DataGrail Report Shows 63% of AI‑Enabled SaaS Vendors Conceal Sub‑Processors, Raising Privacy Risks After 145 New State AI Laws
What Happened – DataGrail’s 2026 Privacy & AI Trends Report documents that 145 AI‑related statutes were enacted by U.S. states in 2025 and that 63.6 % of the 2,400 surveyed SaaS providers with AI features failed to disclose third‑party AI subprocessors. The same study highlights a surge in data‑subject‑request costs and widespread non‑compliance with browser opt‑out signals.
Why It Matters for TPRM –
- Hidden AI subprocessors create “shadow AI” exposures that can breach contractual and regulatory data‑privacy obligations.
- Rapidly expanding state AI legislation amplifies compliance risk for any organization that relies on third‑party AI services.
- Manual handling of data‑subject requests is becoming financially unsustainable, pressuring vendors to improve privacy‑by‑design controls.
Who Is Affected – SaaS vendors, fintech platforms, health‑tech solutions, e‑commerce sites, and any enterprise that integrates third‑party AI APIs.
Recommended Actions – Conduct a vendor‑level AI sub‑processor inventory, update contracts to require full disclosure, implement automated opt‑out signal handling, and invest in scalable data‑subject‑request automation.
Technical Notes – The risk stems from lack of legal disclosure rather than a specific vulnerability; however, the underlying vector is the reliance on undisclosed third‑party AI services that may process sensitive data or perform automated decision‑making. Source: Help Net Security – DataGrail AI & Privacy Risks Report 2026