IAPP’s 2025 Organizational Digital Governance Report: What It Really Tells Us About Privacy, AI, and Governance

The International Association of Privacy Professionals’ Organizational Digital Governance Report 2025 lands at a time when privacy, artificial intelligence, cybersecurity, and online safety are no longer separate projects but overlapping responsibilities.

Based on input from more than 600 professionals across 45 countries, the report gives a grounded view of how organizations are actually managing these pressures, where they are struggling, and what structures are starting to work.

The study doesn’t try to romanticize the situation. It shows, in straightforward numbers, that privacy and data protection are still the main concern for 58% of respondents, while AI (54%), vendor dependencies (51%), legacy systems (41%), budget limits (48%), and nation-state threats (42%) combine to create a complex risk environment.

At the same time, nearly eight in ten professionals say that the regulatory environment is pushing them toward better processes and more considered innovation rather than simply slowing them down.

What follows is a detailed walk-through of the report’s core themes: risk perception, governance maturity, the way different domains are stitched together, how regulations are shaping behavior, and why many organizations now treat governance as a source of advantage instead of a cost center.
The intent is not to repeat the report’s language, but to translate it into practical observations that you can use to evaluate your own structures and priorities.

Privacy Is Evolving – and It Doesn’t Stand Alone Anymore

One of the clearest messages from the report is that privacy is still at the center of digital risk, but it no longer stands on its own. It is tightly connected to AI systems, vendor choices, infrastructure decisions, and how organizations respond to geopolitical developments.

Risks in Concert, Not in Isolation

The headline risk figures look simple at first glance:

  • Privacy and data protection – 58% identify this as their leading digital risk.
  • Artificial intelligence – 54% see AI as a major risk area.
  • Vendor dependencies – 51% worry about third-party risk and outsourced services.
  • Legacy systems – 41% acknowledge that older infrastructure is holding them back and creating vulnerabilities.
  • Budget constraints – 48% say finances limit their ability to address these issues properly.
  • Nation-state cyberattacks – 42% are concerned about geopolitically motivated threats.
  • Cyber incidents – 62% experienced at least one cyber incident in the past 12 months.

Taken together, these numbers confirm a pattern many teams already feel: problems rarely show up as a single, neatly labeled incident.
A vendor outage quickly becomes a privacy issue when data is exposed or lost.
An AI deployment that wasn’t properly reviewed can amplify an existing weakness buried in a legacy system.
Budget cuts don’t just delay projects; they contribute to a backlog of unresolved risks that keep resurfacing.

A Clear Maturity Divide

The report uses a three-level model to describe governance maturity. The labels are simple, but the distribution says a lot:

  • “Analog” – 35% operate in a largely reactive, firefighting mode.
  • “Augmented” – 48% are building bridges between functions and starting to coordinate efforts.
  • “Aligned” – 17% have integrated governance frameworks that support both risk management and innovation.

Large enterprises (over $1 billion in revenue) are far more likely to be in the “aligned” category.
Smaller companies and nonprofits are overrepresented in the analog group, often because they simply lack the resources, staff, or time to build robust governance structures.
The report notes a recurring equity issue here: the organizations that can least afford large-scale failures are frequently the ones with the least mature governance.

Regulations Seen as Catalysts, Not Just Obstacles

A notable finding is that 77% of respondents consider growing regulatory obligations to be an enabler of innovation from an organizational perspective.
This does not mean they are excited about every new requirement or deadline, but it does show that many governance leaders see rules as a framework around which to build more durable systems and services.

Even under hypothetical deregulation scenarios, 70% say they would maintain strong programs because they view privacy, security, and responsible AI as essential to reputation and long-term competitiveness rather than optional compliance overhead.
This perspective directly challenges the simplistic narrative that “fewer rules always mean more innovation.”
Instead, the report suggests that the quality and clarity of rules matter more than sheer quantity.

Domains Are Converging

Governance is no longer structured as distinct silos with minimal overlap.
According to the report:

  • Privacy is integrated into frameworks for 81% of organizations.
  • AI governance appears in 68% of frameworks.
  • Cybersecurity is also integrated in 68%.
  • Online safety is much lower, at 17%, but is starting to be recognized as a governance domain.

We also see the emergence of new titles and roles such as “Chief Privacy and Trust Officer” or digital ethics leads.
These roles reflect a shift from “department owners” to cross-cutting responsibility for how data and technology are used across the whole organization.

Innovation as a Stated Governance Goal

Another key signal: 74% of governance teams are now explicitly tasked with supporting growth and innovation, not just blocking or slowing risky ideas.
They do this by:

  • Using risk-based piloting (reported by 72%) to test new products and AI tools under controlled conditions.
  • Implementing process improvements (66%) to reduce manual work, eliminate duplicate reviews, and shorten time-to-approval for compliant solutions.

