Why AI Governance Is Landing on Privacy’s Desk (and What to Do About It)

What happened

A growing chorus of voices in the data protection world is pointing to the same trend: AI governance responsibilities are being handed to privacy teams. The International Association of Privacy Professionals (IAPP) has published several pieces on the subject, most notably “When AI governance lands on privacy’s desk” and “No new acronyms required: Governing AI without ‘AI law’.” The message is clear: organisations are not waiting for dedicated AI legislation. Instead, they are leaning on existing privacy frameworks—GDPR, CCPA, and others—to manage the risks that AI systems introduce.

This isn’t a theoretical shift. Privacy professionals are being asked to review AI vendors, assess models for bias, and ensure that automated decisions are explainable. In many cases, they are doing this without additional budget or staff.

Why it matters

The regulatory landscape for AI remains fragmented. The EU’s AI Act is still being implemented; the US has no comprehensive federal AI law. Meanwhile, companies deploy AI tools at speed—customer service chatbots, hiring algorithms, fraud detection systems, and more. Privacy laws, though not designed for AI, already cover several core risks:

  • Lawful basis and consent: Many AI systems process personal data. GDPR requires a valid legal basis. If an AI model is trained on customer data without proper notice, that’s a violation.
  • Data minimisation and purpose limitation: Training a model often requires large datasets. Privacy principles demand that you collect only what’s needed, and use data only for the purpose disclosed.
  • Transparency and explainability: Article 22 of GDPR gives individuals the right not to be subject to solely automated decisions with legal or significant effects. That pushes privacy teams to understand how an AI reaches conclusions.
  • Accountability and impact assessments: Both GDPR and CCPA require data protection impact assessments for high-risk processing. AI deployments almost always qualify.

The IAPP’s “No new acronyms required” piece argues that privacy teams already have the tools—they just need to apply them to AI.

Key challenges

It’s not straightforward. Privacy professionals face:

  • Lack of explainability: Many machine learning models are black boxes. Even the engineers can’t always say why a model made a certain prediction.
  • Bias and fairness: Current privacy laws don’t directly address algorithmic bias. Yet biased outcomes can lead to discrimination claims and reputational damage.
  • Vendor management: AI is often delivered as a service. Privacy teams must vet third-party models without full visibility into training data or logic.
  • Evolving regulations: The AI Act, once enforced, will add new requirements. Privacy professionals need to prepare for that without over-engineering for a moving target.

What readers can do

Here are practical steps to integrate AI governance into existing privacy programmes, based on guidance from the IAPP and industry practitioners.

1. Conduct AI impact assessments.
Build on your existing Data Protection Impact Assessment (DPIA) framework. Add sections for model purpose, training data sources, bias testing, and human oversight mechanisms. Treat each AI use case as a new data processing activity.

2. Map data flows for AI systems.
You cannot govern what you do not know. Inventory all AI tools in use across the organisation—including those adopted by individual teams without IT approval. Document what data goes in, what comes out, and where it is stored.

3. Update vendor management.
When contracting with AI vendors, require transparency on training data, model performance metrics, and any ongoing monitoring. Include contractual clauses for audit rights and data deletion. The IAPP suggests treating AI vendors almost like data processors under GDPR.

4. Create an AI ethics checklist.
Not everything needs a full legal review. A short checklist for business teams can surface red flags early: Does the model use sensitive data? Will decisions be automated without human review? Can the outcome be explained in plain language?

5. Build cross-functional governance.
Privacy cannot do this alone. Establish a working group with legal, IT, product, and risk management. Schedule regular reviews of new AI deployments. The governance structure should be lightweight enough to scale.

6. Prepare for the AI Act—without panic.
The EU AI Act will likely classify many systems as high-risk, requiring conformity assessments, human oversight, and transparency documentation. Start by documenting what you already do under GDPR. Much of the groundwork overlaps.

Sources and further reading

  • IAPP, “When AI governance lands on privacy’s desk” (2026)
  • IAPP, “No new acronyms required: Governing AI without ‘AI law’” (2026)
  • IAPP, “Analyzing China’s PIPL and how it compares to the EU’s GDPR” (2021)

These articles are available through the IAPP’s resource library. They provide detailed guidance on adapting privacy frameworks to AI and comparing regulatory approaches across jurisdictions.

The bottom line

Privacy professionals are already in the AI governance seat. The question is not whether to take on the role, but how to do it effectively without waiting for new laws. The frameworks you already use—GDPR, CCPA, DPIA processes—are a starting point. Expand them thoughtfully, collaborate across teams, and keep an eye on emerging regulation. The work you do now will shape how your organisation handles AI for years to come.