helpnetsecurity.com web signal

DataGrail: 63% of AI Vendors Omit Subprocessor Disclosure

regulation ai ethics surveillance ai-privacy compliance

Key insights

  • 63.6% of 2,400 business software providers fail to disclose third-party AI subprocessors, creating compliance blind spots for enterprise buyers.
  • 42% of companies abandoned AI projects in 2025 over data privacy concerns while privacy teams absorbed headcount cuts of up to 33%.
  • Data brokers saw a 398% year-over-year surge in deletion requests; mid-sized firms face $1.5 million annually in manual processing costs.

Why this matters

Enterprise AI procurement has a structural visibility problem: more than six in ten software vendors are not disclosing how they chain AI subprocessors, meaning legal and security teams cannot assess their full AI supply chain risk. Regulatory pressure is accelerating faster than privacy headcount can absorb, with 145 new state laws enacted in 2025 and California requiring executive-signed risk assessments with annual audits beginning April 2028. The 42% project abandonment figure signals that privacy risk has moved from post-launch compliance checkbox to a front-end investment blocker that is killing AI initiatives before they ship.

Summary

DataGrail's 2026 report finds that 63.6% of 2,400 software vendors fail to disclose third-party AI subprocessors, leaving enterprise buyers with hidden compliance exposure they cannot audit or manage. 42% of companies abandoned AI projects in 2025 over privacy concerns, while privacy teams absorbed cuts of up to 33%. Meanwhile, 32.8% of AI systems already engage in high-risk activities involving sensitive data or automated decision-making. Essentially, DataGrail is mapping a vendor transparency gap that enterprise buyers must now navigate alone.

  • 145 AI-related laws were enacted by US states in 2025, with 1,000+ additional bills introduced or revised.
  • California logged $4.3 million in consent management settlements in 2025; 63% of websites still fail to honor opt-out signals.
  • Data brokers faced a 398% year-over-year surge in deletion requests, with mid-sized firms absorbing $1.5 million annually in manual processing costs.

California now requires privacy risk assessments with annual audits beginning April 2028 and executive personal attestation under penalty of perjury.

Potential risks and opportunities

Risks

  • Enterprise AI buyers that deployed tools without auditing subprocessors face mounting exposure as California's mandatory risk assessments and executive attestation requirements converge toward April 2028
  • Privacy teams that absorbed up to 33% headcount cuts face a capacity gap against 2,000+ monthly deletion requests and 1,400+ class action lawsuits already filed in 2025 over tracking pixels and session replay software
  • AI vendors remaining in the 63.6% non-disclosure majority risk losing enterprise procurement deals as buyers tighten vendor DPA reviews under the pressure of 145 new state laws from 2025

Opportunities

  • AI vendors that proactively disclose full subprocessor chains gain a procurement edge as 42% of enterprise buyers now cite privacy as a project-killing blocker
  • DSR automation and consent management platforms have a clear upsell story given $1.5 million annual manual processing costs at mid-market scale and the 398% surge in deletion request volume
  • Privacy consultancies and legal practices specializing in California's new audit framework face near-term pipeline demand as the April 2028 deadline and executive personal liability create urgency for attestation preparation

What we don't know yet

  • Which AI software categories (LLMs, HR tools, analytics platforms) account for the highest share of the 63.6% non-disclosure rate
  • Whether the 42% project abandonment rate varies by company size or sector, or is consistent across enterprise and mid-market buyers
  • What specific penalty structure will apply to California's executive attestation requirement under penalty of perjury as the April 2028 audit deadline approaches