A new study from IBM found that while digital sovereignty is becoming a priority for businesses across EMEA, many are locked into AI systems they struggle to understand or control.
According to the report, 90% of EMEA executives surveyed do not fully understand their organization’s dependencies across AI vendors, models and infrastructure. At the same time, nearly three-quarters said switching their primary AI vendor or model would be difficult.
The combination of vendor lock-in and limited visibility can lead to significant financial and operational risk, with 81% of respondents saying a seven-day outage at a primary AI provider would have a “severe or critical” impact on their organization.
Speaking at a media briefing at IBM’s AI Summit in London last week, Gregory Verlinden, vice president of data and AI at IT consulting and systems integrator company Cegeka, said the cost of vendor lock-in can be “invisible until it’s too late.”
“We’ve seen this before across the IT industry,” he said. “When supply chain disruptions hit, costs rise quickly, and organizations realize how exposed they are. As AI becomes a larger part of the business, enterprises need to think carefully about how they reduce those risks.”
Verlinden pointed to prioritizing a multi-vendor, flexible environment as a means of avoiding this dependency and providing a more resilient framework for companies.
“AI token consumption is becoming one of the largest expense categories after labor,” he added. “If those costs were to increase significantly overnight, it would have a real financial impact. That’s why enterprises need strategies that give them greater flexibility and reduce dependence on any single provider.”
However, understanding infrastructure dependencies is only part of the challenge. As the number of AI models and agents deployed rises, governing this technology is equally important.
Governing an ‘Explosion’ of AI Agents
Nina Wilhelmsen, sovereign hybrid cloud and AI business lead at IBM EMEA, argued that organizations need greater visibility into not only where data is stored, but also how AI systems are operated.
“Data sovereignty is only one part of the picture,” she said. “If you don’t understand how data is moving or who controls access to those systems, you don’t have true control.”
According to IBM, 67% of executives say they lack adequate governance over AI models.
“We’re seeing an explosion in AI models and agents, and how easy it is now to develop them,” she said. “The challenge is governance — who has access, what data sets they can reach, and what the lifecycle of an agent or model looks like.”
Addressing this, she argued, requires clear data classification and tiering, distinguishing mission-critical applications involving sensitive data or falling under frameworks such as the EU AI Act or the Cloud Act, from lower-stakes applications such as customer service or HR.
Open Source as Key
To address these issues, IBM argues that enterprises should focus on building flexibility into their AI environments, strengthening governance frameworks and reducing unnecessary dependence on individual providers.
Verlinden said that starts with a more technology-agnostic approach to AI strategy.
“If your architecture is built around open principles rather than a specific vendor, you have much more flexibility to adapt as the market changes,” he said.
In this context, open source remains one of the most important de-risking strategies available to European companies.
“Open source is owned by the world, not China, not the U.S.,” he said. “There is no AI adoption without trust. And for that, we need good governance, and good governance means transparency.”
However, IBM’s report suggests that flexibility requires more than simply adopting multiple vendors.
While many enterprises already operate in multi-vendor environments, the research found that this is often due to geography, legacy decisions and organizational fragmentation rather than deliberate design.
To improve resilience, organizations need visibility into their dependencies, the ability to move data and workloads between environments, and processes for switching models or providers when required.
Ultimately, the report argues that AI sovereignty is not about controlling every layer of the stack but is rather about understanding where dependencies exist and having the flexibility to continue when technology, regulations or vendors change.
As Wilhelmsen said: “The question isn’t whether you need sovereignty in every aspect of your AI environment, the question is where control matters most.”