Where leadership support is weak, the data suggests higher breach rates and slower progress.
The report draws a direct line between clear executive backing, mature governance, and better outcomes.

Why This Report Is Getting Board-Level Attention

By late 2025, several trends are converging at once:

  • The EU AI Act and related rules are taking shape in practice.
  • U.S. state-level privacy and AI laws continue to expand.
  • Large vendor incidents have confirmed that third-party risk is not just theoretical.
  • AI-generated misinformation and deepfakes are showing up in elections, markets, and everyday communication.

Against that backdrop, the report functions less as an abstract study and more as a snapshot of how organizations are coping with these overlapping pressures.
Financial penalties under regimes like the GDPR can be very high, but the report and related research suggest that the bigger long-term cost often comes from lost trust.
Surveys consistently show that a large majority of consumers will stop doing business with companies they believe mishandle or misuse data.

The global breakdown adds nuance:

  • Respondents in Asia report the highest budget constraints (64%).
  • Government entities elevate privacy concerns to 76%, reflecting public sector sensitivity around citizen data.
  • Views on deregulation are mixed—around a tenth complain about overregulation, while majorities in regions like Oceania see rules as necessary guardrails.

Instead of suggesting a single “correct” governance model, the report acknowledges that local context, sector, and organization size shape both risks and realistic solutions.

Risks and Governance Domains: Seeing the Interconnections

To better understand how risks and governance domains intersect, the report organizes concerns into four main categories.
Each category is paired with the domains most involved in managing those risks and the strategic implications leadership teams should consider.

| Risk Category | Leading Concerns (% of Respondents) | Linked Domains | Integration Prevalence (%) | Strategic Implication |
|---|---|---|---|---|
| Geopolitical | Nation-state cyberattacks (42%), Economic rivalry (33%) | Cybersecurity, Privacy | 68% Cyber, 81% Privacy | Develop geofencing strategies, contingency plans, and cross-border data safeguards. |
| Organizational | Budget constraints (48%), Accountability gaps (35%) | All domains | Variable | Use ROI-driven dashboards and clear ownership models to justify and sustain investments. |
| Societal / Environmental | Privacy protection (58%), AI acceleration (54%), Misinformation (37%) | Privacy, AI Governance, Online Safety | 81% Privacy, 68% AI, 17% Safety | Align governance with ESG expectations and stakeholder expectations around fairness and transparency. |
| Technological | Vendor dependencies (51%), Legacy systems (41%), Data mapping gaps (39%) | Cybersecurity, Data Governance, AI | ~68% Cyber/Data, 71% Data Gov | Modernize infrastructure, strengthen vendor vetting, and improve data inventories and lineage. |

The report highlights an important pattern: these risk categories are strongly correlated.
For example, organizations that report struggles with legacy systems are substantially more likely to report significant cyber exposures, and those that under-invest due to budget constraints tend to see higher incident rates and weaker response capabilities.

From Fragmented Efforts to Integrated Governance

A large portion of the report is devoted to how organizations move from isolated, reactive approaches toward integrated governance.
It describes this progression in terms that are easy to recognize in real environments.

“Analog” Governance: Constant Catch-Up

Organizations in the analog category are still relying heavily on manual processes, informal coordination, and one-off responses to incidents.
Privacy, AI, cybersecurity, and online safety teams (if they exist at all) operate largely on their own.
There is minimal shared tooling, and accountability often becomes blurred when problems cross boundaries.

This model is common among small businesses, early-stage companies, and nonprofits that lack specialized staff.
It is not necessarily the result of negligence; in many cases, these teams are simply overloaded.
But the costs are real: higher breach likelihood, more duplicated effort, and more time spent reacting to crises instead of improving systems.

“Augmented” Governance: Beginning to Coordinate

The augmented stage represents organizations that have started to actively connect their governance domains.
Common characteristics include:

  • Cross-functional committees or working groups that bring together privacy, security, AI, IT, and legal stakeholders.
  • Shared risk registers or dashboards that consolidate information from multiple teams.
  • Formalized review processes for new projects or technologies, especially AI and data-intensive tools.

Just under half of respondents sit in this middle category.
They are moving in the right direction, but often still struggle with friction: slow review cycles, unclear decision paths, or too many overlapping checklists.
Still, this stage is where many of the most visible improvements occur—reduced duplication, more consistent policies, and better visibility into organization-wide risk.

“Aligned” Governance: Built-In, Not Bolted On

The most mature organizations (17%) describe governance as something embedded in how they operate rather than a separate layer added on top.
In these environments:

  • Executive leadership regularly reviews and supports governance priorities.
  • AI, privacy, cybersecurity, data governance, and online safety share common frameworks and principles.
  • Digital products and services are designed with governance requirements in mind from the very beginning.
  • Performance metrics include both risk reduction and support for strategic initiatives.

