DataGrail: 60% of AI Software Hides Data Subprocessing

According to a June 1 report by data privacy firm DataGrail, nearly two-thirds of business software vendors claiming AI capabilities do not disclose which third-party AI subprocessors handle user data.

The 2026 Privacy and AI Trends Report analyzed 2,400 vendors and found that 63.6% failed to name any subprocessors in their legal documents.

Shadow AI: Data Flows Through an Invisible Chain

Subprocessors are third-party AI models that a vendor's tool relies on. A company might buy software from Vendor A, which then passes data to Vendor B's large language model, which may in turn use Vendor C. The customer only signed a contract with A, unaware of the rest.

DataGrail calls this phenomenon "shadow AI." When something goes wrong, companies have no idea whom to hold accountable.

Another finding: 32.8% of AI systems perform at least one high-risk operation. Combined with the opacity of subprocessors, businesses are flying blind.

Regulation Surges While Compliance Teams Shrink

The report paints a contradictory picture. In 2025, U.S. states passed 145 AI-related laws, with over 1,000 more bills pending. Class-action lawsuits over tracking pixels alone exceeded 1,400 in a year.

Yet privacy compliance teams are being cut. Some teams saw reductions of up to 33%. More rules, bigger fines, fewer people to handle them.

DataGrail CEO Daniel Barber summed up the state of privacy in 2026:

"If there's one word that sums up data privacy in 2026, it's 'more': more regulation, more risk, more pressure."

42% of Companies Halted AI Projects Over Privacy

The report also found that 42% of companies abandoned AI projects in 2025, citing privacy concerns as the direct reason.

After two years of rushing to embed AI into everything, many firms realized they couldn't trace data flows, identify subprocessors, or keep up with tightening regulations. Nearly half chose to pull the plug.

Key FiguresValue
Vendors not disclosing AI subprocessors63.6%
AI systems performing high-risk operations32.8%
AI projects halted due to privacy concerns in 202542%
New state AI laws passed in 2025145
Privacy team headcount reductionsUp to 33%

The report's core message is not that AI should be avoided, but that companies must understand where their data goes before deploying AI. That seemingly minor detail is becoming a major hidden liability.

Sources: CocoLoop; 145 AI laws passed in 2025 and privacy teams aren't catching a break (Help Net Security); DataGrail Privacy and AI Trends Report 2026 (DataGrail)