← Back to Articles

Sovereign AI Isn't a Political Statement. It's a Procurement Requirement.

## How to Evaluate AI Tools for Financial Data Without the Ideology Your procurement team doesn't ask "Is this vendor making a political statement?" It asks: "Where is our data processed? Who has...

Sovereign AI Isn't a Political Statement. It's a Procurement Requirement.

How to Evaluate AI Tools for Financial Data Without the Ideology

Your procurement team doesn't ask "Is this vendor making a political statement?" It asks: "Where is our data processed? Who has contractual audit rights? What happens to this data if we change providers?" Apply those exact questions to the AI tools your finance team is using today, and you have a sovereign AI assessment — with no political opinion required.

That reframing is what this article is about. The "sovereign AI" label has accumulated political associations that make enterprise buyers hesitate — it sounds like an ideology, a European identity project, an argument about tech nationalism. Strip the label away and what remains is a procurement checklist. One your organization already applies to every other vendor with access to sensitive data.

---

What JPMorgan Actually Did

JPMorgan banned ChatGPT for employee use. So did Goldman Sachs, Apple, Deutsche Bank, and Accenture. None of those decisions came with a press release about European digital sovereignty. Each was described internally and publicly as a risk management decision: data governance concerns, confidentiality obligations, regulatory compliance, and client contract requirements.

None of those organizations described their decision as anti-American or political. They applied the same criteria they apply to any vendor handling sensitive data: where does our data go, who can access it, can we audit it, and can we contractually guarantee it won't be used in ways we haven't authorized?

Same questions, different vendor category. Consumer AI tools failed the standard enterprise assessment, and the organizations removed them. That's procurement, not politics.

---

The Contractual Fact About US-Hosted AI

CLOUD Act (2018) is a US federal law — not a political position — that allows US law enforcement to compel any US-headquartered company to produce data stored anywhere in the world. An AI vendor with US headquarters and EU data centers is still subject to CLOUD Act. Your data processing agreement with them doesn't override US federal law.

No privacy policy, no GDPR addendum, no data processing agreement between your organization and a US-headquartered AI vendor changes this. These contractual documents govern the vendor's behavior. Federal law governs what governments can compel. There is no contractual opt-out from FISA Section 702, which allows warrantless surveillance of non-US persons, or Executive Order 12333, which authorizes bulk intelligence collection.

Explaining this to your board isn't a political speech. It's the same explanation your legal team gives when someone asks why sensitive M&A documents don't go to a US-hosted cloud. The jurisdiction answer is a legal answer, not an ideological one.

---

What's Already Running Through Your Finance Function

Microsoft Copilot for Finance arrives inside the Microsoft 365 subscription most enterprises already pay for — enabled by default, processing spreadsheet data and email attachments through AI without a separate procurement decision having been made. Nobody pasted anything. The software started routing financial data through AI automatically.

92% of enterprise AI usage routes through OpenAI infrastructure — either directly through ChatGPT or through tools that use the OpenAI API under the hood, including many that don't advertise this (Kiteworks, Reco.ai, LayerX — 2025). Vendor diversity in the enterprise AI market is largely cosmetic: the underlying model infrastructure is concentrated.

Employees are handling the rest. 77% paste corporate data into AI prompts; 82% from personal accounts (LayerX, 2025). Finance teams use ChatGPT to format quarterly reports, summarize supplier contracts, and draft variance analyses — sending margin data, tax strategy, and client financials to infrastructure outside organizational control, without an audit trail and with no recall mechanism.

---

The Seven Criteria That Make It Objective

Enterprise AI procurement for financial data has seven specific criteria drawn from the TSI (The Sovereign Institute) standard — a vendor-neutral framework aligned with GDPR, DORA, and NIS2 (the EU directive on network and information systems security):

Data Residency: Financial data is processed within a specified jurisdiction, not routed to whichever server has spare capacity. Written into the contract.

Model Sovereignty: The organization's data is not used to train future AI models. No model training on client financial data, full stop.

Vendor Independence: Changing AI providers doesn't require changing data architecture. No proprietary data lock-in.

Audit Completeness: Every query, every data access, every output is logged. The organization can produce a full audit trail on demand.

Hybrid Intelligence: Human review and override capability is built in. AI assists, humans decide on exceptions.

Governance by Design: Data handling rules are enforced at the architecture level, not by employee policy compliance.

LLM Agnosticism: The organization can switch AI models without migrating data or workflows. Not locked to a single vendor's model.

Write those seven criteria into an AI vendor RFP for any financial services function and the market self-selects: some vendors can meet them, many cannot. The ones that cannot are the ones routing your data through infrastructure you don't have audit rights over.

---

Why the Window Is Now

DORA — the Digital Operational Resilience Act, which became enforceable for EU financial services organizations in January 2025 — requires documented assessment of all third-party technology providers under Article 28, including AI tools. Financial organizations under DORA scope that haven't assessed their AI tools against supply chain risk requirements are accumulating a compliance gap as enforcement capacity matures.

Two timelines are converging: DORA supervisory review of third-party AI is increasing through 2025-2026, and enterprise clients are beginning to include AI governance in supply chain assessments. Accounting firms whose clients ask for evidence of AI data governance — and whose tooling runs through non-assessed consumer AI — will face a credibility problem that's harder to fix retroactively than preventatively.

M&A due diligence is the scenario that arrives without warning. A buyer's team asks for AI governance documentation for all business-critical functions. An organization that has applied the seven-criteria assessment has a clean answer. One that hasn't has a policy document full of aspirational principles and no vendor assessment to show.

---

How Stralevo Maps to the Checklist

Stralevo is TSI-certified at SL1 and above — meaning every deployment at SL1 meets all seven criteria contractually. EU-hosted by default. No model training on customer data. DORA Article 28-compatible supply chain documentation available. Full query audit trail. Model-agnostic architecture with configurable sovereignty tiers from SL0 (US-hosted models permitted) to SL3 (fully on-premise).

Configurable sovereignty tiers are worth noting: organizations that are comfortable with US-hosted models for some use cases can run at SL0. Organizations with stricter requirements run at SL1 or above. The choice is explicit, documented, and contractual — not a default setting buried in terms of service.

Connecting to your existing Sage, Xero, Cegid, or QuickBooks installation means the financial intelligence layer is added without replacing your accounting infrastructure. The audit trail follows the intelligence layer, not just the accounting software.

---

A Procurement Decision, Not a Philosophy

Most enterprise procurement teams have already applied sovereign AI criteria informally — insisting on EU data residency for certain categories, requiring contractual audit rights for tools handling client data, blocking consumer AI tools from compliance-sensitive workflows. They've done this without calling it "sovereign AI" because the label carries political weight they didn't want to carry.

Questions that already live in your vendor assessment process: Where is our data processed? Who can compel access to it? Can we audit what was done with it? Can we exit without losing access to our data? Apply those questions explicitly to the AI tools handling your financial data and you have a complete assessment.

Procurement clarity has a specific value: the organization that has documented its AI governance against seven objective criteria has something to show in an M&A process, a DORA review, or an enterprise client supply chain audit. The organization that relied on "we use reputable vendors" has a conversation it isn't prepared for.

Sovereign AI isn't a stance. It's a specification: data processed in EU jurisdiction, full audit rights contractually available, no vendor lock-in to a single model. Write those three lines in an RFP and the market self-selects — some vendors can meet them, most cannot. The ones that can are the ones that built their architecture for this requirement from the start, not as an afterthought.

← Previous Your AI Knows Your Client's Tax Strategy. So Does the Cloud Provider. Next → The Real Cost of 'Wait Until March' Is 90 Days of Decisions Made Blind