On April 4, 2026, a federal court in Oregon sanctioned attorney Stephen Brigandi $110,000 — the largest AI hallucination penalty in American legal history. On February 17, 2026, the Southern District of New York ruled that everything typed into ChatGPT is not protected by attorney-client privilege. The government gets it. These are not isolated decisions. Together, they define the new cost of unarchitected AI research.
Two federal court decisions issued within weeks of each other in early 2026 have fundamentally altered the calculus every litigator must apply to AI-assisted research. The Oregon sanctions record establishes what courts will do when AI-assisted filings lack a documented verification process. The SDNY privilege ruling establishes that the research process itself — every query submitted to a public AI platform — is potentially discoverable by opposing counsel and the government. For solo and small-firm litigators who do not operate a local-first private vault architecture, both exposures exist simultaneously.
What Did the Oregon Court Actually Hold in the Brigandi Case?
On April 4, 2026, U.S. Magistrate Judge Mark Clarke in the District of Oregon issued a $96,000 sanctions order against attorney Stephen Brigandi in a family winery dispute. With costs, total exposure reached $110,000 — the largest AI hallucination sanction in U.S. legal history. The filing contained 23 fabricated citations and 8 invented quotations. The court’s language focused on what it characterized as ‘pervasive misconduct’ and the attorney’s apparent abandonment of professional responsibility.
The $110,000 figure was not the court’s first number. The court explicitly considered and rejected a lower sanctions figure. The order was constructed to signal that AI hallucination sanctions have not plateaued. The sanctions escalation curve — $3,000 (2023), $5,000 (Philadelphia, April 2026), $30,000 (Sixth Circuit, March 2026), $110,000 (Oregon, April 2026) — does not have a ceiling the Oregon order was willing to identify.
What distinguished the Brigandi case from the lesser-sanctioned cases is what courts have consistently treated as the threshold variable: the documented activity trail. Attorneys who produced verification records — showing they queried primary source databases, cross-checked citations, and documented that process — have been treated as correctable errors. Attorneys who produced nothing have been treated as pervasive misconduct.
What Is the SDNY Privilege Ruling and Why Does It Apply to Litigators?
On February 17, 2026, the Southern District of New York issued its ruling in United States v. Heppner, holding that a client’s communications with a public AI platform are not protected by attorney-client privilege and are not work product. The court held that privilege presupposes ‘a trusting human relationship with a licensed professional bound by fiduciary duties’ — an AI platform satisfies none of those elements.
The practical consequence is direct: every research query submitted by an attorney or their client to ChatGPT, Perplexity, Copilot, or any public cloud-based AI platform is potentially discoverable. Public AI platforms retain user input. OpenAI, Google, and every major cloud-based AI provider stores queries in their infrastructure. In a criminal matter, the government can subpoena that data. In a civil matter, opposing counsel has a documented basis for a discovery request.
A circuit split is developing. The Eastern District of Michigan and the District of Colorado have issued rulings in civil contexts that take a more protective view, declining to find that privilege is waived simply by using a public AI tool. But the criminal context decision from SDNY has not been overturned, and it applies to every attorney conducting case research on a public AI platform in a federal matter.
What Is the Criminal-Civil Split and Which Cases Will Resolve It?
The developing circuit split on AI communications privilege breaks along two axes: criminal versus civil context, and use of AI as a research tool versus AI as a communication channel.
In SDNY (criminal context), the court held that communications with a public AI platform fail all three elements of the privilege test: the communication was not confidential (the platform retains it), legal advice was not being sought from the AI (it is not a licensed professional), and there is no attorney-client relationship with the AI. The court declined to extend privilege to what it characterized as a voluntary disclosure to a third-party commercial platform.
In the civil context, the Michigan and Colorado decisions have focused on a narrower question: whether an attorney’s use of an AI tool for research waives privilege over the underlying communications with the client. These courts have been reluctant to find a blanket waiver. But the question of whether the AI platform queries themselves are protected — as opposed to the underlying client communications — remains open.
Cases are working toward circuit courts on both tracks. Until circuit-level resolution, every litigator operating in federal court faces meaningful uncertainty about the discoverability of their AI research process — unless they are operating a local-first architecture that keeps research within their own infrastructure.
How Does a Local-First Private Vault Architecture Change the Privilege Analysis?
The SDNY ruling’s logic turns on a specific architectural fact: the AI platform retains the queries, and the platform is a third party. The attorney-client privilege analysis treats voluntary disclosure to a third party as a waiver. A local-first private vault architecture — where AI inference runs within the attorney’s own infrastructure and research queries are never transmitted to a third-party commercial platform — does not present the same third-party disclosure issue.
This is not a theoretical distinction. Lex Arca Legal Vault’s architecture is built on a Bring Your Own Storage model: Cloudflare R2, Supabase, and LlamaCloud are the infrastructure components, running within the attorney’s own provisioned environment. Client data and research queries are architecturally excluded from Lex Arca’s infrastructure — and from any third-party cloud platform that could be subpoenaed. The research process stays in the attorney’s vault.
This architectural design was a deliberate response to ABA Formal Opinion 512’s confidentiality requirements. The SDNY ruling has now confirmed that it also addresses a federal privilege concern that every attorney using a public AI platform for case research should be taking seriously.
The Dual Exposure — And the Architecture That Addresses Both
Solo and small-firm litigators who use public AI platforms for case research now face two simultaneous exposures: sanctions liability when AI-generated citations are unverified (the Brigandi track), and privilege risk when the research process itself becomes discoverable (the SDNY track).
These are not independent problems requiring separate solutions. They share a root architecture: research conducted on a public AI platform, without a documented verification record, in an environment where the research is both unverified and externally accessible.
The compliance architecture that addresses both is specific: a local-first private vault that keeps research within the attorney’s infrastructure, combined with an append-only, tamper-evident documented activity trail that proves the verification process was completed. That architecture answers ‘What did you do to verify this?’ on the sanctions track and ‘Where did this research happen?’ on the privilege track — with the same vault.
KEY TAKEAWAYS
- The $110,000 Brigandi sanctions order (Oregon, April 2026) is the largest AI hallucination penalty in U.S. history and signals that the sanctions floor continues to rise with each cycle.
- The SDNY ruling in United States v. Heppner (February 2026) established that communications with public AI platforms are not protected by attorney-client privilege in federal criminal proceedings, making AI research queries potentially discoverable.
- A local-first private vault architecture addresses both the sanctions exposure (documented verification record) and the privilege exposure (research stays within the attorney’s own infrastructure) simultaneously.
- Lex Arca Legal Vault provides a documented, verifiable AI activity trail designed to support attorney compliance workflows — built on a local-first private vault architecture that keeps research outside third-party commercial platforms.
- Calculate your firm’s billing leakage and get early access at https://calculator.lex-arca.com.
ABOUT THE AUTHOR
Kim Xi Harris is the Founder and Platform Architect of Lex Arca™, an AI-native litigation intelligence and compliance platform for solo and small-firm attorneys. She is a Cornell Women’s Entrepreneur Program graduate, SBA Women in Business Champion Award recipient, WOSB certified, and holds five Google AI certifications. Calculate your firm’s billing leakage and join the VIP waitlist at https://calculator.lex-arca.com — or reach us at legalvault@lex-arca.com.