Every business owner buying AI-powered software right now should read this.
DataGrail, a privacy platform that tracks how companies handle personal data, just released its fifth annual Privacy and AI Trends Report. They analyzed 2,400 popular business software providers — the kind of tools your team uses every day. What they found should change how you evaluate any AI vendor.
63.6% of vendors that advertise AI capabilities don’t disclose a third-party AI subprocessor in their legal documentation.
That means if you sign up for a CRM, HR platform, or analytics tool that uses AI, there’s a better-than-even chance the vendor hasn’t told you which AI models are actually processing your data behind the scenes. Your customer information, employee records, and financial data could be flowing to AI pipelines you never reviewed and never approved.
What’s a Third-Party AI Subprocessor?
When a software vendor builds AI features, they often use external models — from OpenAI, Anthropic, Google, or others — to actually process the data. A subprocessor is that third party doing the work. Legal frameworks like GDPR and most enterprise data processing agreements require vendors to disclose these relationships.
Most aren’t bothering.
The report found that among those AI systems that did self-report risk factors:
- 47.1% process personal data
- 20.7% power automated decision-making
- 16.5% process sensitive data categories including health and financial information
- 7.5% process biometric data
And 32.8% of AI systems overall participate in at least one high-risk activity — automated decision-making, sensitive data processing, or similar. That number is striking against the backdrop of vendors staying silent about it.
Why It Matters for Your Business
This isn’t just a legal problem. It’s a business risk problem.
Consider what happens when a vendor quietly routes your customer complaints through an AI model you didn’t vet. Or when an HR tool uses a third-party model to screen job applications without telling you. The liability sits with you — not the vendor. Your customers trusted you with their data, not the unnamed AI company five contracts down the chain.
The regulatory environment is making this worse to ignore. State legislatures passed 145 AI-related laws in 2025 alone. Colorado’s AI Act, California’s AI Transparency Act, and similar laws across the US and Europe are creating disclosure and governance requirements that will land squarely on the businesses deploying these tools — not just the developers who built them.
For companies in healthcare, financial services, or legal, the stakes are even higher. Sensitive data categories processed through undisclosed AI pipelines create exposure that no indemnity clause will fully protect you from.
The Real Cost of Opaque AI Vendors
DataGrail’s report found that 42% of companies abandoned AI initiatives in 2025, with data privacy concerns cited as a primary reason. That number tells a different story than the hype cycle would suggest.
Organizations aren’t failing at AI because the technology doesn’t work. They’re stalling because they can’t get clear answers from vendors about what the technology actually does with their data. Due diligence takes longer than a demo. Privacy reviews slow procurement. And after the third vendor can’t answer basic questions about their AI stack, many teams just halt.
The businesses making real progress with AI are the ones that established clear vendor standards early — a short list of questions every AI tool must answer before a contract gets signed.
What This Means for Business
Ask your vendors these questions before signing anything:
- Do you use any third-party AI models or providers to process customer or employee data?
- Are those providers listed in your DPA (Data Processing Agreement) as subprocessors?
- Where is data processed, and does it leave your primary region?
- Is customer data used to train or fine-tune any AI model?
- What is your process for notifying us if you add a new AI subprocessor?
If a vendor can’t answer these clearly, that’s the answer.
For businesses building AI capabilities in-house or through a trusted partner, this is also an opportunity. The 63.6% who don’t disclose create an opening for those who do. Transparency about your AI stack is now a competitive differentiator — especially in industries where clients ask hard questions before signing contracts.
Enterprise DNA builds AI systems for businesses with a commitment to full transparency about what’s under the hood. If you’re evaluating AI for your operations and want to understand exactly how your data flows, that conversation starts here.
Source: DataGrail