Answer — AI Governance
Is a privacy impact assessment enough for AI?
A privacy impact assessment remains necessary — but it photographs a project at one moment. AI changes weekly: vendor-enabled agents, drifting usage. The point-in-time assessment therefore needs to rest on a continuously maintained inventory and a history of what actually happened since.
What the assessment does — and does well
The privacy impact assessment (ÉFVP) is a Law 25 obligation for projects acquiring, developing, or overhauling systems that touch personal information — and an excellent exercise: it forces you to name the data, the flows, the risks, and the safeguards before deploying. A serious AI project starts there. Nothing below suggests skipping it.
Where does the photograph reach its limit?
An assessment is dated: it describes the project as evaluated that day. Three things move after the signature:
- The perimeter. AI features arrive through vendor updates — sometimes enabled by default — without passing through the assessment again. IBM’s breach report (2025) attributes 20% of breached organizations to shadow AI: AI that was never assessed, precisely.
- The usage. A tool approved for one use case attracts others; the drift is silent.
- The proof. The day the question arrives — from the board, the auditor, the regulator — the assessment demonstrates that an evaluation took place. It says nothing about what the systems have done since.
How do the assessment and the continuous record complement each other?
The assessment says: “here is what we evaluated and decided.” The continuous record says: “and here is what actually happened since, week after week.” Either one alone is incomplete: the evaluation without the trace ages from the day it is signed; the trace without the evaluation has no frame. Together, they form demonstrable reasonable diligence.
Agentica provides the second half: the continuous inventory of every AI agent in your business environment and the tamper-proof history of what it did — the raw material for your next assessments, and the proof that the decided safeguards lived on beyond the document.