---
title: "ABA Model Rule 1.6 Compliant AI: Privileged Work Product Stays Behind the Firewall"
slug: "aba-model-rule-1-6-compliant-ai"
author: "ibl.ai Engineering"
date: "2026-06-01 20:30:00"
category: "Premium"
topics: "ABA Model Rule 1.6 AI, ABA Rule 1.6 compliant AI, attorney-client privilege AI, privileged work product AI, law firm AI confidentiality, ABA 1.6 self-hosted AI, state bar AI opinions, lawyer AI compliance"
summary: "ABA Model Rule 1.6 obligates lawyers to make 'reasonable efforts to prevent the inadvertent or unauthorized disclosure of' client information. State bars are converging on the view that this is incompatible with sending privileged work product to managed AI vendors. Self-hosted AI inside the firm's network is the architecture that satisfies the rule by deployment."
banner: ""
thumbnail: ""
---

## The Short Answer

**ABA Model Rule 1.6 compliant AI means privileged work product stays inside the firm's network — not in a managed AI vendor's cloud.** ibl.ai's self-hosted architecture aligns directly with Rule 1.6's "reasonable efforts" standard: the runtime, the model, and the privileged data all sit inside the firm's existing perimeter, where the firm's existing confidentiality controls already operate.

## What Rule 1.6 Actually Requires of AI Use

ABA Model Rule 1.6(c) reads: *"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."*

Three structural questions every firm's general counsel asks of any AI deployment:

**1. Where does privileged work product live during the inference call?** A managed AI vendor's cloud is — at minimum — transit. Even with a DPA, the privileged information has been processed by a third party.

**2. Who has access to logs and intermediate state?** The vendor's engineers, sub-processors, and (under subpoena to the vendor) third parties have potential access. The firm's confidentiality controls don't extend to the vendor's environment.

**3. What contractual + technical controls prevent the vendor from using client data for training, evaluation, or quality improvement?** A strong DPA addresses this contractually. The technical controls live in the vendor's environment, not the firm's.

State bars are increasingly answering: **"reasonable efforts" requires the firm's confidentiality controls to extend to the AI processing path — which is hard when a managed vendor controls that path.**

Recent state-bar opinions (NY, CA, FL, IL, and others) have not banned managed AI vendors outright, but have raised the bar on disclosure, supervision, and informed consent. The architectural shortcut: keep the privileged data inside the firm's network.

## How ibl.ai's Architecture Satisfies Rule 1.6 by Deployment

**Self-hosted runtime inside the firm's network.** The runtime executes in the firm's existing VPC or on-prem environment — same network as iManage / NetDocuments / SharePoint. Privileged documents are processed inside the firm's existing confidentiality perimeter.

**Model-agnostic with firm-controlled routing.** Open-weight models (Llama 4 / DeepSeek-R1) run on firm GPUs, so no data leaves the firm's network. For frontier-lab models (Claude / GPT-5 / Gemini), cloud API calls route through a firm-controlled proxy that enforces data-residency policy and logs every call to the firm's SIEM. The firm decides which models are permitted for which matters.

**Open-source platform.** OpenClaw is MIT-licensed; the platform license is perpetual. The firm can audit the code, document it in the firm's AI governance policy, and operate independently.

**Audit logs in the firm's SIEM.** Every AI call, every model output, every tool invocation logs into the firm's existing SIEM with matter ID, user ID, model version, and timestamp. The firm's normal supervision processes apply.

**Conflicts checking + DMS integration inside the firm.** Connectors to iManage / NetDocuments / SharePoint / the firm's matter-management system run inside the firm's network. Documents never leave the perimeter to be reviewed.
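The per-matter routing and SIEM logging described above can be sketched as a default-deny policy check that emits one audit record per call. This is an added example, not ibl.ai or OpenClaw code; the model labels, matter IDs, policy table, and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed identifiers: labels for the model families the page names.
LOCAL_MODELS = {"llama-4", "deepseek-r1"}      # open-weight, served on firm GPUs
CLOUD_MODELS = {"claude", "gpt-5", "gemini"}   # reachable only through the proxy

# Constructed per-matter policy; a real firm would load this from its
# matter-management system (assumption).
MATTER_POLICY = {
    "M-1001": {"cloud_allowlist": set()},        # privileged: local only
    "M-2002": {"cloud_allowlist": {"claude"}},   # one cloud model approved
}

def route(matter_id, user_id, model, model_version, now=None):
    """Decide where a call may go and build the audit record for it.

    Default-deny: unknown matters and unknown models are refused, and
    refusals are logged exactly like permitted calls.
    """
    policy = MATTER_POLICY.get(matter_id)
    if policy is None:
        decision, reason = "deny", "unknown_matter"
    elif model in LOCAL_MODELS:
        decision, reason = "allow_local", "open_weight_on_firm_gpu"
    elif model in CLOUD_MODELS and model in policy["cloud_allowlist"]:
        decision, reason = "allow_cloud_via_proxy", "matter_allowlist"
    elif model in CLOUD_MODELS:
        decision, reason = "deny", "cloud_model_not_approved_for_matter"
    else:
        decision, reason = "deny", "unknown_model"

    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "matter_id": matter_id,
        "user_id": user_id,
        "model": model,
        "model_version": model_version,
        "decision": decision,
        "reason": reason,
    }
    return decision, record

def to_siem_line(record):
    """Serialize one record as a JSON line for the SIEM forwarder."""
    return json.dumps(record, sort_keys=True)

if __name__ == "__main__":
    for args in [("M-1001", "u-17", "claude", "2026-05"),
                 ("M-2002", "u-17", "claude", "2026-05")]:
        print(to_siem_line(route(*args)[1]))
```

Denied calls produce the same record shape as permitted ones, so a SIEM rule can alert on repeated `deny` decisions for a single matter or user.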

For the broader policy framework: **[AI Policies for Law Firms: A Practical 2026 Guide](/blog/ai-policies-for-law-firms)**.

## Why Managed AI Vendors Struggle With Rule 1.6 at Scale

Three structural problems for managed legal AI vendors (Harvey, Co:Counsel, Spellbook, Ironclad AI):

**1. Vendor-side third-party access.** The vendor's engineers, the vendor's sub-processors, and (under compelled disclosure) third parties have potential access to privileged content during processing. A DPA contractually limits this; it doesn't structurally prevent it.

**2. Vendor-controlled model lifecycle.** When the vendor updates the model, the firm's prior validation may not apply. The firm's supervision obligation (Rule 5.3 for non-lawyer assistance) becomes hard to discharge.

**3. Subpoena reach.** A subpoena to the firm reaches what the firm controls. A subpoena to the vendor reaches what the vendor controls — including privileged work product the firm sent through the vendor's system. The firm's privilege claim becomes harder.

Self-hosted on the firm's network removes the third-party custodian entirely.

## Workloads Where Rule 1.6 Matters Most

Any AI use that touches privileged work product. In practice:

- **Contract review + redlining** — every contract under review is potentially privileged
- **Due diligence document review** — deal-room content is highly sensitive
- **Brief-writing assistance** — draft work product is privileged
- **Deposition preparation** — witness prep, theory of the case
- **Legal research with case-specific context** — research tied to a specific matter
- **Internal know-how + playbooks** — firm IP that lawyers reference during privileged work
- **Litigation strategy** — even more sensitive than normal privileged work product
- **eDiscovery review** — privilege-log work + relevance determinations

## The Cost Math

A 200-lawyer firm running ~30,000 first-pass contract reviews/month + general legal AI use:

| Approach | Monthly cost | Privilege posture |
|---|---:|---|
| **Harvey** ($400/lawyer × 200) | **$80,000** | Vendor cloud (DPA) |
| **Co:Counsel** ($300/lawyer × 200) | **$60,000** | Vendor cloud (DPA) |
| **Spellbook / Ironclad AI / LinkSquares** (~$2/contract × 30K) | **~$60,000** | Vendor cloud (DPA) |
| Direct Claude Sonnet API (token-priced) | ~$630 | Anthropic cloud (DPA) |
| **ibl.ai self-hosted (Llama 4 / DeepSeek-R1)** | **~$5,000–8,000** | **Inside the firm's network** |

ibl.ai self-hosted is ~10× cheaper than Co:Counsel AND structurally aligned with Rule 1.6.

For per-contract math: **[What AI Contract Review Actually Costs in 2026](/blog/what-ai-contract-review-actually-costs-2026)**.

## Run the Numbers

- **[Harvey AI Alternative](/blog/harvey-ai-alternative)** — direct vendor displacement
- **[Co:Counsel (Thomson Reuters) Alternative](/blog/cocounsel-thomson-reuters-alternative)** — sister vendor displacement
- **[On-Premise Legal AI Platform](/blog/on-premise-legal-ai-platform)** — on-premise architecture
- **[AI Cost Math for Law Firms](/blog/ai-cost-math-for-law-firms-per-seat-vs-usage)** — segment cost math
- **[What AI Contract Review Actually Costs in 2026](/blog/what-ai-contract-review-actually-costs-2026)** — per-contract math
- **[AI Policies for Law Firms: A Practical 2026 Guide](/blog/ai-policies-for-law-firms)** — broader policy framework
- **[Self-Hosted AI vs ChatGPT Enterprise for Legal](/resources/comparisons/self-hosted-ai-vs-chatgpt-enterprise-for-legal)** — deployment comparison

## Why Family-Owned and New York Matter Here

A law firm's AI vendor relationship for workloads touching privileged work product is a multi-year commitment that touches the firm's core ethical obligations. ibl.ai is **family-owned and operated from New York, NY** — a long-term partner with a perpetual platform license and no investor exit pressure. The runtime is open source. Privileged work product stays inside the firm's network. The math works at a 5-lawyer boutique or a 2,000-lawyer global firm.

ABA Model Rule 1.6 compliant AI isn't a vendor checkbox. It's the firm's confidentiality controls extending to the AI processing path — which only works when the AI processing runs inside the firm's perimeter.
