Blab AI
Federal Courts Tighten Protective Orders to Guard Confidential Discovery from Generative AI
Between July 2025 and March 2026, five federal district courts issued or analyzed protective‑order language that specifically limits the use of generative artificial‑intelligence (AI) platforms with confidential discovery materials. These rulings signal that courts no longer view AI‑specific provisions as optional; they are becoming standard practice in litigation.
The cases illustrate four distinct approaches that courts have adopted to address the risk that confidential documents could be uploaded to AI tools that retain user inputs, use them for training, or share them with third parties.
Model 1 – Blanket Prohibition In Fiorito v. Metropolitan Council, 2025 WL 1806612 (D. Minn. July 1 2025), the court entered a protective order that bars any party from uploading or disclosing confidential data to any generative AI platform, including ChatGPT. The language is short and clear, but it treats all generative AI tools the same, regardless of whether the platform stores data, trains on it, or shares it. The result is that parties cannot use even enterprise‑grade tools that contractually prohibit data retention. The advantage is that the rule is unambiguous and easy to enforce.
Model 2 – Data‑Rights Approach The United States v. Jackson, 2025 WL 1666249 (W.D. Wash. June 12 2025), and United States v. Navarro Hernandez, 2025 WL 3290753 (W.D. Wash. Nov 26 2025), introduced a protective‑order framework that focuses on the rights the AI provider retains. The order states that protected material may not be loaded into an AI tool unless the provider has expressly agreed to be bound by the order. This approach applies to all AI tools, not just generative ones, and shifts the inquiry from the platform’s nature to the contractual relationship. It is well suited to criminal cases where the volume of material is manageable and the stakes of data exposure are high.
Model 3 – Contractual Safeguards Approach In Morgan v. V2X, 2026 WL 864223 (D. Colo. Mar 30 2026), the court rejected the parties’ proposals and entered its own language. The order bars any party from inputting confidential information into an AI platform unless the provider has contractual commitments that: (1) prohibit storing or using inputs to train the model; (2) restrict disclosure to third parties except when essential for service delivery; (3) bind any third party to no less protective obligations; and (4) allow the user to delete all confidential data upon request. The court required parties to keep written documentation of these contractual protections. The order effectively excludes most low‑cost consumer AI tools and aligns with enterprise‑grade agreements.
Model 4 – Notice‑and‑Secure‑Environment Approach Jeffries v. Harcros Chemicals Inc., 2026 WL 820218 (D. Kan. Mar 25 2026), adopted the most comprehensive framework. The protective order requires a party to: (1) provide notice and an opportunity to object before using an AI tool; (2) use the tool only in a secure environment and prevent training on confidential data; (3) destroy any data used to train the tool at the end of litigation; and (4) delete all confidential data from the tool. The court expanded the restrictions to all discovery materials, not just confidential ones, citing the impracticality of retrieving data from open AI tools and potential GDPR violations. The notice requirement gives opposing parties a chance to challenge the specific AI tool before it touches any material.
Practical Implications for Litigators The rulings underscore that courts will impose AI restrictions even if parties do not raise the issue. Practitioners are advised to: (1) proactively propose AI‑specific language, ideally using Model 3 as a baseline; (2) audit existing protective orders for gaps, since many pre‑2025 orders lack AI language; (3) maintain a compliance record that documents every AI platform used, the contractual protections in place, and the date of use; and (4) consider hybrid approaches—applying Model 3 to confidential documents while adding Model 4’s notice requirement for trade secrets or GDPR‑subject materials.
Conclusion The four models illustrate a spectrum of protective‑order strategies, from the blunt blanket ban to the nuanced contractual safeguards and the procedural safeguards of the notice approach. Courts are increasingly treating AI‑related disclosure risks as a core litigation concern, and the trend is likely to continue as generative AI tools become more prevalent in document review and discovery. Litigators must stay abreast of these developments and incorporate AI‑specific provisions into protective orders to avoid inadvertent data exposure.
The cases illustrate four distinct approaches that courts have adopted to address the risk that confidential documents could be uploaded to AI tools that retain user inputs, use them for training, or share them with third parties.
Model 1 – Blanket Prohibition In Fiorito v. Metropolitan Council, 2025 WL 1806612 (D. Minn. July 1 2025), the court entered a protective order that bars any party from uploading or disclosing confidential data to any generative AI platform, including ChatGPT. The language is short and clear, but it treats all generative AI tools the same, regardless of whether the platform stores data, trains on it, or shares it. The result is that parties cannot use even enterprise‑grade tools that contractually prohibit data retention. The advantage is that the rule is unambiguous and easy to enforce.
Model 2 – Data‑Rights Approach The United States v. Jackson, 2025 WL 1666249 (W.D. Wash. June 12 2025), and United States v. Navarro Hernandez, 2025 WL 3290753 (W.D. Wash. Nov 26 2025), introduced a protective‑order framework that focuses on the rights the AI provider retains. The order states that protected material may not be loaded into an AI tool unless the provider has expressly agreed to be bound by the order. This approach applies to all AI tools, not just generative ones, and shifts the inquiry from the platform’s nature to the contractual relationship. It is well suited to criminal cases where the volume of material is manageable and the stakes of data exposure are high.
Model 3 – Contractual Safeguards Approach In Morgan v. V2X, 2026 WL 864223 (D. Colo. Mar 30 2026), the court rejected the parties’ proposals and entered its own language. The order bars any party from inputting confidential information into an AI platform unless the provider has contractual commitments that: (1) prohibit storing or using inputs to train the model; (2) restrict disclosure to third parties except when essential for service delivery; (3) bind any third party to no less protective obligations; and (4) allow the user to delete all confidential data upon request. The court required parties to keep written documentation of these contractual protections. The order effectively excludes most low‑cost consumer AI tools and aligns with enterprise‑grade agreements.
Model 4 – Notice‑and‑Secure‑Environment Approach Jeffries v. Harcros Chemicals Inc., 2026 WL 820218 (D. Kan. Mar 25 2026), adopted the most comprehensive framework. The protective order requires a party to: (1) provide notice and an opportunity to object before using an AI tool; (2) use the tool only in a secure environment and prevent training on confidential data; (3) destroy any data used to train the tool at the end of litigation; and (4) delete all confidential data from the tool. The court expanded the restrictions to all discovery materials, not just confidential ones, citing the impracticality of retrieving data from open AI tools and potential GDPR violations. The notice requirement gives opposing parties a chance to challenge the specific AI tool before it touches any material.
Practical Implications for Litigators The rulings underscore that courts will impose AI restrictions even if parties do not raise the issue. Practitioners are advised to: (1) proactively propose AI‑specific language, ideally using Model 3 as a baseline; (2) audit existing protective orders for gaps, since many pre‑2025 orders lack AI language; (3) maintain a compliance record that documents every AI platform used, the contractual protections in place, and the date of use; and (4) consider hybrid approaches—applying Model 3 to confidential documents while adding Model 4’s notice requirement for trade secrets or GDPR‑subject materials.
Conclusion The four models illustrate a spectrum of protective‑order strategies, from the blunt blanket ban to the nuanced contractual safeguards and the procedural safeguards of the notice approach. Courts are increasingly treating AI‑related disclosure risks as a core litigation concern, and the trend is likely to continue as generative AI tools become more prevalent in document review and discovery. Litigators must stay abreast of these developments and incorporate AI‑specific provisions into protective orders to avoid inadvertent data exposure.
