Privilege at the Tool Call: AI Agents Inside Law and IP Firms
Privilege at the Tool-Call Layer
Most of my work focuses on regulation: PCI DSS, GDPR, SOX and operational resilience. In those environments, a control failure can lead to enforcement action, financial penalties and costly remediation.
Law firms and intellectual property practices face a different kind of exposure. The most serious consequence may not be a fine, but the loss of legal professional privilege or client confidentiality.
Depending on the jurisdiction and the circumstances, disclosure of privileged material to someone outside the protected relationship may result in privilege being waived. Once that happens, the position may be difficult or impossible to reverse.
That changes the access-control discussion. The question is not simply whether an AI system can reach sensitive information. It is whether every tool call is constrained tightly enough to prevent an agent from crossing a boundary that is defined by legal context rather than by a database field.
The matter management problem
Law firms and IP practices rely on matter management systems that contain case files, client correspondence, patent applications, prior art research, settlement positions and litigation strategy.
Connecting an AI research agent to those systems can deliver clear operational benefits. An agent might search across relevant matters, identify earlier advice, summarise documents, retrieve precedents or assemble prior art for review. Used carefully, it can reduce hours of repetitive work.
The access-control problem is harder.
Matter management systems often hold privileged and non-privileged material side by side. Legal advice may sit next to filed documents. Internal strategy may sit next to correspondence that has already been made public. A document's status may depend on who created it, why it was created, the matter it belongs to and how it is later used.
Those distinctions are not always visible in the folder structure.
An AI agent with broad tool access can cross those boundaries without recognising that it has done so. It may search for a phrase, retrieve a relevant passage from a privileged strategy note and include that passage in a summary that is later shared with someone outside the privileged group.
The agent has not necessarily malfunctioned. It has followed its instructions. The control failure occurred earlier, when the organisation allowed the agent to search too widely or failed to restrict the arguments it could submit to the underlying tools.
How unintended disclosure can happen
Consider a disclosure exercise in litigation. The firm produces a set of documents to opposing counsel. One of those documents is a summary prepared with the assistance of an AI agent. The summary contains a sentence derived from a privileged strategy memorandum.
The agent did not export the original memorandum. It searched the matter management system, found material that appeared relevant and used it to produce an answer. The issue is that nobody had restricted which matters it could query, which documents were in scope or which results could be incorporated into the output.
For an IP practice, the pattern is similar, although the commercial consequences may be different. Patent prosecution strategy, prior art analysis and planned opposition arguments are confidential to the client and may be commercially sensitive. An agent with unrestricted cross-matter access could surface one client's strategy while working on another client's matter.
The resulting exposure is not limited to data protection. It may include:
- loss of client confidence;
- professional conduct concerns;
- negligence claims;
- disputes over privilege or confidentiality; and
- the cost of investigating what the agent accessed and how the information was used.
The precise legal outcome will depend on the facts and the relevant jurisdiction. The technical lesson is more consistent: access needs to be controlled before the agent receives the material, not after it has generated a response.
Why privilege is different from regulated data
Many security controls are designed around identifiable data categories. GDPR applies to personal data. PCI DSS applies to cardholder data. Those categories can often be supported by classification rules, pattern matching, detectors and redaction.
Privilege is not a data type in the same sense. It arises from the relationship between the document, its purpose, the people involved and the relevant legal principles. A paragraph does not become privileged because it contains a particular phrase, and there is no regular expression that can reliably identify privileged material in every context.
Data classification still has value, but it is not sufficient on its own.
The more reliable control point is the tool call. The organisation needs to decide:
- which agents are allowed to call which tools;
- which matters each agent may query;
- which document classes are within scope;
- what arguments the agent may pass; and
- what evidence is retained for later review.
In other words, the control sits between the agent and the system it is trying to use.
What tool-call controls look like in practice
Three controls are particularly important for law firms and IP practices.
Identity-based allowlists
Each agent should have an explicit identity and a defined scope.
A litigation agent might be permitted to call search_matters and get_document, but only for matters assigned to the litigation team. An IP research agent would have a separate scope. Neither agent should automatically inherit access to the other's matters simply because both use the same underlying platform.
Wildcard rules can help where teams operate multiple agent instances. For example, litigation-agent-* could be granted access to a defined set of litigation tools, while ip-agent-* is limited to IP-specific functions.
The important point is that access is granted deliberately. It is not assumed because a tool is technically available.
Argument-level restrictions
Tool access alone is too coarse. An agent may be allowed to call search_matters, but that does not mean every matter reference should be accepted.
Argument-level controls can block calls that contain restricted matter IDs, client references or other prohibited values. If an agent submits a request containing a protected matter identifier, the gateway denies the call before it reaches the backend system. The agent does not receive the results and cannot incorporate them into a later response.
This is especially useful where several teams use the same tool but should operate within different matter boundaries.
A usable audit trail
Every tool call should create a structured record containing the agent identity, the tool used, the decision taken and the arguments supplied, with sensitive fields redacted where appropriate.
That evidence matters when a client asks, "Did anyone access my file?" It also matters during an internal investigation, a professional conduct review or a regulatory enquiry.
General application logs may contain some of this information, but they often require engineering support to reconstruct what happened. A purpose-built audit trail gives compliance, security and professional conduct teams a record they can query directly.
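The following Python sketch is an added illustration of the three controls just described, not code from the original post or from any gateway product it refers to. It places a policy enforcement point between an agent and the matter system: wildcard identity allowlists (litigation-agent-* and ip-agent-* as in the text), argument-level checks that refuse restricted or out-of-scope matter references before the backend is reached, and a structured audit record per call with free-text fields redacted. The tool names search_matters and get_document come from the post; search_prior_art, the LIT-nnnn / IP-nnnn matter ID format, the policy values and the field names are constructed assumptions.

```python
import fnmatch
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed policy: agent identity patterns (wildcards allowed) mapped to the
# tools they may call and the matters they may reference. Anything not listed
# is denied; access is granted deliberately, never inherited from the platform.
POLICY = {
    "litigation-agent-*": {
        "tools": {"search_matters", "get_document"},
        "matters": {"LIT-1001", "LIT-1002"},
    },
    "ip-agent-*": {
        "tools": {"search_prior_art", "get_document"},
        "matters": {"IP-2001"},
    },
}

# Constructed argument-level denylist: matter IDs that no agent may pass at all.
RESTRICTED_MATTERS = {"LIT-9999"}

# Constructed matter reference format; a real system would use its own IDs.
MATTER_REF = re.compile(r"\b(?:LIT|IP)-\d{4}\b")

# Argument fields holding free text (search queries, prompts) are redacted in
# the audit log so the log itself does not become a copy of privileged content.
FREE_TEXT_FIELDS = {"query", "text", "prompt"}


class ToolCallGateway:
    """Policy enforcement point sitting between an agent and the matter system."""

    def __init__(self, policy=POLICY, restricted=RESTRICTED_MATTERS):
        self.policy = policy
        self.restricted = restricted
        self.audit_log = []

    def _scope_for(self, agent_id):
        for pattern, scope in self.policy.items():
            if fnmatch.fnmatchcase(agent_id, pattern):
                return scope
        return None

    @staticmethod
    def _matters_in(args):
        # Collect every matter reference anywhere in the arguments, nested or not.
        return set(MATTER_REF.findall(json.dumps(args)))

    @staticmethod
    def _redact(args):
        return {k: (f"<redacted:{len(str(v))} chars>" if k in FREE_TEXT_FIELDS else v)
                for k, v in args.items()}

    def authorize(self, agent_id, tool, args):
        """Return (decision, reason) and append an audit record for the call."""
        scope = self._scope_for(agent_id)
        matters = self._matters_in(args)
        if scope is None:
            decision, reason = "deny", "unknown agent identity"
        elif tool not in scope["tools"]:
            decision, reason = "deny", "tool not allowlisted for agent"
        elif not matters:
            # A call naming no matter would search across every matter; refuse it.
            decision, reason = "deny", "no matter reference; unscoped search refused"
        elif matters & self.restricted:
            decision, reason = "deny", "restricted matter reference"
        elif not matters <= scope["matters"]:
            decision, reason = "deny", "matter outside agent scope"
        else:
            decision, reason = "allow", "within scope"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc),
            "agent": agent_id,
            "tool": tool,
            "decision": decision,
            "reason": reason,
            "matters": sorted(matters),
            "args": self._redact(args),
        })
        return decision, reason

    def matters_accessed(self, agent_pattern, since=None):
        """Answer 'which matters could this agent reach?' from the audit log."""
        found = set()
        for rec in self.audit_log:
            if rec["decision"] != "allow" or (since and rec["ts"] < since):
                continue
            if fnmatch.fnmatchcase(rec["agent"], agent_pattern):
                found.update(rec["matters"])
        return found


if __name__ == "__main__":
    gw = ToolCallGateway()
    print(gw.authorize("litigation-agent-3", "search_matters",
                       {"matter_id": "LIT-1001", "query": "limitation defence"}))
    print(gw.authorize("litigation-agent-3", "get_document", {"matter_id": "IP-2001"}))
    print(gw.authorize("litigation-agent-3", "get_document", {"matter_id": "LIT-9999"}))
    print(gw.authorize("ip-agent-1", "search_matters", {"matter_id": "IP-2001", "query": "x"}))
    last_week = datetime.now(timezone.utc) - timedelta(days=7)
    print("litigation matters reached:", gw.matters_accessed("litigation-agent-*", last_week))
    print(json.dumps(gw.audit_log[0], default=str, indent=2))
```

Two design points are worth noting. The matter check scans the whole argument structure rather than one named field, so a matter reference hidden in a nested filter is still caught. And the audit record stores only the matters referenced plus redacted free text, which is enough to answer "did anyone touch my file?" without the log itself reproducing the privileged query.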
Keeping client data inside the firm
For legal and IP practices, deployment architecture is part of the confidentiality model.
Client information leaving the firm's environment is not only a data protection concern. It may also engage contractual duties, professional obligations and the wider duty of confidence that underpins the client relationship.
In the gateway model described above, the gateway runs inside the firm's own infrastructure. Data is not sent to me or to another third party. The firm's IT team controls the deployment, the logs and the access policies.
That does not remove every risk. The firm still needs appropriate governance, matter-level permissions, secure model deployment and clear operating procedures. It does, however, keep the enforcement point and the evidence within the firm's control.
A practical test
A useful starting point is to ask three questions about any AI agent connected to a matter management system:
- Which matters could the agent access last week?
- Can the firm prove which tools it called and what arguments it supplied?
- Can the firm show that privileged or confidential material was not disclosed outside the permitted scope?
If those questions cannot be answered, the gap is not simply an AI governance issue. It is a control weakness that may affect professional duties, client trust and the firm's ability to respond when something goes wrong.
Learn more about the MCP Audit and Compliance Gateway
Could your firm answer those three questions today?
