SovereignBrief · Intelligence Briefing · June 2026 · SRA · Legal Privilege · ICO

AI and Legal Privilege: What Munir and Cork Mean for Your Firm

The Upper Tribunal has ruled. Privilege can be waived by a single AI upload. The SRA referral and ICO notification obligations are now established in English authority. This briefing sets out exactly what both cases require your firm to do — and when.

Published: June 2026
Reading time: 7 minutes
Regulatory scope: SRA · ICO · UK GDPR
SovereignBrief · Cardinal AI Systems · ronkejegede.com

What This Briefing Covers
Two cases. Two different failures. One governance gap.

In May and June 2026, two English courts handed down decisions that every UK law firm using AI needs to understand. Munir v Secretary of State for the Home Department [2026] UKUT 81 (IAC) established permanent privilege waiver from a single AI upload. Cork and another v Mark Smith [2026] EWHC 1199 (Ch) confirmed AI-hallucinated authority going to court unchecked. Neither failure was caused by reckless behaviour. Both were caused by the absence of documented AI governance architecture.

Case One: Munir

Upper Tribunal Immigration and Asylum Chamber · June 2026
Case Authority: Munir v Secretary of State for the Home Department
[2026] UKUT 81 (IAC) · Also reported as [2026] 4 WLR 37 · Also known as R (Munir) v Secretary of State for the Home Department

An immigration matter in which the Tribunal identified that privileged client documents had been uploaded to a public AI tool — specifically ChatGPT — in the course of preparing the case. The Tribunal addressed the privilege consequences directly and at length, making observations that apply across all areas of legal practice, not just immigration.

The Holding · Paragraph 60

Uploading confidential client documents or correspondence into open-source AI tools such as ChatGPT places that material in the public domain, thereby breaching client confidentiality and waiving legal professional privilege. Because privilege is contingent upon confidentiality, any such loss is potentially irreversible, regardless of the practitioner's intention. The Tribunal further stated that such conduct may warrant referral to the SRA and must be referred to the Information Commissioner's Office.

What the Tribunal Actually Said — The Three Points

First — privilege waiver is permanent. The Tribunal did not treat this as a technical breach capable of remedy. The language used — "potentially irreversible" — is deliberate. Once privileged material enters a public AI tool, the confidentiality that grounds privilege is gone. There is no mechanism to retrieve it.

Second — intention is irrelevant. The Tribunal explicitly noted that the practitioner's intention does not affect the outcome. A lawyer who uploads privileged documents to ChatGPT believing it is secure has waived privilege regardless of that belief. Ignorance of the tool's data handling is not a defence.

Third — the regulatory consequence is mandatory. The Tribunal said such conduct may warrant SRA referral — not that it should be considered. And it must be referred to the ICO. The word "must" in relation to ICO notification is not discretionary language.

"Uploading confidential documents into an open-source AI tool is to place this information in the public domain, thereby breaching confidentiality and thus waiving legal professional privilege."

Upper Tribunal · Munir v Secretary of State [2026] UKUT 81 (IAC) · Paragraph 60

The Tribunal also drew a critical distinction — one that has significant practical consequences for governance decisions — between open-source public tools and secure closed enterprise systems. The latter, it indicated, may be used more safely where appropriate safeguards are in place. This is the governing line in AI tool procurement decisions for law firms from this point forward.

Case Two: Cork

High Court · Chancery Division · May 2026
Case Authority: Cork and another v Mark Smith
[2026] EWHC 1199 (Ch) · ICC Judge Mullen · 22 May 2026

A Chancery Division insolvency matter in which AI-generated text citing a non-existent or inaccurate Insolvency Rule was submitted to the High Court as if it were genuine statutory language. The firm involved was Pinsent Masons. The error was not caught before the document reached the court. The firm self-referred to the SRA.

The Holding

ICC Judge Mullen criticised the failure to verify AI-generated legal content before submission to court. The judgment reinforced that the supervising solicitor retains full responsibility for the accuracy of all materials submitted to court, regardless of how those materials were produced. Reliance on AI without verification is not a mitigating factor — it may be an aggravating one.

The Supervision Point — More Culpable, Not Less

The principle established in Cork, reinforced by Munir, is that the supervising lawyer is not insulated from responsibility by the fact that AI produced the error. The Tribunal in Munir went further — stating that a failure to supervise and verify work which contains AI-generated errors may render the supervising lawyer more culpable than the individual who initially introduced those errors.

This is the line that should be in front of every senior partner and supervising solicitor at your firm. The governance question is not whether your fee earners are using AI. It is whether your supervision architecture is documented, enforced, and evidenced.

Pinsent Masons self-referring to the SRA is the data point that makes this concrete. This is not a regional firm with limited resources. It is one of the largest law firms in the UK. The failure was not capability — it was governance architecture.

The Closed vs Public Tool Distinction

The Governing Line from Munir

Munir establishes a distinction that must now govern every AI procurement and deployment decision at your firm. The Tribunal drew an explicit line between open-source public tools and secure closed enterprise systems.

