This is the paradox of early 2026. While Artificial Intelligence has become part of daily life at 62% of French companies, a study by EQS Group reveals a colossal blind spot: 80% of organizations are moving forward without a clear view of the associated risks. Between technological enthusiasm and regulatory vertigo, the time has come to regain control.
February 2026. In open-plan offices and management committees, AI in business is no longer a matter of speculation. It is here. It writes emails, optimizes lines of code, analyzes customer behavior. In one year, the shift from experimental to operational use has been dazzling (+18 points). But behind this technological showcase, a darker reality emerges: that of Shadow AI.
The fast car without headlights syndrome
The finding of the latest Privacy Barometer is clear: organizations deploy quickly but document little.
- 48% of organizations admit to not even knowing precisely which AI systems are used internally, or where they are hosted.
- Add the 32% who have only partial visibility and we arrive at a record figure: 8 out of 10 companies are flying blind.
As Thomas Vini Pires, expert at EQS Group, points out: “It is impossible to govern or regulate what you cannot see.” AI is spreading like wildfire, outpacing companies’ ability to map risk.
The trap of the “false sense of security”
This is undoubtedly the most surprising point of the study. French companies feel ready… but for yesterday’s world. 76% of professionals believe that their GDPR compliance has improved. This command of personal data creates a smokescreen: organizations think they can tame AI because they know how to manage a customer file. However, the AI Act imposes requirements for transparency and human oversight that are much more complex than privacy protection alone.
The risk: confusing “administrative compliance” with “technical control”. This lag could prove costly during the first European inspections this year.
The DPO, new AI sheriff
Faced with this disorder, a familiar face is taking up the torch: the Data Protection Officer (DPO). Today, 31% of organizations officially entrust the DPO with AI Act compliance. The DPO is trading the costume of “data guardian” for that of “Digital Ethics Officer”.
It is a strategic pivot. The DPO becomes the essential bridge between the IT department (technical), the legal team and the business units. However, there is still a long way to go: 40% of companies still do not see the link between AI governance and data protection. A major misunderstanding, given that AI feeds exclusively on… data.
From the charter of good conduct to the technical register
For the moment, French entrepreneurs have mainly relied on “soft” levers:
- 44% have drawn up a user charter.
- 42% raise internal awareness.
It’s a good start, but it’s not enough. Only 14% of organizations have structured documentation in place (system records, quality management frameworks).
What to remember for your business
The year 2026 marks the end of complacency. To turn AI into a real competitive advantage without risking regulatory backlash, three workstreams take priority:
- Come out of the shadows: Identify each SaaS tool integrating generative AI.
- Equip compliance: Abandon manual Excel files for digital management tools (already adopted by 57% of professionals in the sector).
- Invest in technical “Care”: Give the DPO the resources to audit algorithms, not just contracts.
AI in business is a powerful engine, but in 2026, performance will be measured not by the speed of deployment but by the robustness of the brakes.