The dilemma facing executives in 2026: the urgent need to innovate to remain competitive in the face of the risk of massive data breaches. Presenting AI not as a gimmick, but as a building block of the Operating Model that requires a rigorous framework.
In 2026, all business leaders face the same dilemma: accelerate to avoid falling behind, or slow down to secure systems and prevent data breaches. Artificial intelligence is revolutionizing the market just as the Internet did in the late 1990s: a technology that’s taking off at breakneck speed, but one that everyone is still learning to master. Back then, companies created unprotected websites before realizing that a digital infrastructure without a rigorous framework leaves them constantly exposed to risk. History is repeating itself.
These days, AI is no longer just a demo gadget reserved for R&D teams; it has become a structural component of companies’ operating models, much like a CRM or ERP system. This shift in status is significant—you don’t deploy critical infrastructure without governance or risk mitigation.
The Acceleration of AI: An Unprecedented Performance Driver
AI is transforming product management by accelerating discovery and delivery.
Artificial intelligence delivers measurable gains in productivity, foresight, and customer satisfaction.
First, regarding productivity, artificial intelligence automates repetitive, low-value-added tasks, thereby freeing up human time for tasks with greater strategic value. According to PwC (1), since 2022, productivity growth has nearly quadrupled in the industries most exposed to AI: rising from 7% between 2018 and 2022 to 27% between 2018 and 2024.
Prediction is undoubtedly the most easily measurable use case. Predictive artificial intelligence is transforming the way companies manage their operations: instead of reacting after the fact, they can now anticipate events before they occur (stockouts, machine breakdowns, customer churn, etc.). According to McKinsey (2), predictive AI applied to the supply chain can reduce forecasting errors by 20 to 50%, resulting in up to a 65% reduction in product shortages and a 5 to 10% decrease in warehousing costs.
Finally, on customer satisfaction: companies are increasingly integrating AI into their customer service operations to ensure round-the-clock availability and enhanced personalization. Companies measure the impact of AI using satisfaction and loyalty metrics; however, according to Adobe for Business (3), 52% still struggle to demonstrate a measurable ROI. This is a common paradox: the benefits are real, but we don’t yet know how to measure them effectively.
These benefits extend to all areas of the business. Artificial intelligence is also central to product management, helping to accelerate discovery and delivery.
During the discovery phase, it reduces analysis time: automatic processing of feedback, detection of usage patterns and correlations between behaviors, hypothesis generation… What used to take several weeks of interviews and qualitative analysis can now be done in a matter of hours.
For the delivery phase, the impact is just as significant: AI assists with code writing, speeds up code reviews, and enables faster iteration by continuously analyzing results.
It doesn't replace the product manager—it enhances their role. That's a subtle difference that changes everything. Artificial intelligence doesn't change the product cycle—it accelerates it.
(1) PwC 2025 Global AI Jobs Barometer | PwC
(2) Stronger forecasting in operations management—even with limited data | McKinsey
(3) Adobe AI and Digital Trends 2026: Insights on GenAI and Agentic AI
The 3 Major Risks of AI if not properly regulated
1. Leakage of sensitive data (shadow AI)
"Shadow AI" refers to the use of consumer-grade AI tools (such as ChatGPT and Claude.AI) by employees without approval from the IT department; this can lead to the leakage of sensitive data. If no one tells them that this is risky, a developer might paste proprietary code into a consumer-grade AI tool, a sales representative might have it summarize a client contract, or an HR professional might ask it for a performance evaluation. In each case, the data is transmitted to external servers, beyond the company’s control.
This is what happened at Samsung in 2023: Engineers, who were authorized to use ChatGPT, inadvertently sent proprietary source code, internal meeting notes, and sensitive hardware data to OpenAI. As a result, Samsung lost control of its data without even realizing it at the time. (1)
According to the Netskope 2026 report (2), in companies where AI adoption is most advanced, the study found an average of 2,100 leaks of sensitive data to external LLMs per month per organization—or more than 70 per day.
(1) Samsung Semiconductor employees leak sensitive information via ChatGPT
2. Unreliability and hallucinations
Socrates said, “I know that I know nothing,” and it is precisely this self-awareness that the LLM lacks. An LLM does not know that it does not know. When it lacks information, it fills in the gap with a plausible answer, presenting it with the same confidence as an accurate answer. This is called a hallucination. It is a structural property of language models, demonstrated by Kalai & Vempala (1): for certain types of facts, a minimal rate of hallucinations is inevitable.
There are actual cases: In 2023, a New York lawyer was sanctioned by a court for submitting a legal brief containing citations and case law entirely fabricated by ChatGPT. The case set a legal precedent. (2)
For a company, the reputational risk is the same: false information spread by an AI system is effectively a message endorsed by the company, and it therefore affects the brand’s reputation. A correction can never make up for the mistake.
(1) [2311.14648] Calibrated Language Models Must Hallucinate
(2) United States: ChatGPT Feeds Him Made-Up Cases, Putting a Lawyer in a Bind – 20 minutes
3. Regulatory Compliance (AI Act and GDPR)
Every company must comply with regulatory requirements, including the GDPR, which governs personal data, and the AI Act, which governs AI systems.
From a GDPR perspective, for example, every prompt containing personal data sent to a cloud-based LLM constitutes a potentially undocumented data transfer—and thus an unintentional violation. (GDPR: Articles 30, 44–49) This is typically a blind spot that many companies did not anticipate when deploying their first AI tools.
Training a model on customer data increases the risk: it must be legally justified and may be subject to an impact assessment. (GDPR: Article 35) Added to this is another issue: the U.S. Cloud Act authorizes the U.S. government to access, pursuant to a court order, data stored by U.S. companies, even on servers located in Europe. In practice, documented cases are very rare, but the legal uncertainty remains real: if a company complies with a U.S. warrant, it risks violating the GDPR. (3)
The AI Act raises additional legal issues:
- The AI literacy requirement has been in effect since February 2025. (AI Act: Article 4)
- As of August 2025, large models must publish a summary of their training data. (AI Act: Article 53)
- Starting in December 2027, high-risk systems (recruitment, credit scoring, healthcare, performance evaluation) will be fully subject to requirements for traceability, explainability, and human oversight. (AI Act: Articles 6, 12, 13, 14)
And if all that weren’t enough to convince you: penalties can reach up to 35 million euros or 7% of global revenue in the event of a breach. (AI Act: Article 99 and GDPR: Article 83)
(1) GDPR: Regulation – 2016/679 – EN – GDPR – EUR-Lex
(2) AI Act: Regulation (EU) 2024/1689 – EN – EUR-Lex
(3) Cloud Act: Data in Europe Remains Accessible to the U.S.
(4) AI Act Timeline: Entry into force of the EU AI Regulation: Initial Q&A from the CNIL | CNIL
Strategy: How to Build a Framework for Secure Innovation
Usage Audit: Identify where AI delivers the most immediate value.
Infrastructure Options: Self-hosted open-source LLMs vs. secure APIs (Enterprise versions).
Data Governance: Clean and anonymize data before it is fed into AI.
The three risks identified earlier are not inevitable; we must adapt and secure usage and deployments. Security is not a barrier to innovation; it is the key to its sustainability. In practical terms, this security process consists of three steps: auditing usage, selecting infrastructure, and governing data.
Before deploying AI, the first step is to audit the teams in order to identify where artificial intelligence creates real value: which tasks are repetitive and time-consuming, which processes could benefit from greater accuracy, and so on. This audit also uncovers unauthorized uses that are already in place, as it reveals employees’ practices. Rather than imposing bans without offering solutions, the audit helps us understand the situation and propose secure internal alternatives.
The second step in this audit is to prioritize use cases based on value and risk. A use case with a high ROI but high risk will require a compliance framework before any deployment. Meanwhile, a low-risk use case can be deployed quickly, thereby yielding (smaller) gains more rapidly.
Next comes the choice of infrastructure—a strategic decision that depends on several criteria: the sensitivity of your data, the volume of usage, and the company’s technical maturity. Enterprise APIs (Gemini, Claude, GPT, etc.) enable rapid deployment without data retention or retraining, which is contractually guaranteed in their Enterprise versions. As soon as confidentiality becomes non-negotiable or the volume exceeds a certain threshold, self-hosted open-source LLMs become the obvious choice (no data transfer, no Cloud Act risk).
Finally, the last step is data governance. AI is only as good as the data that feeds it. First, you must comply with the GDPR and therefore anonymize or pseudonymize personal data, then define clear access rules: who can use what, on which data, and with what permissions. Governance also includes tracking usage: who is using which tool, on what data, and to achieve what results. This is not only a requirement under the AI Act for high-risk systems, but also a way to detect model drift in production before it impacts business decisions.
The Role of Product Management in Securing AI
AI security is not just an “IT” issue, reserved for the IT department to address at the end of a project as a compliance audit. The critical decisions are made at the product level: what data is sent to the model, and in what context.
The PM ensures AI safety through design choices, namely the integration of guardrails. A guardrail is a mechanism that stops unwanted AI output before it reaches the user. The PM defines them at two levels: at the input stage, by specifying what the user can send to the model, and at the output stage, by applying filters to responses that are uncertain or expose sensitive data. The PM must ensure that all requirements of the AI Act are met.
Another important point for the PM is Privacy by Design: integrating data protection right from the discovery phase, not just during final validation. In practice, this means collecting only the data strictly necessary for the use case, anonymizing it as soon as possible, and never sending the model more than it needs. This avoids having to rebuild the entire architecture at the end of the project when compliance is brought into the loop.
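The input and output guardrails described above, together with the pseudonymization and usage tracking from the data governance step, can be combined in a single wrapper around each model call. The sketch below is an added example, not code from this article: the function names, the audit record fields and the three regular expressions are assumptions chosen for illustration, and the sample prompt is constructed.

```python
import hashlib
import hmac
import re

# Illustrative detectors (assumption): production coverage must be far broader.
DETECTORS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,3})?\b"),
    "PHONE": re.compile(r"(?<![\w+])\+?\d[\d .-]{7,14}\d(?!\w)"),
}

def pseudonymize(prompt, key, vault):
    """Input guardrail: replace personal data with keyed tokens; vault stays local."""
    categories = set()
    for category, pattern in DETECTORS.items():
        def swap(match, category=category):
            tag = hmac.new(key, match.group().encode(), hashlib.sha256).hexdigest()[:8]
            token = f"<{category}_{tag}>"
            vault[token] = match.group()
            categories.add(category)
            return token
        prompt = pattern.sub(swap, prompt)
    return prompt, sorted(categories)

def filter_output(response, vault):
    """Output guardrail: redact personal data the model emitted, then restore tokens."""
    for category, pattern in DETECTORS.items():
        response = pattern.sub(f"[REDACTED:{category}]", response)
    for token, value in vault.items():
        response = response.replace(token, value)
    return response

def guarded_call(user, tool, prompt, send, key, audit_log):
    """Wrap one model call; `send` is whatever client function reaches the LLM."""
    vault = {}
    safe_prompt, categories = pseudonymize(prompt, key, vault)
    # Usage tracking: who, which tool, which data categories; never the raw values.
    audit_log.append({"user": user, "tool": tool, "categories": categories})
    return filter_output(send(safe_prompt), vault)

# Constructed sample data; the echo lambda below stands in for a real LLM client.
SAMPLE = ("Summarize the contract for jane.doe@example.com, "
          "phone +33 6 12 34 56 78, IBAN DE89 3704 0044 0532 0130 00.")

if __name__ == "__main__":
    log = []
    print(guarded_call("alice", "summarizer", SAMPLE, lambda p: p, b"local-key", log))
    print(log)
```

Because the tokens are derived with a key that never leaves the company, the same customer maps to the same token across prompts, while the external provider only ever sees the token.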
Conclusion: Trusted AI as a Competitive Advantage
The question is no longer whether your company should adopt artificial intelligence; it’s already doing so, whether you realize it or not. The real question is how to deploy it while building the strongest possible framework. Security isn’t a barrier to innovation—it’s what ensures its longevity.
The facts speak for themselves: partners are demanding contractual guarantees regarding data sovereignty, and regulators (the AI Act) are setting non-negotiable deadlines. Companies that anticipate this framework don’t merely comply with it—they turn it into an operational advantage over those that will have to rush to comply. Data protection isn’t a moral obligation; it’s a competitive advantage.
FAQ: AI in Business
What is "Shadow AI" and how can it be limited?
Shadow AI refers to the use of consumer-grade AI tools such as ChatGPT, Claude, and Gemini by employees without organizational approval. To limit this, it is necessary to have secure internal tools available and to train employees on the risks associated with Shadow AI.
Is AI in the workplace compatible with the GDPR?
AI in the workplace is compatible with the GDPR, but it is important to ensure that every prompt containing personal data sent to a cloud-based LLM is documented, legally justified, and contractually governed.
In practice, there are two reliable options: Enterprise APIs with contractual provisions for data protection and self-hosted LLMs.
Should we opt for in-house AI or an off-the-shelf solution?
It all depends on the sensitivity of the data and the use cases. Enterprise APIs are sufficient, quick to deploy, and cost-effective up to a certain usage volume. As soon as the data is confidential, a self-hosted open-source LLM offers absolute technical assurance: no data transfer, no Cloud Act risk. It is the most sovereign solution.