AI is spreading rapidly among European companies, but many companies are going in blind.
The study conducted by IBM's Institute for Business Value in partnership with Oxford Economics found that around 90% of executives in EMEA do not fully understand their organizations' dependencies between AI vendors, models and infrastructure. At the same time, nearly three-quarters said changing their main AI vendor or model would be difficult.
That lack of visibility is becoming a major concern as companies move from isolated AI projects to broader deployments involving AI agents capable of making decisions and actions with limited human intervention.
The IBM report found that only 9% of 1,000 executives surveyed worldwide believe they have an excellent understanding of their AI dependencies. Meanwhile, 71% said replacing their main AI vendor or model would be difficult if they had to do it today.
The findings come as executives expect AI to play a much larger role in business decisions in the coming years. According to the research, CEOs surveyed said AI currently influences about a quarter of operational decisions, a figure they expect to increase to almost half by 2030.
The cost of not knowing
A central concern raised in the research is the financial and operational impact of poor visibility into AI systems.
Many companies face unpredictable costs when AI workloads are not aligned with where data is stored or processed. The report notes that such mismatches can significantly increase token processing expenses, adding millions in additional costs for large companies.
Beyond cost, resilience is also at play. A large share of executives say that even a brief outage at a primary AI vendor would have serious consequences for business operations, potentially halting critical workflows. In EMEA, this concern is especially pronounced, with respondents warning that a seven-day outage could lead to critical operational failures.
In this context, AI sovereignty has become a central issue for executives and policymakers in the region. But IBM research suggests that sovereignty is often misunderstood.
Rather than simply owning infrastructure or maintaining data within borders, AI sovereignty is increasingly defined as the ability to maintain control when conditions change, whether due to technical changes, vendor decisions, or regulatory pressures.
The report argues that many organizations remain focused on fragmented governance approaches rather than treating AI systems as interconnected ecosystems that require coordinated control of data, models and infrastructure.
More must-read AI coverage
Governance gaps in an expanding AI landscape
As AI deployment expands, governance emerges as another weak point.
IBM notes that many organizations lack structured oversight of their AI models and agents, even as these systems proliferate across departments. This creates challenges in tracking access, managing data flows, and ensuring compliance with evolving regulations.
Complexity is compounded by hybrid environments that combine on-premises systems, cloud providers, and open source components. While this diversity can improve flexibility, the report suggests that it is often not the result of deliberate strategy but rather the accumulation of decisions over time.
Selective control, not full ownership
The IBM study concludes that full control of each layer of the AI stack is neither realistic nor cost-effective. Instead, it introduces the idea of “selective AI sovereignty,” in which organizations focus their control efforts on the most critical systems.
This means prioritizing strict governance for high-impact applications, such as fraud detection, risk management, and central decision systems, while allowing greater flexibility in lower-risk areas, such as translation or routine automation.
The research also finds that organizations with stronger AI control frameworks are significantly more resilient and protect a substantially higher proportion of operational profits during disruptions compared to their less prepared peers.
Read also: For another look at how weak visibility and governance can create risks, see our coverage of the alleged theft of data from the Council of Europe by ShinyHunters and what this indicates for organizations across EMEA.
