Anything You Say to a Chatbot May Be Used Against You

A court ruling in New York has settled a question that most executives never thought to ask. The answer should worry anyone who has ever pasted something sensitive into Claude or ChatGPT.

On February 10, 2026, Judge Jed S. Rakoff of the Southern District of New York did something unusual: he made case law out of a chatbot conversation. In United States v. Heppner, No. 25 Cr. 503, the judge ruled from the bench that 31 documents a defendant had generated using Anthropic's Claude were not protected by attorney-client privilege or the work-product doctrine. The defendant, Bradley Heppner, a Dallas finance executive charged with a $150 million fraud, had used the consumer version of Claude to draft reports about his legal strategy after learning he was under investigation. He then emailed the outputs to his lawyers at Quinn Emanuel. Federal agents found the documents on devices seized during a search of his mansion.

Heppner's defence team argued privilege. Rakoff was unpersuaded. "I'm not seeing remotely any basis for any claim of attorney-client privilege," he said. The AI tool is not an attorney, owes no duty of confidentiality, and its terms of service explicitly disclaim any expectation of privacy. Anthropic's privacy policy at the time noted that inputs could be collected, disclosed to authorities, and used for model training. On the work-product argument, Heppner's own lawyers conceded that he had prepared the documents on his own initiative, not at their direction. The government's motion put the point plainly: sending unprivileged documents to your lawyer after the fact does not retroactively cloak them in privilege.

Debevoise & Plimpton calls it the first reported case where using a consumer AI tool led to a loss of privilege. The National Law Review calls it a "discovery nightmare." Lawyers report that in civil proceedings, they are already requesting adversaries' AI chat logs as a matter of course. It is, as one attorney observed, a whole new category of discoverable information.


The confession booth that records everything

The reasoning in Heppner is not novel. It applies the same logic courts have used for decades about third-party disclosures. If you discuss your case with a friend at a dinner party, that conversation is not privileged either. What makes the ruling significant is its collision with widespread behaviour. Millions of professionals now routinely paste confidential material into AI chatbots. They draft legal memos, analyse clinical data, model financial scenarios, and brainstorm competitive strategy, all inside tools whose providers reserve the right to log, store, and learn from every input.

The intuition that a chatbot conversation is private turns out to be wrong. It feels private, in the same way that whispering into a telephone feels private. But the provider is not bound by any duty of secrecy, and the infrastructure sitting between you and the model is owned and operated by a third party with its own interests and obligations.

Debevoise notes an important nuance: enterprise AI tools with contractual confidentiality commitments and no-training clauses might fare differently. But no court has tested that distinction yet. Rakoff has not issued a written opinion, only the bench ruling transcript. Until another judge draws the line, the prudent assumption is that anything typed into a consumer AI platform is as discoverable as a Google search.


The pharmaceutical problem

Consider what flows through AI tools in a typical pharmaceutical company on a typical day. A medicinal chemist uploads a proprietary molecular structure for quick analysis. A clinical data analyst pastes unpublished trial results into a chatbot to spot patterns. A quality team feeds manufacturing process details into an AI for optimisation suggestions. Each action is well-intentioned. Each creates a permanent exposure that cannot be undone.

The Kiteworks 2025 study found that 83% of pharmaceutical organisations lack basic technical safeguards against AI data leakage. The Varonis 2025 report found that 99% of organisations have sensitive data exposed to AI tools. Stanford's 2025 AI Index documented a 56.4% year-on-year increase in AI-related security incidents.

What makes AI data leakage different from a conventional breach is its permanence. When a password is stolen, you change the password. When information is absorbed into an AI training dataset, it becomes permanently embedded. The model can memorise fragments. It cannot unlearn them on demand. A single molecular structure can represent a billion-dollar drug programme. An unpublished clinical result can make or break an approval. These are not the kinds of assets you want sitting in someone else's training pipeline.

Samsung learned this the hard way in 2023, when engineers uploaded confidential source code to ChatGPT without realising it would be stored on OpenAI's servers. Samsung banned the tool. JPMorgan, Goldman Sachs, and Amazon followed with similar restrictions. After Heppner, the argument for restricting consumer AI usage is no longer just about data hygiene. It is about litigation exposure.


Giving away the alpha

The hedge fund industry arrived at this conclusion slightly earlier, and for a different reason. In quantitative finance, your edge is your data and your models. Sending either through a cloud API is, in a real sense, giving away the alpha.

Resonanz Capital reports that one fund's internal trial flagged a developer using real client trade data in prompts to debug a pricing tool on an open-access generative AI model. The practice was technically functional but constituted an unacceptable security risk. The firm fast-tracked a firmwide AI use policy and built a private, firewalled environment.

This is not paranoia. It is arithmetic. A prompt containing a trading signal, a position, or a piece of strategy logic is transmitted to and stored by a third party. The risk of model inversion attacks, where adversaries reverse-engineer AI models to extract trade execution patterns, is well documented. And after Heppner, there is a new vector: any AI-generated analysis could be subpoenaed and used against the firm in litigation or regulatory proceedings.

