What the GAO Says About Privacy Tech for Safer AI: A User’s Guide

If you use ChatGPT, Gemini, or any other generative AI tool, you’ve probably wondered what happens to your data. It’s a fair concern. These services often send your prompts to remote servers, and that information can be used to retrain models – or worse, mishandled.

In May 2026, the U.S. Government Accountability Office (GAO) released a report that addresses exactly this problem. The GAO’s conclusion: privacy-enhancing technologies (PETs) are essential for making AI adoption safer without sacrificing the benefits of the tools. The report confirms what some security researchers have been saying: that techniques like differential privacy and federated learning can meaningfully reduce the risk of exposing personal data.

Here’s what the GAO found, what it means for you, and how you can use this information to choose safer AI tools.

What happened

The GAO was asked to evaluate how federal agencies can adopt AI while protecting privacy. In its report, it identified several PETs that can help – and argued that these should be a standard part of AI deployment. The report highlighted three core technologies:

  • Differential privacy – a mathematical framework that adds calibrated noise to data so that no single person’s information can be identified in the output.
  • Federated learning – a method where a model is trained across many devices holding local data, without that data ever leaving the device.
  • Encrypted computation (including homomorphic encryption and secure multi-party computation) – which allows processing on encrypted data.

These aren’t theoretical. Major companies already deploy some of them. Apple uses differential privacy in its keyboard suggestions and health data. Google uses federated learning in Gboard. But many AI chatbots still operate on a simpler – and riskier – model: collect everything, process centrally, and promise not to misuse it.

Why it matters

When you type a question into a public AI tool, that text usually travels to a data center. The company may store it, analyze it, and use it to improve its models. Even if the company says it “anonymizes” your data, anonymity is often weaker than people think.

PETs change that. With differential privacy, the model learns patterns from your data without learning anything specific about you. With federated learning, your data never leaves your phone or computer. Those are big differences for anyone concerned about privacy breaches, identity theft, or just the creepiness of having your conversations analyzed.

The GAO’s endorsement matters because it sets a standard. Agencies that adopt AI will now have a benchmark for what “safe” means. And consumers can start asking: does this tool use any of these technologies?

What readers can do

You don’t need to become a privacy engineer to make smarter choices. Here are practical steps:

  1. Check the privacy policy. Look for terms like “differential privacy,” “federated learning,” or “encrypted processing.” If you don’t see them, the tool probably uses standard collection methods.

  2. Ask directly. Users of ChatGPT, Gemini, and other platforms can contact support and ask, “Do you use differential privacy or federated learning for user prompts?” If the answer is vague, treat that as a red flag.

  3. Prefer local models where possible. Some AI tools run entirely on your device (for example, Apple’s on-device models, or open-source tools like Llama on a local machine). These inherently avoid sending your data anywhere.

  4. Use privacy-focussed alternatives. Several startups now offer AI tools built around PETs from day one. They’re not as polished as the big names, but they exist and are improving.

  5. Don’t overshare in prompts. Even with PETs, no system is perfect. Treat each AI prompt as if it could be stored indefinitely. Avoid sharing personal identifiers, passwords, or sensitive financial information.

Sources

  • GAO report, May 2026 (full title not publicly linked at time of writing, but covered by MeriTalk)
  • “GAO: Privacy Tech Could Be Key to Safer AI Adoption” – MeriTalk, May 20, 2026
  • Overview of differential privacy and federated learning from the GAO’s cited technical briefs

The GAO report is a concrete signal that privacy tech is no longer a niche concern. It’s becoming a baseline requirement. For everyday users, the takeaway is simple: you can demand better protection, and now there’s a government report to back you up.