Within PMI-CPMAI’s “Support Responsible and Trustworthy AI Efforts,” privacy and security are treated as core, high-severity risks because they can trigger regulatory violations, reputational damage, and harm to individuals. PMI explicitly calls out the need to establish a privacy/security plan with encryption and access controls, privacy impact assessments, and secure handling of personally identifiable information (PII) across the AI lifecycle. If user data is stored in an unsecured database, the agency faces immediate exposure to breach, unauthorized access, and misuse—risks that are typically higher impact than stale data, vendor reliance, or even lack of transparency. In PMI guidance on AI data life cycle management, prolonged retention and weak security increase breach likelihood over time, making insecure storage a critical vulnerability that undermines trust and compliance. While transparency gaps are serious (PMI also emphasizes explainability requirements and audit trails), a direct security failure that exposes user data is generally the most acute and consequential risk because it can cause harm quickly and irreversibly, and it can halt the program through legal and policy intervention.