Security & Technology · Legal

Privilege is now a security control, not a header.

Tokto puts every prompt your attorneys, paralegals, and contract reviewers run, every model output that touches a matter, and every vendor co-pilot inside your DMS under one auditable trail the bar, the court, and the client can read.

What keeps you up at night

The court asks for the AI history behind a motion that cited three cases that do not exist. The associate produced it in Copilot. The DMS has no log. The model vendor's retention is 30 days. The state bar opens a parallel inquiry.

  • Every prompt and model output tied to a matter, an attorney, a client, a model version, and a privilege designation.
  • A single audit log that satisfies the state bar, the trial court, the client GC, and the malpractice carrier on the same evidence.
  • Policy applied at the prompt: privilege protected, client identifiers redacted, ethical walls enforced before tokens leave the boundary.
  • Defensibility under Rule 11, state bar discipline, malpractice, and client audit at once.

  • An associate runs research through a public LLM. The brief cites three hallucinated cases. The firm is named in the court's sanctions order along with the lawyer.
  • A model is prompt-injected through a hostile motion attachment. CamoLeak-class loss of work product before anyone reads the log.
  • A DMS integration with an outside AI tool quietly shares matter content across the wrong ethical wall. The conflict surfaces in discovery.
  • The judge orders disclosure of every AI tool used in the matter. The firm cannot produce a list.

Tokto sits at the AI control plane of the firm. Every co-pilot used by an associate, every research query against an outside model, every contract analysis run through a vendor SaaS becomes a record at the moment of output. The record carries the prompt, the policy applied, the model version, the matter, the attorney, the client, and the privilege designation active that day.

When a judge asks how an AI-cited case was verified, when the state bar asks how a client's data was governed, when the malpractice carrier asks what ethical wall was applied, the answer is one query against the system of record. The CISO no longer has to reconstruct it from a screenshot.
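The control plane described above, reduced to its mechanics as an added illustration (this is constructed example code, not Tokto's product or API): a gateway that enforces the ethical wall and redacts client identifiers before a prompt leaves the boundary, then writes an audit record carrying the prompt hash, the policy applied, the model version, the matter, the attorney, the client and the privilege designation. The ethical-wall table, the redaction patterns, the model version string and the hash chain linking records are assumptions chosen for the example; the "list every AI tool used in this matter" question is answered by one query over the log.

```python
"""Hypothetical prompt gateway: policy applied at the prompt, audit record at output.
Constructed example, not Tokto's code. All names, patterns and values are invented."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed ethical-wall table: attorney -> matters that attorney is walled off from.
ETHICAL_WALLS = {"a.lee": {"M-2024-017"}}

# Constructed client-identifier patterns redacted before any token leaves the boundary.
CLIENT_ID_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bACME Holdings\b"), "[CLIENT]"),
]


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class AuditRecord:
    ts: str
    matter: str
    attorney: str
    client: str
    tool: str
    model_version: str
    privilege: str
    policy_applied: list
    prompt_hash: str      # hash only; the prompt body stays in the DMS under the same privilege designation
    output_hash: str
    decision: str
    prev: str             # digest of the previous record (assumption: records form a hash chain)

    def digest(self):
        return sha256(json.dumps(asdict(self), sort_keys=True))


class EthicalWallViolation(Exception):
    pass


def redact(prompt):
    """Apply client-identifier redaction; return (clean prompt, list of policies applied)."""
    applied = []
    for pattern, label in CLIENT_ID_PATTERNS:
        prompt, n = pattern.subn(label, prompt)
        if n:
            applied.append(f"redact:{label}:{n}")
    return prompt, applied


class PromptGateway:
    def __init__(self, send_to_model):
        self.send_to_model = send_to_model   # callable(prompt) -> output; stands in for the outside model
        self.log = []                        # append-only trail (in memory for the example)

    def _record(self, **fields):
        prev = self.log[-1].digest() if self.log else "0" * 64
        rec = AuditRecord(ts=datetime.now(timezone.utc).isoformat(), prev=prev, **fields)
        self.log.append(rec)
        return rec

    def run(self, *, matter, attorney, client, tool, model_version, privilege, prompt):
        common = dict(matter=matter, attorney=attorney, client=client, tool=tool,
                      model_version=model_version, privilege=privilege,
                      prompt_hash=sha256(prompt))
        # The ethical wall is checked first: a blocked prompt never reaches the model,
        # but the attempt is still written to the trail.
        if matter in ETHICAL_WALLS.get(attorney, set()):
            self._record(policy_applied=["ethical_wall"], output_hash="",
                         decision="blocked", **common)
            raise EthicalWallViolation(f"{attorney} is walled off from {matter}")
        clean_prompt, policy = redact(prompt)
        policy.append(f"privilege:{privilege}")
        output = self.send_to_model(clean_prompt)
        self._record(policy_applied=policy, output_hash=sha256(output),
                     decision="allowed", **common)
        return output

    def tools_used(self, matter):
        """Answer 'list every AI tool used in this matter' with one query over the log."""
        return sorted({r.tool for r in self.log
                       if r.matter == matter and r.decision == "allowed"})

    def verify_chain(self):
        """True if no record has been altered or removed since it was written."""
        expected = "0" * 64
        for rec in self.log:
            if rec.prev != expected:
                return False
            expected = rec.digest()
        return True
```

The gateway records the blocked attempt as well as the allowed call, so a wall violation shows up in the same trail a court or bar inquiry would read; `verify_chain` is what lets the firm show that the trail itself was not edited after the fact.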