A disclosure shown before personal information is collected or repurposed for automated decisionmaking. It tells the consumer what the system will do, why it is being used, and how to exercise opt-out and access rights before the decisioning process begins.
Expanded Definition
Pre-use notice is a privacy and governance control that appears before personal information is collected, combined, or repurposed for automated decisionmaking. Its purpose is to give the affected person meaningful advance notice of what data will be used, why the processing is occurring, and what choices exist before the system acts.
Definitions vary across vendors and regulatory regimes, but the core idea is consistent: notice must be timely enough to shape consent, opt-out, or access decisions before downstream automation begins. In practice, pre-use notice sits alongside transparency obligations in the NIST Cybersecurity Framework 2.0 and broader privacy governance, especially where automated profiling, fraud screening, or agent-assisted workflows touch personal data.
For identity and AI programs, the term matters because it sets the boundary for lawful data use before an AI model, workflow engine, or risk rule starts acting on a person’s record. The most common misapplication is treating a post-collection privacy policy banner as pre-use notice, which occurs when the disclosure appears only after the system has already ingested or acted on the data.
Examples and Use Cases
Implementing pre-use notice rigorously often introduces friction in user journeys, requiring organisations to weigh clearer user control against the operational cost of extra decision points and slower automation.
- A bank displays a notice before using transaction history in an automated fraud model, allowing the customer to review the purpose and available rights before scoring begins.
- An HR platform warns candidates before a screening engine repurposes application data for automated ranking or bias checks, reducing ambiguity around secondary use.
- An agentic customer-support workflow presents a disclosure before a personal record is sent to a decisioning agent, especially when the agent can take execution actions beyond retrieval.
- A health app informs users before sharing data with a third-party analytics pipeline, so consent or opt-out choices happen before the transfer, not after.
- NHIMG’s analysis of identity incidents shows why timing matters: the Ultimate Guide to Non-Human Identities highlights how weak governance around machine-held credentials can cascade into broader misuse, and the Schneider Electric credentials breach illustrates how control failures often surface only after data or access has already been abused.
Teams often pair the notice with operational rules drawn from the NIST Cybersecurity Framework 2.0, then tailor the language to the exact data path, model purpose, and rights workflow.
Why It Matters for Security Teams
Pre-use notice is not just a privacy formality. It is a control that helps prevent downstream disputes over unauthorized processing, unmanaged model inputs, and hidden repurposing of data inside automated systems. For security teams, the risk is that an AI or rules engine can be technically functional while still operating outside the user’s expectations or the organisation’s consent posture.
This becomes especially important where identity data, behavioural signals, or NHI-adjacent telemetry are fed into decisioning systems. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that governance failures often combine with access failures. If a system collects or reuses personal information without a proper pre-use notice, incident response may need to address both privacy exposure and control breakdown at the same time.
Organisations typically encounter the consequences only after a complaint, audit finding, or model incident, at which point pre-use notice becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF, NIST AI 600-1 and NIST SP 800-63 set the technical controls, while EU AI Act define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | CSF 2.0 expects governance of risk, transparency, and accountability for data-driven systems. |
| NIST AI RMF | AI RMF addresses transparency and valid notice practices for AI system lifecycle governance. | |
| NIST AI 600-1 | The GenAI profile emphasizes disclosure and accountable use of generative AI systems. | |
| NIST SP 800-63 | AAL2 | Digital identity assurance depends on informed, controlled handling of identity-bound data. |
| EU AI Act | The AI Act includes transparency duties for certain AI systems that affect individuals. |
Define ownership for pre-use notice, then verify disclosures before any automated decision workflow goes live.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org