These organizations are not immune to incidents, but they are better positioned to respond quickly and adapt.
They also tend to see governance as a differentiating factor, particularly in industries where trust and data stewardship are central to customer decisions.

How the Risk Index Reflects Current Reality

The report’s risk index doesn’t read like a hypothetical scenario; it mirrors several high-profile events from the last few years.
Privacy sits at the heart of the index, with 58% naming it as a primary concern, but the context provided by AI, vendor risk, and technological dependencies is what makes the analysis useful.

Examples from recent years illustrate how these risks compound:

  • A large healthcare vendor breach that affected millions of patients because of a single third-party flaw.
  • Misconfigured AI tools spilling sensitive data or unintentionally re-identifying individuals.
  • Legacy systems that could not be patched quickly enough, leaving organizations exposed to well-known vulnerabilities.

The index also calls attention to regional differences in how organizations perceive risks.
European firms, for example, report higher concern around nation-state threats and regulatory enforcement, while organizations in emerging markets are more likely to emphasize budget constraints and talent gaps.

Mapping Governance Domains: From Siloed to Shared Responsibility

The governance domain mapping section of the report is particularly useful for organizations trying to understand whether they have the right pieces in place.
Rather than treating privacy, AI, security, and online safety as separate disciplines, the report documents how organizations are weaving them together.

Key observations include:

  • Privacy is still the anchor domain, driven by GDPR-like laws and growing state and sectoral regulations.
  • Data governance is maturing quickly, with about 71% of organizations including it in their frameworks. It acts as the “plumbing” that supports all other domains.
  • AI governance has moved from theory to practice, now at 68% integration, reflecting real scrutiny around AI model risks, transparency, and fairness.
  • Cybersecurity remains a foundational pillar at 68%, now more explicitly tied to privacy and AI rather than managed separately.
  • Online safety, though lower at 17%, is expected to grow as content integrity, harmful behavior, and safety-by-design expectations rise.

The report also notes that many organizations now oversee five or more governance domains in a coordinated way, rather than maintaining separate playbooks for each.
This trend is driving demand for generalized “trust” roles and for frameworks that can be applied across multiple technologies and risk types.

Maturity as a Moving Target, Not a Badge

One recurring message in the report is that maturity is not a static label.
Organizations can move up or down the ladder depending on leadership changes, acquisitions, new laws, or major incidents.
The most effective teams treat governance maturity as an ongoing effort supported by:

  • Regular assessments and audits, not just one-off gap analyses.
  • Clear, measurable goals tied to real risk reduction and business outcomes.
  • Training and upskilling so staff in product, engineering, and operations understand governance requirements.
  • Adaptive frameworks that can incorporate new domains like AI or safety without starting from scratch.

The report also underlines that maturity does not automatically track size.
While larger organizations have more resources, they also face more complexity and legacy baggage.
Smaller organizations sometimes move faster and adopt integrated approaches earlier, especially when they build governance into their systems from the start.

Regulation: Constraint or Structure?

The regulatory section of the report is candid about the burdens organizations feel—especially with overlapping privacy and AI regimes at national, regional, and sectoral levels.
However, the overall stance among respondents leans toward seeing regulation as a form of structure that they can build around, rather than purely an obstacle.

Respondents highlight several benefits:

  • Clearer expectations for what “good” looks like in terms of privacy controls, AI documentation, and security practices.
  • Standardization of requirements, making it easier to reuse controls and documentation across multiple jurisdictions.
  • Stronger internal alignment because regulations provide an external reference point for internal debates.

At the same time, the report does not ignore the challenges.
Smaller companies in particular feel overwhelmed by the pace and volume of new rules.
The data suggests that what helps most is not fewer rules, but more practical guidance, better training, and more consistent enforcement.

When Governance Becomes an Innovation Engine

Toward its conclusion, the report focuses on how governance shifts from being perceived as a drag on innovation to being a mechanism that enables safe experimentation and faster iteration.
The numbers are clear:

  • 74% of organizations report that governance functions are directly involved in supporting growth and innovation.
  • 72% use risk-based piloting for new initiatives, allowing ideas to be tested in limited, controlled forms before full deployment.
  • 66% report operational improvements tied directly to governance-driven changes.

In aligned organizations, innovation and governance are connected from the beginning of the product lifecycle.
Privacy-by-design and security-by-design are treated as non-negotiable starting points, not last-minute additions.
AI is evaluated for fairness, explainability, and data use before it reaches customers.
User rights, such as data access or deletion, are built into the architecture instead of handled manually.

Leadership commitment is the critical factor here.

Where boards and executive teams treat governance as central to brand, trust, and long-term value, organizations see fewer breaches, faster recovery when things go wrong, and more confidence in launching new services.

Where that commitment is missing, governance tends to be underfunded, overworked, and perc
