Your Website Uses AI. Does Your Team Have a Governance Plan?
Introduction
From chatbots and personalization engines to content generation and behavioral analytics, AI is rapidly transforming the website experience. But with that innovation comes a new layer of compliance complexity that many organizations are only beginning to reckon with.
AI is a seismic shift we’re living through, but if you get the right people in the room, carefully consider the risks and legal requirements, and establish logical frameworks, you should be able to see where your governance program needs to go. You’ll want to build governance controls that work while allowing your teams to innovate. Technology always asks us to move quickly, while customers and stakeholders demand that we do it without creating regulatory, privacy, or security exposure.
In this article, we’ll walk through:
- The challenges of governing AI used on your websites
- New privacy risks that LLMs open
- Specific AI use cases and the possible exposure each brings
- How to begin integrating AI governance
- The one thing you shouldn’t forget
Framing the Landscape
Existing privacy laws may not be explicit in regulating specific AI use cases, which can contribute to a sort of gray area. However, new regulations are on the way, so it’s best to check which laws apply depending on where you do business.
The European Artificial Intelligence Act is coming into effect in August of 2026, and Brazil, Canada, and Singapore are drafting legislation as well. China has interim measures in place while it builds out a comprehensive AI legal framework. So far, it requires generative AI providers to conduct security assessments, prevent discrimination in training, and register algorithms with the government. It is also trying to protect users against deepfakes and mass layoffs due to AI, and to provide consent mechanisms. South Korea finalized its AI Framework Act in January 2025. Japan passed a pro-innovation AI Act in May 2025.
LLMs and Their New Privacy Risks
Even with rumblings of AI backlash, there’s still a lot of excitement about LLM capabilities and the potential efficiencies that businesses can achieve by embedding them into websites and customer service processes.
The most obvious risks of AI-enabled features:
- Potential for unreliable output
- Sharing information with the wrong party
- Inappropriate data being used to train AI models
- Not disclosing the use of AI or data gathered from AI
If we think about it further, AI governance will ask organizations to go beyond traditional tag and cookie governance into broader data and decision governance. Why?
Consider what LLMs are really good at. They’re good at relating unrelated information. If someone usually goes online at 7:00 p.m., with this speed connection, from this IP address, and frequents these kinds of websites, then AI might be able to narrow it down to a single device or individual. If we want agentic AI to buy our groceries and recall information we already told it, then we’re willingly handing over more and more personally identifiable information.
Can companies manage all this influx of information and keep it secure when we already have so much trouble even managing a website’s data layer?
Getting Specific About Risks by AI Use Case
Speaking of an influx of data, let’s talk about some specific AI uses and the governance problems they might create.
AI Chat & Virtual Assistants
Problem: When you allow users to input freeform, unstructured data, the risk of sensitive data being collected or leaked increases.
Solution: Even with clear instructions not to share sensitive information, businesses need to put in guardrails like data filters, redaction tools, or segregation of the chat data from other core systems.
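One way to build the data filter described above, as an added example that is not ObservePoint's code: a server-side (Node.js) function that redacts sensitive values from freeform chat text before it is stored or forwarded to a model. The three categories, the regular expressions, and the placeholder format are assumptions chosen for illustration.

```javascript
// Added example: redact sensitive values from freeform chat text before it is
// logged or forwarded to an LLM. Categories and placeholders are assumptions.

// Luhn checksum: keeps order numbers and other long digit runs from being
// treated as payment cards.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Each rule has a pattern and, optionally, a validator run on every match.
const RULES = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    check: (m) => luhnValid(m.replace(/[ -]/g, "")) },
];

// Returns the redacted text plus the list of categories found, so the caller
// can log that a redaction happened without logging the value itself.
function redactChatMessage(text) {
  const findings = [];
  let out = text;
  for (const rule of RULES) {
    out = out.replace(rule.re, (match) => {
      if (rule.check && !rule.check(match)) return match; // failed validation: keep text
      findings.push(rule.type);
      return `[REDACTED_${rule.type}]`;
    });
  }
  return { text: out, findings };
}

// Constructed sample message (well-known test card number, not customer data).
const sample =
  "Hi, I'm jane@example.com, card 4111 1111 1111 1111, order 1234567890123.";
const result = redactChatMessage(sample);
console.log(result.text);
console.log(result.findings);
```

Pattern-based filters miss free-text disclosures such as health details, so they complement, rather than replace, segregating chat data from core systems.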
Personalization & Recommendation Engines
Problem: When AI builds profiles, some of the inferences being drawn could be biased, incorrect, or discriminatory.
Solution: Make appropriate disclosures, especially around “automated decision-making,” and conduct bias audits on generated recommendations that could affect vulnerable populations in areas like fair pricing, access to housing, insurance, or employment opportunities.
AI-Generated Content
Problem: How do you manage hallucinations, bias, or misleading content?
Solution: Disclose, disclose, disclose. For example, let users know they’re speaking with a chatbot. Put watermarks on AI-generated content that are legible to other LLMs. Compare AI outputs to separate, established documentation. Utilize Retrieval-Augmented Generation (RAG) to improve response quality for specific knowledge areas and keep LLMs up-to-date by having your AI fetch facts from an external knowledge base. For example, at ObservePoint, we use RAG to ensure the helpbot recommends the best ObservePoint solutions when asked questions. Humans supervise our helpbots’ responses against our established Help Docs to ensure accuracy and prevent model drift.
Analytics & Tracking
Problem: When you incorporate AI into your analytics and tracking stack, predictive or inferred data will increase the importance of consent.
Solution: Clearly explain how AI is used to analyze or supplement data, and provide opt-out mechanisms in your consent banners that are backed by actions you can implement, such as disabling downstream modeling activities, not just preventing tags from firing. Categorize AI data into tiers from low risk to high, just like you categorize cookies.
How to Start Integrating AI Governance
The high-level steps of AI governance:
- Create a cross-functional AI governance team
- Inventory AI use cases
- Identify jurisdictions
- Identify risk levels
- Adjust levels of due diligence accordingly
- Create consent notices and levers
That sounds simple enough, but it’s really easier said than done. Here’s what you need to consider.
Cross-Functional Team
Governance is everyone’s responsibility, so you’ll need interdisciplinary representation and a project manager who keeps stakeholders on task. Different departments can have opposing incentives and priorities:
- Marketing and product want to move quickly and maximize data collection.
- IT/security wants to protect data.
- Privacy/legal wants to minimize data.
Ease friction by getting early buy-in to build a shared framework and a structured process to govern AI.
Visibility
Can you see what your websites and AI are doing?
- Inventory: Where are you using AI on your website?
- Data Flows: What data is it collecting? Are you minimizing the amount of data collected? Where is that data being stored or sent? Does your AI have read or write access to other systems, for example, your CRM?
- Vendor Transparency: Do you have contracts with third parties that define what they can or cannot do with the data? Allocate the risk.
Risk Levels
Is your AI limited risk because it generates synthetic content, or is it higher risk because it has to do with employment or credit scores?
Define tiers and acceptable uses, and log how you arrived at those definitions and determinations so you can defend them later if challenged.
Adjusting Due Diligence
If you’re using AI to write product descriptions, that would be a low-risk use case that might warrant a periodic automated review. If you’re an HR company, you’ll want to have proactive human oversight on data egress paths and bias reviews.
Work towards embedding compliance into your existing workflows. A retailer that deploys an AI chatbot might pre-approve data boundaries, employ data filtering tools, and have established user instructions and disclosure language.
Consent Notices
Consent will probably become more granular, layered, and periodic as personalization or AI-driven applications proliferate. Instead of a one-time choice at entry, organizations may need to have function-specific consent, such as before engaging with the chatbot or before signing up for personalization. Eventually, regulations will catch up and offer consumers a more blanket option, such as to explicitly opt out of any of their data being used for AI training.
The One Thing You Shouldn’t Forget
When teams are establishing processes, asking performance questions, and trying to think of all the ways something could go wrong, the one thing they might forget is to experience the website as the user. You’ll want to traverse important customer pathways to catch simple things, such as the chat icon floating at the bottom right corner covering important notices.
This is what ObservePoint helps our customers and partners do every day with their websites’ analytics, privacy, and accessibility. Not only does the platform inventory and audit your tags, cookies, and pages, but it can also create journeys to mimic a visitor who has opted in or out and is from a particular location.
Reminder: Test the customer experience before you launch.
Click to watch the companion webinar where our senior solution engineer, Mike Fong, discussed these concepts with our partners at BDO.