Why a legal agent handling privileged documents is a confidentiality exposure

Legal work runs on privilege and confidentiality. An agent that reads privileged documents can be made to leak them through instructions hidden in the documents themselves.

B

Balagei G Nagarajan

4 MIN READ


A legal agent reading privileged documents while a hidden instruction in one of them redirects confidential content

Key facts.

  • Greshake et al. demonstrated indirect prompt injection compromising real LLM-integrated applications by hiding instructions in retrieved data, which acts as arbitrary code the model follows. source
  • The attack requires no direct access, only the ability to get malicious content into data the system will retrieve. source
  • Legal agents read privileged, confidential and opposing-party material, so the documents they process are a realistic injection vector. source
  • A privileged document an agent reads can hide an instruction it obeys (Greshake); a bigger model only widens what a leaked-privilege incident exposes. (arXiv:2302.12173)

Why is legal confidentiality especially exposed?

Because the agent's core function is to read documents and in law those documents include the most protected material there is. Greshake's indirect prompt injection works precisely by planting instructions in content the system retrieves, so the very act of having the agent read a document is the moment a hidden instruction can take hold and no direct access to the agent is needed. A legal agent reviewing a contract, summarizing a discovery production or analyzing opposing-party materials is reading exactly the kind of untrusted external content where such an instruction could be embedded and if it lands, the agent can be steered to disclose privileged communications, confidential client data or work product. A privilege breach is among the gravest failures in legal practice: it can waive protection, expose strategy, violate ethical duties and harm the client irreparably. The agent's helpfulness, reading and acting on documents, is the same surface that makes this exposure real.

The confidentiality risk also runs internally, without any attack. An agent with broad access to a firm's privileged materials can disclose them across matters, to the wrong party or in an output that should have been restricted, simply by being asked a question whose honest answer crosses a confidentiality boundary it was not built to respect.

Isolated access and output controls breaking the path from privileged documents to an unauthorized disclosure

What protects privilege?

Isolation of access and strict output control, with the documents treated as untrusted. Scope the agent's access so it can only reach the privileged material a specific task requires, treat every document it reads as potentially carrying injected instructions and validate every output against confidentiality and privilege boundaries before it is produced. Keep matters and clients isolated so the agent cannot bridge privilege between them and gate any output that would disclose protected material. The Greshake work shows that simply reading a document can be the attack, so the protection has to assume the input is hostile and the output must be controlled, which is the only posture that keeps privileged material from leaking through the agent that was built to read it.

PosturePrivilege exposure
Broad access, documents trusted, output uncheckedHidden instructions or honest answers leak privilege
Isolated access, documents untrusted, output controlledPrivileged material stays protected

Controlling that access and output is part of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of a legal task's legitimate access and authorized disclosure, treating documents as untrusted, so a legal agent reads and analyzes privileged material without becoming the channel that leaks it.

Frequently asked questions

How can reading a document be an attack?
Indirect prompt injection hides instructions in retrieved content, which the model obeys. Greshake showed this compromises real applications without direct access.

Is the risk only external?
No. An agent with broad access can leak privileged material across matters or to the wrong party with no attack, just by answering a question.

Why is a privilege breach so serious?
It can waive protection, expose strategy, breach ethical duties and harm the client irreparably, making it among the gravest failures in legal practice.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.