Class 7 – Privilege-Specific Confidentiality Risk (Risk Taxonomy 2026)
Definition
Class 7 covers risks where AI use creates exposure of client-confidential or privileged information through:
- Prompt-context leakage (e.g., past conversation or document context resurfacing in other outputs)
- Retraining on privileged material (model or embedding store updated with privileged content in a way that can affect other matters or clients)
- Cross-engagement contamination in vendor systems (data from one client/matter influencing responses for another)
- Sub-processor disclosure beyond the agreed engagement scope
Class 7 is the privilege-specific subset of Class 2 (Data leakage). The underlying mechanics resemble general data leakage, but the consequences are sharper (waiver of privilege, sanctions, disqualification, reputational harm) and mitigation requirements are tighter (privilege-preserving architecture, stricter vendor controls, and publication-block handling).
Required Mitigations
Mitigation for Class 7 requires:
- Privilege-Preserving Architecture (DAT-01)
- Segregated data planes for privileged vs. non-privileged content.
- No training, fine-tuning, or long-lived memory on privileged material unless explicitly designed as a matter-scoped, access-controlled store.
- Strong identity, access management, and logging tied to matter/client identifiers.
- Vendor Data Protection Obligations (DAT-03)
- Contractual guarantees that vendor models and systems do not use privileged data for cross-customer training.
- Explicit controls on sub-processors and data residency.
- Right to audit or obtain independent assurance (e.g., SOC 2, ISO 27001) with AI- and training-specific controls.
- Client Disclosure and Consent (CLI-01)
- Engagement-letter language that discloses AI use where applicable, including:
- Whether third-party AI vendors are used.
- How privileged data is isolated, stored, and protected.
- Any circumstances under which data may leave firm-controlled environments.
- Where required, client consent for specific AI workflows (e.g., large-scale document review using external LLMs).
- Engagement-letter language that discloses AI use where applicable, including:
- Tier 4 Capability – Privilege-Handling Testing (VEN-03)
- For Tier 4 AI capabilities, POC scenarios must explicitly test privilege handling under privilege-mixed content (documents or prompts containing both privileged and non-privileged material).
- Test cases include:
- Ensuring no bleed-over of privileged content into non-privileged workspaces or other matters.
- Verifying that redaction, summarization, and classification workflows preserve privilege markings and do not strip or misapply them.
- Confirming that vendor logs, telemetry, and caches do not expose privileged content outside the agreed scope.
Relationship to Other Classes and Governance
- Overlap with Class 8 (Professional Conduct)
- Failure to supervise AI tools and vendors handling privileged data can constitute a Rule 5.3 supervision failure.
- Lawyers remain responsible for ensuring that AI use does not compromise confidentiality or privilege.
- Evidence Register Handling (GOV-13)
- In the Evidence Register, Class 7 cells are treated as publication-block-grade.
- This means:
- Evidence and incident records involving Class 7 are highly restricted, not available for general training, demos, or knowledge-base publication.
- Any reuse of Class 7 incident data (e.g., for training staff or improving controls) must be carefully anonymized and scoped to avoid secondary leakage.
Practical Positioning and Usage
- When to classify as Class 7 vs. Class 2
- Use Class 7 when the data at risk is client-privileged or work-product and exposure could affect privilege, ethical duties, or court-facing obligations.
- Use Class 2 only when the data is sensitive but not privileged (e.g., internal firm operations data, non-privileged client business data).
- Examples of Class 7 Scenarios
- Uploading a privileged litigation memo to a general-purpose LLM that retains it for model improvement.
- A vendor’s multi-tenant vector database allowing embeddings from one client’s matter to influence retrieval for another client.
- An AI drafting tool that surfaces snippets from a prior privileged brief in a new, unrelated client’s document.
- Logging or monitoring systems at a sub-processor storing full privileged prompts in plaintext beyond the agreed engagement scope.
- Design Implications
- Default to matter-scoped, non-training, non-sharing configurations for any AI system that may touch privileged content.
- Treat prompt logs, caches, and embeddings as part of the privileged record when they contain or derive from privileged material.
- Ensure governance alignment: DAT-01, DAT-03, CLI-01, VEN-03, and GOV-13 must be implemented coherently to manage Class 7 risk end-to-end.
Class 7 is not just another data leakage category; it is the privilege-focused subset of Class 2 with elevated ethical, legal, and governance stakes. Any AI workflow that can touch privileged material must be architected, contracted, and tested specifically for privilege preservation, and incidents must be handled as publication-block-grade in the Evidence Register.
image pending
Diagram showing Class 7 as a subset of Class 2 with links to DAT-01, DAT-03, CLI-01, VEN-03, and GOV-13 controls.