Privilege Containment Proxy Agent for Brisbane Firm Principals: Stop Privileged Content Leaving Your Network Before It Reaches an External Model
Your senior associate is drafting a settlement position for a Brisbane commercial dispute. She pastes a six-paragraph extract into a public AI tool to “help tighten the language” — three of those paragraphs contain the client’s reserve number, counsel’s view of evidentiary weakness, and a paragraph from a without-prejudice exchange. Nothing in the firm’s existing DLP stack flagged it because the tool is approved for general use. As the firm principal, you carry the conduct exposure. The Privilege Containment Proxy Agent is built so that content of that shape cannot reach an external model in the first place.
The problem
The Australian Solicitors’ Conduct Rules impose duties on solicitors that pre-date generative AI but apply to it without modification: Rule 9 (confidentiality), Rule 4 (acting in clients’ best interests), and the overriding duty to the court. Confidentiality is owed to the client, not to a system, and is not waived by the practitioner choosing a workflow that exposes the material to a third-party processor. Privileged content that crosses into a vendor’s training boundary — or simply into a vendor’s logs — is content the firm can no longer fully account for.
Privilege bleed across matters or firms takes several forms in day-to-day practice: prompts pasted into consumer LLM interfaces; one matter’s facts ending up as context in a chat session that later touches an adverse matter; embeddings of one client’s material informing answers given to another; and shadow use of unmanaged AI tools by lateral hires carrying habits from previous firms. None of these are caught by traditional perimeter controls because the network path is HTTPS to a permitted SaaS endpoint. The control point has to sit between the user and the model.
What the Privilege Containment Proxy Agent does
The Privilege Containment Proxy Agent is an inline proxy that sits between practitioners’ tools and external AI endpoints. Every outbound request to an external model is intercepted, inspected, and — where privileged or matter-identifying content is detected — scrubbed, blocked, or routed to an internal model before the request leaves the firm’s control boundary.
Specifically, the agent provides:
- A single egress point for AI traffic, so the firm has one auditable record of what is being sent to which model and by whom
- Detection of privileged content patterns: client identifiers, matter codes, counsel opinions, without-prejudice markers, settlement figures, and configurable firm-specific patterns
- Three response modes per detection class — redact and forward, block and notify, or reroute to an on-premise model
- A per-matter ledger of AI interactions, suitable for conflict checks and for responding to a client’s reasonable enquiry about how their material was handled
- Integration points for the firm’s existing conflict-management and matter-management systems
The agent does not generate legal content. It is a containment layer, not a drafting tool.
How it works
- Egress routing. The firm directs AI traffic — browser extensions, IDE plugins, desktop assistants, API calls from internal applications — through the proxy as the single permitted path to external model endpoints.
- Inspection. Each outbound prompt is parsed against the firm’s privilege and confidentiality classifiers, including matter-identifier lookups against the matter-management system and pattern rules for privileged content classes.
- Decision. Based on the policy configured for that user, matter, and content class, the request is forwarded as-is, scrubbed and forwarded, blocked with a notice to the user, or rerouted to an internal model that stays within the firm’s boundary.
- Logging. Every decision is written to a tamper-evident ledger keyed to the user, matter, and timestamp — available to the firm’s conflicts team and to the principal for review.
- Review. Detections flagged for human review surface in a daily queue for the firm’s risk or knowledge-management lead.
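A minimal sketch of the inspection, decision and logging steps above, added here as an illustration and not Exegesis code. The patterns, the `M-YYYY-NNNN` matter-code format, the per-class policy and all names are assumptions.

```python
import hashlib, json, re

# Constructed detection classes; a real deployment would load firm-specific rules.
RULES = {
    "without_prejudice": re.compile(r"\bwithout[\s-]+prejudice\b", re.I),
    "matter_code": re.compile(r"\bM-\d{4}-\d{4}\b"),
    "settlement_figure": re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?(?:\s?(?:million|k|m)\b)?", re.I),
}
# Assumed policy: one response mode per detection class; the strictest hit wins.
POLICY = {"without_prejudice": "block", "matter_code": "redact", "settlement_figure": "reroute"}
SEVERITY = {"forward": 0, "redact": 1, "reroute": 2, "block": 3}

def decide(prompt):
    """Return (action, outbound_text, detected_classes) for one outbound prompt."""
    hits = sorted(c for c, rx in RULES.items() if rx.search(prompt))
    action = max((POLICY[c] for c in hits), key=SEVERITY.get, default="forward")
    if action == "block":
        return action, None, hits            # nothing leaves the proxy
    if action == "redact":
        for c in hits:
            prompt = RULES[c].sub(f"[{c.upper()}]", prompt)
    return action, prompt, hits              # reroute keeps full text for the internal model

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only log; each entry commits to the hash of the entry before it."""
    def __init__(self):
        self.entries = []

    def append(self, user, matter, ts, action, classes):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "matter": matter, "ts": ts,
                "action": action, "classes": classes, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True
```

The ledger stores detection classes rather than prompt text, so the audit record does not become a second copy of the privileged material. A hash chain only detects edits if the latest hash is also kept somewhere the ledger writer cannot alter.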
Why this matters in Brisbane
Queensland adopted the ASCR in June 2012, and the rules govern conduct for solicitors practising in Brisbane. The duties of confidentiality and to act in the client’s best interests are not discretionary, and the Law Council’s ongoing review of the ASCR — including the 2026 consultation on amendments responding to new statutory obligations such as the AML/CTF regime — signals that the regulatory framework around how solicitors handle client information continues to tighten, not loosen. For a Brisbane firm principal, the practical question is not whether AI tools will be used inside the firm — they already are — but whether the firm can demonstrate, on a per-matter basis, that privileged content was contained. A proxy is one of the few architectures that produces that record before the fact rather than reconstructing it after an incident.
Sources
- Law Council of Australia — Australian Solicitors’ Conduct Rules: https://lawcouncil.au/policy-agenda/regulation-of-the-profession-and-ethics/australian-solicitors-conduct-rules
Join the waitlist
The Privilege Containment Proxy Agent is on the Exegesis Legal roadmap. We’re scoping deployment models (firm-hosted proxy, managed gateway, or hybrid with on-premise model reroute) against what principals tell us they need. Join the waitlist and the deployment shape you describe will inform the tier we build first.