- Companies need to be mindful of security risks presented by AI models
- European organizations are looking to migrate away from U.S. cloud providers due to CLOUD Act concerns
- Chinese models, with potential biases and malicious code, are gaining popularity worldwide
As the geopolitical order realigns, digital sovereignty is moving from a compliance checklist item to a grim necessity.
"It's hitting everyone. Everyone is having to deal with [digital sovereignty]. But it varies based on where you're based and where the majority of your operations are," Chuck Herrin, F5 field chief information security officer (CISO) and customer advocate, told Fierce Network.
What's a "field chief information security officer?" Herrin explained that he uses his prior experience at a security startup and in cybersecurity positions at financial services companies to advise companies on cybersecurity issues. "It's like having a friend who's a lawyer. I'm a lawyer, but not your lawyer," he said.
He added, "U.S. companies need to think about what exposure they might have to components of the AI stack that are controlled by the Chinese. European companies are concerned about threats to sovereignty by depending on U.S. cloud providers and hyperscalers."
Herrin continued, "In Southeast Asia, and Singapore in particular, they're treading a balance between the Chinese sphere of influence and the American sphere of influence. They're trying to not take a side and maintain their own autonomy, because in a war between the U.S. and China, Singapore loses."
Sovereignty pressures are not new. The U.S. CLOUD Act, passed in 2018, allows U.S. authorities to access data stored in the European Union, putting that law in direct conflict with the European General Data Protection Regulation (GDPR). That was followed by the Court of Justice of the European Union's Schrems II decision, restricting the freedom of European businesses to share data with the U.S.
But the pressure is building. Last year, Microsoft suspended the email account of an International Criminal Court prosecutor in the Netherlands, following an executive order from President Donald Trump, which European officials took as a warning. Also last year, the German state of Schleswig-Holstein switched from Windows and Office to Linux and the open source LibreOffice suite, citing digital sovereignty as a driver. Additionally, in 2025, Airbus began work on a tender offer to migrate mission-critical workloads to a digitally sovereign European cloud, though it estimates only an 80-20 chance of finding a suitable provider.
Mistral AI, valued at $13.6 billion, secured a French military deal in January 2025 and launched Mistral Compute to provide European alternatives to U.S. cloud providers.
Plus, Singapore is investing $70 million to build Southeast Asia's first large language model ecosystem while partnering with both U.S. tech giants and developing regional capabilities, maintaining autonomy through its balanced strategy.
Telecoms in the crosshairs
Telecoms have felt the brunt of geopolitical threats, Herrin said. The Chinese government's Salt Typhoon attacks hacked into telecom companies around the world, including AT&T and Verizon, potentially allowing access to text and telephone communications between millions of people and tracking of their locations.
Sovereignty considerations make choosing the right AI models crucial, Herrin said.
AI is a black box, making it overwhelmingly difficult to determine what biases might be built in.
Chinese open weight architectures like DeepSeek are free and easy to use, compared with paid, proprietary U.S. frontier models. That makes Chinese models particularly attractive to the Global South and within the Chinese sphere of influence. "Even if it's not the latest, greatest frontier model from a U.S. company, it's good enough to deliver value," Herrin said.
DeepSeek holds 89% market share in China and significant adoption in countries like Belarus (56%), Cuba (49%) and Russia (43%), as well as 11-14% in several African nations, according to a Microsoft report released Jan. 9, 2026.
The AI black box
Chinese models have built-in filters. If you ask a model hosted in China about Tiananmen Square or Taiwan, it has approved responses, Herrin noted.
A technical document published by China's cybersecurity standards committee bars AI from violating the nation's "core socialist values."
Chinese models are often described as open source, but that is a misnomer, Herrin said. Users don't get the source code or training data — users get the weights, millions of values, where it is difficult to search for malicious code.
A geopolitical flashpoint may result in companies reliant on open-weight Chinese models being put at the mercy of the Chinese state, Herrin said.
Herrin said 70-80% of the companies he visited in the startup zone at the Black Hat cybersecurity conference in August were using open-weight Chinese models in security products being built for American companies. "That's concerning because we don't know what's in those models," he said.
And China is not alone. "We know U.S. models have restrictions on what they're allowed to say with respect to DEI and climate change and things that the administration finds unpopular."
Trump signed an executive order restricting so-called "woke AI" in August. A 2024 report documented multiple biases in U.S. models, including political bias, gender stereotyping in book recommendations, and discrimination against resumes with disability-related honors.
"There's a lot of stuff potentially hidden in these models that we never see," Herrin said.
As AI becomes increasingly central to business operations worldwide, the choice of which models to deploy carries implications far beyond technical performance. Organizations must weigh the tradeoffs between cost, capability and control — recognizing that today's convenient open-weight solution could become tomorrow's geopolitical liability.
With both Chinese and American models carrying their own embedded restrictions and potential biases, the black box nature of AI means companies are making trust decisions in an environment of profound uncertainty. In this landscape, digital sovereignty isn't just about where data is stored — it's about understanding what intelligence, and whose values, are baked into the systems making decisions on your behalf.