Enterprise AI Risk: Security, Providers, and Regulation

This is Part 2 of a three-part series on Enterprise AI Strategy. Part 1 covers strategy, economics, and where competitive advantage emerges. Part 3 addresses implementation, portability, and decision frameworks.

---

Introduction

Part 1 of this series established that most enterprises should focus on controlling AI outcomes rather than owning infrastructure, and that open source models now offer enterprise-viable alternatives. However, these options introduce risk considerations that CTOs and CISOs must evaluate carefully.

This article examines three critical risk dimensions: evaluating AI providers across geographies, managing AI supply chain security, and navigating the evolving regulatory landscape.

---

Regional AI Providers: Compelling Economics, Material Considerations

Evaluating Emerging Market AI Providers

The emergence of competitive AI providers outside established Western markets—particularly from Asia—has fundamentally challenged assumptions about AI development economics. These providers offer dramatically different cost structures that warrant serious evaluation alongside established vendors.

DeepSeek exemplifies this shift. The company’s emergence in January 2025 challenged assumptions about AI development economics. DeepSeek claims its V3 model’s final training run cost approximately £4.4 million ($5.6 million) in GPU compute—using approximately one-tenth the computing power of Meta’s comparable Llama 3.1. However, this figure covers only pre-training GPU costs and excludes research and development, infrastructure, failed experiments, and other expenses. SemiAnalysis estimates DeepSeek’s total server capital expenditure exceeds £1 billion ($1.3 billion). Regardless of total costs, the model’s performance across coding, mathematics, and reasoning benchmarks rivals or exceeds many established alternatives.

Pricing disruption: DeepSeek’s API costs approximately £0.22 ($0.27) per million input tokens and £0.88 ($1.10) per million output tokens—roughly 50x cheaper than GPT-4o equivalent pricing. Even the reasoning-optimised DeepSeek Reasoner costs only £1.76 ($2.19) per million output tokens. This pricing has triggered competitive responses across the industry, with major Asian technology companies including ByteDance, Tencent, Baidu, and Alibaba reducing prices on their respective AI offerings.

Performance validation: Academic comparison research confirms DeepSeek-R1 underperforms Claude but outperforms Gemini, GPT, and Llama in most classification tasks. The model achieved an AIME 2025 mathematics test score of 87.5%, approaching GPT-4-level performance. Benchmark analysis shows R1-0528 (May 2025 update) is “just a notch below o3 in pure performance, and comparable to the smaller/faster o4-mini in many cases.”

Open weights advantage: DeepSeek releases models under MIT licence, permitting download, modification, and commercial deployment without API dependency. This enables enterprises to capture cost benefits through self-hosting whilst maintaining data sovereignty.

Due Diligence Framework for All AI Providers

Regardless of provider geography, enterprises must evaluate AI services against consistent criteria. The considerations below apply to any AI provider—established or emerging, Western or Asian—though specific risk profiles vary by jurisdiction and deployment model.

Data sovereignty and regulatory alignment: Enterprise legal teams should assess data residency, transfer mechanisms, and regulatory compliance for any provider. DeepSeek’s privacy policy acknowledges data storage in China; neither DeepSeek nor Alibaba’s Qwen maintains GDPR-required EU representatives. However, data sovereignty considerations also apply to US providers—the CLOUD Act permits US government access to data held by American companies regardless of storage location, a concern that has driven some European enterprises toward EU-based or self-hosted alternatives. Italy blocked DeepSeek on data-transfer grounds in January 2025, with Belgium and Ireland initiating investigations; similar scrutiny has historically been applied to US providers under GDPR.

Jurisdictional legal frameworks: All jurisdictions impose legal frameworks that may affect enterprise AI deployments. China’s Personal Information Protection Law (PIPL) and national security regulations permit government access to data held by companies within Chinese jurisdiction. The United States’ CLOUD Act and FISA Section 702 create analogous access provisions for US-headquartered providers. EU enterprises should evaluate data access provisions for any provider whose legal domicile permits government access that conflicts with GDPR or internal data governance policies.

