FrontierNews.ai

Privacy Professionals Are Becoming AI Governance Leaders, But They Need to Know What's Actually Their Job

Privacy professionals are being asked to lead AI governance before their organizations understand what parts of that responsibility actually belong to privacy. According to the IAPP Salary and Jobs Report 2025-26, 68% of privacy professionals have taken on AI governance responsibilities, yet many are uncertain about which tasks leverage their existing expertise and which require entirely new skills.

What Parts of AI Governance Do Privacy Teams Already Know?

The challenge isn't whether privacy professionals have relevant knowledge. They do. The harder issue is sorting the work when AI governance arrives as one large, undifferentiated assignment. Much of what AI governance now requires builds directly on work privacy professionals have been doing for years, even if the vocabulary has changed.

Privacy teams have long handled risk assessment, data use analysis, vendor oversight, transparency, documentation, accountability, human review, and escalation. These operational practices form the foundation of modern AI governance frameworks. The Centre for Information Policy Leadership's 2024 report, "Building Accountable AI Programs," maps its seven-element privacy accountability framework directly onto AI systems, showing that the underlying concepts are not new.

Civil society organizations and privacy think tanks were early to address what we now call AI governance. The Future of Privacy Forum documented harms of automated decision-making by 2017. The Center for Democracy and Technology launched its Digital Decisions project in 2015 to develop principles for fair algorithmic decision-making. The Electronic Privacy Information Center has long advocated for algorithmic transparency and impact assessments. Much of this work wasn't labeled "AI governance" at the time, but it directly addresses what AI governance programs are now expected to handle.

Where Do Privacy Professionals Need to Develop New Expertise?

The second challenge is where many privacy professionals understandably feel anxious. While automated decision-making has long been part of privacy work, current use cases and legal requirements are evolving faster than most organizational structures. Privacy professionals don't need to become machine learning engineers, but they do need enough technical fluency to ask the right questions.

Consider data subject deletion requests. A privacy team may already know how to assess where personal data is held and whether deletion is required. The additional question is whether personal data was used to train a model and what deletion means in that context. If personal data has been used to train a model, removal may require retraining, specialized unlearning techniques, or other controls many vendors have not implemented at scale. A system that ingested personal data in a training run two years ago may not be able to honor a deletion request in an operationally meaningful way, even if the contract uses familiar deletion language.

How to Sort AI Governance Responsibilities Into Four Categories

One framework that helps privacy professionals navigate this complexity is what experts call the "working partition: keep, learn, redirect, buy." This approach helps locate the work before deciding how to manage it.

  • Keep: Operational judgment work that has been part of privacy practice for decades, such as purpose limitation analysis, accountability documentation, disparate impact assessments, and fairness reviews. These processes can be reused and extended rather than rebuilt under new vocabulary.
  • Learn: Technical issues that affect how AI work is scoped, contracted, monitored, and audited. Privacy teams may keep their privacy-by-design process but learn how to integrate AI-specific review points, or keep their vendor due diligence process but learn which additional questions matter for AI systems.
  • Redirect: Work that belongs with another function within the organization, such as technical architecture decisions or machine learning engineering tasks that fall outside privacy's scope.
  • Buy: Expertise or services that should be procured or supported externally, such as specialized technical testing or independent auditing of AI systems.

The practical step is to inventory what your privacy program already does so existing processes can be reused and extended rather than rebuilt under new vocabulary. This matters because privacy is not entering AI governance as a newcomer but applying an established body of operational practice to a new generation of systems and legal requirements.

Why Real-World Governance Matters More Than Technology Alone

The importance of proper AI governance extends beyond privacy into healthcare and national security. At Kaiser Permanente, an FDA-cleared AI tool reduced MRI scan times from about 45 minutes to about 30 minutes by reducing image noise, which shortened patient wait times by more than 60%. But the technology was only part of the story. The governance process made sure it was safe and ready for patients.

Kaiser Permanente's approach demonstrates how governance anchors responsible AI deployment. The organization uses AI councils organized around three major areas: care delivery, health plan functions, and business functions and IT. These councils review proposed AI uses before they move forward, ensuring tools support organizational goals and responsible AI principles.

"Good governance gives health care leaders a clear way to evaluate promising tools before they reach patients. It helps inform whether a tool should move forward and what safeguards are needed," explained Daniel Yang, Vice President of Artificial Intelligence and Emerging Technologies at Kaiser Permanente.

Similarly, the Pentagon's adoption of Casepoint's AI-enabled software for classified legal operations reflects how governance frameworks must extend to national security contexts. The $98.8 million blanket purchase agreement covers eDiscovery software, support services, and training for the Defense Department's Office of General Counsel and related agencies.

"At Casepoint, AI governance is not simply an IT function; it is a business, legal, security, compliance, and product responsibility. Our AI governance is the framework of policies, controls, processes, and accountability that ensures AI is used safely, responsibly, securely, and effectively within an organization," stated Paul Colangelo, CEO of Casepoint.

The Pentagon's legal teams handle large volumes of sensitive and classified data that need to be addressed quickly, accurately, and defensibly. One major challenge is that information is typically fragmented across multiple systems, repositories, and departments. When agencies receive a Freedom of Information Act request, face litigation, conduct an investigation, or respond to an oversight inquiry, locating and managing information efficiently can be extremely difficult.

Casepoint is the only provider in the eDiscovery and investigations industry to offer IL5 or IL6 authorization under the Department of Defense's impact level classification system for cloud-based hosting environments. IL6 is a rigid compliance standard required to process classified data in cloud-based defense workloads.

What Should Policymakers Support?

As AI governance becomes standard practice across sectors, policymakers have a role in supporting frameworks that work. Kaiser Permanente's leadership recommends that regulations match oversight to risk, support clinical trials and independent testing, and promote consistency across jurisdictions rather than creating fragmented requirements that slow adoption without making patients safer.

For privacy professionals specifically, the takeaway is clear: AI governance is not one job but a set of responsibilities that need to be sorted before they can be managed. By identifying what privacy teams already do well, learning what's genuinely new, redirecting what belongs elsewhere, and buying what requires external expertise, organizations can build AI governance programs that are both responsible and operationally realistic.