VFF - The signal in the noise
News

Majority of AI Vendors Hide Subprocessors From Contracts

Read original
Share
Majority of AI Vendors Hide Subprocessors From Contracts

A DataGrail analysis of 2,400 business software vendors found that 63.6% of those advertising AI capabilities do not disclose third-party AI subprocessors in their legal documentation. This means companies purchasing AI-enabled software may unknowingly expose customer data to undisclosed AI models and systems they never reviewed or approved. The finding highlights a critical gap between what vendors claim in contracts and what they actually deploy in production.

  • 63.6% of AI-enabled vendors fail to disclose third-party AI subprocessors in data processing agreements
  • DataGrail cross-referenced DPAs against product documentation, GitHub, API connections, and marketing materials to identify gaps
  • Organizations with high shadow AI exposure face average breach costs of $4.63 million, $670,000 more than those with low shadow AI
  • The disclosure gap creates compliance risk, particularly for automated decision-making in hiring and other regulated domains

Data processing agreements are the primary legal mechanism enterprises use to evaluate vendor data handling. If the majority of AI vendors are not disclosing their actual AI subprocessors in these contracts, the entire trust framework for vendor risk assessment breaks down. Companies could unknowingly violate FTC regulations on automated decision-making while exposing sensitive personal data to unvetted AI systems.

Enterprises relying on vendor DPAs to manage AI risk are operating with incomplete information. A company might approve one AI model for a recruiting tool while the vendor secretly uses two others, creating compliance exposure and potential liability. With U.S. states issuing $3.425 billion in privacy fines in 2025 alone, this disclosure gap represents a material financial and legal risk.

  • DPAs can no longer serve as reliable standalone documents for evaluating vendor AI risk, requiring additional due diligence on product documentation and API integrations
  • Enterprises face potential FTC violations if undisclosed AI systems make automated decisions on sensitive data without proper vetting
  • The gap between disclosed and actual AI subprocessors creates shadow AI risk that correlates with significantly higher breach costs

Monitor whether regulators begin enforcing disclosure requirements for AI subprocessors in vendor contracts. Watch for enterprise adoption of supplementary vendor assessment tools that go beyond DPAs to verify actual AI deployments. Track whether major software vendors update their standard DPA language to include comprehensive AI subprocessor disclosure in response to this research.

Share

Subscribe to the newsletter

The latest stories and analysis, delivered to your inbox.

Free. No spam. Unsubscribe any time.

Related stories

Meta's Muse Image Uses Public Instagram Photos Without Consent
TrendingNews

Meta's Muse Image Uses Public Instagram Photos Without Consent

Meta's Muse Image tool allows users to generate AI images by tagging public Instagram accounts, effectively using those accounts' photos as training material without explicit consent. Any Instagram user with a public profile can have their images incorporated into AI-generated creations by other users. The feature raises questions about image rights, consent, and Meta's approach to AI training data sourcing.

by Lauren Forristal· TechCrunch AI
OpenAI launches GPT-5.6 with cybersecurity focus
TrendingNews

OpenAI launches GPT-5.6 with cybersecurity focus

OpenAI has launched a new family of models anchored by GPT-5.6, which the company says delivers improvements across multiple areas including cybersecurity capabilities. The announcement marks the latest iteration in OpenAI's model development roadmap.

by Lucas Ropek· TechCrunch AI
69% of Enterprises Deploy AI Agents With Shared Credentials

69% of Enterprises Deploy AI Agents With Shared Credentials

VentureBeat research of 107 enterprises found that 69% run AI agents with shared API keys, a critical security gap where a single compromised agent gains access to all permissions tied to that credential. The finding has triggered a $22 billion acquisition spree by Palo Alto Networks, CrowdStrike, and Cisco targeting non-human identity management. Only 32% of enterprises give each AI agent its own scoped identity, leaving the majority exposed to lateral movement and forensic blind spots.

by louiswcolumbus@gmail.com (Louis Columbus)· VentureBeat AI
Google Deepfake Detector Debunks McConnell Hospital Hoax

Google Deepfake Detector Debunks McConnell Hospital Hoax

A fabricated image purporting to show Senator Mitch McConnell in distress in a hospital bed circulated online this week before being identified as AI-generated. Google's deepfake detection system was used to debunk the hoax. The incident underscores both the growing prevalence of synthetic media and the potential utility of detection tools in combating misinformation.

by Russell Brandom· TechCrunch AI