Glossary term
Governance and Compliance
Using data and AI systems only for specified, legitimate, and approved purposes. New purposes may require reassessment, consent, notice, or additional controls. Purpose drift is common when AI tools are easy to repurpose; governance should require reassessment when a system is reused for a new decision context.
GDPR Article 5(1)(b) establishes purpose limitation as a core principle, requiring data to be collected for specified, explicit, and legitimate purposes.
The CNIL's 2024 AI How-to Sheets explicitly address purpose limitation in the context of AI model training and deployment.
EU AI Act Article 9 requires high-risk AI risk management to consider use within and outside the intended purpose.