PII Protection for AI Agents: Why Detection Is Not the Same as Prevention

On March 19, 2026, the European Data Protection Board launched a coordinated enforcement action involving twenty-five data protection authorities across Europe, with those DPAs set to contact controllers to audit compliance with GDPR's transparency and information obligations under Articles 12, 13, and 14. The question is straightforward: can you show what personal data your systems processed, for what purpose, under what legal basis? For most organizations that have deployed AI agents, that question lands badly.