Sign in Subscribe

AI Chats Meet Discovery: What’s Fair Game—and How to Shield It

AI Chats Meet Discovery: What’s Fair Game—and How to Shield It

Clients type sensitive facts and questions into AI tools all the time: “What happens if I…,” “Can I be charged if…,” “Draft an apology to HR about…” Those prompts, the model’s responses, and associated metadata can live in multiple places: on the provider’s servers, in enterprise audit/retention systems, in the user’s browser or app cache, and in exported files. In June 2025, for example, OpenAI disclosed it’s under a court preservation order to keep ChatGPT consumer conversations—including deleted ones—indefinitely while it litigates with The New York Times. OpenAI says it’s challenging the order, but for now retention is broader than usual for non‑enterprise tiers. Enterprise/API customers remain under different terms (including 30‑day or zero‑data‑retention options). That alone moves “AI chats” into the same discovery conversation we’ve long had for email, messaging, and search history.

By contrast, enterprise AI built into productivity suites is already wired for eDiscovery: Microsoft 365 Copilot interactions are stored in hidden mailbox folders and are searchable with Purview and admins can set retention and legal holds on that data. That means prompts and outputs may be discoverable and fit squarely within a company’s ESI footprint.

Discovery basics apply

In civil cases, the familiar rules still drive scope: relevance and proportionality, production of ESI within a party’s “possession, custody, or control, and preservation duties once litigation is reasonably anticipated. None of that changes because the document happens to be a chatbot transcript. The hard parts are (1) figuring out where that data actually resides and (2) who has “control,” particularly when it lives in a consumer AI account or a cloud tenancy the party can access but doesn’t administer.

Criminal vs. civil: who can get what, and how

Criminal matters. Law enforcement has well‑developed pathways to digital content:

  • From the device: Officers generally need a warrant to search a phone’s digital contents. If the client used a mobile app or browser, cached prompts and local artifacts may be imaged and examined under the warrant. 
  • From the provider: The Stored Communications Act (SCA) governs. For “contents” held by an electronic communication or remote computing service, the government needs appropriate process per 18 U.S.C. § 2703. Providers also publish law‑enforcement policies and may disclose in exigent circumstances, but the baseline is legal process for content.
  • From search engines: Investigators increasingly use geofence and reverse keyword warrants to obtain location data or “who searched for X.” Courts are split and the practices remain controversial, but these warrants have survived challenges in some jurisdictions. Expect prosecutors to analogize AI chat records to other cloud logs. 

Defense access to third‑party data is tighter. Defendants may receive reciprocal discovery and may pursue third -party subpoenas, but the standards provide a high bar to obtain pretrial access to such data. Practically, the defense is more likely to obtain AI chat content from the client’s own accounts/devices than from an AI provider directly. 

Civil matters. Civil litigants usually cannot subpoena AI providers for the content of user communications because the SCA generally prohibits providers from divulging content to anyone other than the government or with consent (see 18 U.S.C. § 2702). That rule has long blocked civil subpoenas to social networks and ISPs for private messages. The upshot: you get the chat transcripts from the party who has access/control—not from OpenAI/Google/Microsoft—unless that party consents. 

Before vs. after “anticipation of litigation”: privilege and work product

Before a dispute is on the horizon, a client’s solo use of a public chatbot to ask legal-ish questions is just a communication with a third party. There’s no attorney‑client privilege. And it’s not work product. If relevant, it can be discovered from the client like any other ESI (and in a criminal case, seized under a warrant). Consider it like Google search history with more context attached.

After the duty to preserve arises. If the client or counsel uses AI to gather facts, analyze issues, or draft strategy because of expected litigation, the output can be work product. That protection is not automatic, though:

  • Attorney‑client privilege covers confidential communications for legal advice. Dual‑purpose communications use the “primary purpose” (or “a primary purpose”) test in many courts; if business and legal purposes are intertwined, it can become detailed, fact-based inquiry.
  • Third‑party involvement can waive privilege unless the third party is necessary to obtain legal advice. Privilege may extend to non‑lawyer agents “translating” client information and the “functional equivalent” doctrine can also keep privilege intact for integrated consultants.. If you’re piping client facts into an AI as a tool retained by counsel under appropriate terms, you’ll have a stronger argument that there’s no waiver than if the client is pasting those facts into a free, consumer chatbot.
  • Work product protects materials prepared “in anticipation of litigatio. Opinion work product (counsel’s mental impressions) is especially shielded, but, as always, disclosure beyond what’s necessary can waive or dilute protection. 

Bottom line: privilege and work‑product arguments get far stronger when AI use is by or at the direction of counsel, through a vendor arrangement that makes the AI provider an agent of the firm or client for the purpose of delivering legal advice—and far weaker when a client is freelancing in public AI tools. 

Is this any different than Google search history?

Similarities:

  • Both create server‑side logs tied to an account; both can be reached by law enforcement with appropriate process under ECPA/SCA; both are generally off limits to civil subpoenas served directly on the provider because of § 2702’s bar on content disclosures. 

Key differences:

  • Content richness. AI chats capture full prompts and model outputs (often more revealing than a list of search terms). That can cut either way: discoverability increases, but so does work‑product potential if counsel directed the work. 
  • Enterprise governance. Copilot/Gemini for Workspace can copy prompts/outputs into enterprise stores with retention, audit, and legal holds—corporate search history typically isn’t centralized like that. 
  • Current retention reality. Due to the NYT litigation, OpenAI says many consumer ChatGPT chats (even deleted) are now preserved under court order, while enterprise/API tiers retain different, often shorter periods or offer zero‑data‑retention. That’s a potential discovery game‑changer for consumer accounts.
  • Reverse‑warrant exposure. Google search logs have been targets of geofence and keyword warrants. That specific technique may be used for AI chats as well.

