TLDR: A March 2026 Delaware Chancery Court ruling used an executive's AI chat logs as substantive evidence, making clear that AI prompts and conversation histories are now discoverable. For law firms, the more pressing issue is not offensive discovery strategy but preservation: the duty to hold AI artifacts attaches before litigation begins, privilege protection depends on facts that exist at the moment of use, and most litigation hold memos and custodian interview protocols have not caught up. This piece covers what needs to change, and why the fix is as much a technology governance problem as a legal one.
For most law firms, AI governance conversations in 2026 have centered on a consistent set of questions: which tools are approved for client-matter work, how to keep confidential data off consumer platforms, and who reviews AI-generated output before it leaves the firm. Those are the right questions, and they are worth getting right.
A Delaware Chancery Court opinion from March adds one that the compliance framework at most firms hasn’t yet caught up to: what happens when an AI chat log becomes evidence.
In Fortis Advisors LLC v. Krafton Inc., Vice Chancellor Lori W. Will used a chatbot conversation as substantive evidence in a post-trial ruling. The acquiring company's CEO had used an AI platform to develop a strategy to defeat a $250 million earnout obligation, one his own legal team had already told him could not be won through a for-cause termination. The bot supplied the operational blueprint. The court quoted it at length, reinstated the target company's CEO, and extended the earnout period by 258 days.
The case has drawn attention as a discovery warning: litigators now need to request AI prompts and chat histories, because the chat log has become the new smoking gun email. That’s half the lesson. The half that lands on firms directly arrives earlier in the timeline. It lives in the litigation hold memo, the custodian interview protocol, and the question of whether your technology environment is configured to preserve AI artifacts before anyone thinks to ask for them. If it’s not, the gap will not show up in your compliance documentation...it will show up in a deposition.
The duty to preserve electronically stored information attaches when a party reasonably anticipates litigation. That standard comes from Zubulake v. UBS Warburg LLC and the cases that followed it, and it’s technology-neutral. Email, text messages, shared drives, and AI chat logs all fall under the same obligation once the trigger is met.
The complication generative AI introduces is that the tool itself has become the medium through which executives reason about the very disputes that trigger the duty. The Krafton CEO did not use an AI platform to draft a press release or summarize a document. He used it to develop a response strategy for a $250 million earnout dispute, one his own legal team had already told him could not be defeated the way he wanted to defeat it. The AI conversation and the underlying dispute became the same thing. By the time a complaint was filed, the prompts and responses were already a months-old record of exactly what the executive had been thinking, and how he had been directed to act on it.
The implication for firms is direct. By the time outside counsel is retained, the executives most likely to face deposition have often been using AI on the matter for weeks. The litigation hold memo, the custodian interviews, and the preservation conversations that shape the privilege record all happen in-house first. If the hold does not expressly cover AI artifacts, and most written before 2024 do not, the window to capture that record may already be closing.
Most attorneys understand attorney-client privilege intuitively. What two recent federal decisions make clear is that AI-generated material does not inherit that protection automatically, and the facts that determine whether it’s protected are facts that exist at the moment someone opens the chat window, not at the moment litigation begins.
In U.S. v. Heppner (S.D.N.Y., February 2026), Judge Jed S. Rakoff held that documents a criminal defendant generated using the consumer version of Anthropic's Claude were protected by neither attorney-client privilege nor the work-product doctrine. The reasoning was straightforward: Claude is not an attorney, Anthropic's consumer privacy policy disclosed that inputs could be used for model training and shared with regulatory authorities, and counsel had not directed the AI use. No confidentiality expectation, no privilege.
In Warner v. Gilbarco Inc. (E.D. Mich., February 2026), the court reached a different result on different facts, declining to compel a pro se plaintiff to produce her AI interactions on the grounds that doing so would expose internal analysis and mental impressions. The protection held, but only because the use was in anticipation of litigation and structured in a way that kept the output out of the adversary's hands.
The practical rule that both cases established is the same: protection turns on four facts that exist at the moment of use. Was it a consumer or enterprise platform? Do the platform's terms preserve confidentiality or permit third-party disclosure? Did legal direct the use? Did the output stay inside the privilege? Change any one of those facts, and the analysis shifts.
For IT administrators and firm technology leads, that rule has a direct operational consequence. The difference between a protected AI artifact and a discoverable one may come down to whether the custodian used the firm's enterprise Microsoft 365 Copilot account or a personal ChatGPT account on their phone. Those are infrastructure and policy decisions, not legal ones, and they need to be made before a dispute arises, not reconstructed afterward.
A litigation hold memo drafted before 2024 that covers email, Teams, and SharePoint is doing most of the job. The part it’s missing is increasingly the part that matters.
At a minimum, an updated memo needs to expressly identify generative AI tools as a category of preservable electronically stored information and give custodians instructions specific enough to act on. Vague language about "digital communications" won’t cover it. Here’s what concrete guidance looks like:
That last item has a specific technical wrinkle worth knowing. Microsoft retains Copilot prompts and responses in a hidden Exchange mailbox folder called SubstrateHolds, reachable through Purview eDiscovery. That data exists and is recoverable, but only if someone in the litigation hold workflow knows to look for it. For IT administrators managing Microsoft 365 environments at law firms, this is not an edge case. It is a standard configuration detail that now carries discovery implications.
