Balancing AI cost efficiency with data sovereignty: Why enterprises are rethinking risk

As generative AI adoption accelerates across industries, enterprise leaders are confronting a growing tension between cost efficiency and data sovereignty. What began as a race to deploy the most powerful and affordable large language models (LLMs) is evolving into a deeper governance debate—one that places geopolitical risk, regulatory exposure, and fiduciary responsibility at the centre of AI strategy.

For much of the past year, the generative AI conversation has been dominated by performance metrics. Parameter counts, benchmark scores, and model latency often defined competitive advantage. Yet boardroom priorities are shifting. Today, the question is no longer just how capable an AI model is, but where it operates, who controls it, and under what legal framework enterprise data is processed.

This recalibration has been brought into sharp focus by the rise—and scrutiny—of China-based AI lab DeepSeek.

From capability race to governance reckoning

DeepSeek initially captured global attention by demonstrating that high-performing AI models could be developed at a fraction of the cost typically associated with Silicon Valley giants. At a time when organisations are grappling with ballooning cloud bills and uncertain returns on AI pilots, the appeal of low-cost, high-efficiency models was obvious.

According to Bill Conner, former adviser to Interpol and GCHQ and now CEO of integration platform provider Jitterbit, DeepSeek’s emergence disrupted long-standing assumptions in the AI industry.

“DeepSeek challenged the idea that only companies with massive budgets could build competitive large language models,” Conner explains. “Their reported training costs reignited conversations around optimisation, efficiency, and what ‘good enough’ AI actually looks like for enterprises.”

For CIOs under pressure to demonstrate ROI from AI investments, such efficiency offered a compelling alternative to expensive, hyperscaler-backed solutions.

However, that enthusiasm has increasingly collided with geopolitical and regulatory realities.

AI efficiency meets data sovereignty risk

As enterprises began to assess DeepSeek beyond surface-level performance, concerns emerged around data residency, legal oversight, and state influence. These factors are becoming critical differentiators in AI vendor selection—particularly for Western organisations operating under strict privacy and compliance regimes.

Recent disclosures have intensified scrutiny. According to Conner, information released by US authorities suggests that DeepSeek stores data within China and shares it with state intelligence entities. While such claims remain a subject of political and legal debate, their implications for enterprise risk assessments are significant.

“This takes the conversation beyond GDPR or CCPA compliance,” Conner notes. “The risk profile escalates into national security territory.”

For global organisations, AI systems are rarely isolated tools. LLMs are increasingly embedded into core workflows, connected to customer databases, internal knowledge repositories, proprietary codebases, and intellectual property assets. Any uncertainty about who can access that data—or under what circumstances—poses a fundamental threat to corporate security.

“If an AI provider is legally obligated to share data with a foreign government, then sovereignty is effectively lost,” Conner warns. “At that point, any perceived cost savings are meaningless.”

Hidden liabilities in AI supply chains

Beyond data privacy, there are broader risks tied to geopolitical entanglements. Allegations surrounding DeepSeek’s links to military procurement networks and potential export control violations have raised red flags for compliance officers and legal teams.

For multinational enterprises, the use of AI technology tied to sanctioned entities or jurisdictions could expose them to regulatory penalties, disrupted supply chains, or reputational damage. In highly regulated sectors such as finance, healthcare, energy, and defence, tolerance for ambiguity is effectively zero.

Success in enterprise AI, therefore, is no longer defined by use cases like code generation or document summarisation alone. Instead, it hinges on the provider’s governance model, legal accountability, and ethical posture.

“The provenance of the AI matters as much as its performance,” Conner says. “You need to understand not just what the model does, but who ultimately controls it.”

The governance gap between IT and risk teams

One of the most pressing challenges for organisations is the disconnect between technical evaluation and enterprise governance. AI tools are often first assessed by engineering or data science teams focused on speed, accuracy, and ease of integration. Geopolitical risk and data sovereignty considerations may only surface later—sometimes after pilot deployments are already underway.

This creates a governance gap.

CIOs, CISOs, and risk officers are now being called upon to introduce stronger oversight mechanisms. Vendor due diligence must extend beyond technical documentation to include data residency guarantees, transparency around training data, audit rights, and clarity on government access obligations.

“Enterprises need a governance layer that interrogates the ‘who’ and ‘where’ of AI models,” Conner emphasises, “not just the ‘what.’”

Fiduciary responsibility in the AI era

At its core, the decision to adopt—or reject—a particular AI model is a matter of corporate responsibility. Boards are increasingly aware that AI-related failures can trigger regulatory action, shareholder lawsuits, and long-term brand damage.

“For Western CEOs and CIOs, this is not primarily a cost or performance question,” Conner argues. “It’s about governance, accountability, and fiduciary duty.”

Integrating AI systems with opaque data practices creates liabilities that far outweigh short-term efficiency gains. Even a model that delivers near-parity performance at half the cost becomes untenable if it exposes an organisation to compliance violations or intellectual property theft.

As generative AI matures, enterprises are beginning to audit their AI supply chains with the same rigour applied to physical suppliers. Leaders want clear visibility into where inference occurs, how data is stored, and who holds ultimate control.

Trust over raw efficiency

The DeepSeek debate underscores a broader industry shift. While cost efficiency remains important, it is increasingly being weighed against trust, transparency, and sovereignty.

Sovereign AI initiatives—such as regionally hosted models, on-premise inference, and jurisdiction-specific AI backbones—are gaining traction as organisations seek to regain control over their data. These approaches may carry higher upfront costs, but they offer predictability and legal clarity that global enterprises value.

As AI becomes deeply embedded in business operations, the trade-off between speed and security is no longer acceptable. Enterprises are learning that in the long run, governance is not a constraint on innovation—it is a prerequisite for sustainable adoption.