Content and output policies: AI providers apply varying content policies that may affect enterprise use cases. Security researchers have documented that some regional providers apply content filters on politically sensitive topics that may differ from enterprise expectations. Established Western providers also impose content restrictions—OpenAI, Anthropic, and Google all maintain acceptable use policies that constrain certain enterprise applications. Enterprises should evaluate whether any provider’s content policies conflict with intended use cases.

Security assessment: Security vulnerabilities exist across providers regardless of origin. Researchers from the University of Pennsylvania and Cisco found DeepSeek-R1 exhibited a 100% attack success rate when tested against 50 random harmful-behaviour prompts. However, Chatterbox Labs testing found Google Gemini 2.0 Flash also failed safety assessments across fraud, hate speech, illegal activity, security, and malware categories, whilst OpenAI o1-preview passed only three of five categories. This underscores that security due diligence must be applied consistently across all providers—geographic origin alone does not determine security posture.

Shadow AI exposure: Uncontrolled employee use of external AI services presents data leakage risks regardless of provider. Research from Harmonic Security found that nearly 8% of employees in a sample of 14,000 used emerging market GenAI tools including DeepSeek, Qwen, and Kimi Moonshot during a 30-day period, with over 17 megabytes of sensitive content uploaded. However, shadow AI risks equally apply to consumer use of ChatGPT, Gemini, Claude, and other established services—Deloitte research indicates employee data flowing into generative AI services grew more than 30x from 2024 to 2025 across all providers. Governance frameworks should address all external AI services, not selectively target specific geographies.

Stakeholder and reputational considerations: Various jurisdictions—including Canada, Italy, Australia, and Taiwan—have restricted certain regional AI providers on government devices. Enterprise legal and compliance teams should evaluate stakeholder expectations and regulatory guidance in their operating jurisdictions. Equally, some non-Western markets may view dependency on US technology providers as a reputational or regulatory concern. Stakeholder expectations vary by geography and should be assessed as part of provider selection.

Recommended Evaluation Framework

For API consumption: Evaluate data residency requirements for any provider when workloads involve sensitive enterprise data, personally identifiable information, or regulated content. GDPR compliance, CLOUD Act exposure, and data access provisions should be assessed by enterprise legal teams regardless of provider geography.

For self-hosted open-weight models: Open-weight models from any provider—including DeepSeek (MIT licence), Meta’s Llama (custom licence), and Mistral (Apache 2.0)—can be downloaded and deployed on UK/EU infrastructure, eliminating data transfer concerns. This approach captures cost benefits whilst maintaining data sovereignty, though enterprises should implement comprehensive safety guardrails given documented vulnerabilities across models from multiple providers.

For provider evaluation: Include all credible providers in evaluation frameworks to understand capability frontiers and cost benchmarks, applying consistent due diligence criteria. The reputational and regulatory considerations vary by jurisdiction and stakeholder expectations—but evaluation rigour should not vary based on provider geography.

Governance requirements: Any deployment—regardless of provider origin—should include enhanced monitoring, safety guardrails (such as Llama Guard or NeMo Guardrails), and clear policies for sensitive workloads. Shadow AI controls should address employee use of all external AI services, not selectively target specific providers.

---

AI Supply Chain Security: The Hidden Risk in Open Source Models

The Model Veracity Challenge

A significant and underappreciated risk confronts enterprises adopting open source AI models: supply chain integrity. Unlike traditional software where code can be inspected, AI model weights are essentially opaque—making verification of model provenance and integrity substantially more difficult.

McKinsey’s April 2025 research collaboration with Mozilla Foundation found that whilst over 50% of organisations leverage open source AI technologies, 62% cite cyber security concerns as a significant risk, followed by regulatory compliance (54%) and intellectual property concerns (50%). More experienced developers—those who have contributed to six or more AI systems in production—are approximately 15% less likely to perceive open source as riskier for cyber security, suggesting that risk perception correlates with governance capability rather than inherent risk levels.

Documented Risks in Model Repositories

Security researchers have documented multiple attack vectors in open source AI model repositories:

Supply chain vulnerabilities: JFrog researchers identified at least 100 malicious AI model instances on Hugging Face in 2024, with some models providing persistent backdoor access for attackers through code execution when loaded. These attacks exploit the Python pickle serialisation format commonly used in model distribution.

