Bring AI into the Privacy Program in 2025
Lizzy Hill · 2025-02-05 · via Privacy Ref

Artificial intelligence is seemingly, suddenly everywhere in 2025, and possibly already being used within your organization. With the increasing popularity and use of artificial intelligence by organizations come additional regulations and best practices. The European Union’s Artificial Intelligence Act may be the first law to regulate the use of artificial intelligence, but it is closely followed by other countries, including Brazil, where an AI law was just signed, and by several US states, including California and Colorado.

A privacy professional knows that artificial intelligence is the privacy program’s business. Before inwardly groaning at the idea of creating another governance program for artificial intelligence, consider how artificial intelligence management can be incorporated into the privacy program. This will not only preserve resources and energy but also make use of existing systems and processes to minimize the lift of governing artificial intelligence.

Risk management

The use of artificial intelligence for business purposes necessitates an understanding of the risks involved and mitigation measures to limit these risks. To comply with the EU AI Act and some of the upcoming US state AI laws, deployers of artificial intelligence must conduct some version of a risk assessment, sometimes called a conformity assessment or data protection impact assessment (DPIA).

If the EU AI Act or state comprehensive privacy laws apply to the organization, there should already be a DPIA or privacy impact assessment (PIA) process in place. Questions covering the use of AI can be added into the PIA and DPIA template in that case so that the artificial intelligence use can be risk ranked and risk mitigations can be identified.

Transparency

Once the use and risks of artificial intelligence are known and mitigated, and as they are updated and tracked, this information can be used to inform employees and consumers about the use of artificial intelligence. The EU AI Act and some of the US state AI laws require that people interacting with AI systems be notified of that fact.

Language about the use of AI and the data used to train it can be added to internal privacy policies and external privacy notices. Depending on the use, there may be new processing purposes added to the privacy notice or a smaller addition that certain processing may be performed in an automated fashion. New processing purposes should also trigger an alert to consumers per certain US state laws.

If automated decision-making is a new processing purpose of personal information using AI, the right to opt out of automated decision-making may need to be built into the existing data subject rights request fulfillment process and listed in the privacy notice.

AI Literacy

AI literacy is the requirement that artificial intelligence evaluators and users have the minimum knowledge and understanding to perform the tasks expected of them using AI. This includes a basic understanding of AI, along with a combination of technical skills, critical thinking, practical application, and legal and moral awareness. Anyone responsible for human oversight of AI or using artificial intelligence on behalf of the business should be AI-literate.

Look to current training and awareness activities for opportunities to introduce artificial intelligence topics such as risks and appropriate use. Artificial intelligence can be introduced in short training videos or in-person training along with awareness activities or exercises such as privacy incident practices. It may also be necessary to create a policy on appropriate use of artificial intelligence which can be circulated using existing communication mechanisms such as newsletters or internal privacy pages.

Another place where AI can be incorporated to increase literacy is in the Privacy Steering Committee or similarly named security and privacy committee that meets regularly. Perhaps this committee can double on a recurring schedule as an Artificial Intelligence Review Committee, or a smaller subset of these folks can review AI requests and report to the steering committee regularly.

Reach out to Privacy Ref with all your organizational privacy concerns: email us at info@privacyref.com or call us at 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today, and get trained by the top attended IAPP Official Training Partner.