Sovereign AI: why your data must never end up with Big Tech
AI is everywhere. But where is your data?
Over the past few years, artificial intelligence has become a fixture in the daily operations of businesses and institutions. Summarising a report, reviewing a contract, answering complex questions: the tools are there, they are powerful, and they are often free or inexpensive. It is understandably hard to resist using them.
Yet for the leader of a hospital, a law firm, a financial institution, or a public authority, one question must come first: where does the data I feed into this tool actually go?
In the vast majority of cases, the answer is uncomfortable.
What "sovereign" concretely means
The word "sovereignty" can sound abstract. Here is what it covers in practice when we talk about AI:
Where is the model hosted? An AI model runs on servers. If those servers are located in the United States, Ireland, or Asia, your provider — and potentially the authorities of those countries — may have access to them.
Where is your data stored? Every time you send a document, a question, or a file to an online AI service, that data is transmitted to the provider's servers and is often retained there, sometimes well beyond the duration of your session.
Who can read, use, or analyse it? Some vendors reserve the right to use your exchanges to improve their models. What you assume is a private conversation can become training data.
Under which jurisdiction? US law (notably the CLOUD Act) allows American authorities, on the basis of a valid legal order, to compel US companies to hand over data in their possession or control, even when that data is physically hosted in Europe. What matters is who controls the provider, not only where the servers stand.
A Sovereign AI is a model hosted on infrastructure within a known jurisdiction, from which your data does not leave, over which you retain full control, and which operates within a legal framework you know and can enforce, above all the GDPR.
The concrete risks of non-sovereign AI
Performance and cost get most of the attention. Risk rarely does. Yet the risks are real and well documented.
Data confidentiality. A medical record, a contract under negotiation, a financial audit: this information has value. Sending it to a cloud service whose terms and conditions barely allow you to understand what happens to your data means accepting an exposure that few organisations would be willing to accept if they stated it plainly.
GDPR compliance. The European regulation is explicit: the processing of personal data, and all the more so health data, must be framed, audited, and secured. A consumer tool typically comes with no data processing agreement, no say over sub-processors, and no audit rights. Using one to process this type of data exposes your organisation to serious regulatory risk.
Trade secrets. For law firms, banks, and industrial companies: confidentiality is not optional — it is a commitment to clients. A leak — even an unintentional one — can have irreversible consequences.
Re-training on your data. Some services use your inputs to improve their model. In other words, the strategy you describe, the questions you ask, the documents you share may feed a system that will tomorrow serve your competitors.
Technological dependency. If your organisation becomes dependent on a tool whose pricing, availability, or usage policies you do not control, you surrender part of the control over your own operations.
Why this is even more critical in certain sectors
In healthcare, the data being processed is among the most sensitive that exists. Medical confidentiality is a legal and ethical imperative. A hospital that uses a consumer AI tool to analyse patient records takes a legal risk — but also a trust risk — towards its patients and its clinical staff.
In finance, regulatory requirements (ACPR, AMF, Basel frameworks…) impose traceability and data control. Information about clients, portfolios, and transactions cannot pass through unaudited infrastructure.
In law, professional secrecy is absolute. A lawyer or notary cannot outsource — even indirectly — the confidentiality of their files to an American provider whose hosting practices remain opaque.
In the public sector, digital sovereignty is a political question as much as a technical one. Local authorities, ministries, and public institutions are expected to set an example in protecting citizens' data.
Vertical LLM vs. generalist: the right tool for the right context
The large generalist models — the ones everyone uses — are trained on billions of documents drawn from the internet. They are impressive. But they have two major limitations in a sensitive professional context.
They do not know your domain in depth. A generalist model can answer a medical or legal question in an apparently convincing way, but without the precision or reliability that professional use demands.
You have no control over them. You do not know what they have learned, how they evolve, or what they do with your data.
A vertical LLM — that is, an AI model specialised in a specific domain — addresses both problems. It is trained on relevant, validated, controlled sector-specific data. It is deployed in a secure environment, under your control or that of a trusted partner. And it is often more relevant than a generalist model for the use cases that actually matter to you.
The Saana example: a sovereign medical LLM in action
Saana is a vertical LLM dedicated to medicine. It is a sovereign model: data remains hosted in France, it never leaves controlled infrastructure, and the system is designed to meet the regulatory requirements of the healthcare sector.
Saana is already being used by hospitals in Montpellier. One concrete application: transforming educational content produced by clinical teams to make it accessible and understandable to patients. Medical information is often dense, technical, and difficult for a non-healthcare professional to assimilate. AI makes it possible to rephrase and adapt that content — without patient data ever leaving the institution's own systems.
This is an example of what Sovereign AI makes possible: real value, in the service of users, without sacrificing security or compliance.
As CTO of Saana, Dibrilou Diagne has held this conviction from the very beginning: AI is only useful in sensitive sectors if it is trustworthy. And trust is built — with technical rigour, regulatory common sense, and a deep understanding of the field.
How to get there without in-house expertise
The good news is that you do not need a team of data scientists to benefit from a sovereign AI tailored to your sector.
What organisations that successfully make this transition do is delegate the technical complexity while retaining strategic control. They rely on a partner who understands both the technology and the business challenges, who can translate an operational need into a concrete solution, and who guarantees that data stays where it should be.
This is precisely what Twenty does: the expertise of a large group, with the proximity of a trusted partner. With 11 years of IT experience and assignments in demanding environments — MGEN, Air Liquide, the healthcare sector — the approach is well-proven: listen to what you need, build what makes sense, and keep you in control of your data and your decisions.
More than 350 people trained, including some fifty in AI, reflect an approach that combines knowledge transfer with action.
Sovereignty is not a luxury — it is a condition of trust
Using AI without asking the question of sovereignty is a bit like signing a contract without reading the clauses. You tell yourself it will be fine — until the day it is not.
For sectors that handle sensitive data, the question is not "can we afford to do Sovereign AI?" but "can we afford to do otherwise?"
The technology exists. The use cases are concrete. The risks are documented. What is often missing is a partner capable of connecting all of this to your operational reality — and of guiding you without drowning you in complexity.
Let's talk about your project
Do you lead an organisation in a sensitive sector and are thinking about AI? Do you have a project in mind but are not sure where to start? Or have you already started and want to make sure you are on the right track?
Dibrilou Diagne is available to discuss it, with no commitment, with the goal of helping you see things more clearly.
- WhatsApp: +33 6 34 42 50 56
- Email: contact@twentyconsultancy.com