Privacy Violation

Privacy is an unusual security category in AI because the data is often inside the model rather than next to it. Three failure modes dominate. First, training-data memorization: models can be coaxed into emitting verbatim PII or copyrighted text from their corpus — a documented vector against several frontier LLMs. Second, vendor data retention: applications routinely send user content to third-party APIs (OpenAI, Anthropic, Google) where it may be retained, logged for safety review, or used to improve future models, depending on the contract; under GDPR this is a controller-processor relationship that requires DPAs and lawful basis. Third, application-layer leakage: chat histories cached without per-tenant keys, vector stores indexed without ACLs, and logs containing full prompts. Compliance frameworks now address this directly: ISO 42001 Annex A 9.x, EU AI Act Article 10 (Data Governance), and GDPR Article 25 (Data Protection by Design).