Because the AI Act builds on GDPR principles rather than replacing them. Transparency, minimisation, human review, and documented risk assessment all reappear in AI governance, so separate programmes create blind spots. Teams that manage personal data, model data, and decision rights in one path are better placed to prove control.
Why This Matters for Security Teams
GDPR and the EU AI Act do not sit in separate operational lanes. If personal data is used to train, fine-tune, prompt, evaluate, or audit an AI system, the same workflow can trigger privacy duties and AI governance duties at the same time. Treating them as separate programmes often leaves gaps in lawful basis, data minimisation, transparency, retention, and human oversight. That is why current guidance increasingly points security, privacy, legal, and risk teams toward one coordinated control plane, not parallel checklists.
This matters most when model development is fast and evidence is fragmented. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives shows how auditability depends on linking identity, access, and evidence across the lifecycle, while the NIST Cybersecurity Framework 2.0 reinforces governance as a continuous function rather than a one-time review. In practice, many security teams encounter GDPR scope creep only after an AI feature is already in production and the evidence trail is too fragmented to reconstruct.
How It Works in Practice
Governing the two regimes together means mapping one AI use case to one shared set of control questions: what personal data is involved, why it is processed, where it flows, who can change it, how long it is kept, and what human review exists. The GDPR side answers legality, minimisation, accuracy, retention, and rights handling. The AI Act side asks whether the system is prohibited, high-risk, or subject to transparency and documentation duties. The overlap is the operational core: data lineage, model documentation, access control, and impact assessment.
A practical workflow usually includes:
- One intake review for both privacy and AI risk, so the use case is not duplicated in separate systems.
- Shared records of processing, model cards, and risk assessments, with consistent ownership for updates.
- Data minimisation for training and retrieval layers, not only for production outputs.
- Role-based access plus purpose-based restrictions for prompts, fine-tuning sets, and evaluation data.
- Human review points that are documented where the AI Act expects oversight and GDPR expects defensible decision-making.
The Top 10 NHI Issues is a useful reminder that access and secret sprawl can undermine both privacy and AI control evidence. For implementation detail, NIST Cybersecurity Framework 2.0 helps structure governance, and the current guidance from the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs supports lifecycle controls for the identities and secrets that move AI data around. These controls tend to break down when teams outsource model development, because the processor, the model owner, and the privacy owner all maintain different evidence sets.
Common Variations and Edge Cases
Tighter joint governance often increases review time, documentation load, and cross-functional dependency, so organisations must balance speed against defensibility. That tradeoff becomes sharper when the AI system is low-risk, experimental, or used only internally, because not every workflow warrants the same level of formal review.
There is no universal standard for this yet, but current guidance suggests three common edge cases need special handling. First, reused training data may have been collected for one lawful purpose but deployed for another, which can trigger GDPR purpose-limitation issues even when the AI Act documentation is complete. Second, vendor-hosted models can obscure where personal data is stored, copied, or retained, making retention and deletion obligations harder to prove. Third, security telemetry can itself become personal data if it is tied back to employees, customers, or users, so logs used for AI governance must be scoped carefully.
For teams building a repeatable control model, the most reliable path is to treat privacy impact assessment, AI risk assessment, and third-party assurance as one connected evidence chain. The DeepSeek breach is a reminder that weak data handling and weak AI governance often surface together, not separately. Where there is no clear owner for both data protection and model risk, the programme usually fails at the point of incident response, not at the point of policy design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST AI RMF and NIST CSF 2.0 set the technical controls, while the EU AI Act defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| EU AI Act | | AI Act duties on transparency and high-risk governance are central to the question. |
| NIST AI RMF | | AI RMF supports aligning governance, mapping, and measurement across privacy and AI risk. |
| NIST CSF 2.0 | GV.OV | Governance oversight helps unify privacy and AI controls into one operating model. |
Build one AI governance intake that assigns risk tier, documentation, oversight, and disclosure duties.