IBM Study: 91% of Enterprises Don’t Understand Their AI Vendor Dependencies

Ask 1,000 senior executives whether they understand exactly which AI vendors, models, and infrastructure their company now depends on, and roughly 910 of them will tell you, in effect, that they don’t. That is the headline finding from a new IBM Institute for Business Value study, and it lands at a moment when most large enterprises have already wired generative AI into operations they cannot easily unwind.

The global study, based on responses from 1,000 senior executives across 16 countries and 17 industries, found that 91 percent of organizations do not fully understand their dependencies across AI vendors, models, and infrastructure, while 71 percent said switching their primary AI vendor or model would be difficult. IBM is calling the underlying problem “AI sovereignty” — an organization’s actual capacity to control, audit, and if necessary replace the AI systems it has come to rely on.

The numbers describe a familiar enterprise-technology pattern: companies adopted a powerful new capability quickly, and the bill for that speed is now coming due in the form of dependencies that, by IBM’s own data, almost nobody mapped in advance.

What Happened

The study was conducted by the IBM Institute for Business Value in collaboration with Oxford Economics, surveying executives responsible for AI, data, or technology strategy between February and April 2026. Beyond the headline visibility and switching-difficulty figures, the study found that 68 percent of executives say meeting data residency and sovereignty requirements across geographies is challenging, and that organizations report an average of six AI-related disruptions over the past two years.

Despite the difficulty of switching vendors, 72 percent of executives said they would accept a 20 percent cost increase to maintain flexibility across their AI vendor relationships, and 73 percent described their AI environments as intentionally multi-vendor. IBM’s own data complicates that self-description, however: the leading reasons given for that vendor diversity were independent business-unit decisions and geographic necessity, both cited by 69 percent of respondents, with legacy complexity from mergers and acquisitions cited by 57 percent — organizational accidents more than deliberate resilience strategy.

The Mechanism: Why AI Dependency Is Harder to Unwind

AI sovereignty, as IBM frames it, is a broader concept than the vendor lock-in enterprise technology buyers have managed for decades. A traditional SaaS contract can usually be replaced by exporting data and re-integrating with a new provider over months. An AI deployment is different: the model itself shapes how a workflow behaves, fine-tuning and prompt engineering accumulate institutional knowledge that doesn’t transfer cleanly, and the infrastructure underneath — specific chips, specific cloud regions, specific data pipelines — is frequently invisible to the business teams who depend on the output.

That invisibility is precisely what the 91 percent figure is measuring. It is not that executives are unaware AI is embedded in their operations; it is that almost none of them could produce an accurate map of which models, vendors, and infrastructure layers a given workflow actually depends on, which makes it nearly impossible to assess risk or plan for disruption before one happens, rather than after.

The Backstory

This is the second major AI-governance study IBM has published in the span of ten days. On June 8, the company’s Institute for Business Value released a separate study finding that two-thirds of CIOs are accountable for AI systems they don’t fully control, with only 11 percent describing themselves as ready for what comes next. Read together, the two reports describe the same underlying problem from two different vantage points: one about who is accountable inside the organization, and this newer one about how little visibility that accountable person actually has into the dependencies they’re responsible for.

IBM has also been building commercial products squarely aimed at this exact problem. The company launched IBM Sovereign Core in January 2026, software built on Red Hat open-source foundations designed to give customers a self-operated control plane, in-region data and key management, and continuous compliance evidence — a product whose entire value proposition depends on enterprises agreeing that the kind of dependency risk this new study quantifies is real and worth paying to address.

Reactions

Ana Paula Assis, IBM’s senior vice president and chair for Europe, the Middle East, Africa, and Asia Pacific, framed the urgency directly: “AI has introduced new forms of dependency that evolve faster than traditional governance, procurement, or technology cycles were designed to handle.”

Companion findings IBM presented for the EMEA region at its AI Summit in London put a sharper edge on the same point. Gregory Verlinden, vice president of data and AI at IT consultancy Cegeka, said the cost of vendor lock-in “can be invisible until it’s too late,” while Nina Wilhelmsen, IBM EMEA’s sovereign hybrid cloud and AI business lead, argued that visibility into data storage alone isn’t sufficient: “If you don’t understand how data is moving or who controls access to those systems, you don’t have true control.”

The Dispute: Diagnosis From a Company Selling the Cure

IBM is not a disinterested observer of the problem it is describing. The same company publishing data on enterprises’ lack of AI-dependency visibility has, since January, been selling Sovereign Core specifically to address it, and the study’s framing — control, auditability, the ability to swap vendors — maps closely onto that product’s feature list. That doesn’t make the underlying data wrong; the Oxford Economics collaboration and the scale of the 1,000-executive sample lend it real methodological weight. But it is worth reading the findings with the awareness that the company commissioning and publishing them has a direct commercial stake in enterprises concluding that the answer is more vendor-agnostic control infrastructure, of the kind IBM happens to sell.

There’s also a tension inside the data itself. Nearly three-quarters of organizations call their AI environments intentionally multi-vendor, which on its face should reduce concentration risk. But IBM’s own breakdown shows that diversity is mostly an accident of organizational structure and acquisition history rather than a deliberate resilience strategy — meaning the multi-vendor label may be giving executives false comfort about a problem the underlying data says they haven’t actually solved.

What Happens Next

IBM is positioning the study as a roadmap rather than a one-off finding, and is expected to use it in client briefings and around its AI Summit circuit in the coming months. Expect rival cloud and infrastructure vendors — Microsoft, Google, and AWS chief among them — to publish their own competing framings of AI dependency risk in the coming weeks, each one likely to point, in its own way, toward that vendor’s preferred architecture as the safer answer.

Why It Matters

As enterprises move from experimenting with generative AI to embedding agentic systems directly into core operations, dependency mapping is becoming a board-level risk question rather than a problem that can be left to IT procurement alone. The findings also intersect with a broader policy conversation about AI and digital sovereignty already underway at a national level in the EU and elsewhere, and with the wider pattern of AI infrastructure concentration visible in deals such as Nvidia’s sprawling, multi-billion-dollar web of AI equity investments across the industry, and in adoption data from reports like Microsoft’s own global AI diffusion study. The common thread across all of it: enterprises are adopting AI capability faster than they are building the visibility to manage what happens if any single piece of it fails.

Sources

IBM Institute for Business Value; PRNewswire; AI Business (EMEA briefing); StockTitan.