The standard advice for using AI without breaching confidentiality is to take out the client’s name. Strip the identifiers, then prompt freely. It is the answer most firm policies land on, and for an IP or patent practitioner it is close to useless.

Anonymizing a name is not the same as protecting confidential information, and the two come apart fast. The duty does not attach to the name. It attaches to information relating to the representation. A sufficiently specific fact pattern identifies a client as reliably as a letterhead. A compound with that mechanism, at that stage of development, from a company of that size, in that district - you have not hidden anyone. You have described them precisely and left off the label. Re-identification from "anonymized" facts is not exotic. It is the easy case.

For most practice areas that is a serious problem. For IP and patent work it is a different order of risk, because what enters the prompt is often not just confidential. It is rights-bearing.

Consider what an IP lawyer routinely has on the screen: an invention that has not been filed yet. Draft claims. A description of a process the client holds as a trade secret. Prior art the client does not know about and you have not yet designed around. Put any of that into the wrong system and the harm is not embarrassment. Depending on where the text goes and how that service is configured, you may be affecting novelty, creating a record that complicates a later priority dispute, or eroding the secrecy that a trade secret depends on for its very existence. The confidentiality breach and the substantive loss of rights become the same event.

That is why the real skill is not redaction. It is knowing where your text goes.

Not all AI use carries the same exposure, and treating it as a single category is its own failure of competence. There are roughly five modes, and a serious practitioner can say which one they are in:

  • Consumer chatbots, on free or personal tiers.

  • Business and enterprise deployments, including API access, where the major providers contractually disclaim training on your inputs by default.

  • Retrieval setups that point a model at your own documents.

  • Fine-tuning or custom models trained on your material.

  • Local or self-hosted models, where the text never leaves a machine you control.

The point is not that one of these is “safe” and the rest are forbidden. It is that the honest answer to “what happens to this text” is completely different across them, and a lawyer who cannot name which mode they are using cannot assess the risk at all. The competent move is to know - not to assume the worst, which paralyzes, and not to assume the best, which is how rights get waived.

So before a sensitive prompt, three questions do more than any redaction step.

First, taken together, what does this prompt identify? Not “did I remove the name,” but “could a careful reader reconstruct the client or the matter from the facts I left in.” If yes, the name was never the issue.

Second, where does this text go, and on what terms? Which of the five modes is this, and have you actually read what the provider does with inputs on that tier, rather than assumed it?

Third, does disclosure here change legal rights? Novelty, priority, privilege, trade-secret status. If the information is rights-bearing, your threshold for which tool you will use should be far higher than for a routine memo - and sometimes the right answer is that this particular text never goes into a general-purpose tool at all.

Local and tightly controlled setups help here, and for the most sensitive matters they are worth the trouble. They shrink how far the information travels and how many parties can touch it. But be precise about what they buy you. They reduce disclosure surface area and increase your control. They do not, by themselves, resolve privilege, competence, or conflicts - those are legal questions, not network settings. Anyone who tells you a local model makes privilege airtight is selling architecture as if it were doctrine.

Confidentiality in an AI-enabled practice is not a redaction habit. It is a routing decision, made before the text leaves your hands, by someone who knows where it is going.

I write more about practicing law in the age of agentic AI - using these tools without surrendering judgment, privilege, or the duty of competence - at The Agentic Lawyer. www.theagenticlawyer.com

Educational only, not legal advice, and no attorney-client relationship is created. Views are my own, not my employer's. Attorney advertising in some jurisdictions.
