Institutions are racing to reconcile AI deployments with student‑data protections even as cyber incidents disrupt campuses. Industry guidance on protecting student privacy with AI emphasizes vendor vetting, data minimization, and contractual controls after surveys showed many organizations cannot remove personal data from models once it has been ingested. Health‑care and higher‑education CIOs were flagged as particularly exposed. The vulnerability is immediate: a cyberattack forced an English secondary school to close for days while investigators worked with the Department for Education’s incident response team, demonstrating that even local IT compromises can cascade into lost instructional time and reputational risk. Universities must align AI governance, incident response and vendor risk management to protect learners and operations.