Monday, 30 March 2026

U.S. Government Accountability Office Report on AI Privacy Risks

The U.S. Government Accountability Office has released a report on the privacy risks associated with using AI in the federal government. The privacy risks raised by experts include:

Risks Associated with Protecting Privacy When Using AI

The experts identified 10 key risks related to privacy when using AI, including potential invasions of privacy from data aggregation and the use of data for purposes exceeding what was originally intended. Table 1 identifies the 10 risks and associated descriptions.

Table 1: Expert-Identified Risks Associated with Protecting Privacy When Using Artificial Intelligence (AI)

| Risk name | Associated risk description |
| --- | --- |
| Data persistence | Data may continue to exist in AI systems and be difficult to extract/remove once collected. |
| Data re-identification | AI has the ability to cross-reference multiple data sets from seemingly independent and anonymous outputs to reidentify anonymized data. |
| Generation of deceptive or inaccurate outputs | AI may be used to intentionally or unintentionally generate deceptive outputs (e.g., deepfakes) or inaccurate outputs (e.g., hallucinations) that may result in harm towards individuals. |
| Improper disclosure | AI can reveal and cause improper sharing of individuals’ data when it infers additional sensitive information from raw data. |
| Increased accessibility to sensitive information | AI can make sensitive information more accessible to a wider audience (e.g., data brokers) than intended. |
| Invasion of privacy from data aggregation | AI may combine various pieces of data about a person to make inferences beyond what is explicitly captured in those data (e.g., social scoring), which can invade an individual’s personal space and solitude by revealing private information (e.g., health-related, financial, location). |
| Lack of security over data | Inadequate AI data requirements and storage practices can result in data breaches and improper access. |
| Lack of transparency related to data use | AI may be used without providing individuals with notice and control over how their data is being used. |
| Lack of transparency in AI model algorithmic decision-making | The workings of AI models could include decisions based on individual data that one is unaware of and that can lead to privacy risks. |
| Secondary use of data | The use of personal data for purposes other than originally intended can be exacerbated by AI’s ability to repurpose data. |

New US DOJ Corporate Enforcement Policy

The U.S. Department of Justice has released a Corporate Enforcement Policy concerning national security, which allows U.S. corporations to voluntarily disclose violations of white-collar crime rules, including, importantly, export control laws, and avoid prosecution (except in limited circumstances). The Press Release states:

The mission of the Department of Justice’s National Security Division (NSD) is to protect and defend the United States against the full range of national security threats, consistent with the rule of law. Business organizations and their employees are at the forefront of protecting the national security of the United States by preventing the unlawful export of sensitive commodities, technologies, and services, as well as unlawful transactions with sanctioned countries and designated individuals and entities. Enforcing our export control and sanctions laws, and holding accountable those who violate them, is a top priority for NSD.

On March 10, 2026, the Department released its first-ever Department-wide corporate enforcement policy (CEP) for criminal matters, promoting uniformity, predictability, and fairness in how it pursues white-collar cases to protect the American people.

As the announcement explains, the “Department-wide CEP provides concrete benefits to incentivize companies to voluntarily disclose discovered misconduct, cooperate with our investigations, and timely and appropriately remediate the wrongdoing. For companies that do, absent certain limited aggravating circumstances, the Department will decline to prosecute the company. Incentivizing corporate self-disclosures — while still permitting prosecutions in appropriate circumstances — allows the Department to quickly pursue culpable individuals, secure justice for victims, and deter white-collar crime, all while not unduly burdening American businesses.”

Under the CEP, “disclosure must be made to the appropriate component of the Department,” CEP n.5, and all resolutions under the CEP “must be approved by the Assistant Attorney General (AAG) for the relevant Division.” CEP Background ¶ 4. The CEP also provides that a “[g]ood faith disclosure to one component where the matter is later brought to another appropriate component for investigation will also qualify” for declination. CEP n.5.

As pertaining to national security laws, the Justice Manual (JM) assigns the “enforcement of all criminal laws affecting, involving or relating to the national security, and the responsibility for prosecuting criminal offenses, such as conspiracy, perjury and false statements, arising out of offenses related to national security . . . to the AAG of NSD.” JM § 9-90.010.

The scope of these matters, which includes violations of the U.S. government’s primary export control and sanctions regimes — the Arms Export Control Act (AECA), 22 U.S.C. § 2778, the Export Control Reform Act (ECRA), 50 U.S.C. § 4801 et seq., and the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701 et seq. — can be found at JM § 9-90.020.

While the conduct of business organizations and their employees has the greatest potential to implicate U.S. national security interests in the enforcement of export control and sanctions laws, the conduct of business organizations and their employees can also violate other U.S. national security laws, including laws prohibiting material support to and financing of foreign terrorist organizations, criminal violations in connection with the work of the Committee on Foreign Investment in the United States (CFIUS), and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom). Companies are encouraged to voluntarily self-disclose to NSD any potential criminal violations of U.S. law relating to matters conducted, handled, or supervised by the NSD AAG.

All voluntary self-disclosures concerning potential criminal violations of U.S. national security laws should be sent, with the company name in the subject line, to NSD’s email inbox for voluntary self‑disclosures: NSD.VSD@usdoj.gov.