When AI chats are likely discoverable—and when they aren’t

Expect courts to treat AI chats like any other ESI:

  • From a party: If relevant and proportional, transcripts/exports/browser artifacts are within Rule 34’s scope if the party can access or control them. Disputes will often turn on “control” (e.g., can the user log in and export the conversation?). 
  • From a provider: Civil subpoenas for content will usually be quashed under the SCA; consent from the user can enable provider disclosure in limited circumstances. Government entities may compel content with a warrant/order under § 2703. 
  • From a seized device (criminal): If a warrant authorizes a forensic search, locally stored app/browser data is in play, subject to familiar search protocol fights.
  • If created for litigation: Prompts/outputs that reveal counsel’s mental impressions are strong opinion work product. Fact work product may be discoverable on a showing of substantial need. Label, segregate, and route these materials through counsel.

And remember preservation: if litigation is reasonably anticipated, instruct clients not to delete relevant AI history or disable retention without coordinating a legal hold.

Concrete ways to reduce discovery risk (and serve your client better)

Here’s a practical playbook you can adapt per matter and jurisdiction:

  1. Channel client AI use through counsel, not consumer accounts.
    Prefer enterprise tools (ChatGPT Enterprise/Edu, Microsoft 365 Copilot, Gemini for Workspace, Azure OpenAI) under contracts that (a) disable training on customer data, (b) set short or zero retention where available, and (c) give you legal‑hold and eDiscovery control. Document the provider as the firm’s or client’s agent to strengthen confidentiality and privilege.
  2. Don’t paste client confidences into public bots.
    If you must inject confidential information into public or consumer chats, get client consent.
  3. Turn on enterprise retention and legal holds; turn off consumer “history.”
    In corporate environments, make sure Copilot/Gemini logs are covered by Purview/Workspace retention and legal holds. In consumer ChatGPT/Google accounts, toggle off history where appropriate and lawful, but don’t do so once a hold is in place. Be mindful that OpenAI is subject to a legal hold on deleting chats (and other companies may be under similar constraints).
  4. Separate “legal analysis” prompts from “public drafts.”
    Use distinct workspaces or GPTs for litigation analysis versus routine drafting, with access limited to the legal team. Label outputs “Attorney Work Product—Prepared in Anticipation of Litigation.” Tie these uses to counsel’s instructions to satisfy the “because of litigation” and “primary purpose” tests.
  5. Update your litigation hold templates.
    Add an explicit paragraph covering “AI prompts, chats, and outputs” across consumer and enterprise tools, including any exports, screenshots, or pasted content in documents. Reference the user’s ability to export chats and ask them to preserve. Sedona’s legal‑hold guidance supports this specificity. 
  6. Plan for criminal process.
    If a client’s device is at risk of seizure, advise on device locks and backups, and plan for how to assert privilege/work‑product claims over AI analysis stored locally (e.g., segregated folders). Expect that investigators may also pursue cloud data via the SCA; be ready to litigate scope and search protocols.
  7. Authentication and context.
    If your client used AI in a way that will surface in discovery, collect the “who/when/how” context early: account owner, timestamps, system version, and any enterprise audit logs. Copilot/Gemini generate audit events that can help authenticate or challenge provenance. 

Should you give clients a portal—and what to say in your engagement letter?

A firm‑provided portal (or a shared enterprise tenant) can meaningfully reduce risk if it (a) uses an enterprise AI with no training on client data, (b) has admin‑controlled retention/legal holds, and (c) is wrapped in a vendor agreement that recognizes the provider as the firm’s agent for providing legal services. That’s the cleanest path to preserve privilege and work‑product arguments while keeping you compliant with tech‑competence and confidentiality duties. 

If your practice and jurisdiction permit, add plain‑English language like this to your engagement documents (tailor to your ethics rules):

Use of AI tools. We may use trusted AI tools to assist in legal research, drafting, and analysis. These tools will be used under our supervision and within systems that prohibit training on your data and apply retention and security controls. We will not input your confidential information into public AI systems without your informed consent. If you independently use AI tools, do not input facts about your matter into public systems and promptly preserve any AI outputs that relate to this engagement.
Client use of AI. Please avoid discussing your legal matter with public chatbots or “assistants” (e.g., ChatGPT, Gemini, Copilot personal) and do not delete any AI chats or exports that relate to the issues in this matter once litigation is reasonably anticipated. [If you need to use AI, we will provide access to a secure portal.]
Preservation. You agree to preserve relevant AI prompts, chats, outputs, and exports in your possession (including screenshots and files) and to notify us of any AI systems you used so we can implement appropriate legal holds.

AI chat logs are just the newest flavor of ESI, but they carry outsized risk because they’re richer than search histories and often live on someone else’s servers. Treat them like you treat email and messaging: scope them early, preserve them when litigation is reasonably anticipated, and plan where they’ll be stored. In civil cases, expect to get (and produce) AI chats from the party, not the provider, thanks to the SCA; in criminal cases, plan around warrants to devices and providers. The biggest protection is process: route sensitive AI use through counsel on enterprise tools, document the vendor as an agent, and keep “public” bots out of the loop. Update your holds and engagement letters to call out AI explicitly, and give clients a secure portal if they need AI’s help. Do those things and you’ll reduce discovery fights, strengthen privilege and work‑product arguments, and keep your client’s midnight AI musings from becoming your opponent’s Exhibit A.

Read more