The legal profession has a data problem that didn't exist a decade ago. The tools that make legal work faster — AI-assisted research, contract analysis, document review — also create new exposure: client-identifiable data transmitted to third-party servers under terms that range from ambiguous to clearly incompatible with professional obligations.
This article is for attorneys and legal professionals thinking through how to capture the productivity benefits of AI without creating privilege, confidentiality, or ethics problems in the process.
The Exposure Problem
When an attorney types a client-specific query into a commercial AI tool — ChatGPT, Claude's standard interface, Gemini — that query is transmitted to a third-party server. The provider logs it, processes it, potentially retains it, and operates under terms of service that are not designed to accommodate attorney-client privilege.
The ABA has issued formal guidance noting that attorneys using AI tools that transmit client information to third-party servers may be creating disclosure that undermines privilege and potentially violates Model Rules 1.6 (confidentiality of information) and 1.1 (competence, which now includes technological competence). State bars have issued their own guidance, some more specific than others, most arriving at the same conclusion: attorneys need to understand where their data goes.
The question isn't whether AI is useful for legal work. It clearly is. The question is whether the specific data flow created by AI tool usage is compatible with professional obligations. For many commercial AI tools, the honest answer is: it depends on what data you transmit.
What a Privilege-Preserving Configuration Looks Like
HammerLockAI can be configured for legal work in three ways, from most to least conservative:
Local-only. Every query runs on Ollama models installed on your device. No data leaves your machine for any query. Attorney-client privilege analysis: straightforward. You're using an AI tool running on your own hardware — the analysis is no different from using any other locally-installed software. Zero third-party transmission, zero third-party access.
Anonymized cloud. Cloud AI providers handle queries, but PII is stripped before transmission. Client names, company names, matter identifiers, and other identifiers are replaced by generic placeholders before the query reaches any cloud server. The provider sees a legal question without client-identifiable context. This is a significantly more defensible posture than full-data cloud transmission, though not as clean as local-only.
Standard cloud. Cloud providers receive queries as-written. Only appropriate for legal research on non-client-specific questions — general law research, statute lookups, academic legal questions — where no client information is involved.
The appropriate configuration depends on the nature of the query. For any query involving a specific client, matter, or client-identifiable facts: local-only or anonymized cloud. For purely general research: any configuration.
Contract Review Workflow
Contract review is one of the highest-value AI use cases in legal practice — and one of the highest-risk from a confidentiality standpoint, since contracts contain client-identifiable commercial terms.
A privacy-preserving contract review workflow in HammerLockAI:
Step 1: Upload the contract. PDF upload is encrypted locally. The contract is stored in your encrypted vault.
Step 2: Configure for the sensitivity level. If the contract has identifiable client information on the face of it — party names, deal specifics — run the Counsel agent in local Ollama mode for the analysis, or in anonymized cloud mode where the PII anonymizer handles party names.
Step 3: Run the initial analysis.
Query: "Analyze this commercial distribution agreement. Provide: (1) a summary of key commercial terms, (2) any unusual or non-standard provisions that deviate from market norms, (3) provisions that create material risk for the distributor, and (4) any missing standard provisions I should flag for the client."
The Counsel agent produces a structured analysis. In local mode, this runs on your hardware entirely. In anonymized cloud mode, the provider sees the substantive legal analysis query with placeholder names, not "Company A" and "Company B" mapping to your actual client and counterparty.
Step 4: Drill down on flagged issues.
Query: "The indemnification clause in Section 12 doesn't have a cap on liability. What's the market standard for a cap in this type of agreement, and draft two alternative versions: one that's aggressive in protecting my client, one that's a reasonable compromise position."
Step 5: Export the analysis. Export the session as markdown, save to your vault, or copy to your document management system. The analysis is encrypted in your vault; the export you take to your document management system is your work product.
This workflow gives you a structured first-pass analysis of a complex agreement in a fraction of the time it would take to do it manually — with your client's information protected at each step.
Case Research Without Client Disclosure
Case law research is the legal AI use case with the least privilege risk — you're usually researching the law, not your specific client's situation. But the risk exists when research queries include client-specific facts.
The distinction: "What is the current state of circuit law on personal jurisdiction over foreign corporations?" is a pure research query. No client data involved.
"Does [my client's specific fact pattern] satisfy the minimum contacts test for personal jurisdiction in the Ninth Circuit, given these facts: [specific facts]?" is a client-specific analysis query that carries disclosure risk if the facts are sufficient to identify the client or matter.
In practice, you can often preserve the benefit of client-specific analysis while reducing disclosure risk by:
Anonymizing the facts yourself. Change identifying details in the hypothetical before submitting: industry categories instead of company names, approximate figures instead of specific dollar amounts, "a distributor" instead of your client's name. This is essentially manual anonymization — HammerLockAI's PII layer handles it automatically, but you can also do it intentionally.
Separating legal research from factual analysis. Run the legal research query in standard mode to get the legal framework. Run the factual application in local mode. You get the full cloud model's capability on the legal question; you keep the sensitive factual application local.
Using the Counsel agent's IRAC structure. Ask Counsel to give you the IRAC framework for the legal issue, then apply it yourself to the client-specific facts. You get the legal structure without transmitting the client details.
Regulatory Compliance Research
Regulatory compliance research for clients is high-value and often time-intensive — tracking regulatory developments across multiple agencies, synthesizing guidance documents, identifying compliance gaps against current rules.
HammerLockAI's Brave-powered search enables real-time regulatory research: current FDA guidance, recent SEC enforcement actions, FTC rulemaking updates, state-level regulatory changes. Search queries go through the PII anonymizer before reaching Brave's infrastructure.
A regulatory compliance research workflow:
Query: "Search for current SEC enforcement actions related to cryptocurrency exchanges operating without proper registration in the last 12 months. Summarize the enforcement posture and what the actions reveal about SEC's current priorities."
Counsel retrieves current results, synthesizes them, and produces an analysis of enforcement priorities — the kind of real-time regulatory intelligence that keeps your compliance advice current.
Query: "Based on the current enforcement posture, draft a compliance risk assessment memo for a client in this space. Structure it as: current regulatory framework, enforcement priorities, highest-risk practices, recommended compliance steps."
This produces a structured memo you can adapt for your specific client — with client details added manually in your document management system after the AI has done the structural and research work.
The Ethics Opinion You Haven't Read Yet
If your bar association hasn't issued formal guidance on AI tool usage, it will. Most state bars are actively working on it. The common threads in guidance issued so far:
- Competence obligations extend to understanding how AI tools work, including data handling
- Confidentiality obligations apply to client data transmitted to AI tools
- Supervision obligations require that attorneys review AI output before relying on it
- Billing transparency may require disclosure of AI tool usage
Getting ahead of this guidance means understanding your tool's data architecture now, not after guidance arrives. HammerLockAI's architecture is documented precisely — you can tell your client or your bar exactly what happens to data at each step because this article is that documentation.
That's a better position than "I used a commercial AI tool and I'm not sure where the data went."
HammerLockAI is built for professionals with confidentiality obligations. Get started →