Companies massively underestimate their AI dependencies
An IBM study shows that many German companies talk about AI sovereignty but hardly know their dependencies.
A new study by IBM concludes that while many companies in EMEA talk about AI sovereignty, they do not adequately understand their dependencies. According to the survey, only 10 percent of companies in the region have a good understanding of their interconnections across providers, models, and infrastructure. In Germany, this figure is 13 percent. For everyday IT operations, this means that many organizations know they depend on certain AI services but cannot cleanly disentangle or secure these dependencies.
This becomes particularly clear when changing providers. 73 percent of the surveyed executives in EMEA say it would be difficult to switch their primary AI provider or model. In Germany, this figure is 65 percent. At the same time, 70 percent of respondents in EMEA find it difficult to comply with data residency and data sovereignty requirements across different regions. In Germany, 70 percent also say this.
Little overview of the AI stack
The study describes AI sovereignty not as complete independence, but as the ability to regain control when needed. It primarily means making dependencies visible, managing them, and keeping components interchangeable. This applies to the entire AI stack, i.e., data, models, infrastructure, and applications. Unlike traditional enterprise systems, the dependency does not end with infrastructure or applications but extends to the model layer and ongoing services.
According to the study, this is precisely where the greatest risks arise. 81 percent of respondents in EMEA and 85 percent in Germany say that a failure of the primary AI provider for seven days would have serious or critical consequences. On average, companies reported seven AI-related operational disruptions in the past two years; in Germany, the figure was six. In EMEA, provider services were the most common cause, while in Germany, it was technical problems. Thus, AI failures arise both from classic infrastructure problems and directly at the provider and model level.
Multi-vendor does not automatically mean control
Many companies already rely on multiple providers. According to the study, 73 percent describe their AI environment as deliberately multi-vendor. In practice, however, this diversity is often not the result of a clear strategy, according to IBM. It is frequently driven by organizational divisions, regional requirements, and legacy IT decisions. 72 percent of respondents cite independent decisions by individual business units as a driver, 75 percent cite geographical necessities, and 63 percent cite legacy complexity.
Multiple providers only offer more freedom of action if companies actively manage their AI environment. Without common standards for data, models, and security, complexity increases. The study points out that 71 percent of respondents in EMEA would even be willing to accept up to 20 percent higher costs to maintain strategic flexibility. In Germany, this figure is 79 percent.
Selective sovereignty instead of total overhaul
As a result, the study advocates for the concept of selective sovereignty. This does not mean a complete withdrawal from proprietary environments but targeted control in areas that are business-relevant. For example, a transcription service would be evaluated differently than a model that influences credit risk, production decisions, or security-critical processes.
For classification, IBM suggests a three-tier system: business-critical systems, important but not differentiating functions, and commodity services. For Tier 1 systems, i.e., truly critical applications, the study emphasizes rapid data migration, interchangeable models, and tested fallback paths. For less critical functions, it is more about consciously managing dependencies and clearly defining contractual and architectural boundaries. For simple standard services, a stronger vendor lock-in might be economically sensible.
In numbers: according to IBM, companies with the most advanced control functions protect 55 percent more operating profit from AI-related disruptions. However, only 7 percent of surveyed organizations worldwide achieve this.
Data residency, model switching, and technical legacy
Switching data and models remains particularly complex. According to the study, it takes an average of 145 days to move AI training and operational data to another environment. Globally, 68 percent of respondents find compliance with data residency and sovereignty requirements across regions to be difficult. For many companies, this is not a theoretical compliance problem but a practical migration issue. Those who cannot cleanly export, replicate, or keep data locally are tied to the provider's architecture.
The situation is similar for models. 57 percent of respondents say that replacing a core model would require significant decoupling or even a complete rebuild. A model change often affects not only the model itself but also prompting, fine-tuning, RAG pipelines, evaluation, security filters, and monitoring – turning a seemingly small change into a larger architectural project.
Dependency is also evident in infrastructure. 56 percent of respondents say it would take at least six months to migrate central AI systems and applications to another provider. For IT, this means that sovereignty is not created by a single product or a single contract but by portability, clear interfaces, and tested fallback scenarios. Those who do not establish these foundations quickly find themselves on the defensive when faced with price changes, model discontinuations, or usage restrictions.
Details about the study can be found at IBM, and the complete results are available for free download.
(fo)