92% of Enterprise AI Tools Route Through OpenAI. Including Your Accounting Software.
Your accounting software got an AI upgrade last quarter. If you use Sage, Cegid, QuickBooks, or PennyLane, there is now an AI assistant in your finance interface — and it runs on US infrastructure you didn't choose, under data terms your vendor agreed to, processing financial documents you may not have known were in scope.
You didn't install ChatGPT on your financial systems. Your accounting software did. It just didn't ask you first.
The 92% problem in enterprise finance
Three independent research firms — Kiteworks, Reco.ai, and LayerX — each measured the same finding in 2025: 92% of enterprise AI tools route through OpenAI infrastructure, either directly or through Azure OpenAI. That figure means Sage Copilot, Cegid AI features, QuickBooks AI, and PennyLane's AI assistant are all processing financial data through the same US-headquartered infrastructure — the same infrastructure your IT team may have blocked on personal devices in 2023 under your shadow AI policy.
The shadow AI problem most CFOs addressed was visible: employees with personal ChatGPT subscriptions pasting financial data into chat windows. Samsung had three separate incidents in April 2023 where engineers pasted semiconductor source code into ChatGPT — not out of negligence, because using AI for technical analysis had become natural and fast. Finance teams were doing the same with supplier data, margin analysis, and quarterly numbers. Policies were written, blocks were put in place, training was delivered.
An invisible version of the same problem arrived through product updates from vendors you'd already approved.
What changed inside your approved software
Accounting software vendors introduced AI as clearly labeled, opt-in features in 2022. By late 2023, AI was integrated deeply enough that opting out meant losing core functionality. By 2025, AI-assisted document processing had become the default interface for many workflows — users who hadn't actively enabled it found it running in the background. No new procurement happened when the AI layer was added. It arrived as a product update to software that passed vendor review years before AI infrastructure choices were a consideration.
GDPR Article 28 requires that any subprocessor — a third party your software vendor uses to process personal data on your behalf — be named in the data processing agreement with your vendor. Supplier invoices contain supplier contact names and addresses — personal data under GDPR. If your accounting software's AI feature routes those invoices through OpenAI servers in Virginia, and OpenAI isn't named as a subprocessor in your data processing agreement, you have a GDPR Article 28 gap that neither you nor your vendor has formally identified.
Most data processing agreements with accounting software vendors name the vendor's cloud hosting provider and customer support platform as subprocessors. They don't name the AI model processing financial documents, the jurisdiction where that processing occurs, or the data retention terms your vendor agreed to with their own AI provider. Your regulator won't accept "our vendor didn't tell us" as a complete defense.
What the concentration means for your operations
DORA — the EU Digital Operational Resilience Act — entered full effect in January 2025, requiring EU financial entities to identify, assess, and manage technology concentration risks. Single-vendor AI convergence across your financial software stack is precisely the concentration risk DORA was designed to address. If your DORA compliance program doesn't include a vendor AI dependency map, it is incomplete against the regulation's own terms.
In November 2023, OpenAI's board crisis degraded API services globally for several hours. Accounting software products built on OpenAI's API lost AI functionality without warning — and their status pages showed "all systems operational" because the fault was in their AI provider's infrastructure, not their own. Finance teams using AI-assisted reconciliation or document processing that day experienced unexplained processing failures with no incident notification from their vendor. This scenario — unlikely on any given day, non-zero over a year — is the stress test most financial technology continuity plans haven't run for their AI layer.
Commercial terms carry the same dependency forward. After an accounting software vendor rebuilds their product roadmap around OpenAI's API, switching AI providers requires an engineering rebuild, not a configuration change. Price increases from OpenAI get passed through at contract renewal. Changes to OpenAI's data terms become your terms because your vendor has no alternative infrastructure to offer. Your negotiating position on AI infrastructure is determined by a decision your vendor's engineering team made, not yours.
Stralevo's different architecture
Stralevo was built model-agnostic by design — not locked to any single AI provider. When AI pricing changes, when a provider has an outage, when a regulatory decision requires a change in infrastructure, swapping the underlying AI model takes seconds, not months. The financial data processing stays within EU jurisdiction regardless of which AI model runs the analysis. Every query is logged, every source cited, every AI processing decision recorded in a complete audit trail.
Day-to-day, the finance team sees the same capability: invoices analyzed, supplier questions answered, FEC files produced — the FEC being the standardized accounting export that French tax authorities can demand with 15 days' notice and a €5,000 non-compliance penalty. The operational difference is invisible to the bookkeeper submitting invoices and decisive for the CFO answering the audit committee.
Integration covers Sage, Xero, Cegid, QuickBooks, and PennyLane, and connects natively with Liberté, a free EU accounting platform. Organizations don't replace their existing software — they add Stralevo as the intelligence layer that processes their financial data within EU jurisdiction, with full audit trails, independent of which AI model is most appropriate today and which will be appropriate next year.
The audit committee question you should be ready to answer
Regulatory deadlines are converging from three directions on AI infrastructure in finance. DORA required financial entities to map technology concentration risks by January 2025. The EU AI Act's requirements for AI systems used in financial decisions phase in from August 2026, with mandatory documentation, audit trails, and risk management for AI tools that help determine financial outcomes. GDPR enforcement of Article 28 subprocessor disclosure has accelerated — TikTok's €530M fine in May 2025 was specifically about undisclosed cross-border data processing that the organization's contracts hadn't documented.
Netskope research from January 2026 found 223 sensitive data incidents per company per month in the enterprise segment — most originating from approved enterprise software processing business data through AI backends, not from rogue employees or personal devices. The volume is not an edge case. It is the aggregate result of approved tools running undisclosed AI processing at scale.
CFOs who sit on audit committees are already fielding questions about AI infrastructure from board members who read the TikTok fine coverage. The CFO who handles these questions with a complete vendor AI dependency map — which tool, which model, which jurisdiction, which data processing agreement — is in a different professional position than the one who discovers the exposure during the meeting.
Sending three software vendors this question this week — in writing, via official support channels so there is a record — is the audit that DORA requires and the preparation the next board meeting needs: "Please confirm in writing: which AI model processes our financial data in your product, where are those servers located, and what data use rights does your AI provider hold under your agreement with them?" The quality of the response, or the absence of one, maps the exposure more accurately than any internal assessment.
Financial intelligence that runs on infrastructure you control, independent of any single provider, is what DORA describes as resilient. Stralevo is built to that specification from the architecture up — because that's the only architecture that makes financial intelligence trustworthy.