Brushed Mac mini on a polished mahogany desk in a quiet law office at dusk with leather-bound law books and warm desk lamp glow

The Heppner Ruling, Warner v. Gilbarco, and What Confidential AI Actually Has to Mean

Leave a Comment / Uncategorised / By
This article describes a recent federal court ruling and what it implies for confidential AI use. It is not legal advice. Talk to your bar counsel before changing any firm policy.

“The AI-generated content was not protected by the attorney-client privilege or the work-product doctrine.”

— Hon. Jed S. Rakoff, S.D.N.Y., Feb. 17, 2026

On February 17, 2026, in United States v. Heppner, No. 25-cr-00503-JSR (S.D.N.Y.), Judge Jed S. Rakoff ruled that AI-generated content produced by the defendant using a publicly available generative-AI tool was not protected by the attorney-client privilege or the work-product doctrine. The defendant, the former CEO of GWG Holdings, had used a public AI platform to prepare roughly 31 documents after his federal indictment, then shared those documents with his attorneys, who asserted privilege. The court rejected the claim.

The reasoning was direct. There was no reasonable expectation of confidentiality when the data was voluntarily transmitted to a third-party public platform. And transmitting AI-generated content to a lawyer after the fact does not retroactively render it privileged.

This is the first federal opinion of its kind. It will not be the last. And it is worth understanding precisely, because the press summary of this case is doing a lot of damage that the actual holding does not support.

What the ruling actually says, and what it does not

Heppner is about a client — not a lawyer — who used a public AI tool on his own, after indictment, and then handed the output to his lawyers. The court held that the client’s own act of transmitting prompts to a public platform destroyed any expectation of confidentiality. Receiving the output later did not cure that.

It is not a blanket holding that all AI-assisted legal work loses privilege. The same month, in Warner v. Gilbarco, Inc., No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026), a federal court denied a motion to compel disclosure of AI-assisted internal analysis and drafting, holding that the work-product doctrine still applied.

The split is not about whether AI is allowed in legal work. It is about where the AI runs and who sees the data along the way.

⚠️ Public, third-party-hosted AI

Used by a client or counsel. Heppner-style transmission risk to privilege. The contract may help but does not physically prevent transmission.

Privilege intact

✓ Internal / on-device AI

Used by the firm for its own work-product, where data never leaves the firm. Warner-style work-product protection still applies.

The two real categories of “private AI” in 2026

☁️

Cloud with contractual ZDR

Spellbook, Harvey, CoCounsel. Pitch: we do not train on your data, contract says so, here is the DPA. Heppner weakens the simple version of the argument; the contract still has to survive scrutiny.

🖥️

On-device

The language model runs on a Mac or PC inside the firm. Outbound network traffic blocked at the firewall. The data is not transmitted because there is no transmission. Verified with lsof -i.

Both categories have legitimate use cases. They are not the same product. After Heppner and Warner read together, they are not the same risk profile either.

Why physical beats contractual for genuinely privileged work

A contract is a promise that something will not happen. A network configuration is a constraint that prevents something from happening.

When Judge Rakoff examined the public AI platform’s terms in Heppner, he was assessing a promise. When you point bar counsel at a Mac running locally with the Wi-Fi physically off and lsof on screen, you are showing them an absence of transmission. That is a different evidentiary category. It is also a verifiable one. Any partner, paralegal, IT vendor, or auditor in the firm can run lsof -i themselves and see whether a network connection is open. The check takes three seconds. It does not depend on trusting a third party’s audit.

What on-device AI is good at, and what it is not

✓ Good at

  • NDA and contract review against template clauses
  • Document summarization
  • Drafting against your own document library, with citation-checking against your corpus
  • Daily briefings on what changed in matter folders overnight
  • Plain-English Q&A over a firm’s own document set

✗ Not as good at

  • Real-time legal research against current case law (the model knows what it was trained on; it does not search Westlaw)
  • Tasks that genuinely require frontier cloud-model capability (on-device frontier is roughly a 70B model in 2026)
  • Workflows where current online context is the whole point

A realistic implementation uses both: on-device for the privileged work, cloud-with-care (with a DPA, with a written firm policy) for the public research. The point of Heppner is not to forbid cloud AI. It is to stop pretending cloud AI is the same thing for both kinds of work.

What a small firm can actually do this week

  1. Write down which matters have had documents touched by public AI tools. You may need this if discovery ever comes for the AI-generated work product.
  2. Update your firm’s AI policy to differentiate between research (cloud OK with care) and privileged document work (on-device, or contractual ZDR with eyes wide open about Heppner-style risk).
  3. Pilot on-device for the small, repeatable, privileged tasks first: NDA review, contract summary, intake document analysis, daily briefings.

The hardware to run on-device AI privately in 2026 is a Mac mini or MacBook Pro with Apple Silicon. The open-source software stack to run a 31-billion-parameter language model on either is freely available. The total setup time for a technical person is a weekend. The total setup time for a $400-an-hour attorney is also a weekend they will never take.

On that note

I run a small business in Arcata, California, that builds and ships one of the pre-configured options for the second group. It is called the AirGap Box: a Mac mini with the open-source local-AI stack and three working agents (folder watcher, daily briefing, local Q&A) already installed, a default-blocked outbound firewall, a 90-minute setup call, and a written compliance memo template for your firm’s records.

Hardware

AirGap Box

$2,995–$3,995 one-time

Pre-configured Mac mini shipped to your office. Founding-customer pricing for first 5 buyers.

Join the waitlist →

AirGap Agents

$19 one-time

Three agents that drop on your existing local LLM. DIY install in 60 seconds.

See the pack

You can watch a live lsof-on-screen demo of an NDA being reviewed on a laptop with Wi-Fi physically off, on YouTube, before deciding anything.

If you are a partner, a managing attorney, or an IT lead at a firm trying to figure out what Heppner and Warner mean for your firm’s AI policy, my email is matt@ineedhemp.com. No sales pitch. I will tell you honestly whether on-device makes sense for your firm before I would let you buy anything from me.

— Matt Macosko
Nice Dreamz LLC
Arcata, California

Sources for the cases discussed:

  • K&L Gates, “Litigation Minute: Generative AI Data, Attorney-Client Privilege, and the Work-Product Doctrine” (Feb. 23, 2026)
  • Wealth Management, “Attorney-Client Privilege Waived by Client’s Use of Public AI” (2026)
  • United States v. Heppner, No. 25-cr-00503-JSR (S.D.N.Y. Feb. 17, 2026)
  • Warner v. Gilbarco, Inc., No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026)

Leave a Comment

Your email address will not be published. Required fields are marked *
Shopping Cart
06.12.26 Disclosure Day
Scroll to Top