Data Privacy

Data privacy governs how personal or sensitive information is collected, used, shared, retained, and protected. In AI systems, privacy issues arise at multiple points: when personal data is submitted in prompts to external tools, when documents are indexed in retrieval systems, when conversation logs are stored, and when data is used to train or improve models. The privacy surface of AI is wider than most organizations realize, because AI tools are often adopted informally and data flows are rarely mapped before deployment.

AI adoption tends to outpace privacy review. Employees using third-party AI tools through personal accounts, or teams procuring AI software without legal involvement, can expose confidential data, personal information, or client-protected content to external systems without data processing agreements in place. The liability follows: privacy violations don't require intent, and regulatory fines attach to the organization regardless of whether the exposure was deliberate. Privacy review isn't a compliance formality — it's how organizations find out where their data is actually going.