Deep Bench Briefings Recap: “Identifying AI & Privacy Blind Spots Before They Become Liabilities”
For CEOs, Founders, and General Counsels navigating AI adoption, governance gaps can quickly become board-level liabilities. Here’s what business leaders need to know.
In our latest Deep Bench Briefings session, “Identifying AI & Privacy Blind Spots Before They Become Liabilities,” FRB’s Moish Peltz, James Black, and Daniel Gershman were joined by Steven Blickensderfer, Global Privacy & AI Attorney at Mastercard, for a timely discussion of one of the most urgent challenges companies face today: the widening gap between how businesses think AI and data are being governed and what is actually happening in practice.
The conversation focused on a simple but critical reality: many organizations believe they have adequate controls in place, but rapid AI adoption, evolving vendor ecosystems, and everyday employee behavior are exposing blind spots faster than many companies can identify them.
AI Governance Is Not a Privacy Policy
The session opened with a broader point about how organizations should be thinking about AI and privacy. As the panel explained, AI governance is no longer a narrow privacy issue or a standalone compliance task. It is a strategic business function that spans privacy, cybersecurity, internal accountability, vendor oversight, and real-world operations, and it demands executive attention.
As Steve noted, the trend is moving away from siloed privacy thinking and toward a more holistic view of how data is collected, used, shared, and governed across the organization. The implication is clear: if your organization is only updating a privacy policy without reexamining the larger governance structure behind it, you are already behind.
Vendor Agreements Are Often Misaligned with Internal Privacy Commitments
One of the first major blind spots discussed was vendor management. Dan highlighted a frequent problem: your company’s public-facing privacy policy may tell customers their data will only be used to deliver requested services, while the underlying vendor agreement allows the vendor to use aggregated or de-identified data for product improvement, benchmarking, or even model training.
That disconnect can create significant exposure.
The panel also pointed to recurring issues involving:
- Subprocessor use without sufficient notice or approval rights;
- Weak controls around cross-border data transfers;
- Vendor terms buried behind hyperlinks rather than negotiated paper; and,
- Legacy agreements that never contemplated AI use but now govern relationships where AI is actively involved.
The key takeaway for business leaders: you cannot assume existing contracts still fit current realities. Legacy agreements need to be revisited, vendors need to be asked direct questions about whether and how they are using AI, and procurement teams need clearer intake processes so legal, privacy, and compliance concerns are identified before agreements are signed.
Shadow AI May Be the Biggest Blind Spot of All
The panel then turned to one of the most practical and pressing issues facing every organization with employees: unapproved tool use, often called “shadow AI.”
As Moish framed it, companies may spend significant time and resources procuring approved tools, training employees, and building controls around them, only to discover that employees are still using free or consumer-grade AI tools on personal devices because they are faster, easier, or simply more familiar.
That creates serious enterprise risk.
Employees are often not acting with bad intent. As Dan pointed out, most are simply trying to work more efficiently. But when they paste confidential company information, customer data, proprietary materials, or other sensitive content into unvetted tools, they may be exposing the company to confidentiality breaches, contractual violations, regulatory scrutiny, and downstream litigation.
The discussion made clear that shadow AI is not just an IT problem. It is a governance problem. It requires:
- Employee education;
- Practical policies;
- Reasonable approval pathways for new tools; and,
- Governance structures that enable innovation without allowing a free-for-all.
Jim put it in familiar terms: the underlying problem is not entirely new, but AI magnifies it. The risks move faster, spread further, and can trigger real regulatory consequences in ways earlier technologies did not.
Public Disclosures Must Match Real Data Practices
Another major area of concern was the gap between what companies publicly say about their data practices and what is actually happening under the hood.
Steve returned to two core privacy principles: transparency and accountability. Companies may publish polished privacy notices, website disclosures, or compliance statements, but if those representations do not match their actual data processing activities, regulators and plaintiffs’ lawyers will notice.
The panel emphasized that this risk is not theoretical. Misalignment between disclosures and practice can lead to:
- FTC scrutiny for misrepresentation;
- State attorney general enforcement;
- Private litigation in jurisdictions with private rights of action; and,
- For public companies, potential securities-related exposure if material AI or privacy risks are not properly disclosed.
The discussion underscored that strong governance is not just about external statements. Internal policies matter too. If a company’s internal rules are outdated, vague, or inconsistently enforced, that weakness often shows up later in audits, investigations, complaints, or litigation.
Strong Governance Requires Ownership, Accountability, and Process
When the discussion shifted from risk to solutions, the message was clear: good governance does not happen accidentally.
A mature AI governance framework requires more than broad statements of intent. It requires someone to own the function, whether through a designated individual, a formal committee, or an integrated compliance structure. As the panel noted, when “everyone” is responsible, no one really is.
Strong governance means:
- Knowing what tools are being used;
- Understanding what data is flowing through them;
- Setting policies that reflect actual business practices;
- Documenting processes;
- Auditing what is happening; and,
- Regularly updating those controls as the technology evolves.
The panel also noted that businesses do not need to start from scratch. Existing frameworks, such as the NIST AI Risk Management Framework, can help organizations structure responsibility, map risk, and build a repeatable process for oversight.
For Founders and CEOs of small and midsize businesses in particular, one practical point stood out: if internal bandwidth is limited, governance functions can be outsourced to qualified counsel or consultants. The obligation to manage these risks does not disappear simply because your organization is lean.
The Most Practical First Step: Conduct an AI Inventory
In the final portion of the session, the panel focused on immediate next steps.
Dan offered perhaps the most practical place to begin: conduct an AI inventory, even if it is imperfect. Start by directing each business unit leader to answer three straightforward questions:
- What AI tools are you using?
- What data is being put into them?
- Did legal or IT approve them?
Those answers alone can reveal unknown tools, unmonitored data flows, and governance gaps that leadership did not realize existed.
From there, companies can begin building:
- A current list of approved tools;
- A process for evaluating new tools;
- Updated vendor and privacy documentation;
- Internal policies that reflect actual operations; and,
- Training programs that help employees understand both the benefits and risks of AI use.
As Steve noted, sometimes the hardest part is simply getting started. But once an organization begins documenting its practices, creating checklists, and building repeatable workflows, the governance process becomes much more manageable.
Key Takeaways
The consistent message throughout the webinar was that AI and privacy risks are no longer future problems. They are present operational risks that cut across contracts, compliance, security, employment practices, and public disclosures, and they require executive-level attention.
For business leaders, legal teams, and compliance professionals, the practical takeaways were clear:
- AI governance should be treated as part of a broader data governance strategy;
- Vendor agreements must be aligned with public privacy commitments and real business practices;
- Shadow AI use is already happening and must be addressed through governance, education, and workable controls;
- Public-facing disclosures must accurately reflect actual data handling and AI-related practices;
- Governance requires ownership, accountability, and ongoing maintenance—not a static policy document; and,
- A simple AI inventory is often the best place to begin.
As Jim put it plainly in closing: “Get started. Time is of the essence.”
If your organization is evaluating AI governance, reviewing vendor relationships, updating privacy disclosures, or assessing internal blind spots around AI use, FRB’s attorneys are ready to help you build a practical, defensible approach.