Artificial intelligence (AI) is reshaping how organizations operate, compete, and innovate. From predictive analytics and automation to generative AI and decision support, AI is becoming deeply embedded in enterprise workflows. The recent 451 Research Voice of the Enterprise (VotE) Agentic AI study revealed that over a third of enterprises (34%) have embedded agents already in use and the vast majority (73%) expect to have them in place within twelve months. But as adoption accelerates, AI is also forcing enterprises and governments to confront a critical question: who truly controls the data, systems, and intelligence powering these technologies?
For CISOs and CIOs, the challenge is no longer simply knowing where data is stored. It is understanding where data is processed, how it is reused, and whether it can be inferred from AI models themselves. Once data is absorbed into a model, traditional controls around deletion, residency, and access become far more difficult to enforce.
This reality complicates compliance with data protection laws, sector regulations, and internal governance requirements - especially in highly regulated or globally distributed enterprises.
AI sovereignty challenges for enterprises
At its core, digital sovereignty is about control: control over data, control over technology, and control over how digital systems operate within legal and regulatory boundaries. AI stresses all three simultaneously.
AI systems depend on vast amounts of data, complex models, and globally distributed infrastructure. While this enables scale and performance, it also introduces new risks around jurisdiction, governance, and dependency that traditional IT architectures were never designed to handle.
The challenge is that AI thrives on data. For AI to deliver real business value, it must be embedded deep inside an organization’s most sensitive information flows. Customer service chatbots require access to personal records. Optimization tools depend on operational and performance data. Personalization engines draw on detailed consumer profiles to shape decisions in real time.
For organizations subject to strict sovereignty and privacy rules, this raises immediate sovereignty concerns:
Data may be processed or stored in jurisdictions with conflicting legal regimes.
Enterprises may lose visibility into how data is reused, retained, or inferred from by AI systems.
Data residency and localization requirements become harder to enforce when AI pipelines span regions and providers.
Once data is consumed by an AI model, reclaiming control is far more difficult than in traditional systems.
Growing dependence on foreign AI platforms
Adding to the challenge, most leading AI platforms, foundation models, and hyperscale cloud infrastructures are controlled by a small number of vendors, often headquartered in just a few countries. This concentration creates strategic dependencies that go beyond normal vendor lock-in. In fact, Gartner predicts that by 2027, more than 40 % of AI-related data breaches will result from improper use of GenAI across borders—a stark indicator of how quickly governance shortfalls can translate into real risk.
For enterprises and governments, reliance on foreign AI platforms can mean exposure to extraterritorial laws and government access requests, with limited ability to audit or understand how models are trained and governed. Digital sovereignty is weakened when the intelligence layer of the enterprise is effectively outside its control.
AI expands the attack surface for sensitive data
Enterprises see the exposure of sensitive data as the top concern in securing AI applications according to the 2026 Thales Data Threat Report. That emanates from the fact that AI introduces new security risks that sit outside traditional perimeter and application security models. Models can unintentionally retain sensitive training data, inference techniques can expose confidential attributes, and generative AI interfaces can be manipulated to exfiltrate data or bypass controls.
In addition, AI adoption is rapidly changing the IT ecosystem of organizations. New systems such as Retrieval Augmented Generation (RAG), Model Context Protocol (MCP) servers and Enterprise AI applications connect with data lakes, databases and models, creating possible vulnerabilities across the infrastructure. As a matter of fact, AI ecosystem changes are the top security concern of organizations worldwide.
These risks are not theoretical. They directly affect intellectual property protection, customer trust, and—in regulated sectors—national and economic security. For CISOs, AI represents both a powerful tool and a rapidly expanding attack surface that must be governed and protected in real time.
Regulation Is catching up
Governments and regulators are moving quickly to address these challenges. Initiatives such as the EU’s GDPR and AI Act, national sovereign cloud strategies, and sector-specific regulations for defense, healthcare, and critical infrastructure are redefining expectations for AI governance. In fact, Gartner forecasts that AI governance will be mandatory under sovereign AI regulations by 2027, meaning that organizations operating across borders will need enforceable models, controls, and auditability for AI data and workflows.
For enterprises, this means AI strategy needs to balance innovation speed with regulatory compliance, legal exposure, and geopolitical risk.
How can organizations maintain Sovereignty in the era of AI?
Maintaining digital sovereignty does not mean rejecting AI. It means deploying AI on your own terms. For enterprises and governments, this involves maintaining control over data, models, identities, keys, and policies across the AI lifecycle—from training and inference to deployment and audit. Organizations need to:
Identify and classify sensitive and regulated data before ingestion into models.
Protect sensitive data using strong encryption, tokenization and key management in all systems connected to the AI ecosystem.
Enforce security and access policies consistently based on sovereignty and privacy regulations.
Continuously monitor all interactions of AI with databases and unstructured data repositories.
Analyze every input and output of AI Applications in real time, detecting and stopping actions that may infringe sovereignty requirements.
Detect and block exposure of sensitive information or harmful AI outputs.
Learn more about how Thales can help organizations pursue AI innovation confidently and sustainably, while retaining the controls necessary for true digital sovereignty in a rapidly evolving regulatory and geopolitical landscape.