Article · AI Privacy

How enterprise AI security reviews have changed

What buyers asked about AI in 2023 vs. 2024 vs. 2025 vs. 2026: from retention checkboxes to data-path diagrams, subprocessor maps and model-level controls. A practical guide for vendors and buyers.

By Privian Team · Updated June 6, 2026 · 11 min read

Enterprise security reviews of AI features have changed more in three years than typical SaaS reviews changed in the previous ten. The shift is not just longer questionnaires. The questions themselves got sharper, the language is converging across industries, and the bar for what counts as a credible answer keeps moving up.

This is a practical, year-by-year view of how the conversation evolved — based on the questions vendors actually get, not on a framework someone wishes existed.

[Figure: Enterprise AI review, the five pillars. (01) Data path: what enters / leaves. (02) Retention: per hop, per role. (03) Access: who can read what. (04) Controls: masking · BYOK · models. (05) Governance: policy + audit. Most modern AI security reviews reduce to some combination of these.]

2023 — "Do you use AI?"

The first wave was structural. Reviews added an "AI" section to existing questionnaires and asked the equivalent of "do you use it, and if so, which model?" Specific concerns:

  • Is GenAI used in any product feature?
  • Which provider (often a single-line answer was accepted)?
  • Is customer data sent to the model?
  • Is the data used for training?
  • Is there a retention window?

Answers were usually short. Most vendors had no formal answer for any of them. Reviewers accepted "we use OpenAI's API and the data is not used for training" as a complete response.

2024 — "Which tier, which subprocessors, which retention?"

The Samsung incident, the OpenAI outages and the broader maturing of enterprise AI tenants pushed reviewers to be more specific. The questions got operational:

  • Which provider tier — consumer, API, enterprise?
  • Is training opt-out enabled at the account level?
  • What is the documented retention window for prompts and outputs?
  • List the subprocessors that touch the prompt.
  • Does any human at the vendor see prompts?
  • Where is the inference performed geographically?
  • What is the incident-response process for prompt exposure?

"We use OpenAI" stopped being a sufficient answer. Vendors who could not name their provider tier and retention posture started losing reviews. Subprocessor lists became a routine ask.

2025 — "Draw the data path"

2025 was the year the conversation moved from controls to architecture. Reviewers started asking for a data path — the sequence of components a prompt traverses, what each one does, what each one stores. This is when "clean data path" became a phrase in security reviews. Typical questions:

  • What enters the model, exactly?
  • What leaves the model, exactly?
  • What is retained at each hop, and for how long?
  • Who at the vendor can read prompts in production?
  • Is there a gateway or LLM proxy in the path? What does it do?
  • Is sensitive data masked before egress? With what technique?
  • How are provider credentials managed — pooled, per-tenant, BYOK?
  • What logs exist? Are they sanitized?

At this point security reviewers were not just checking boxes; they were evaluating whether the vendor had thought about the problem at all. A vendor with a published data path page frequently shortened the review cycle by weeks.

2026 — "Per-model, per-region, per-role"

The current wave is granularity. Reviewers know that "AI" is not a single thing; they ask about specific models, specific regions, specific roles. Reviews now commonly include:

  • Per-model controls: "what is the retention for gpt-4o vs. claude-sonnet on your account?"
  • Region-level routing: "is EU traffic guaranteed to stay in the EU?"
  • Role-based access to the gateway or copilot ("which employee roles can use which models?").
  • Vendor-side AI governance: "what is your internal AUP for using AI on customer data?"
  • Model-output retention separately from prompt retention.
  • Evidence of independent review or testing of the masking / gateway layer.
  • Whether the vendor's AI features are covered by the same subprocessor list as the rest of the product.

The reviewers asking these questions are not always security engineers. Procurement, legal and privacy teams are now embedded in AI reviews. The vocabulary has stabilized enough that they can compare answers across vendors.

What buyers expect to see, today

  • A data path page. Not a marketing diagram — actual flow, with retention at each hop.
  • A subprocessors list. Including the model providers.
  • Explicit retention claims for prompts, responses and observability — separately.
  • Provider relationship clarity — pooled, per-tenant or BYOK.
  • Plain-language descriptions of what masking, filtering or governance the vendor actually performs.
  • Honest limitations. A page that lists what the product does not claim is, somewhat counter-intuitively, one of the strongest trust signals in 2026.

What this means for vendors

Three changes are worth making proactively:

  1. Publish a data path. The act of writing it usually surfaces decisions you have not made.
  2. Document what you do not do. Reviewers reward honesty here.
  3. Make the gateway layer explicit, even if it is a single hop. Buyers want to know it exists and what it sees.

Related Privian pages

See data path, architecture, security model and subprocessors for how Privian answers these questions directly.

Written under our editorial principles: implementation-grounded, honest about limitations, educational first.

Frequently asked questions

Are AI security questionnaires really different from regular SaaS ones?

Increasingly, yes. Standard security questionnaires assume a request/response service with stored records. AI features add prompts, model outputs, retention windows specific to model usage, training opt-outs, subprocessor relationships with model providers, and questions about the data path inside the vendor's own architecture.

What is the single biggest change since 2023?

Buyers stopped accepting "we use OpenAI" as an answer. They now ask which provider tier, which subprocessors, what the retention window is, whether training is opted out, what the gateway sees, and whether the vendor itself can read prompts in production.

Do vendors need to publish a data path diagram?

It is becoming expected for AI features. A clear written description of what enters the model, what leaves, what is retained, who can see it and what is deleted answers most reviewer questions faster than any questionnaire response.

Where does Privian help in a review?

Privian's data path, security and architecture pages are written to answer the recurring questions directly. Teams routing through Privian can point to a managed chokepoint with deterministic masking, zero raw retention and BYOK as part of their own response.