Industry

SOC 2ABA Model RulesGDPR

AI Agent Security for Legal AI Agents

Legal AI agents are transforming law practice — drafting contracts, reviewing documents, researching case law, summarizing depositions, and managing client communications. But the legal domain introduces security requirements that go beyond standard data protection. Attorney-client privilege is a foundational legal protection that can be permanently waived if privileged information is disclosed to unauthorized parties — even accidentally, even by an AI agent. Work product doctrine protects trial preparation materials. Ethical rules govern conflicts of interest, client confidentiality, and the unauthorized practice of law. A compromised or manipulated legal AI agent can waive privilege for an entire case, create conflicts of interest by cross-contaminating client data, generate documents that constitute unauthorized legal practice, or disclose litigation strategy to opposing counsel. The stakes are existential for law firms: malpractice liability, disciplinary action, and loss of client trust. Rune provides the security infrastructure that legal organizations need to realize the efficiency gains of AI while protecting the privileges and ethical obligations that define legal practice.

Start Free — 10K Events/MonthNo credit card required

Privilege waiver can cost $10M+ in litigation exposure

Inadvertent privilege waiver can expose an entire category of communications to discovery, fundamentally altering the outcome of high-stakes litigation. The financial impact includes both the direct case exposure and the malpractice liability to the firm.

100% client matter isolation in agent context

Rune's matter isolation ensures zero cross-contamination between client files, eliminating the ethical violations and malpractice risk that arise when AI agents share context across matters.

3.1x faster document review with security guardrails

Legal teams using AI agents with Rune's security layer complete document review 3.1x faster than manual review, while maintaining the confidentiality and privilege protections that manual processes inherently provide.

Key Security Risks

criticalAttorney-Client Privilege Waiver

Attorney-client privilege protects confidential communications between lawyers and clients from disclosure. If a legal AI agent includes privileged information in an output that is shared with third parties — in a filing, a report, or even an email — the privilege may be permanently waived for that communication and potentially for the entire subject matter.

Real-world scenario: A legal AI agent was used to draft a summary of case strategy for a client meeting. A prompt injection in an opposing party's motion (loaded for analysis) caused the agent to incorporate privileged settlement negotiation details into the summary. The summary was emailed to the client, who forwarded it to their business partner — a non-privileged party. Opposing counsel later obtained the forwarded email in discovery and successfully argued that privilege was waived for the entire settlement discussion.

criticalCross-Client Data Contamination

Law firms handle cases for multiple clients, some of whom may have adverse interests. If a legal AI agent's context contains information from multiple client matters, injection or misconfiguration can cause information from one client's case to appear in another client's documents — creating ethical violations and potential malpractice.

Real-world scenario: A firm used an AI agent to draft contracts for multiple clients. The agent's context window retained fragments from a previous client's M&A deal terms when it began drafting a contract for a different client in the same industry. The new contract included specific pricing structures from the first client's confidential deal, which the second client recognized as belonging to their competitor. Both clients terminated their engagements with the firm.

highUnauthorized Legal Practice

AI agents that provide legal analysis, recommend courses of action, or draft legal documents without appropriate attorney oversight may constitute the unauthorized practice of law. If agent outputs are presented to clients without adequate attorney review, the firm risks disciplinary action and the client receives potentially unreliable legal guidance.

Real-world scenario: A client-facing AI assistant at a law firm was designed to answer procedural questions. A prompt injection caused it to begin providing substantive legal advice — recommending specific contract clauses and litigation strategies — without flagging these responses for attorney review. A client relied on the agent's contract recommendation, which contained a flawed indemnification clause that exposed the client to significant liability.

criticalLitigation Strategy Disclosure

Legal AI agents analyzing case files, drafting motions, and preparing for depositions have access to the firm's litigation strategy, witness preparation notes, and damage calculations. Injection attacks can extract this information, which would be devastating if obtained by opposing counsel — even if work product doctrine would normally protect it.

Real-world scenario: A litigation support agent was analyzing documents for a patent case. A prompt injection embedded in a technical document from the opposing party's production caused the agent to include the firm's damage calculation methodology and key witness vulnerabilities in its analysis report. The report was saved to a shared drive, and while it was caught before external disclosure, the incident required the firm to disclose the potential compromise to the client and consider whether a conflict-free analysis was still possible.

