An independent audit of 14 major platforms reveals massive gaps in AI governance, with scores ranging from A+ to E+. Your vendor’s grade may surprise you.
Credit agencies rate financial risk. Insurance underwriters rate liability exposure. But when your enterprise deploys AI powered software that processes employee conversations, customer data, and proprietary strategies, who rates the privacy risk?
Nobody. Until now.
At TrustThis.org, we asked a simple question: what would happen if we applied the rigor of financial credit ratings to AI privacy governance? The answer became the AITS (AI Trust Score) methodology, a structured evaluation of 20 criteria across privacy governance and AI ethics. We then turned that framework loose on 14 of the most widely deployed software platforms in enterprise environments.
The results should concern every CISO, compliance officer, and procurement team making vendor decisions today.
The Methodology Behind the Scores
The AITS (AI Trust Score) framework evaluates platforms across two dimensions. AITS Base covers 12 fundamental privacy criteria: data collection transparency, retention policies, opt out mechanisms, international transfer safeguards, cookie governance, Data Processing Agreement availability, and related standards. AITS AI covers 8 criteria specific to artificial intelligence governance: training data usage disclosure, ethical AI principles, algorithmic bias documentation, human review mechanisms for automated decisions, and AI specific opt out controls.
Each criterion receives a pass or fail designation based on documented evidence from publicly available privacy policies, terms of service, and supplementary documentation. The combined score converts to letter grades where A+ represents the highest level of documented compliance and E represents near total opacity.
This is not a subjective opinion survey. Every score traces back to specific policy language, or the absence of it.
The Leaders: Who Gets AI Privacy Right
Anthropic Claude earned an A+ overall, the highest score in our evaluation. The platform achieved approval on 19 of 20 criteria, with a perfect AI governance score across all 8 criteria. What distinguishes Claude is the clarity of its privacy documentation. The platform explicitly discloses its training data practices, provides accessible opt out controls through account settings, maintains defined retention periods, and documents ethical AI commitments directly in its consumer facing policies.
Microsoft Copilot followed with an A, earning approval on 19 of 20 criteria and achieving perfect compliance on all 12 base privacy criteria. Microsoft benefits from mature enterprise governance infrastructure, offering familiar contractual frameworks and Data Processing Agreements that procurement teams can evaluate against existing compliance requirements.
These platforms demonstrate that strong AI governance documentation is not a competitive disadvantage. It is a market differentiator.
The Middle Ground: Gaps That Create Risk
ChatGPT received a B+, with approval on 18 of 20 criteria. OpenAI provides opt out mechanisms and maintains defined retention periods, but two significant gaps emerged. The platform does not document ethical AI principles or bias mitigation measures in its consumer facing privacy policy. Additionally, its international data transfer disclosures reference valid mechanisms without specifying which safeguards are employed, creating uncertainty for organizations operating under GDPR Chapter V requirements.
Google Gemini scored a B, the lowest among the four major LLM platforms. Our analysis found no specific opt out mechanism for AI model training. Users access generic controls for cookies and advertising preferences, but these do not address whether prompts and responses contribute to model development. The platform also lacks documentation of ethical AI principles and human review mechanisms in the privacy policy itself. Google has published AI Principles separately, but the disconnect between corporate commitments and consumer facing policies creates a documentation gap that complicates enterprise due diligence.
The Wake Up Call: When Scores Predict Lawsuits
The most striking finding involved WhatsApp Business, which scored a C+ on AITS Base and an E+ on AITS AI governance. Only 3 of 8 AI governance criteria received approval. The platform lacked documented ethical AI principles, provided no mechanism for contesting automated decisions, and offered no additional safeguards for sensitive data processing.
Months after our audit, a federal lawsuit was filed against Meta targeting the exact governance failures our scoring had identified. The lawsuit allegations mapped directly to the gaps in transparency and accountability that produced the E+ AI governance grade.
This is the proof of concept for standardized privacy ratings. Independent evaluation identified material compliance risk before it became front page news.
Systemic Failures Across the Industry
The platform by platform analysis reveals patterns that should alarm any organization relying on third party software for daily operations.
Human review for automated decisions is nearly nonexistent in documentation. 12 of 14 platforms evaluated fail to specify a process for users to contest AI driven decisions or request human review. Under GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing. Under CCPA, the trend toward algorithmic accountability is accelerating. Yet the vast majority of platforms enterprise buyers depend on do not document how they address this requirement.
Data Processing Agreements remain inconsistent. Half of the platforms analyzed do not offer publicly accessible DPAs, forcing enterprise procurement teams into extended negotiation cycles or, worse, deploying tools without adequate contractual protections.
Ethical AI documentation is treated as optional. The majority of platforms lack explicit commitments to bias mitigation, fairness, or algorithmic accountability in their primary privacy policies. Separate corporate responsibility pages do not satisfy the due diligence requirements that compliance teams face during vendor evaluation.
What This Means for Enterprise Procurement
The gap between the highest and lowest scores in our evaluation spans from A+ to E+. That range represents fundamentally different levels of organizational commitment to privacy governance, and fundamentally different levels of regulatory exposure for the enterprises that deploy these tools.
For compliance officers evaluating vendors, the AITS framework offers a structured starting point. Platforms scoring below B+ on AI governance criteria warrant additional scrutiny, contractual safeguards, and documented risk acceptance before deployment.
For CISOs managing enterprise risk portfolios, these scores translate directly to exposure under GDPR and CCPA. A vendor that cannot document its AI training practices or provide a mechanism for contesting automated decisions is transferring regulatory risk to every customer that uses its platform.
The financial services industry learned decades ago that standardized risk ratings protect markets. The software industry is overdue for the same discipline. Independent, data driven privacy scoring is not a luxury for enterprises navigating the AI governance landscape. It is the baseline for responsible vendor selection.
Diego Monteiro is CEO of TrustThis.org, an open platform for privacy scoring and AI governance of software applications. TrustThis.org provides independent evaluation using the AITS methodology to help enterprises evaluate vendor AI Privacy and Security.