THE TECHNOLOGY BLIND SPOT
In the five weeks ending March 30, 2026, three federal judges issued the first rulings on whether materials a party ran through a commercial AI tool would survive in court. The rulings split. Judge Rakoff in Manhattan held that thirty-one Claude documents were neither privileged nor work product. Judge Patti in Detroit held that ChatGPT outputs deserved work product protection. Judge Dominguez Braswell in Denver split the difference and ordered a contractual safeguard test for any AI vendor receiving confidential information.
What the three rulings share is the variable they treat as decisive. None opened the AI vendor’s SOC 2 binder. None asked about the vendor’s AICPA certification. Each examined the vendor’s terms of service, the data flow, and the contract.
Ask most attorneys about AI vendor due diligence and you get two words: SOC 2. The courts drawing the privilege line are not asking that question.
What SOC 2 Actually Audits
SOC 2 was built for static SaaS. It tests a vendor’s controls against five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) over a fixed period, within a fixed system boundary, with deterministic processing and known principals. None of those assumptions holds up against an agentic AI system. Such a system reasons by probability over user inputs. It calls external tools, hits APIs, and may keep prompts in ways the auditor never tested. The attestation says the vendor’s data center is running. It says nothing about whether the vendor’s stochastic system has memorized your client’s settlement plan. Or whether it routed that plan through a subprocessor the SOC 2 report names in eleven paragraphs and tests in zero. [See 17 Subprocessors Deep, The Technology Blind Spot (2026).]
The Attack Surface SOC 2 Was Never Designed to Test
In December 2025, OWASP published its first Top 10 for Agentic Applications. The list contains ten attack categories that did not exist in the 2017 Trust Services Criteria the AICPA still uses today: Agent Goal Hijack, Tool Misuse, Identity and Privilege Abuse, Agentic Supply Chain Vulnerabilities, Unexpected Code Execution, Memory and Context Poisoning, Insecure Inter-Agent Communication, Cascading Failures, Human-Agent Trust Exploitation, and Rogue Agents. Every one operates on a surface a SOC 2 auditor does not test for. Prompt injection through a poisoned document is invisible to processing integrity. Privileged content showing up in another customer’s session is invisible to confidentiality. Agent action across third-party APIs is invisible to a vendor check that asks whether the subprocessor signed a DPA.
When the Agent Breaks the Stop Sign
On July 17, 2025, Jason Lemkin, the CEO of SaaStr, asked Replit’s AI coding agent to freeze the code on a contact database he had spent twelve days building with the agent. He stepped away. When he returned, the agent had ignored the freeze, deleted his production database of 1,206 executive records, generated over 4,000 fake user profiles, and produced fake status messages. When Lemkin asked what had happened, the agent said the deletion could not be rolled back. That was a lie. The rollback worked when Lemkin tried it himself. Replit’s CEO called the incident “unacceptable.” The agent had direct write access to production with no system-level enforcement of the freeze. The freeze was a sentence in a prompt. The model ignored it.
Replit’s data center was SOC 2 certified. Nothing about that audit boundary changes when the agent inside the platform decides to ignore a freeze, write to production, and lie about the result.
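The Replit account above turns on the freeze existing only as a sentence in a prompt. As an added illustration (not code from this article or from Replit), the Python sketch below enforces a freeze at the connection layer instead: while an operator-set flag is on, the agent's SQL tool is handed a read-only database handle, and the broker keeps its own record of each call rather than relying on the agent's account. FreezeGate, the executives table and the sample statements are hypothetical.

```python
import os
import sqlite3
import tempfile
from dataclasses import dataclass, field

@dataclass
class FreezeGate:
    """Hypothetical broker that hands the agent's SQL tool its database connection."""
    db_path: str
    frozen: bool = False                      # set by a human operator, never exposed as an agent tool
    audit: list = field(default_factory=list)

    def run(self, sql: str):
        # While frozen, the connection itself is read-only, so the database engine
        # refuses writes no matter what the model was told or decides to do.
        mode = "ro" if self.frozen else "rw"
        conn = sqlite3.connect(f"file:{self.db_path}?mode={mode}", uri=True)
        try:
            rows = conn.execute(sql).fetchall()
            conn.commit()
            outcome = "ok"
        except sqlite3.OperationalError as exc:
            rows, outcome = [], f"refused: {exc}"
        finally:
            conn.close()
        # The broker records the real outcome; the agent's self-report is not the source of truth.
        self.audit.append((sql, outcome))
        return rows, outcome

def demo():
    # Constructed stand-in for a production database with three records.
    path = os.path.join(tempfile.mkdtemp(), "prod.db")
    seed = sqlite3.connect(path)
    seed.execute("CREATE TABLE executives (id INTEGER PRIMARY KEY, name TEXT)")
    seed.executemany("INSERT INTO executives (name) VALUES (?)", [("a",), ("b",), ("c",)])
    seed.commit()
    seed.close()

    gate = FreezeGate(path, frozen=True)
    # Constructed tool calls standing in for what an agent might emit despite the freeze.
    _, delete_outcome = gate.run("DELETE FROM executives")
    rows, _ = gate.run("SELECT count(*) FROM executives")
    return delete_outcome, rows[0][0], gate.audit

if __name__ == "__main__":
    print(demo())
```
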
The Other Failure Mode
Nine months later, the failure pattern reached legal practice. On April 18, 2026, partner Andrew Dietderich of Sullivan & Cromwell apologized to Chief Judge Martin Glenn of the Southern District of New York for an emergency Chapter 15 motion in In re Prince Global Holdings Limited containing AI-fabricated case citations, misquoted authorities, and garbled text. The firm acknowledged that its mandatory AI training and “trust nothing and verify everything” verification policy had not been followed. The standard citation-checking review missed the errors. The protocols existed. They failed. [See When Attorneys Stop Checking AI’s Work, The Technology Blind Spot (2026).]
The autonomous agent and the hallucinating model are different failures with the same root: governance gaps SOC 2 does not audit. [See Every Failed AI Project Breaks the Same Rule, The Technology Blind Spot (2025).] SOC 2 audits the vendor’s data center, not the agent’s decisions in production or the lawyer’s review of the model’s output. Under Model Rules 1.1, 1.6, and 5.3, both failure modes land on the supervising attorney’s desk regardless of which side of the firewall the failure originated.
Three Federal Judges. One Variable.
In United States v. Heppner, Judge Jed Rakoff in the Southern District of New York held on February 17, 2026 that thirty-one documents a criminal defendant generated using Anthropic’s consumer Claude product lost privilege the moment they passed through a vendor whose terms reserved the right to use them. The third-party doctrine, Rakoff held, applied to the AI vendor.
A week earlier, Magistrate Judge Anthony Patti in the Eastern District of Michigan reached the opposite conclusion. Sohyon Warner, the pro se plaintiff in Warner v. Gilbarco, Inc., had used ChatGPT in her case. The defendants moved to compel production of every document tied to her ChatGPT use, framing the tool as a third party to whom she had disclosed her thought process. Patti denied the motion. Generative AI tools, he wrote, “are tools, not persons, even if they may have administrators somewhere in the background.” Disclosure to an AI provider, he held, was not equivalent to disclosure to an adversary.
Six weeks later, in Morgan v. V2X, Inc., Magistrate Judge Maritza Dominguez Braswell in the District of Colorado rejected both extremes. She preserved work product protection but imposed a contractual safeguard test for any AI tool handling confidential information.
What the Contract Has to Say
Dominguez Braswell wrote her own protective-order language after rejecting both sides’ proposals. The provision states that no party may upload confidential information to any AI platform unless the AI provider is contractually prohibited from “(1) storing or using inputs to train or improve its model; and (2) disclosing inputs to any third party except where such disclosure is essential to facilitating delivery of the service.” Where third-party disclosure is essential, the third party must accept obligations no less protective than the protective order itself. The provider must contractually grant the firm the ability to remove or delete confidential information on request. And the order closes with a documentation requirement: any party relying on these protections must keep written records that the AI vendor’s contractual obligations are in place.
None of the four elements appears in any standard SOC 2 audit scope.
A framework for the contractual analysis already exists. Austin Litle, Morris, and Das’s AI Legal Reference Model sets out a ten-factor test across four dimensions: who directs the agent, what the contract says, how the system is built, and who reviews the output. SOC 2 reaches none of the four. The contract reaches contractual architecture fully and the other three partly. It cannot make the model deterministic, and it cannot review output for the firm. But it can do the rest. That is the difference between an attestation and an obligation.
What the State Bar Said in February
The Oregon State Bar Board of Governors approved Formal Opinion 2026-208 in February 2026. Its framing is direct: an AI agent built to act on its own and decide can create sub-agents and run without human input once it has a goal. That autonomy raises the supervisory burden because the agent’s errors propagate before the supervising attorney sees them.
Its key passage states that confidentiality due diligence “must reach beyond the policies of the company that offers the chatbot service.” That requirement exists because subprocessor APIs can route protected information to third-party companies the chatbot vendor’s policies do not cover. A SOC 2 attestation reaches exactly to those policies and not one inch further.
Counterargument
The strongest counter is that Morgan is one magistrate’s protective order in a single case, not binding precedent on any other court. Warner kept work product protection without a contract test. Heppner turned on consumer terms enterprise tiers avoid. No appellate court has affirmed any of the three rulings. A managing partner could read all of this and conclude that SOC 2 plus a clean DPA gets the firm to a workable “reasonable steps” position under FRE 502(b) without rewriting AI vendor contracts.
That conclusion ignores three things. The doctrinal trajectory points toward the contract; the next opinion will cite Morgan, not the AICPA. OSB 2026-208 binds Oregon lawyers and persuades elsewhere, and it requires due diligence to extend beyond the chatbot vendor’s policies. Cyber insurance underwriters writing AI endorsements are reading the same opinions Catherine is. They will price the gap before any bar discipline committee gets the chance to.
Thursday Morning
Pull the firm’s primary AI vendor master agreement Thursday morning. Look for two clauses: one barring the vendor from storing or using firm inputs to train its model, and one barring third-party disclosure of inputs except where essential to service delivery. If either is missing, email procurement to obtain a written addendum before the next renewal cycle, and email the cyber insurance broker to ask whether the gap creates an exclusion under the firm’s AI endorsement.
The SOC 2 binder on the partner’s shelf was a comfort in 2018. The federal courts that will rule on AI privilege over the next two years will not open it.
About the Author
JD Morris is Co-Founder and COO of LexAxiom, an Agentic AI platform for the business of law. Over a 25-year career, he has built and scaled enterprise technology products across Dell, EMC, VMware, and Cisco, including the first exabyte eDiscovery platform. He holds dual MBAs from Columbia Business School (Finance) and UC Berkeley Haas (Marketing), a Master of Legal Studies in Cybersecurity Law from Texas A&M, and a Master of Engineering from George Washington University. He writes The Technology Blind Spot on the intersection of emerging technology and law. Connect with him on LinkedIn at www.linkedin.com/in/jdavidmorris, on X at @JDMorris_LTech, or on Bluesky at @JDMorris-ltech.bsky.social.
References
1. United States v. Heppner, No. 1:25-cr-00503-JSR, ECF No. 27 (S.D.N.Y. Feb. 17, 2026) (Rakoff, J.).
2. Warner v. Gilbarco, Inc., No. 2:24-cv-12333, ECF No. 94 (E.D. Mich. Feb. 10, 2026) (Patti, M.J.).
3. Morgan v. V2X, Inc., No. 25-cv-01991-SKC-MDB (D. Colo. Mar. 30, 2026) (Dominguez Braswell, M.J.).
4. Or. State Bar Comm. on Legal Ethics, Formal Op. 2026-208 (Feb. 2026).
5. Or. State Bar Comm. on Legal Ethics, Formal Op. 2025-205 (2025).
6. Model Rules of Pro. Conduct r. 1.6(c) (Am. Bar Ass’n 2024).
7. Model Rules of Pro. Conduct r. 5.3 (Am. Bar Ass’n 2024).
8. ABA Comm. on Ethics & Pro. Resp., Formal Op. 512 (2024).
9. Fed. R. Evid. 502(b).
10. Fed. R. Civ. P. 26(b)(3).
11. OWASP, OWASP Top 10 for Agentic Applications 2026 (Dec. 9, 2025), https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026.
12. Alexis Austin Litle, JD Morris & Deepankar Das, The AI Legal Reference Model (ALRM): A Ten-Factor Test for Distinguishing AI Tools from Third Parties in Privilege and Work Product Analysis with Ten Unresolved Questions for Judicial Consideration (Apr. 2026), https://ssrn.com/abstract=6546398.
13. AICPA, Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017, with 2022 revised points of focus).
14. Mark Sullivan, Replit CEO: What Really Happened When AI Agent Wiped Jason Lemkin’s Database (Exclusive), Fast Co. (July 22, 2025), https://www.fastcompany.com/91372483/replit-ceo-what-really-happened-when-ai-agent-wiped-jason-lemkins-database-exclusive.
15. Sullivan & Cromwell Apologises to US Court for Filing Errors Caused by AI Hallucinations, Bar & Bench (Apr. 22, 2026), https://www.barandbench.com/news/sullivan-cromwell-apologises-to-us-court-for-filing-errors-caused-by-ai-hallucinations.
Originally published on LinkedIn Newsletter — The Technology Blind Spot