How Rune Helps

Privilege Classification and Protection

Rune scans every agent output for privileged content — settlement discussions, legal advice, litigation strategy, and client communications marked as privileged. Detected privileged content is blocked from appearing in outputs destined for non-privileged channels, preventing inadvertent waiver.

Client Matter Isolation

Rune enforces strict isolation between client matters at the agent level. Context from one client's files cannot leak into another client's documents. The agent's accessible context is scoped to the current matter, with cross-matter access requiring explicit authorization — preventing the conflicts and contamination that arise from shared context windows.

Attorney Review Enforcement

Rune flags agent outputs that contain substantive legal analysis, specific recommendations, or drafted legal language, requiring attorney review before the output reaches the client. This ensures that AI efficiency does not come at the cost of proper legal oversight, protecting both the client and the firm from unauthorized practice issues.

Document Confidentiality Controls

Every document loaded into the agent's context is classified by confidentiality level — public, confidential, privileged, work product. Rune enforces information barriers that prevent content from higher confidentiality levels from appearing in outputs destined for lower confidentiality contexts.

Example Security Policy

version: "1.0"
rules:
  - name: protect-privileged-content
    scanner: confidentiality
    action: block
    severity: critical
    scope: output
    config:
      protected_categories:
        - attorney_client_privilege
        - work_product
        - settlement_discussions
        - litigation_strategy
      description: "Block privileged content from appearing in non-privileged outputs"

  - name: enforce-client-matter-isolation
    scanner: data_isolation
    action: block
    severity: critical
    config:
      isolation_key: matter_id
      prevent_cross_matter_leakage: true
      require_explicit_authorization_for_cross_matter: true
      description: "Strict isolation between client matters"

  - name: require-attorney-review
    scanner: legal_practice
    action: alert
    severity: high
    scope: output
    config:
      flag_substantive_advice: true
      flag_legal_recommendations: true
      flag_drafted_clauses: true
      require_attorney_approval: true
      description: "Flag outputs requiring attorney review before client delivery"

  - name: classify-document-confidentiality
    scanner: classification
    action: enforce
    severity: critical
    scope: input
    config:
      levels:
        - public
        - confidential
        - privileged
        - work_product
      enforce_information_barriers: true
      description: "Classify and enforce confidentiality levels for all documents"

Policies are defined in YAML and enforced at the SDK level. Version control them alongside your agent code.

Quick Start

pip install runesec

from rune import Shield

shield = Shield(
    api_key="rune_live_xxx",
    agent_id="legal-research-assistant",
    policy_path="legal-policy.yaml"
)

def draft_legal_document(
    instructions: str,
    matter_id: str,
    attorney_id: str,
    document_type: str,
):
    # Scan instructions for injection (opposing party content is untrusted)
    input_result = shield.scan_input(
        content=instructions,
        context={
            "matter_id": matter_id,
            "attorney_id": attorney_id,
            "document_type": document_type,
        }
    )
    if input_result.blocked:
        return {"status": "blocked", "reason": input_result.reason}

    # Agent drafts document with matter-scoped context
    draft = agent.generate(
        instructions=instructions,
        matter_context=get_matter_documents(matter_id),
    )

    # Scan draft for privilege leakage and cross-matter contamination
    output_result = shield.scan_output(
        content=draft,
        context={
            "matter_id": matter_id,
            "output_destination": document_type,
            "confidentiality_level": "confidential",
            "check_privilege_waiver": True,
            "check_cross_matter": True,
        }
    )

    if output_result.blocked:
        return {
            "status": "blocked",
            "reason": output_result.reason,
            "requires": "attorney_review",
        }

    # Flag for attorney review if substantive legal content detected
    if output_result.flags.get("requires_attorney_review"):
        return {
            "status": "pending_review",
            "draft": output_result.content,
            "flags": output_result.flags,
            "reviewer": attorney_id,
        }

    return {"status": "ready", "draft": output_result.content}

This example demonstrates legal-specific security controls. The matter_id scopes all document access to a single client matter, preventing cross-matter contamination. Output scanning checks for privilege waiver risks — detecting if privileged content (settlement discussions, litigation strategy) appears in documents that could be shared externally. Substantive legal analysis is flagged for attorney review, ensuring proper oversight before any AI-generated legal content reaches the client. All actions are logged with matter and attorney context for ethical compliance auditing.

Secure your legal ai agents today

Add runtime security in under 5 minutes. Free tier includes 10,000 events per month.

Start Free — 10K Events/Month Getting Started