Neural backdoors: Research from Anthropic, the UK AI Security Institute, and The Alan Turing Institute demonstrated that as few as 250 malicious documents can successfully backdoor large language models ranging from 600 million to 13 billion parameters—regardless of model size or training data volume. This finding challenges previous assumptions that larger models would require proportionally more poisoned data to compromise.

Medical model poisoning: A Nature Medicine study (January 2025) found that replacing just 0.001% of training tokens with medical misinformation resulted in harmful models more likely to propagate medical errors—yet these corrupted models matched the performance of their corruption-free counterparts on standard benchmarks, making the poisoning virtually undetectable through normal evaluation.

Chat template manipulation: Pillar Security research (July 2025) identified novel attack vectors in GGUF model files—a format with over 1.5 million files on public platforms—where attackers can embed hidden instructions in chat templates that create persistent compromise affecting every user interaction whilst remaining invisible to standard security systems.

Unverified Claims Require Scrutiny

CTOs and CISOs should approach unverified claims about model repository compromise with appropriate scepticism. Whilst speculative reports have circulated suggesting that a high percentage of models on platforms like Hugging Face may be manipulated, no authoritative research from major consulting firms or peer-reviewed academic sources currently substantiates claims of this magnitude. The documented incidents—whilst serious—represent a small fraction of the over 350,000 models hosted on major platforms.

However, the absence of confirmed widespread compromise does not mean the risk is negligible. The OWASP Top 10 for LLM Applications (2025) lists supply chain vulnerabilities as a top risk, noting that “risks emerge from dependencies on external models, datasets, and tools. Malicious pre-trained models, vulnerable adapters, and compromised repositories can inject backdoors or cause systemic failures.”

Risk Mitigation for Enterprise Deployment

Organisations implementing open source AI should establish robust provenance verification protocols:

Technical safeguards: McKinsey’s research found that organisations using open source AI are implementing multiple safeguards—49% use prompt adjustments, 47% use safeguard models (such as Llama Guard), 35% use programmable guardrails (such as Nvidia’s NeMo Guardrails), and 21% are implementing aligned weights.

Supply chain controls: Maintain software bills of materials for all ML components. The Institute for Security and Technology recommends establishing rigorous data supply chain security with provenance verification for all training sources. UK-based platforms such as Xapien (AI-powered due diligence) can support third-party and internal risk analysis as part of model procurement workflows.

Third-party evaluation: Organisations should consider third-party benchmarking that can increase AI safety and trust. Examples include Stanford’s HELM initiative and MLCommons’s AILuminate toolkit, though McKinsey’s research indicates only 39% of C-suite leaders currently use benchmarks to evaluate their AI systems. The UK AI Safety Institute provides testing and safety assessments for frontier AI models that can inform enterprise evaluation criteria.

Documentation and monitoring: Implement quantitative risk assessments using frameworks such as the Common Vulnerability Scoring System (CVSS) v3.0 to assess the severity of vulnerabilities in open source systems. Whilst Hugging Face conducts scans on pickle models and marks potentially unsafe models, users retain the ability to download and execute them—placing the burden of verification on implementing organisations.

---

Regulatory, Trade, and Sovereignty Considerations

EU AI Act: Updated Timeline

The EU AI Act entered into force in August 2024, representing the most comprehensive legal framework for AI regulation globally. However, CTOs and CISOs must note significant recent developments affecting implementation timelines:

Original timeline: Prohibited AI practices and AI literacy obligations took effect from February 2025. High-risk AI system rules were scheduled to become fully applicable by August 2026.

November 2025 Omnibus revision: The European Commission’s Digital Omnibus on AI Regulation Proposal, published 19 November 2025, proposes material changes to the implementation schedule:

• High-risk AI system obligations postponed: The application of requirements around high-risk AI systems has been proposed for postponement from August 2026 to December 2027—more than 16 months later than originally planned.

• Rationale: The Commission cited the absence of harmonised standards, guidance and compliance tools, as well as delays in the appointment of conformity assessment bodies and national competent authorities. Many member states missed the August 2025 deadline to designate competent authorities.

• Transparency obligations delayed: The Omnibus delays transparency obligations under Article 50(2) for AI systems placed on the market before August 2026 by six months, until February 2027.