High Risk — Privilege Waiver Exposure
Free ChatGPT (consumer tier)
Free Gemini (consumer tier)
Free Claude.ai (consumer tier)
Any public AI tool without a signed DPA
Enterprise tools with no zero data retention agreement
Personal AI accounts used on firm matters

Lower Risk — With Appropriate Safeguards
Microsoft Copilot (enterprise tier, signed DPA)
ChatGPT Enterprise (zero data retention confirmed)
Closed legal AI tools (Harvey, Luminance, Lexis+)
Any tool with contractual confidentiality and ZDR
On-premise deployments with no external data transfer

The honest caveat — which Munir leaves open — is that the middle ground is fact-sensitive. Two firms on identical enterprise plans may have different privilege positions depending on what was negotiated at contract stage. The human oversight layer is not just the quality check. It is the only person who can make a defensible judgment about whether a given tool, in a given configuration, sits inside or outside the protected circle for a specific piece of client material.

What Munir Requires — The Regulatory Obligations
Three obligations follow from the ruling. None are optional.

The Tribunal's language creates three distinct obligations for any firm that has had a lawyer upload privileged material to a public AI tool — whether or not the firm is aware it has happened.

Consider whether the incident constitutes a breach of client confidentiality requiring client notification under SRA Code Paragraph 6.3
Consider whether the conduct warrants or requires referral to the SRA under SRA Code Paragraph 7.7 — the Tribunal said "may warrant referral"
Report to the ICO as a personal data breach under UK GDPR Article 33 — the Tribunal said "must be referred" — this is mandatory, not discretionary

The Governance Gap Both Cases Expose

What Most Firms Have. What Most Firms Lack.

Both Munir and Cork expose the same structural failure. It is not a failure of capability or intention. It is a failure of accountability architecture.

What most firms have built: An AI acceptable use policy. Possibly a list of approved tools. A general instruction to staff not to upload client data to public AI. Possibly a training session.

What most firms have not built: The explicit mapping from each AI system to a named individual with documented human oversight obligations. A written protocol specifying what review must happen before any AI-generated content touches client work, goes to court, or reaches a regulator. An audit trail demonstrating that review happened on specific matters. A vendor due diligence record confirming the data handling terms of every AI tool in use across the firm.

A policy tells people what is permitted. It does not tell them who is accountable when the tool produces an unexpected outcome at 11pm on a matter deadline. The firms that have resolved this have done one thing differently — they have treated AI governance ownership as a named role with a mandate, not a shared responsibility that belongs to everyone and therefore nobody.

The Ten-Point Governance Response

What Your Firm Needs to Do Now

01 · Audit your AI tool inventory immediately
Identify every AI tool in use across the firm — including tools used by individual fee earners without firm authorisation. Shadow AI is the governance gap you cannot see until it becomes a Munir incident.

02 · Classify every tool as open or closed
Apply the Munir distinction. Every tool in your inventory must be classified as public (privilege risk) or closed enterprise (lower risk with appropriate safeguards). Anything in the public category must be restricted from use on client matters immediately.

03 · Obtain and review vendor DPAs for every approved tool
A contractual confidentiality commitment is not the same as zero data retention. Review what your vendor DPAs actually say about data retention, training use, and third-party access. The privilege position turns on what was negotiated, not what the vendor's marketing material says.

04 · Name a governance owner for each AI deployment
In response to both Cork and Munir, the supervising lawyer is the named individual. But at firm level, name a partner or senior manager as AI governance owner with documented accountability for each tool in use. This is the SMCR equivalent for law firms — named accountability, documented mandate.

05 · Write and deploy a human review protocol for AI outputs
Cork happened because AI-generated content went to court without adequate verification. Write a specific, named protocol — not a general policy — specifying what human review must happen before AI output reaches a client, a court, or a regulator. Name the reviewer. Specify the standard.

06 · Update client disclosure language in engagement letters
The SRA's AI guidance requires disclosure. Munir makes the confidentiality consequence of non-disclosure concrete. Your engagement letter must tell clients whether AI will be used on their matter, which tools, and what safeguards are in place. This is not optional from August 2, 2026.

07 · Establish an AI incident reporting process
Munir creates mandatory ICO notification obligations for privilege breaches involving personal data. Your firm needs a written process for identifying, escalating, and reporting AI incidents — with named responsibility at each stage and a 72-hour ICO notification clock running from discovery.

08 · Train all fee earners on the Munir distinction
Your supervision obligations require documented training. Every fee earner needs to understand the difference between public and closed AI tools and the privilege consequence of the former. Training records are your evidence of compliance if the SRA asks.

09 · Brief the partnership on Cork — specifically the supervision point
The supervising partner may be more culpable than the junior who made the error. Every partner who supervises fee earners using AI needs to understand this and have a documented supervision protocol that reflects it. This is a partnership-level governance obligation, not a technology question.

10 · Document everything and maintain an audit trail
The SRA's test is not whether you have the right intentions. It is whether you can evidence deliberate governance. Document your tool inventory, your vendor DPA reviews, your training records, your review protocols, and your incident response process. The audit trail is your defence.

Published by Ronke Jegede

Founder of Cardinal AI Systems. AI Governance Architect. 30 years of corporate governance, LLB in Law, Harvard Business School Leadership, and Oxford Saïd AI Governance. Over 40 live AI platforms deployed across government, financial services, healthcare, legal, oil and gas, and enterprise — many under NDA. SovereignBrief is published for UK law firms and regulated organisations navigating AI governance.
