Your Software Vendors Are Running AI on Your Data
DataGrail's June 1 report: 63.6% of SaaS vendors run AI subprocessors without telling you. See the contract clauses to add before your next renewal.
DataGrail published the Privacy and AI Trends Report 2026 this morning, and the number on the cover page is the one your privacy counsel should be reading first. Of 2,400 business software vendors that prominently advertise AI capabilities, 63.6% do not disclose a third-party AI subprocessor in their legal documentation. Translation: the SaaS tools your company already pays for are quietly piping customer records, employee data, and internal documents through AI pipelines you never reviewed, never approved, and in most cases do not know exist. This is shadow AI, but it’s not living on your employees’ personal ChatGPT logins. It’s living inside the vendors you wrote a check to.
That’s a different governance problem than the one most security programs are actually working on. And it’s the one that’s about to start showing up on audit findings.
Quick Verdict
| The Number | What It Means |
|---|---|
| 63.6% of 2,400 AI-advertising vendors | Don’t disclose third-party AI subprocessors in legal docs |
| 32.8% of AI systems analyzed | Run at least one high-risk activity (sensitive data, automated decisions) |
| 47.1% of AI systems analyzed | Process personal data |
| 42% of companies in 2025 | Abandoned AI projects over privacy concerns |
| 398% YoY increase in deletion requests | 2,000+ per month average — privacy ops drowning |
| 145 state AI laws enacted in 2025 | 1,000+ additional bills in flight |
| CCPA AI risk assessment requirement | In effect January 1, 2026 — already live |
| Your real exposure | Vendor-side. Contract clauses at the renewal table. |
The Subprocessor Gap Is the Story
Most CISOs spent the last 18 months building governance for the employee paste problem. Block the paste into ChatGPT. Sanction the corporate tenant. Train the workforce on what counts as sensitive. That work matters and most of it is the right call, as the LayerX power user data made clear.
But the LayerX data is one half of the shadow AI surface. The DataGrail data is the other half. And the other half is the one the corporate governance program cannot reach from the inside.
Here’s the mechanic. A SaaS vendor adds an AI feature. Summarize this ticket. Draft this email. Score this lead. Behind that button is a model, and the model is almost never the vendor’s own. It’s OpenAI’s API, or Anthropic’s, or one of the open-weight providers running on a third-party hosting layer. That model provider is what privacy law calls a subprocessor. They process your data on behalf of the vendor that processes your data on behalf of you.
The vendor’s data processing agreement is supposed to name every subprocessor. Under GDPR Article 28 a processor needs the controller’s prior written authorisation (specific or general) before engaging a sub-processor, has to flow the same data protection obligations down to it, and has to give notice of changes so the controller can object; the subprocessor list in the DPA exhibit is how vendors satisfy that in practice. That’s the legal architecture that lets your privacy team approve the chain, route data the right way, honor deletion requests downstream, and sign DPAs that actually mean something at audit time.
DataGrail’s number says the legal architecture is broken. Almost two-thirds of vendors that brag about AI on their marketing pages don’t name the AI provider in their DPA. The model is running. The data is flowing. The legal trail stops at the vendor’s front door. Per VentureBeat’s coverage of the report, that gap exists at vendors of every size and across every industry vertical the dataset covered.
That’s a structural failure of how privacy programs are being run against AI-augmented SaaS, and it’s why I think this report is going to set the audit conversation for the second half of 2026.
What Else the Report Found
The subprocessor number is the headline. The supporting numbers are where the operational risk lives.
32.8% of analyzed AI systems run at least one high-risk activity. High-risk in the DataGrail framing means sensitive personal data processing, automated decision-making with material consequences, or another category the major state privacy laws now flag for risk assessment. Roughly one in three AI-enabled features inside the SaaS layer sits inside the legal definition of high-risk processing. Most of those features were turned on by default during 2025 product updates without anybody at the buyer’s company noticing.
47.1% process personal data. Just under half of the AI systems in the dataset touch personal information about identifiable individuals. That number alone moves the conversation from “AI feature” to “regulated data activity” for anybody under GDPR, CPRA, the Colorado AI Act, or any of the 145 state-level AI laws passed in 2025. Half of the AI in your stack already triggers a privacy obligation. Most companies have not registered that.
Deletion requests are up 398% year over year. Per Help Net Security’s writeup of the DataGrail data, the average company is now fielding 2,000+ deletion requests per month. That’s the operational tax of running consumer-facing software in a 50-state patchwork of privacy law. And every deletion request now has to be honored across every subprocessor the data touched, including the AI ones the DPA never named.
42% of companies abandoned AI projects in 2025 over data privacy concerns. That’s the productivity cost the subprocessor gap is already inflicting. Privacy teams that cannot trace the data flow are killing AI features rather than approve a workflow they cannot audit. That kill rate is the receipt for why this is a CFO conversation now, not just a privacy one.
What Is an AI Subprocessor and Why Does It Matter?
An AI subprocessor is a third-party AI provider that a SaaS vendor uses to run AI features on customer data. When you upload a contract to your CRM and the CRM offers to summarize it, the summarization usually runs through an external model API like OpenAI, Anthropic, or a hosted open-weight provider. That external provider is the subprocessor. They process your data on behalf of your direct vendor. Under GDPR, CPRA, and most state-level privacy regimes, every subprocessor in the chain must be authorised by you (in practice, named in the DPA’s subprocessor list), must be bound to the same contractual protections the vendor accepted, and must be reachable by your audit rights end to end. When the SaaS vendor turns on an AI feature without updating the DPA, the legal chain breaks. The data is still flowing through the new subprocessor. The contract just stops covering it. Your audit trail stops at the vendor you wrote the check to, not the model that actually saw the data. That gap is the legal exposure.
Why the Subprocessor Gap Is Different From Employee Shadow AI
Two reasons the vendor-side problem is harder than the employee-side problem.
You cannot solve it with a browser extension. The shadow AI playbook most security teams are building this year is browser-layer. Watch what employees paste. Classify the data at the prompt boundary. Sanction the corporate tenant for the tools they actually use. That whole approach assumes the AI surface lives in a browser tab the user controls. The vendor-side AI surface lives inside the vendor’s product. There is no browser to monitor. The data leaves your environment through a sanctioned integration, hits the SaaS vendor’s servers, gets forwarded to a model API, and comes back. Your visibility stops at the egress to the vendor: a CASB or SaaS security tool can confirm the data reached the vendor, but nothing on your side can see the vendor forward it to a model provider.
You cannot fix it with policy training. The employee paste problem is partly a training problem. Tell the workforce what counts as sensitive. Give them a sanctioned alternative. Repeat. The vendor-side problem is a contracting problem. The data flow is invisible to the employee, automatic from the user’s perspective, and triggered by features the buyer enabled at procurement time. No amount of workforce training fixes a missing clause in a master subscription agreement.
The fix has to be procurement-side. Contract language, DPA exhibits, subprocessor lists with audit rights, deletion propagation guarantees. That’s a different motion than the one most AI governance programs are running today, and it’s the motion the next two quarters of audit findings are going to force.
How Should You Govern Vendor-Side AI Subprocessors?
Govern vendor-side AI subprocessors with three contractual controls layered on top of your existing DPA. First, require an exhaustive subprocessor list in the DPA exhibit, with a specific carve-out naming every AI model provider, every AI hosting layer, and every fine-tuning or embeddings service the vendor uses to power AI features in the product. Second, require 30-day advance notification with a right of refusal for any new AI subprocessor added during the contract term, including model upgrades that route data to a new provider. Third, require subprocessor-level deletion propagation, meaning the vendor contractually guarantees that any deletion request you forward gets honored at every AI subprocessor in the chain within a defined window, with audit logs available on request. Those three clauses move the legal architecture from “trust the vendor” to “verify the chain.” That’s the posture the CCPA AI risk assessment requirement, effective January 1, 2026, already presumes is in place.
That last point is the one most procurement teams have not internalized. The risk assessment requirement is live. The audit conversation is already happening at the largest enterprises. The contract amendment cycle starts now or starts after the finding.
The Three Vendor Conversations to Run This Quarter
Sized for an IT lead, CISO, or AI program owner running a real SaaS portfolio. Doable inside a 90-day procurement cycle. Will reset your vendor-side AI exposure against the DataGrail data instead of last year’s threat model.
Conversation 1: Inventory the AI features that turned on without a contract amendment. Pull the last 18 months of vendor release notes for your top 20 SaaS contracts by spend. Flag every feature that mentions AI, machine learning, generative, summarization, scoring, automated decisioning, or smart suggestions. For each flagged feature, compare its ship date with the date the corresponding DPA exhibit first named an AI subprocessor for it. A feature with no matching entry is exposed, and one whose entry appeared months after shipping was exposed for the whole interval in between. The gap between “feature shipped” and “DPA updated” is your exposed surface. Most companies will find this list is much longer than they expected. The AI decision your IT team already missed covers why this inventory work keeps getting deferred and what it costs when audit catches up.
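A script for that comparison, added here as an illustration and not part of the DataGrail report or the original post: it keyword-flags release notes using the post’s term list, matches each flagged feature against the vendor’s DPA subprocessor exhibit, and classifies it as covered, late or gap. The vendor names, dates and exhibit entries are constructed sample data, and the 30-day grace window (mirroring the notice period the post recommends) is an assumption you should set to your own contract terms.

```python
"""Cross-check SaaS release notes against DPA subprocessor exhibits.

Added example, not code from the post or from DataGrail. All vendors,
dates and exhibit entries below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Inventory keywords from the post; extend with your vendors' own vocabulary.
AI_TERMS = re.compile(
    r"\b(ai|machine learning|generative|summar\w*|scoring|"
    r"automated decision\w*|smart suggestions?|llm)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ReleaseNote:
    vendor: str
    shipped: date
    title: str
    body: str


@dataclass(frozen=True)
class SubprocessorEntry:
    vendor: str    # SaaS vendor whose DPA exhibit lists this entry
    name: str      # the subprocessor
    purpose: str   # purpose text as written in the exhibit
    added: date    # date the entry first appeared in the exhibit


@dataclass(frozen=True)
class Finding:
    vendor: str
    feature: str
    shipped: date
    status: str                  # "covered", "late" or "gap"
    entry: str | None = None     # earliest AI subprocessor entry for the vendor
    lag_days: int | None = None  # days from ship date to that entry (negative = before)


def is_ai_feature(note: ReleaseNote) -> bool:
    return AI_TERMS.search(f"{note.title} {note.body}") is not None


def is_ai_entry(entry: SubprocessorEntry) -> bool:
    # Hosting, CDN or support-desk subprocessors do not cover an AI feature.
    return AI_TERMS.search(entry.purpose) is not None


def find_gaps(notes, exhibits, grace_days: int = 30) -> list[Finding]:
    """One Finding per AI-flagged release note.

    covered: an AI subprocessor entry existed by shipped + grace_days
    late:    an AI entry exists, but only appeared after the grace window
    gap:     the vendor's exhibit names no AI subprocessor at all
    """
    findings: list[Finding] = []
    for note in sorted(notes, key=lambda n: (n.vendor, n.shipped)):
        if not is_ai_feature(note):
            continue
        ai_entries = sorted(
            (e for e in exhibits if e.vendor == note.vendor and is_ai_entry(e)),
            key=lambda e: e.added,
        )
        if not ai_entries:
            findings.append(Finding(note.vendor, note.title, note.shipped, "gap"))
            continue
        earliest = ai_entries[0]
        lag = (earliest.added - note.shipped).days
        status = "covered" if lag <= grace_days else "late"
        findings.append(Finding(note.vendor, note.title, note.shipped, status, earliest.name, lag))
    return findings


def summarize(findings) -> dict[str, int]:
    counts = {"covered": 0, "late": 0, "gap": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample data (hypothetical vendors and providers).
RELEASE_NOTES = [
    ReleaseNote("HelpDeskCo", date(2025, 3, 10), "AI ticket summaries", "Summarize long threads with one click."),
    ReleaseNote("CRMCo", date(2025, 6, 2), "Smart lead scoring", "Ranks inbound leads automatically."),
    ReleaseNote("CRMCo", date(2025, 4, 14), "New dark theme", "Cosmetic update."),
    ReleaseNote("DocsCo", date(2025, 8, 20), "Generative draft assistant", "Drafts documents from a prompt."),
]
DPA_EXHIBITS = [
    SubprocessorEntry("HelpDeskCo", "Model Provider A", "LLM inference for ticket summarization", date(2025, 3, 1)),
    SubprocessorEntry("CRMCo", "CloudHost Inc", "Primary application hosting", date(2023, 1, 15)),
    SubprocessorEntry("CRMCo", "Model Provider B", "Machine learning lead scoring", date(2025, 9, 15)),
    SubprocessorEntry("DocsCo", "CloudHost Inc", "Primary application hosting", date(2024, 6, 1)),
]

if __name__ == "__main__":
    results = find_gaps(RELEASE_NOTES, DPA_EXHIBITS)
    for f in results:
        print(f"{f.vendor:12} {f.status:8} {f.feature!r} shipped {f.shipped} "
              f"entry={f.entry} lag_days={f.lag_days}")
    print(summarize(results))
```

On the sample data the script marks HelpDeskCo as covered (the exhibit named the model provider nine days before the feature shipped), CRMCo as late (the scoring entry appeared 105 days after shipping, so the feature ran uncovered for that interval), and DocsCo as a gap (only a hosting subprocessor is named). Feed it your own vendors’ release notes and exhibit change history; the late and gap rows are the list to bring to Conversation 2.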
Conversation 2: Send the subprocessor disclosure request to your top 20 vendors. A one-page request, signed by procurement and privacy jointly. Asks for a current, exhaustive list of every AI subprocessor the vendor uses, with model name, provider, data flow description, retention terms, and deletion propagation guarantee. Set a 30-day response deadline. Track which vendors respond cleanly, which respond with redacted lists, and which do not respond at all. The response pattern is your renewal-risk signal for the next cycle. The vendors that cannot tell you what models touch your data are the ones whose next renewal needs the new clauses or a competitive RFP.
Conversation 3: Amend the DPA exhibit at the next renewal touchpoint. Don’t try to renegotiate the master subscription agreement mid-term. That conversation goes nowhere with most vendors. Do put the three subprocessor clauses (exhaustive list, 30-day advance notice with refusal right, deletion propagation) on the renewal redline list, and route them through the renewal cycle as standard procurement language. By the end of Q3 you’ll have a portfolio where the largest spend lines have the subprocessor architecture you need, and you’ll have a list of vendors who refused, which becomes the prioritized switch list. The Deloitte governance framework covers the operational machinery for running this at SMB scale, and the same playbook scales up.
The pattern here is the same one I’ve been pushing on the shadow AI productivity tradeoff for the last six months. Govern the data flow and the contract that covers it. Make the right path the default by writing it into the procurement template instead of chasing exceptions after the fact.
The Anti-Hype Read
Two cautions before the slide deck gets built.
The 63.6% disclosure-gap number is a snapshot of legal documentation as of the report’s analysis window. Some of that gap is bad practice. Some of it is timing. AI features moved faster in 2025 than the contract amendment cycles could keep up with, and a non-trivial share of vendors are sitting on DPA updates that are drafted but not yet circulated. That doesn’t make the gap less real, but it does mean that a polite, specific request from a customer-side procurement team is more likely to get a clean answer in 2026 than the headline number suggests. Try the request before you assume the worst.
The 42% project-abandonment number cuts both ways. It says privacy risk is real enough to kill AI work, which is the read most coverage will run with. It also says privacy teams without good vendor-side visibility are using the kill switch as a default, which is the part nobody is writing about. Both reads are true. The fix in both cases is the same: give the privacy team the contract architecture to approve a workflow they can actually audit, and the kill rate drops. That’s the path to keeping the ROI receipts the enterprise AI reckoning post warned you’d be defending in front of the CFO this year.
Neither caution softens the directional read. The legal chain is broken at most vendors. The 2026 audit cycle is going to surface it. The procurement window to fix it is open right now.
My Read
The DataGrail report is the cleanest data point yet on the half of shadow AI that nobody is solving. Employee paste problems are the visible half, and the LayerX data already told us where to aim the browser-layer controls. The vendor-side disclosure gap is the invisible half, and DataGrail just put a number on it.
63.6%. Almost two-thirds of the AI-advertising vendors DataGrail sampled, and on that evidence a comparable share of your own AI-enabled SaaS portfolio, are running models on your data without the contract architecture to prove who saw what, where it went, or how to get it back. This is a procurement and privacy contracting problem, and the fix is contract language at the renewal table.
The teams that do this work in Q3 will walk into the 2026 audit cycle with a clean subprocessor map, a documented deletion chain, and a renewal portfolio where the high-risk vendors have either signed the new clauses or been replaced. The teams that skip it will spend Q4 explaining a 32.8% high-risk-activity number to a regulator who already read the DataGrail report.
The disclosure gap is the audit finding nobody is writing about yet. Write it into your renewal redlines this week. The procurement window closes the day the regulator asks first.
Sources external to the post: Privacy and AI Trends Report 2026 by DataGrail, VentureBeat coverage of the subprocessor gap, and Help Net Security on the 145 state AI laws and deletion-request surge.
Related Reading:
- Your Power Users Are Your Biggest AI Risk
- Shadow AI Is Costing More Than Productivity. Here’s How to Fix It.
- The AI Decision Your IT Team Already Missed
- The 145 State AI Laws Crushing Small Businesses
- Colorado AI Act: What Small Businesses Need to Know
- The Deloitte SMB AI Governance Playbook
- The Enterprise AI ROI Reckoning