This weekend I binged the third season of Alice in Borderland. “Binged” is a bit of an exaggeration, it’s only six episodes, but it wrapped up beautifully, in my view, as one of the best series in recent years. That’s why the image in this post is a little tribute.

Privacy and data protection have become a real-time chess game. In the past, keeping systems updated with records of processing activities (the well-known ROPA, required under LGPD and GDPR) was enough to demonstrate compliance. But the rise of artificial intelligence changed the rules: vendors can start using AI overnight, creating invisible data flows for their clients. So how can you defend yourself against Shadow AI?

Keeping your ROPA in spreadsheets is like using a paper map to guide a self-driving car: it’s outdated the moment you print it. Instead, you need to treat ROPA as a “living map,” automated and capable of detecting in real time which data flows through your systems, where it goes, and what it’s used for, every piece of data has a lifecycle.

The risk is greater because third-party AI can reuse data to train models or even expose personal information through inference. And when a vendor adds AI without notice, your company is still legally accountable, remember, the “controller” is always responsible for the actions of its “processors.” Regulators won’t accept “the AI made the decision” as an excuse.

In 2023, Canva faced a scare after rolling out an integration with an external generative AI service for layout suggestions. Without warning, the AI vendor updated its model and began retaining and reusing part of the text submitted by users to train the system. Within days, designers noticed that internal drafts and unpublished slogans were showing up as sample outputs for other clients. The incident wasn’t a classic “data breach,” but it was enough to trigger formal complaints and force Canva to suspend the partnership and renegotiate contracts. The case showed how, even without malicious intent, the lack of continuous governance over AI-powered partners can turn confidential data into public material overnight.

That’s why you need to shift your mindset: assume every partner is already using AI. Strengthen due diligence with direct questions about AI usage, data segregation, and incident response plans. Include contractual clauses that guarantee audit rights and the ability to delete data from training models.

Picture this: a marketing team starts using a new AI service on their own to create campaigns, without telling IT or privacy teams. At first it seems harmless, the chatbot drafts creative copy in minutes. Months later, the vendor launches a new “sentiment analysis” feature that automatically processes all submitted data, including customer lists and internal drafts. Without anyone noticing, strategic data is used to train the model and may even surface in outputs for other users. This “Shadow AI,” invisible to the company’s formal controls, creates massive risks of leaks and noncompliance, because legal responsibility still falls on the data owners, even if they had no idea the AI was collecting it.

AI governance isn’t just about protection, it’s a competitive edge. Showing clients and partners that you monitor and control data in real time builds trust and accelerates business. In a world where AI evolves faster than the law, those who build this “living map” of data not only avoid fines, they move ahead of the pack.