145 AI Laws Were Passed in 2025. Privacy Teams Are Not Catching a Break.
Most enterprise discussions of shadow AI focus on employees using unauthorized tools. The DataGrail Privacy and AI Trends Report 2026 identifies a more fundamental problem: shadow AI embedded inside authorized enterprise software. When 63.6% of AI vendors do not disclose their third-party subprocessors, every organization using those tools has shadow AI in its environment by default — approved and active.
The practical consequence is that data governance frameworks built on the assumption that legal documentation accurately describes data flows are operating on false premises. A data processing agreement that does not name subprocessors cannot support a GDPR analysis, a HIPAA business associate agreement review, or a CMMC 2.0 assessment of information system boundaries. The organization believes it has evaluated the data processing risk. It has not.
This creates specific problems for regulated industries. A healthcare organization processing patient data through an AI tool whose subprocessors include undisclosed model training services has potentially violated HIPAA without any indication a violation occurred. A defense contractor routing CUI through an AI system with undisclosed subprocessors may have crossed CMMC boundaries without any alert triggering. The risk is invisible precisely because the vendor chose not to disclose it. Data privacy due diligence needs to explicitly ask about AI subprocessors and require contractual representations that the answer is complete.
5 Key Takeaways
1. U.S. state legislatures enacted 145 AI-related laws in 2025 — with 1,000+ bills introduced or revised.
Privacy teams absorbing headcount reductions of up to 33% are simultaneously navigating a regulatory pace no manual compliance program was designed to sustain. Each new law creates new data subject rights, new documentation requirements, and in many cases a private right of action adding litigation exposure independent of regulatory enforcement. The compliance function is not failing to keep up — it is being asked to do fundamentally more with fundamentally less.
2. 63.6% of AI vendors hide their third-party subprocessors.
Of 2,400 business software providers advertising AI capabilities, nearly two-thirds do not disclose AI subprocessors in their legal documentation. Organizations using these products deploy AI systems routing data through undisclosed parties — with no visibility into where that data goes, what models it trains, or what retention policies apply. This is shadow AI at the vendor level, active inside tools legal and procurement teams explicitly approved. Data governance due diligence must explicitly ask vendors to enumerate every AI subprocessor.
3. 32.8% of AI systems participate in at least one high-risk activity.
Sensitive data processing and automated decision-making trigger heightened requirements under the EU AI Act and emerging U.S. state laws. A substantial portion of enterprise AI deployments already triggers those requirements under multiple active frameworks — yet most organizations have not formally assessed which category their deployments fall into.
4. 42% of companies abandoned AI projects in 2025 due to privacy concerns.
Organizations without a governed AI infrastructure that enforces compliance requirements at the data layer face a binary choice: deploy without compliance, or don’t deploy. Forty-two percent chose not to deploy. A governed AI channel — policy-enforced pathways where every data movement is logged, every subprocessor is known, and every access decision is attributable — turns that binary into a third option: proceed and be defensible.
5. California’s 2028 attestation requirement introduces personal criminal exposure for executives.
Privacy risk assessments filed under penalty of perjury shift compliance accountability from organizational budgets to individual careers. Any attestation filed under this framework must accurately describe actual AI data flows — including subprocessors. Organizations whose AI vendors are in the 63.6% that hide subprocessors will find it very difficult to sign an accurate attestation. GDPR frameworks have operated with similar accountability through DPIA requirements for years; U.S. executives are now being held to a comparable standard.
What Data Compliance Standards Matter?
The Regulatory Acceleration and What It Requires
145 laws in a single calendar year is a pace most compliance programs were not designed to sustain. Each new law creates new data subject rights, new compliance obligations, new documentation requirements, and in many cases private rights of action creating litigation exposure independent of regulatory enforcement.
U.S. state data privacy laws are now the primary driver of domestic compliance complexity for organizations outside heavily regulated federal sectors. California, Texas, Colorado, Virginia, and Connecticut have enacted comprehensive privacy frameworks with distinct requirements around automated decision-making, sensitive data processing, and consumer rights. The DataGrail finding that 32.8% of AI systems participate in at least one high-risk activity means a substantial portion of enterprise AI deployments already triggers heightened requirements under multiple active frameworks.
California’s 2028 attestation requirement raises stakes substantially. A privacy impact assessment filed with executive attestation under penalty of perjury needs to accurately reflect actual AI data flows — including the subprocessors 63.6% of vendors are not disclosing. GDPR established this model years ago through DPIA requirements. U.S. regulators are now adopting the same logic.
The $1.5 Million Manual Processing Problem
The DataGrail finding that mid-sized companies spend $1.5 million annually on manual data subject request handling describes a structural inefficiency that compounds as the number of applicable laws grows. Each new law creating consumer rights — access, deletion, correction, portability, opt-out — adds to the volume of requests organizations must process. Each new jurisdiction adds to the population of consumers who can exercise those rights.
Governed AI deployment changes this calculation. When AI interactions route through a policy-enforced channel, the audit log recording those interactions becomes the data subject request response infrastructure. An organization that can show exactly what data was processed by which AI system, under which policy authorization, for which business purpose, can respond to access and deletion requests without manual reconstruction. Data minimization policies enforced at the AI data access layer reduce the volume of personal data entering AI workflows in the first place — shrinking the scope of what must be disclosed or deleted in response to consumer requests.
The Kiteworks AI Data Gateway enforces both the policy controls and the logging that turn compliance response from a labor-intensive manual process into an operational capability.
Building an AI Compliance Program That Handles 145 Laws
No privacy team can individually track 145 laws plus 1,000+ pending bills and run manual compliance processes for each. Organizations managing this environment treat AI compliance as an infrastructure problem, not a legal research problem. The underlying requirements — data minimization, access control, processing transparency, audit logging — are common across nearly all privacy frameworks. An AI governance infrastructure enforcing these requirements uniformly satisfies multiple laws simultaneously.
Privacy by design applied to AI means building governance controls into the deployment architecture before sensitive data enters the system. ABAC enforcement within an AI deployment provides the access control layer — ensuring AI systems can only reach data they are authorized to process under conditions aligned with applicable regulatory requirements. For organizations subject to GDPR, AI data access is bounded by lawful basis and data minimization requirements. For organizations under CMMC 2.0, AI data access is bounded by CUI handling requirements. The same ABAC infrastructure serves both.
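The two ideas in the paragraphs above, an ABAC gate that bounds what an AI system may read and an audit log that later answers data subject requests, can be sketched in a few dozen lines. The following is an added illustration written for this article; it is not Kiteworks code and does not describe the AI Data Gateway's implementation. The policy names, the attribute set on AccessRequest, the purpose-to-data-class table, and the sample requests are all constructed assumptions chosen to mirror the GDPR and CMMC cases the text mentions.

```python
"""Hypothetical ABAC gate for AI data access whose audit log doubles as
data-subject-request evidence. Added example, not the vendor's own code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List


@dataclass(frozen=True)
class AccessRequest:
    principal: str                 # identity of the AI system asking for data
    data_class: str                # constructed classes: "PHI", "CUI", "PII", "public"
    data_subject: str              # pseudonymous id of the person the record is about
    purpose: str                   # declared business purpose (lawful-basis proxy)
    region: str                    # where the model endpoint runs
    subprocessor_disclosed: bool   # vendor has enumerated its AI subprocessors


@dataclass
class Decision:
    allowed: bool
    reason: str                    # recorded verbatim in the audit log


Policy = Callable[[AccessRequest], Decision]


def deny_undisclosed_subprocessors(req: AccessRequest) -> Decision:
    # Mirrors the article's point: an unevaluated subprocessor is shadow AI by default.
    if not req.subprocessor_disclosed:
        return Decision(False, "vendor has not enumerated AI subprocessors")
    return Decision(True, "subprocessors disclosed")


def bind_sensitive_data_to_purpose(req: AccessRequest) -> Decision:
    # Constructed purpose table standing in for lawful-basis / minimization rules.
    allowed = {"PHI": {"treatment", "care-coordination"},
               "CUI": {"contract-performance"},
               "PII": {"customer-support", "fraud-detection"}}
    if req.data_class in allowed and req.purpose not in allowed[req.data_class]:
        return Decision(False, f"purpose {req.purpose!r} not permitted for {req.data_class}")
    return Decision(True, "purpose matches data class")


def keep_regulated_data_in_region(req: AccessRequest) -> Decision:
    # Assumed boundary condition for PHI and CUI: model endpoint must be in-region.
    if req.data_class in {"PHI", "CUI"} and req.region != "us":
        return Decision(False, f"{req.data_class} may not leave the US region")
    return Decision(True, "region acceptable")


POLICIES: List[Policy] = [deny_undisclosed_subprocessors,
                          bind_sensitive_data_to_purpose,
                          keep_regulated_data_in_region]


@dataclass
class Gateway:
    policies: List[Policy] = field(default_factory=lambda: list(POLICIES))
    audit_log: list = field(default_factory=list)

    def authorize(self, req: AccessRequest) -> Decision:
        """Evaluate every policy; the first denial wins. Every outcome is logged."""
        for policy in self.policies:
            decision = policy(req)
            if not decision.allowed:
                self._record(req, decision)
                return decision
        decision = Decision(True, "all policies satisfied")
        self._record(req, decision)
        return decision

    def _record(self, req: AccessRequest, decision: Decision) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": req.principal, "data_class": req.data_class,
            "data_subject": req.data_subject, "purpose": req.purpose,
            "region": req.region, "allowed": decision.allowed,
            "reason": decision.reason})

    def subject_access_report(self, data_subject: str) -> list:
        """Answer an access request from the log instead of reconstructing it by hand."""
        return [e for e in self.audit_log
                if e["data_subject"] == data_subject and e["allowed"]]


def run_demo() -> Gateway:
    """Constructed sample traffic: one permitted read and three distinct denials."""
    gw = Gateway()
    gw.authorize(AccessRequest("summarizer-bot", "PHI", "subject-1042", "treatment", "us", True))
    gw.authorize(AccessRequest("summarizer-bot", "PHI", "subject-1042", "marketing", "us", True))
    gw.authorize(AccessRequest("vendor-x-model", "PII", "subject-1042", "customer-support", "eu", False))
    gw.authorize(AccessRequest("vendor-y-model", "CUI", "subject-7", "contract-performance", "eu", True))
    return gw


if __name__ == "__main__":
    gateway = run_demo()
    for entry in gateway.audit_log:
        print(entry["principal"], entry["data_class"], entry["allowed"], entry["reason"])
    print("access report for subject-1042:", gateway.subject_access_report("subject-1042"))
```

The design choice worth noting is that denials are logged with the same detail as grants: a data subject request answered from this log can show not only which AI system processed a person's data and why, but also which attempts were refused, which is the evidence an attestation or a regulator inquiry would ask for.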
Regulatory compliance at the speed of 145 laws per year requires automation, not additional headcount. Organizations that build that automation into their AI governance architecture now will have a structural advantage as the regulatory pace continues.
To learn more about protecting sensitive data in an AI world, schedule a custom demo today.
Frequently Asked Questions
More than six in ten AI-capable software products may route your organization’s data through third-party AI services not named in their privacy policies or data processing agreements. Under GDPR, processing records must include subprocessors and DPAs must bind them to equivalent data protection standards. If a vendor has not disclosed a subprocessor, you cannot have evaluated it. Data governance due diligence must explicitly ask vendors to enumerate every AI subprocessor and obtain contractual representations that the disclosure is complete.
Executive attestation under penalty of perjury moves compliance accountability from organizational to individual level — creating potential personal criminal exposure for executives who sign inaccurate attestations. Any assessment filed under this framework must accurately describe actual AI data flows, including subprocessors. Organizations whose AI vendors are in the 63.6% that hide subprocessors will find it very difficult to sign an accurate attestation. Privacy impact assessments are no longer administrative formalities.
The 42% abandonment rate reflects a structural gap: organizations that had AI capabilities they wanted to deploy but could not satisfy applicable compliance requirements without governed infrastructure. Organizations without a governed AI channel face a binary choice — deploy without compliance or don’t deploy. A governed channel with policy enforcement, complete subprocessor transparency, and comprehensive audit trails provides the third option: proceed in a way that is actually defensible under applicable law.
By treating it as an infrastructure problem, not a legal research problem. Documented data flows, enforceable access controls, data minimization, and audit trails are common across essentially all modern privacy frameworks. AI governance infrastructure enforcing these requirements uniformly satisfies multiple laws simultaneously. Audit logs capturing every AI data access event provide the evidentiary foundation for data subject request responses and regulatory inquiries, reducing the per-request cost of manual handling to near zero.
At minimum: a governed data access channel enforcing policy conditions before AI systems read or write sensitive data; comprehensive audit logging of every AI interaction; data minimization controls preventing AI access beyond task requirements; a complete AI subprocessor inventory with contractual data protection commitments; and a process for data subject requests using the audit log as evidence. The Kiteworks AI Data Gateway and Compliant AI framework provide this as an integrated platform rather than point solutions requiring custom integration.
Additional Resources
- Zero-Trust Strategies for Affordable AI Privacy Protection - Blog Post
- How 77% of Organizations Are Failing at AI Data Security - Blog Post
- AI Governance Gap: Why 91% of Small Companies Are Playing Russian Roulette with Data Security in 2025 - eBook
- There’s No “--dangerously-skip-permissions” for Your Data - Blog Post
- Regulators Are Done Asking Whether You Have an AI Policy. They Want Proof It Works. - Blog Post