Sovereign AI: Responsibility Stays In-House
Eva Mickler
7 Min. Reading time Who brings an AI model into productive operation bears responsibility for its behavior, ...
Data determines how companies operate today, how they make decisions, develop and deploy innovations. It is valuable because it provides insights, optimizes processes and secures competitive advantages. Those who possess data, control it, and decide sovereignly over its use have a decisive advantage. But how does data sovereignty fare in Germany and Europe? This article, created in collaboration with experts from the Federal Association of IT SMEs (BITMi), provides answers and solutions.Data sovereignty, or control over the creation, storage, and processing of sensitive information, is no longer a given today. We live in a data-driven world, but few can decide sovereignly what happens to their own data. In both private and business settings, many people are either unaware of or indifferent to what happens to the information we all generate daily through the use of digital services. This is a significant risk. Location data, contact information, conversation and chat content, usage duration, online movement profiles, payment data – the list goes on. All this sensitive information can cause considerable damage in the wrong hands.Many companies, especially in Europe and particularly in Germany, also lack control over their own data. Azure, IBM, AWS, Google Cloud – few companies do not use services from US-based cloud providers in one form or another. Even if contracts with the EU provide some protection and framework for data processing, data stored and processed here is potentially accessible to US authorities. This applies even if third-party providers are involved and regardless of where the hosting takes place.
“Given increasingly complex corporate structures, we are losing sight of who actually has access to our data – especially with service providers that have international ownership,” says Lennart Schröder, Senior Broker at contego GmbH and BITMi expert.
Companies in this country lack an overview of who accesses their data and how it is used and further processed by their various digital service providers. “Often, companies don’t even know how many different data sources they have and where these are located. At the same time, risks are increasing: cyberattacks, industrial espionage, and political conflicts threaten the security and trust in their own data strategy, while the enigmatic artificial intelligence creates entirely new challenges,” says Jannik Schumann, managing director of basec GmbH.
The lack of transparency makes it nearly impossible to regain sovereignty over one’s own data. “Without clear knowledge of where data is stored and who can access it, every security measure remains piecemeal, and companies risk violating regulatory requirements,” warns Schumann. As long as control over data flows and storage locations remains in the hands of international providers, data sovereignty remains merely a buzzword – without tangible implementation in day-to-day business.
It was the promising opportunities that drove companies into this dependency. Data enables better-informed decisions, more efficient processes, and the optimization of workflows through automation based on data analysis. However, these opportunities come with significant risks. If data falls into the wrong hands, it can expose trade secrets, jeopardize competitive positions, or even destroy entire business models. And this risk increases due to the lack of genuine data sovereignty.
The international interdependence in data processing and storage always carries the danger that data-driven processes may come to a complete standstill in the event of changing political frameworks and conflicts. At the same time, employee data also poses risks. “If this data is used or misused for attacks, for example, to blackmail employees, it can directly threaten the security of a company. Many companies underestimate these risks and lack both the awareness and the strategies to effectively counter them,” says Lennart Schröder.
The risk inherent in today’s data-driven world is further amplified by the immense capabilities of artificial intelligence. AI systems identify patterns, uncover relationships, and generate insights from them. While companies benefit from AI by optimizing processes and exploring new business areas, the same technology enables potential attackers to selectively extract and exploit sensitive information. “This becomes particularly problematic when companies rely on external AI service providers. Without their own AI systems, control over the use and evaluation of data remains in the hands of third parties,” warns Dr. Klaus Meffert, managing director of IT Logic GmbH.
To escape this dependency and strengthen data sovereignty, closed-loop AI systems are gaining importance for companies. In the future, data processing will not proceed without AI – the technology is here to stay. Therefore, companies should focus on this and use AI to their advantage, including in matters of data sovereignty. Closed, specialized AI systems are tailored to the specific needs of a company and offer a clear advantage over open platforms like ChatGPT, which act as generalists: They utilize specialized knowledge that is only available within the respective corporate context and thus deliver significantly better and more usable results.
For the development of such systems, open-source AI models like the ‘Teuken-7B’ model, published at the end of 2024 by the European research project OpenGPT-X, offer a practical solution. “Open-source models are freely available, high-quality, and can be flexibly adapted to the individual requirements of a company – without creating new dependencies on US providers,” says Dr. Meffert. “In combination with the hosting of these AI models and the associated data in company-owned or explicitly European data centers, companies can thus take first steps towards true data sovereignty, thereby retaining control over their own data while also efficiently and securely leveraging the benefits of AI.”
Control over one’s own data today determines a company’s innovation capability, security, and independence. The current risks – from unclear data flows to international conflicts and the challenges posed by AI – highlight how urgently companies need to act. Solutions like closed, specialized AI systems based on open-source models offer a tangible perspective to reduce dependencies and regain sovereignty over data. Coupled with a consistent shift of data processing to purely European environments, the first step towards true data sovereignty can be achieved. This way, companies create the necessary foundation to future-proof themselves in our data-driven world.
Source image: Adobe Stock / Din Nasahrudin
Dr. Klaus Meffert is a computer scientist with a PhD and IT expert (aka “Dr. GDPR”). As managing director of IT Logic GmbH, he offers pragmatic software solutions made in Germany with added value and high data security. His focus lies on… Learn moreJannik Schumann, managing director of Basec GmbH, is an experienced management security consultant with over 15 years of expertise in IT consulting. With extensive experience working with public clients, authorities, and… Learn moreLennart Schröder has been advising companies on securing cyber risks and technological risks as a specialized insurance broker at contego for over two years. Previously, he… Learn more