For Saudi audit, law & professional firms

Can a Saudi law firm use AI on client matters without breaching confidentiality?

Ithbat guide·Arabic-first·Built in Saudi Arabia
Quick answer

Yes — but only if the firm controls where matter content actually goes. Feeding client files, pleadings, or deal documents into public AI tools sends that data to third-party servers outside the firm's control, which sits uneasily with a lawyer's professional secrecy duties and PDPL. The safer path is automatic classification: keep sensitive matter content in-house, and allow general drafting or research on approved cloud AI under firm policy.

Why this question lands harder for a law firm than most businesses

A matter file is often the single most sensitive category of information a business ever creates about itself: draft deal terms before signing, dispute strategy before it is disclosed, IP filings before a priority date, and personal or family matters a client never intended anyone outside the file to see. A lawyer's duty of confidentiality toward client matters is not an internal policy nicety — it is the basis on which a client hands over information they would not give anyone else. That is why the question of using AI on a matter feels heavier for a law firm than for a marketing team drafting a social post, and it deserves a more careful answer than a simple yes or no.

What AI is good at in legal work — and where it still needs a lawyer

Used well, AI genuinely speeds up parts of legal work:

What it is not good at is the part that actually makes someone a lawyer. Legal judgment and the authority to advise a client stay with the lawyer, not the tool. Citations, case references, and statutory detail an AI produces can be wrong or invented outright, so nothing reaches a client or a counterparty without the lawyer checking it against the real source. And AI has no way to weigh the specific facts of a matter the way the lawyer responsible for it does — it can draft around a fact pattern, but it cannot own the judgment call.

What actually happens when a matter document goes into a public AI tool

When a lawyer pastes a contract, a client's personal details, or a dispute summary into a consumer AI chat tool to save time, that content leaves the firm's premises and is processed on a third party's servers, usually outside the Kingdom, under terms the firm did not negotiate and does not control. Depending on the tool, that content may be retained, used to improve the provider's models, or accessible to the provider's own staff. None of that requires bad intent from anyone — it usually happens because a deadline makes the fastest tool the one that gets used. But it is difficult to reconcile with a lawyer's duty of confidentiality toward client matters, and it raises precisely the cross-border-transfer and third-party-access questions that Saudi Arabia's Personal Data Protection Law (PDPL) exists to address.

The pattern firms actually discover: it is rarely one dramatic incident. More often, a firm learns after the fact that several lawyers had already been pasting client documents into public AI tools for months — not because anyone approved it, but because it was the fastest option under deadline pressure.

A workable framework: classify first, decide second

The realistic answer sits between two failed extremes. Banning AI outright tends to push its use underground, where the firm has no visibility at all. Allowing it without limits creates exactly the confidentiality exposure described above. The framework that actually holds up in practice has three parts:

Per-matter confidentiality evidence as a client-trust asset

Corporate clients are increasingly asking their outside counsel how AI is used on their matters, not just whether it is used at all. A firm that can only assert it doesn't use AI on sensitive files is asking the client to take that assurance on faith. A firm that can show, per matter, where content was actually processed turns the same question into a point of differentiation rather than a risk to manage defensively.

How Ithbat applies this framework

Ithbat is an on-premise AI gateway that installs on hardware the firm already owns and runs Arabic-first models locally. It classifies every prompt before processing it, checking for Saudi-sensitive indicators — national ID or Iqama numbers, IBAN, VAT and commercial registration numbers, phone and email details, client financial records, and related Arabic and English keywords. Anything flagged as sensitive is kept and served on the firm's own hardware and is never offered to a cloud provider; that is a hard guard built into the system, not a setting a lawyer can turn off under deadline pressure. Non-sensitive, everyday prompts can still be routed to an approved frontier cloud AI on the firm's own account when that is useful, and both paths are governed and logged.

Every inference — whether handled locally or routed to the cloud — produces a hash-chained, tamper-evident evidence record. Only metadata about that record reaches the coordinator dashboard; the actual prompt, response, and any cloud API keys never leave the firm's node. Rolled up per matter, this becomes a bilingual Client Confidentiality Assurance report mapped to PDPL and NDMO concepts, which a firm can share when a client asks how a matter was handled. Because sensitive content is processed on-premise inside Saudi Arabia rather than transferred elsewhere, this is designed for PDPL alignment by construction — formal certification is still completed with the firm's own assessor.

Frequently asked questions

Is it a breach of confidentiality to use ChatGPT for legal work in Saudi Arabia?
It depends what goes into it. Using a public AI tool for general drafting or research generally isn't the concern; pasting a client's matter file, personal data, or deal terms into it sends that content to third-party servers the firm doesn't control, which is difficult to reconcile with a lawyer's duty of confidentiality and with PDPL's rules on where personal data goes.
What client information should never go into a public AI tool?
As a working rule: anything that identifies a client (national ID or Iqama number, contact details, CR or VAT numbers), and anything describing the substance of a matter — deal terms, dispute facts, IP details, financial records. General legal research or a non-matter drafting task doesn't carry the same risk.
Can lawyers use AI for legal research and drafting at all?
Yes — first-draft clauses, correspondence, summarizing long documents, and general research are exactly where AI is useful in legal work. The lawyer still has to verify anything AI produces, especially citations and statutory references, since these can be wrong or fabricated.
How can a law firm show a client that AI wasn't used on their sensitive matter content?
By keeping a record, not just a policy. A system that classifies every prompt automatically and logs, per matter, where content was processed and whether anything left the firm's infrastructure gives a firm something concrete to show a client who asks, rather than a verbal assurance.
Does Saudi PDPL specifically ban lawyers from using AI?
No — PDPL doesn't ban AI use. It governs how personal data is processed and transferred, including cross-border transfer and third-party access. Those are exactly the questions that arise when matter content containing personal data goes into a public AI tool hosted outside the firm's control, which is why keeping sensitive processing on infrastructure the firm controls inside Saudi Arabia is the practical way to align with it.

See where your firm stands — in 60 seconds

Take the free self-check to see your client-confidentiality exposure band instantly. No sign-up needed to see your result.