The AI Legal Privilege Problem Is Control, Not Code: Lessons from Munir and Heppner

May 28, 2026

From Hallucinations to Confidentiality

The legal profession’s first encounter with the pitfalls of AI was hallucinated authority. Commentators tracking AI hallucination cases have identified more than 60 suspected or confirmed incidents in the UK, and more than 1,000 globally. The issue has reached the highest levels of legal practice: in April 2026, Sullivan & Cromwell apologized to a New York federal judge after a filing reportedly included AI-generated citation errors and misstatements of the US bankruptcy code. In May 2026, Pinsent Masons was admonished by London’s High Court after its lawyers made false submissions based on AI, twice misleading the court by inaccurately citing a statute in a routine insolvency application.

In a precedent-based legal system, that risk is obvious. A fabricated authority can mislead the court, prejudice a party, and expose the lawyer to professional consequences.

The next risk is quieter, but potentially more serious: lawyers placing privileged or confidential material into AI systems without understanding where that data goes, who can access it, and what terms govern its use. These are AI confidentiality risks that often surface only after something goes wrong.

Recent decisions in the UK and US point in the same direction. In the UK, Munir v Secretary of State for the Home Department [2026] is significant because it appears to be the first English court or tribunal decision to comment directly on the privilege risks of placing confidential material into AI tools. In the US, United States v Heppner [2026], a New York court treated communications with a public AI platform as falling outside the protected lawyer-client relationship.

Together, they point to the same practical problem. The issue is not what an AI tool is called. It is whether the environment receiving the data is controlled enough to preserve confidentiality.

Munir and Heppner: Two Cases, One Warning

One distinction matters: not all AI tools carry the same risk. The meaningful line is not public AI versus enterprise AI, but uncontrolled versus controlled, and whether the environment that is being used has defined access, retention limits, confidentiality protections, and governance capable of being defended to a court.

In Munir, the Upper Tribunal considered two immigration cases involving suspected AI use by legal representatives. In one, grounds of judicial review contained fictitious citations. In the other, an immigration adviser cited unrelated case law, denied using AI, and later accepted he could not dismiss the possibility that the case was an AI creation.

At paragraph 21, the Tribunal went further. It observed that putting client letters and Home Office decision letters into an “open source AI tool, such as ChatGPT” would “place this information on the internet in the public domain”, breach client confidentiality, and waive legal privilege.

That warning matters, even though Munir is not a final answer to every privilege question. The Tribunal was not asked to decide whether privilege had actually been lost, and an Upper Tribunal decision is not binding on the High Court. Its value is practical, and it shows how seriously courts may treat the use of public or consumer AI platforms for client material. 

Those platforms are not legal workspaces simply because they feel private to the user. They are externally hosted, general-purpose services that may sit outside the confidentiality framework required to preserve privilege.

Heppner shows the same risk through platform terms. The defendant had independently entered information into Claude and later argued that the resulting AI-generated documents were privileged. The court disagreed. It found the communications were not confidential, not simply because Claude was a third-party AI platform, but because Anthropic’s privacy policy allowed it to collect user inputs and outputs, use them for training, and disclose them to third parties, including government authorities.

Heppner is a US decision, applying a different privilege framework. However, the practical lesson is highly relevant. If a platform’s terms permit collection, training, or onward disclosure, it becomes much harder to argue that confidentiality has been preserved.

The Real Issue Is Control, Not Code

The Tribunal’s warning in Munir was right, but its technical framing still matters because it risks obscuring the real issue.

ChatGPT is not open source in any ordinary technical sense. Open-source software has source code that is publicly available for inspection, modification, and reuse under defined licensing terms. ChatGPT is better understood as a proprietary, externally hosted, general-purpose generative AI service.

That distinction is not semantic nit-picking. Source-code status tells lawyers very little about confidentiality risk. An open-source model can be deployed securely inside a tightly controlled private environment. A proprietary model can become risky when accessed through a public consumer interface. 

This also explains why public AI is different from other hosted tools. Lawyers routinely use email, cloud storage, secure file transfer tools, and eDiscovery platforms. Those systems do not automatically destroy privilege simply because a third party hosts them.

A public chatbot usually sits outside that framework. It is not a lawyer. It is not automatically the lawyer’s agent. It is not inherently part of the protected lawyer-client relationship. It is a third-party system receiving information under its own terms. 

Public AI, Enterprise AI, and the Behaviour Gap

The market increasingly wants a simple distinction: public AI is unsafe; enterprise AI is safe. That framing is useful, but incomplete.

A lawyer using the free version of ChatGPT to summarise a client memorandum is in a different position from a firm operating an enterprise AI assistant within its own Microsoft 365 tenant. Enterprise deployment may reduce risk, but familiar branding, tenant integration, and workplace convenience are not substitutes for confidentiality terms, access controls, and defensible data handling.

For privileged or confidential workflows, legal teams should aim for controlled AI environments. That may mean an enterprise tool with appropriate contractual protections, a dedicated eDiscovery platform, a private AI workspace, or a matter-specific environment configured around confidentiality. The product label matters less than the safeguards. 

The harder governance challenge is behaviour. Many organisations prohibit public AI tools for confidential material, but lawyers and business teams still use them for summaries, translations, chronologies, and first drafts when the approved alternative is unclear, slow, or inconvenient.

Five Questions Before Using AI on Confidential Material

Before using AI on privileged or confidential material, legal teams should be able to answer five questions:

  1. Where does the data go? 
  2. Who can access prompts, uploads, and outputs? 
  3. Is the material retained, reused, or used for training? 
  4. What contractual confidentiality, deletion, and audit controls apply? 
  5. Could the workflow be explained to a client, court, regulator, or opposing party? 

These are not abstract governance questions. They are the practical minimum for defensible AI use in contentious legal work, and they go directly to AI confidentiality risks and how to mitigate them.

Conclusion: Cautious Optimism, Not Casual Adoption

Munir and Heppner should not be understood as anti-AI decisions. They are warnings about uncontrolled disclosure through AI systems.

AI can be used safely in legal practice. Courts, regulators, and law firms are not rejecting AI. Carefully governed AI-assisted workflows will continue to expand because the efficiency gains are too significant to ignore.

The point is narrower and more important: confidentiality does not depend on whether a tool is described as open source, proprietary, public, private, or enterprise. It depends on whether the legal team understands where client material goes, who can access it, how it may be used, and whether the contract preserves confidentiality through clear controls on retention, deletion, and onward disclosure. That is the core of responsible enterprise AI governance, and it is also what helps preserve legal professional privilege in practice.

Lawyers do not need to retreat from AI. They need to stop treating convenience as control.

Reuben Miller, Associate, Consulting & Information Governance