Critical caveat for CTOs: The Omnibus proposal remains subject to the trilogue process, requiring approval from both the European Parliament and the Council before passing into law. Adoption is likely by mid-2026, though this could be sooner if urgent procedures are applied. Failure to reach political agreement before August 2026 would mean existing high-risk AI requirements apply as originally drafted.

Recommended approach: Despite the potential for delayed timelines, organisations should not pause compliance preparations. The underlying requirements remain substantively unchanged—only the enforcement timeline is under discussion. Enterprises that delay governance investments risk scrambling if political agreement is not reached or if the final adopted dates differ from proposals. Specialist EU AI Act compliance advisors—including firms such as RatioMesh (EU AI Act compliance consulting) or more general AI visibility and control platforms, such as AIScore.ai—can help enterprises operationalise the risk-based approach into internal policies, inventories, and controls ahead of enforcement.

UK Regulatory Posture

The UK has adopted a principles-based, sector-specific approach to AI regulation rather than comprehensive horizontal legislation. The UK AI Safety Institute provides government-aligned testing and safety assessments for frontier AI models. UK-headquartered enterprises operating in the EU remain subject to the AI Act’s extra-territorial reach for systems deployed or affecting EU markets—necessitating compliance regardless of domestic regulatory posture.

AI Chip Export Controls and Supply Chain Implications

Trade tensions have created a volatile landscape for access to AI compute, requiring CTOs to explicitly factor geopolitical risk into infrastructure and vendor decisions.

Current state (January 2026): Export controls on advanced AI accelerators have shifted multiple times over the past year. In December 2025, the US administration announced that Nvidia’s H200—currently the most capable AI chip approved for export to selected markets—would be eligible for sale to licensed customers under revised conditions.

Strategic context: This decision reverses earlier restrictions and signals a tactical policy recalibration rather than a full liberalisation. Several affected jurisdictions have responded by permitting limited commercial sales while excluding these chips from domestic subsidy programmes, increasing effective costs and complicating long-term capacity planning.

Implications for global enterprises:

• Supply chain awareness: Organisations dependent on advanced AI compute should assess exposure to potential future trade policy changes. The evolving nature of export policy creates uncertainty that portability-focused architectures can partially mitigate.

• Regional compute considerations: AI industries in various regions remain dependent on specific hardware ecosystems, with approximately 75% of chips powering AI model training in some markets running on particular vendor platforms. Enterprises with global operations should factor hardware ecosystem dependencies into strategic planning.

• Domestic alternatives emerging: Various markets are developing domestic AI chip capabilities, though production volumes and software ecosystem maturity vary significantly. Enterprises should monitor these developments as part of long-term infrastructure planning.

---

What’s Next

This article has examined the risk landscape for enterprise AI—from provider evaluation and supply chain security to regulatory compliance. In Part 3, we address implementation: managing vendor dependency, designing for portability, and a practical decision framework for CTOs and CISOs.

---

References

[1] McKinsey, Mozilla Foundation, and Patrick J. McGovern Foundation, “Open Source Technology in the Age of AI” (April 2025).

[2] Deloitte, “State of Generative AI in the Enterprise” (2024).

[3] Deloitte, “The AI Dilemma: Securing and Leveraging AI for Cyber Defense” (December 2025).

[4] Deloitte, “AI Trends: Adoption Barriers and Updated Predictions” (September 2025).

[5] European Commission, “EU AI Act Regulatory Framework” (2024–2025).

[6] European Commission, “Digital Omnibus on AI Regulation Proposal” (November 2025).

[7] Anthropic, UK AI Security Institute, and The Alan Turing Institute, “Small Samples Poison: How Few Documents Can Backdoor LLMs” (2025).

[8] Nature Medicine, “Medical Large Language Models Are Vulnerable to Data-Poisoning Attacks” (January 2025).

[9] JFrog, “Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor” (February 2024).

[10] Pillar Security, “LLM Backdoors at the Inference Level: The Threat of Poisoned Templates” (July 2025).

[11] OWASP, “Top 10 for Large Language Model Applications” (2025).

[12] Harmonic Security, “Overcoming Risks from GenAI Tool Usage” (July 2025).

[13] SemiAnalysis, “DeepSeek Cost Analysis” (January 2025).

Image generated by Night Cafe Studio AI