The large quantitative shops have responded accordingly. D.E. Shaw runs prompt cost meters with automatic throttles on each desk. Point72 and Balyasny maintain permanent, uneditable logs of every AI query and response to pre-empt SEC audits. Several funds report that GPU rental and cloud exit costs now rival prime-broker financing as line items. Citadel's aborted Seattle AI lab illustrated the cultural tension: discretionary portfolio managers worried about IP leakage even within the firm's own walls.

For a fund running inference on local GPUs, the maths is simple. Signals arrive in microseconds instead of the tens-of-milliseconds round trip to a cloud API. The data stays behind the firewall. The model stays under the firm's control. The alpha stays proprietary. In the language of the trade, on-premise AI converts proprietary data into intellectual capital without handing that capital over to a hyperscaler in Northern Virginia.


The economics have caught up

For years, the standard advice to startups and research teams was to use cloud APIs. They were fast to deploy, required no hardware procurement, and let you start building before you had a data centre budget. The advice was sound. It is now out of date for a growing number of use cases.

The Lenovo 2026 TCO study introduced a "Token Economics" framework that compares the amortised cost per million tokens of on-premise hardware against cloud API pricing. Self-hosting on current-generation GPUs offers an 8x cost advantage per million tokens compared to cloud infrastructure-as-a-service, and up to 18x compared to frontier model-as-a-service APIs. At high utilisation, the break-even point arrives in under four months. Over a five-year lifecycle, the savings per server can exceed $5 million. The architectural leap from NVIDIA's Hopper generation to the Blackwell architecture has fundamentally altered the throughput calculus.

Deloitte's 2026 infrastructure analysis tells the same story from the demand side. Some enterprises now face monthly AI bills in the tens of millions of dollars. The biggest cost driver is agentic AI, where continuous inference loops send token consumption spiralling. Deloitte's rule of thumb: when cloud costs exceed 60 to 70% of the total cost of acquiring equivalent on-premise systems, a capital investment becomes more attractive than ongoing operational expense. Inference-heavy workloads reach self-hosted break-even at surprisingly low utilisation thresholds: 50% for 7B-parameter models, just 10% for 13B models.

Meanwhile, cloud API pricing at the frontier remains substantial. Current rates for leading models range from $0.20 per million input tokens at the low end to $15 per million output tokens at the top. The "AI wrapper" startups that built their businesses on reselling API access are discovering that usage-based pricing compounds viciously as adoption grows. What starts as a manageable bill becomes budget-breaking at enterprise scale, with the added indignity that every prompt also leaks to the underlying provider.


Sovereign AI is no longer theoretical

The economic and legal arguments are reinforced by a regulatory shift that has accelerated faster than most observers expected.

Deloitte's 2026 State of AI survey of 3,235 executives found that 83% of organisations now view sovereign AI as important to strategic planning. Two-thirds express concern about reliance on foreign-owned AI technologies. Seventy-seven percent factor an AI solution's country of origin into vendor selection. Nearly three in five build their AI stacks primarily with local vendors. Deloitte forecasts that nearly $100 billion will flow into sovereign AI compute globally in 2026, with companies outside the US and China aiming to double domestic AI capacity by 2030.

This is not protectionism dressed up in technical language. It is a response to real regulatory obligations. HIPAA governs patient data. GDPR governs personal data. Banking secrecy laws apply across financial services. Many jurisdictions now mandate data residency: sensitive data must not leave national borders. An on-premise deployment satisfies all of these constraints simultaneously. The model never touches the public internet. Audit trails are complete. Compliance teams can demonstrate exactly where data went.


What Heppner clarifies

The Heppner ruling did not create new law. It applied old principles to new technology, and in doing so, it clarified something that the technology industry had been content to leave ambiguous. Consumer AI chatbots are not vaults. They are not advisors. They are not bound by any duty of confidence. They are third-party services operated by companies with their own commercial interests, their own data retention policies, and their own obligations to law enforcement.

For industries where data is the product, the competitive edge, or the regulatory liability (pharma, finance, and the intersection of the two in royalty and licensing markets), the implications are hard to overstate. Sending proprietary data to a cloud AI is not just a security risk. After Heppner, it is a litigation risk. It is a regulatory risk. And at scale, it is an economic choice that increasingly does not pencil out.

The cloud remains useful for experimentation, for non-sensitive workloads, and for organisations that lack the engineering capacity to run their own infrastructure. Nobody should tear up their OpenAI contract because of one bench ruling in the Southern District. But for anything involving privileged, proprietary, or regulated information, the direction of travel is clear. The new default, for those who can afford it, is on-premise AI: compute that lives where the data lives, under governance you control, producing intelligence that stays yours.

Judge Rakoff, in his characteristically blunt fashion, simply pointed out what should have been obvious all along. An AI chatbot is not your lawyer. It is not your confidant. And its memory is not protected by any privilege known to American law.


All information in this report was accurate as of the research date and is derived from publicly available sources including company press releases, SEC filings, regulatory announcements, and financial news reporting. Information may have changed since publication. This content is for informational purposes only and does not constitute investment, legal, or financial advice.