employee using a personal AI account and the same employee using your organization’s enterprise instance look nearly identical to network monitors. But the governance implications are entirely different.
A personal ChatGPT account or individual-tier Claude subscription carries the data practices of a consumer product. Enterprise agreements typically include data isolation, no training on customer inputs, and contractual confidentiality commitments that are materially different from the consumer terms. The court in Heppner specifically left open that attorney-directed use on appropriately governed platforms might be treated differently.
That means the question isn’t just which AI tools your employees are using, it’s which accounts they’re using them on.
Teramind closes this gap at the endpoint, making an important difference. By combining network-level signals, request metadata, and behavioral rules, Teramind distinguishes personal AI accounts from corporate ones upon access. Employees on personal accounts can be warned, redirected to the organization’s governed instance, or blocked outright. Employees on the corporate account may proceed normally, with full audit logging.
What was a line item in your AI vendor agreement becomes an enforceable control.
The Tools You Already Have Don’t Cover This
It’s worth being direct about why existing security infrastructure doesn’t solve this. Network DLP, proxy and web gateway controls, and cloud-based CASB solutions each cover a portion of the AI usage surface. None of them cover all of it.
AI-native browsers, desktop AI applications, IDE-embedded tools, terminal and CLI agents, local models with no network footprint, these bypass network inspection entirely. Browser extensions that scrape screen content and send it to external models generate no meaningful network signal. Autonomous agents running on the endpoint leave behavioral traces that only endpoint-level monitoring can see.
Teramind’s governance approach is built around the endpoint because that’s where AI interaction, sanctioned or shadow, online or offline, is likely to surface. The AI governance suite has 11 pre-built behavioral rules covering the channels and risks, including detection of AI-native browser launches, Claude CLI access, agent command execution, and autonomous agent activity that standard network tools likely won’t catch.
What Discovery Looks Like After This Ruling
Going forward, expect AI usage to become a standard line of inquiry in depositions, regulatory interviews, and subpoena negotiations. Questions like “Did you use any AI tools to prepare for this matter or analyze related documents?” are not hypothetical anymore. Subpoenas specifically demanding all AI prompts, inputs, and outputs related to a topic are already appearing.
Organizations that can’t answer that question with specifics are going to be in a difficult position. “We had a policy” is not a satisfying answer to a regulator or opposing counsel, and “we don’t know what our employees were putting into AI tools” is worse.
Teramind’s audit trail can capture high-fidelity evidence around AI usage, who, what, when, and full session context. When the question comes up in a deposition or regulatory proceeding, a record exists.
What to Actually Do About It
Set a policy specific enough to apply
The first step is a rule concrete enough that someone can actually follow it. Something like: employees may not input, paste, upload, or otherwise transmit any legal advice, attorney communications, investigation materials, audit findings, or trade secrets into any AI tool not expressly approved by the legal department.
A vague directive to “use caution with sensitive information” likely won’t hold up when someone makes a mistake. The rule should be specific, and employees need to understand the actual consequence, that it can strip the organization of legal protection in the middle of litigation, not just that it violates a policy.
Enforce it at the endpoint, before the disclosure happens
Policy without enforcement is just documentation. The gap between a written rule and what employees actually do with AI tools is real, and it’s not a reflection of bad intent, it’s a reflection of how people work under time pressure with useful tools in front of them.
Teramind’s behavioral rule library lets you enforce a policy at the initiation of risk, not after the fact. Block a sensitive paste into ChatGPT. Stop a confidential file from being uploaded to an AI portal. Redirect a user from their personal AI account to the organization’s governed instance. These controls fire at the endpoint, before data leaves the machine.
The Agentic AI Dashboard extends this to autonomous agents acting on the endpoint, detecting their commands, tracking configuration changes that could weaken policy, and maintaining the same audit trail you have for human users.
Build the audit record that compliance and legal actually need
When an incident does happen, or when one is alleged, the question is whether you can reconstruct what actually occurred. Teramind’s session replay capability lets you replay selected AI interactions end-to-end with synchronized prompt and response content, making it possible to distinguish an honest mistake from deliberate exfiltration in minutes rather than weeks.
That same audit infrastructure is what compliance teams can use to demonstrate that controls are in place during a regulatory review, and what legal can utilize to understand the scope of any potential waiver before the other side raises it. Having the record isn’t just about accountability after the fact, it’s about being able to manage the situation rather than react to it.
The Takeaway
This ruling didn’t create new law. It applied longstanding privilege principles to AI tools and reached the conclusion most lawyers would have expected. But that’s exactly what makes it significant, the court confirmed that consumer AI tools are third parties, that sharing information with them can waive privilege, and that no amount of attorney involvement after the fact undoes the damage.
The organizations that act on this now are the ones that can keep using AI for the productivity gains it offers without creating the legal exposure that comes with doing it carelessly. The ones that don’t are betting that none of their employees will ever type the wrong thing into the wrong tool. Based on what we know about how people actually use AI at work, that’s not a safe bet.
Disclaimer: This blog post is provided for general informational purposes only and does not constitute legal advice, regulatory advice, or professional guidance. The information may not reflect the most current legal, regulatory, or technical developments and should not be relied upon as a substitute for advice from qualified counsel or other appropriate professionals. Customers and readers are responsible for conducting their own independent research, evaluating their own legal and compliance obligations, and determining whether any information discussed is appropriate for their specific business, jurisdiction, industry, and use case. Teramind makes no representations or warranties regarding the accuracy, completeness, or applicability of this information and disclaims any liability arising from reliance on it.
United States v. Heppner, No. 25 CR. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026)
