Here's the claim I want to make, and it's a pretty direct one: if you're an attorney, a CPA, or an independent consultant using ChatGPT or Notion AI to work through client matters, your client's information is sitting in someone else's infrastructure right now. Not in a "they're reading it" sense. In the literal "a copy exists on servers you do not control and cannot audit" sense.
I'm not writing this to scare anyone. I'm writing it because I built a tool, Advisor Prep Hero, that's premised on the opposite arrangement, and I want to explain why that arrangement is the right one for professionals who actually have confidentiality obligations attached to what they do every day.
The term "local-first" gets thrown around loosely. Some people use it to mean "works offline." Some people use it to mean "the cache is local but the source of truth is the cloud." The definition I'm using here is the strict one from the original Ink & Switch paper (Kleppmann et al., "Local-first software: you own your data, in spite of the cloud", 2019): your data lives on your device, in a format you control, and the network is optional.
Concretely, for a tool to be local-first:
By that definition, almost no AI tool today is local-first. Notion AI isn't. ChatGPT isn't. Claude.ai isn't. Reflect, Tana, and Mem.ai aren't either. Cursor is local-first for the code files but not for the chat history. Obsidian is local-first for the notes but its AI features are community plugins that vary in design.
That's not a coincidence. Local-first is harder to build than cloud-first. The economics push everyone toward subscription SaaS in someone else's data center.
A regular knowledge worker losing control of their notes is inconvenient. A professional whose client information ends up in an AI vendor's infrastructure has a different kind of problem, one with professional and sometimes legal consequences attached.
The ABA issued Formal Opinion 512 in July 2024. It was the profession's first formal guidance specifically on AI confidentiality, and it's direct: attorneys must understand how an AI tool handles client data before using it. "Reasonable measures" to protect client information, which Rule 1.6 has always required, now have to account for what happens when that information passes through an AI provider's servers. The opinion doesn't ban AI. It does require practitioners to actually think through where the data goes.
That guidance landed in 2024. A lot of attorneys I've talked to hadn't seen it. If that's you, it's worth reading.
For tax preparers, CPAs, and enrolled agents, two statutes matter. IRC §6713 imposes strict-liability civil penalties of $250 for each unauthorized disclosure of client tax information, with no intent required and a $10,000 annual cap. IRC §7216 makes knowing or reckless disclosure a criminal misdemeanor. Both create disclosure risk whenever client tax information reaches a third party without the client's explicit written consent.
The question most practitioners haven't asked yet is whether pasting client tax data into a cloud-based AI tool constitutes a disclosure under §7216. The answer is honestly unsettled right now. What is settled: an architecture where client data goes to no outside server at all, like a local model, is the one where the question doesn't even arise.
I'm not a lawyer. If you're a tax professional and you're using AI tools for client work, this is worth a conversation with your own counsel. But I built Advisor Prep Hero in a way where your files never leave your machine, Advisor Prep Hero never sees them, and if you use Ollama locally, no client data touches any third-party server at all. With a cloud model (Claude, OpenAI, Gemini), your prompt goes to that provider under your own API key, not through Advisor Prep Hero. The question becomes narrower: what did you send, and to whom.
Independent consultants and boutique agencies are running into this from a different direction. NDA language around AI has gotten more specific in the last 18 months. I've seen contracts from Fortune 500 procurement teams that now include explicit clauses prohibiting the use of AI tools that process or transmit confidential information, with "process or transmit" defined broadly enough to cover cloud-based AI inference.
The first time a consultant discovers that their standard engagement NDA covers this is usually not a great moment. Local-first plus BYOK is the architecture where you can credibly say: my client's files never left my machine, Advisor Prep Hero never saw them, and if I used a local model, nothing reached any outside server. If you used a cloud model with your own key, your prompts went to that provider under your account, not through a workspace vendor who also holds your client data.
Local-first solves the data-at-rest problem: your client files, your case notes, your work product live in a folder on your hard drive, not in someone else's database. BYOK (bring your own key) addresses the data-in-motion problem by taking the tool vendor out of the request path.
BYOK means: you have your own account with Anthropic or OpenAI. You paste the API key into Advisor Prep Hero. The app stores it in your OS keychain: Keychain on Mac, Credential Manager on Windows. When you make an AI request, it goes directly from your computer to the provider's API. Advisor Prep Hero is never in that request path.
This matters because it eliminates an entire category of vendor risk. The tool vendor cannot see your AI conversations because the tool vendor never receives them. The only thing my server ever sees is your license key on activation. After that, my server has no visibility into anything you do in the app. Two caveats a careful reader should keep in mind: BYOK removes the vendor, not the model provider, so whatever retention and training terms attach to your own API account still apply to every prompt you send; and a claim about the request path is something you can verify rather than take on faith, by watching the app's outbound connections and confirming they go only to the provider's API hosts.
That's a structural guarantee, not a promise.
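As an added example (not Advisor Prep Hero's code), here is what the BYOK request path looks like when written out: the key comes from the OS keychain, the prompt goes straight to the provider over HTTPS, and the app refuses any endpoint that is not a known provider host, so a stray base-URL override in a config file cannot quietly route client data through a relay. The service name `advisor-prep-hero-example`, the model IDs, and the fallback environment variables are assumptions made for the example; the endpoints and auth headers are the providers' documented ones.

```python
"""Minimal BYOK client: key from the OS keychain, request direct to the provider,
with a host allowlist so the "direct path" cannot be redirected by configuration.
Added example; not the product's code."""
import json
import os
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Documented provider endpoints and auth headers. The allowlist derived from them
# is the security control: prompts go to these hosts or they do not go at all.
PROVIDERS = {
    "anthropic": {
        "url": "https://api.anthropic.com/v1/messages",
        "auth": lambda key: {"x-api-key": key, "anthropic-version": "2023-06-01"},
    },
    "openai": {
        "url": "https://api.openai.com/v1/chat/completions",
        "auth": lambda key: {"Authorization": f"Bearer {key}"},
    },
}
ALLOWED_HOSTS = {urlparse(p["url"]).hostname for p in PROVIDERS.values()}

# Model IDs are placeholders; real IDs change over time.
DEFAULT_MODEL = {"anthropic": "claude-3-5-sonnet-latest", "openai": "gpt-4o-mini"}


def load_api_key(provider: str) -> str:
    """Read the key from the OS keychain (Keychain / Credential Manager) via the
    third-party `keyring` package, falling back to an environment variable.
    The service name is hypothetical. The key is never written to a config file."""
    try:
        import keyring  # optional dependency; not present when the example is tested offline
        key = keyring.get_password("advisor-prep-hero-example", provider)
        if key:
            return key
    except ImportError:
        pass
    key = os.environ.get(f"{provider.upper()}_API_KEY")  # assumed fallback variable name
    if not key:
        raise RuntimeError(f"no API key for {provider} in keychain or environment")
    return key


def build_request(provider: str, api_key: str, prompt: str,
                  base_url: Optional[str] = None) -> urllib.request.Request:
    """Build the HTTPS request the app sends itself. `base_url` models an override
    from a config file; it is honored only if it still points at the provider."""
    spec = PROVIDERS[provider]
    url = base_url or spec["url"]
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(
            f"refusing to send client data to {parsed.hostname!r}: not a known provider host")
    body = {"model": DEFAULT_MODEL[provider],
            "messages": [{"role": "user", "content": prompt}]}
    if provider == "anthropic":
        body["max_tokens"] = 1024  # required by the Messages API
    headers = {"Content-Type": "application/json", **spec["auth"](api_key)}
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def destination_host(req: urllib.request.Request) -> str:
    """The one host this request will reach; there is no vendor hop in between."""
    return urlparse(req.full_url).hostname


def send(req: urllib.request.Request, timeout: float = 60.0) -> dict:
    """Perform the request (network access required) and return the parsed JSON body."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Builds the request only; `send(req)` would actually contact the provider.
    req = build_request("anthropic", load_api_key("anthropic"),
                        "Summarize the attached engagement letter.")
    print("prompt would go to:", destination_host(req))
```

The allowlist check is the part worth copying. Provider SDKs commonly let a base URL be overridden through configuration or an environment variable, which is convenient for testing and also exactly how a "direct to the provider" promise silently stops being true; pinning the host in code keeps the claim verifiable.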
I'd be lying if I said local-first has no downsides.
For a team of 50 collaborating in real time, none of this is worth it. For a solo attorney managing a 200-client practice, or a CPA doing tax season with 300 client files on their desktop, all four of those trade-offs are either inverted (the "downside" is actually a feature) or genuinely trivial.
Here's the exact situation I hear about. See if it sounds familiar.
It's a Tuesday evening. You have two hours before you need to stop. You open ChatGPT, start a fresh conversation, and work through a client matter. The AI helps you think through the relevant considerations. An hour in, you have a useful outline of the issues, the client's situation, some relevant case law you want to verify, and a draft structure for the memo.
That information is now on OpenAI's servers, associated with your account. You didn't sign a BAA or any data processing agreement with OpenAI; the consumer ChatGPT terms govern what happens to that conversation. Your engagement letter didn't contemplate this. You close the tab and try not to think about it.
That's the situation local-first is designed to prevent. Not by blocking AI. By keeping the data where it has always belonged: in your office, on your machine, under your control.
One last thing, because the takes I've seen on local-first sometimes lean Luddite.
I'm not arguing against AI. I use Claude every single day for my own work. AI is genuinely the most interesting thing that's happened to professional workflows in a decade, and I think the attorneys and CPAs who figure out how to use it well are going to have a real edge over the ones who don't.
The argument is about where the data lives, not about whether AI is involved. AI is just as useful when it's reading and writing files on your hard drive as when it's reading and writing to a cloud database. The user experience is identical. The only thing that changes is who has a copy of your client's file.
That's the case for local-first if your work is confidential. Nothing to do with being old-fashioned. Everything to do with the fact that your confidentiality obligations didn't pause when AI became useful.
See Advisor Prep Hero, the local-first AI workspace for confidential client work.
Jameson Daines builds Advisor Prep Hero on weekends and evenings around a Senior Product Designer day job. Read about the 8-week launch or get Advisor Prep Hero at advisorprephero.com.