One Governance Framework for AI Act & GDPR: The Business Case in Numbers

Paul-Emmanuel Bidault
June 22, 2026 · 7 minutes read time

The AI Act, or the Artificial Intelligence Regulation (Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024), has given rise to an entire market of tools dedicated to AI governance. But the most advanced organizations are not starting from scratch; they are instead building on what they have already developed.

Privacy, Compliance, and Risk Management teams are, in practice, becoming companies’ first AI Governance teams. This is not a deliberate organizational strategy choice: it is a direct consequence of the fact that the issues raised by AI are, for the most part, issues these teams already know how to handle.

To document this evolution, we cross-referenced data published by IAPP, Cisco, IBM, Microsoft, and McKinsey, as well as several European institutional sources. What these studies reveal together is more significant than what they say separately: GDPR, data governance, and AI governance are converging, and that convergence is already underway.


Privacy teams are gradually becoming AI Governance teams


One of the most striking takeaways from recent studies lies less in the numbers themselves than in what they reveal about the quiet reconfiguration of organizations: AI governance is not being built from a blank slate. In nearly every case, it is being anchored in teams already responsible for data protection, data governance, or compliance.

This trend is no coincidence. The first questions raised when deploying an AI system invariably concern data: where it comes from, its quality, the individuals concerned, and the risks associated with its processing. These are precisely the questions Privacy teams have been trained to ask for years.

Key statistics

  • 69% of Chief Privacy Officers now have AI Governance responsibilities.
  • More than 80% of Privacy teams today have responsibilities extending beyond the GDPR regulatory framework alone.
  • 55% of Privacy professionals work in organizations where the Privacy function participates in AI governance.
  • 22% of organizations assign primary responsibility for AI governance to the Privacy function, compared with 22% to Legal and Compliance teams, 17% to IT, and 10% to Data Governance teams.
  • 67% of organizations where AI governance is led by the Privacy function say they are confident in their ability to comply with the AI Act requirements.

Sources: IAPP Privacy Governance Report 2025 & 2024


AI adoption is advancing much faster than governance frameworks

Enterprise AI adoption is now massive and well documented. What is less visible, and more concerning, is the structural gap widening between the speed at which AI tools are deployed and organizations’ ability to govern them.

The phenomenon of Shadow AI (employees using AI tools without prior approval, often for fear of being seen as behind the curve) is becoming the leading AI governance risk in companies.

Key statistics

  • 75% of knowledge workers already use AI at work
  • 78% of users bring their own AI tools to work
  • 52% of users hesitate to disclose their AI use, and 53% fear being seen as replaceable if they use it
  • 79% of executives consider AI necessary to remain competitive, but 60% acknowledge they do not have a clear AI strategy
  • 77% of organizations believe AI adoption is moving faster than their governance capabilities
  • Only 11% consider themselves fully prepared for large-scale AI deployment

Sources: Microsoft Work Trend Index 2024 / IBM Institute for Business Value (CEO & CTO Generative AI Study)


Debates around artificial intelligence often focus on models, their performance, or their bias.

Yet the most recent studies show that incidents observed within companies often originate elsewhere: lack of governance, insufficient access controls, poor third-party vendor management, and limited visibility into actual usage. The root causes of AI incidents are data governance problems, not model-tuning problems.

These issues are already well known to Privacy, Security, and Compliance teams.

Key statistics

  • 51% of organizations using AI have already experienced at least one negative AI-related consequence
  • Organizations are now managing on average twice as many AI risks as in 2022
  • 20% of companies have already suffered a Shadow AI-related breach; of those, 63% had no formal AI governance policy and 97% lacked adequate AI access controls
  • Breaches involving Shadow AI cost on average $670,000 more
  • The global average cost of a data breach reaches $4.4 million

Sources: McKinsey – The State of AI 2025 / IBM Cost of a Data Breach Report 2025 / Cybersecurity Dive – Analysis of IBM Cost of a Data Breach Report


Privacy investments are already delivering the benefits sought in AI Governance programs

AI Governance leaders generally aim to improve trust, transparency, risk control, and compliance.

These are precisely the benefits companies have attributed to their Privacy programs for several years.

The results published by Cisco show that investments made in this area are now widely perceived as value-generating.

Key statistics

  • 96% of organizations believe the benefits of their Privacy investments outweigh their costs.
  • The reported median ROI is 1.6x, with 53% of companies seeing a return between 1x and 2x
  • 86% believe data protection regulations have a positive impact on their organization.
  • 99% consider independent assurance and certification mechanisms important when selecting vendors.
  • Organizations spend an average of $2.7 million per year on their Privacy programs.

Sources: Cisco Data Privacy Benchmark Study 2025


The AI Act relies heavily on mechanisms already present in GDPR programs

When examining the obligations imposed by the AI Act, a significant portion of the requirements concerns data, documentation, risk management, and traceability.

These mechanisms are already familiar to organizations that have structured their GDPR compliance.

The AI Act is not the GDPR. Its scope, logic, and actors are not identical. But it shares with the GDPR a governance architecture based on data, documentation, and accountability.

Examples of convergence

AI Act                       | Privacy programs
-----------------------------|----------------------------------
AI system inventory          | Record of processing activities
Data governance              | Data mapping
Risk management              | Impact assessment (DPIA)
Technical documentation      | Accountability
AI vendor management         | Processor management
Post-deployment monitoring   | Ongoing compliance controls

Regulatory references: European Data Protection Board (EDPB) – AI Act and Data Protection Authorities Position Paper / EU AI Act – Article 10 (Data and Data Governance)


What these figures reveal

Taken individually, each of these figures is interesting, but taken together, they point to a much deeper shift: Privacy teams are gradually becoming central players in AI governance.

Organizations are investing in trust mechanisms that benefit both the GDPR and the AI Act. The incidents observed are often linked to data governance, access control, or vendor management issues. Finally, regulatory requirements rely heavily on assets already present in Privacy programs: inventories, mappings, impact assessments, controls, and documentation.

The point, therefore, is not to determine whether the GDPR and the AI Act are identical. They are not. The real question is whether it is still relevant to maintain two separate governance frameworks to oversee the same data, the same risks, the same vendors, and, increasingly, the same teams.

The numbers suggest that the most advanced organizations have already made their decision.


Separating tools fragments accountability. Unifying them creates control.
Dastra centralizes your Privacy and AI governance on a single platform. Discover it here.