Private AI: security and compliance

GDPR, EU AI Act and NIS2 set sharp requirements for AI systems working with personal data or critical information. Private AI is not just technically safer — it's the most defensible compliance posture for European organisations.

Close-up van de Amaii Company Brain interface met de vraag 'Waar wil je aan werken?'

Why compliance became an AI question

Two years ago AI was primarily an innovation question. In 2026 it is primarily a compliance question. Regulators publish guidance, auditors ask questions during annual reviews and customers contractually require that their data does not end up in public AI. Using AI without demonstrable governance carries not just fine risk but reputational and commercial risk too.

Private AI is often the only way to deploy AI in a demonstrably responsible way — because a closed stack lets you prove exactly what happened to which data, when.

GDPR compliance with private AI

GDPR rests on six principles: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation and integrity. Public AI tools are hard to justify against at least four of those — because you don't control what happens to the data after sending it. Private AI reverses the equation.

  • Purpose limitation: you define which datasets the model may access.
  • Data minimisation: role-based access ensures users see only relevant data.
  • Storage limitation: retention policy per document, user and prompt.
  • Integrity: encryption at rest and in transit, with EU key management.
  • Accountability: full audit trail per interaction, exportable for DPO.
  • Data subject rights: deletion requests are concretely executable without retraining.

The EU AI Act in practice

The EU AI Act classifies AI systems by risk. Systems using personal data or affecting individual decisions (HR, healthcare, finance, justice) quickly fall into the higher categories, with requirements on documentation, transparency, human oversight and logging. Public AI services don't meet those requirements automatically — you are responsible for the compliance of use.

With private AI you have every building block to meet the AI Act: technical documentation of the model, risk assessments, human oversight via roles, end-user transparency and full logging.

NIS2 and cyber resilience

NIS2 significantly expands the set of organisations that must meet strict cybersecurity requirements. AI systems fall into scope once they are part of an essential or important service. Private AI with dedicated infrastructure, network segmentation, encryption and logging fits seamlessly into a NIS2-driven security architecture.

  • Network segmentation: AI stack in a dedicated VLAN or tenant.
  • Encryption: AES-256 at rest, TLS 1.3 in transit, keys in EU KMS or own HSM.
  • Identity: SSO/SAML, MFA, role-based authorisation.
  • Logging: full per-prompt audit trail, integrable with SIEM.
  • Incident response: isolated environment, quickly freezable on suspicious activity.

Data residency: where does the stack run?

At Amaii the client chooses the location: private cloud in the Netherlands, Germany or France, or on-premise on your own infrastructure. Never on US hyperscalers without additional legal safeguards — because the US CLOUD Act enables access to data on US-owned infrastructure even when the server physically sits in Europe.

Shadow-AI: the real risk

Research from NCSC and Capgemini shows employees keep using public AI tools as long as there is no good internal alternative. Policy alone — 'don't use ChatGPT' — doesn't work. Private AI does, because it offers a faster, safer, more organisation-specific alternative inside the controlled environment.

Private AI compliance — frequently asked questions

Bronnen en achtergrondinformatie

  1. EU AI Act — Official Text - European Commission
  2. GDPR - EU
  3. NIS2 Directive - ENISA