The custodian interview protocol needs the same update. Standard scripts ask about email accounts, messaging platforms, and shared drives. They do not ask whether a custodian has been using a personal AI account on a personal device, or whether a custom system prompt configured months ago has been quietly shaping every interaction since. Those questions need to be on the list now.
The Krafton CEO acknowledged deleting relevant AI chat logs after the dispute began. Instructing custodians not to delete is the straightforward part. Documenting that those instructions were given, and when, is what the damages phase of Krafton is likely to turn on. It is also what the next significant AI spoliation ruling will turn on.
Enterprise AI deployments are largely a manageable governance problem. Most firms running Microsoft 365 Copilot or a comparable enterprise platform have at least some visibility into how those tools are being used. The harder gap is the executive running a personal AI account on a personal device with retention defaults the firm has never seen and cannot control.
Picture a general counsel who learns, two weeks before a Rule 30(b)(6) deposition, that the chief operating officer has spent the past month using a personal ChatGPT account on his phone to draft talking points about the exact dispute that triggered the litigation hold. The data sits on the vendor's servers. Some consumer tiers default to rolling 30-day deletion of temporary chats. The most relevant material may already be gone before anyone thinks to ask for it.
This is the natural consequence of AI becoming a personal productivity tool before firms established clear policies about which accounts are approved for which purposes. The Heppner ruling makes the stakes explicit: consumer platform use without legal direction carries no privilege protection regardless of what the custodian intended.
For IT administrators and technology leads at law firms, this reframes what AI governance actually requires. It’s not only about configuring the firm's enterprise tools correctly, though that matters. It’s about knowing which tools your attorneys and staff are actually using, on which devices, under what terms, and with what retention settings. At most firms right now, that answer sits somewhere between incomplete and unknown.
The firms that close that gap now are the ones that can demonstrate reasonable steps when a court examines the record. The practical work is narrower than it sounds: an updated acceptable use policy specifying approved AI platforms, device management that gives the firm visibility into AI tools on firm-issued hardware, and an AI audit as a standard agenda item at matter kickoff; which tools, which custodians, which devices, and which retention settings. That conversation needs to happen at the start of a matter, not two weeks before a deposition.
The Krafton ruling did not create a new legal standard. It applied an existing one to a category of evidence most firms had not yet built into their preservation workflows. The duty to preserve attaches when litigation is reasonably anticipated, privilege protection depends on facts that exist at the moment of use, and the litigation hold memo and custodian interview protocol are the documents that shape both. For most firms, all three need an update.
What makes this a technology problem as much as a legal one is that the gap between a protected AI artifact and a discoverable one often comes down to infrastructure decisions: which platform a custodian was using, whether it was an enterprise or consumer account, what the retention defaults were set to, and whether anyone in the firm knew to look for a SubstrateHolds folder before the deposition notice arrived. Those are not questions outside counsel can answer retroactively.
Heroic Technologies works with law firms across Oregon, Washington, and California on exactly the kind of technology governance that determines those answers. That includes configuring Microsoft 365 Copilot and enterprise AI tools with appropriate retention and eDiscovery settings, building acceptable use policies that distinguish approved platforms from personal accounts on client matters, and ensuring the firm's IT environment is set up to support preservation obligations before a dispute makes them urgent.
If your firm is still running AI governance on 2023 assumptions, now is the right time to close the gap. Reach out to Heroic Technologies for an assessment, and let's make sure your technology infrastructure is ready for what the next wave of AI discovery rulings will demand.
1. Does the duty to preserve AI chat logs apply even if no lawsuit has been filed yet?
Yes. The preservation standard established in Zubulake and subsequent cases requires preservation when litigation is reasonably anticipated, not when a complaint is filed. Because executives increasingly use AI to reason through disputes before they escalate to litigation, the duty to preserve those conversations can attach weeks or months earlier than most firms currently account for. When a demand letter arrives, a deal starts going sideways, or a regulatory inquiry lands, that is when the preservation conversation needs to happen.
2. If an attorney uses an enterprise AI platform, is that output automatically privileged?
Not automatically, but enterprise platform use is one of the facts that support a privilege claim. The Heppner ruling turned in part on the fact that the defendant used a consumer account whose terms permitted third-party disclosure. Enterprise tiers typically offer data processing agreements and confidentiality terms that support a reasonable expectation of privacy. The other factors still apply: whether legal directed the use and whether the output stayed inside the privilege. Platform selection is necessary but not sufficient.
3. What should a law firm's IT team actually do right now?
Three things: audit which AI tools are in use across the firm, including any personal accounts attorneys may be using on firm matters; confirm that Microsoft 365 Copilot retention and eDiscovery settings are configured correctly, including SubstrateHolds visibility in Purview; and work with firm leadership to update the acceptable use policy to specify which platforms are approved for client-matter work. Those steps do not require waiting for outside counsel or a compliance review. They are infrastructure decisions that can be made today.