AI Sovereignty Emerges as a Strategic Imperative for Luxembourg Organisations

As part of a Golden-I Masterclass, Audric Lhoas, Head of Product at Proximus NXT Luxembourg, explored these challenges with an audience of senior technology decision-makers, opening the discussion with a series of live polls designed to assess the current state of AI adoption and governance.

The results painted a revealing picture. Most participants indicated that generative AI tools are already officially approved and governed within their organisations. However, when asked whether they knew exactly where their data goes when employees use public AI tools, many admitted they only had partial visibility—or that the situation remained largely unclear. While respondents generally described their approach to AI as balancing innovation and governance, a strong majority also stated they would be willing to accept higher costs or lower performance in exchange for stronger AI sovereignty guarantees.

Interestingly, most attendees expressed confidence in their ability to explain their organisation’s AI architecture and solutions to a regulator or auditor, highlighting the growing importance of governance and compliance in enterprise AI strategies.

What Organisations Know and What They Don’t

According to Audric Lhoas, enterprises today have a clear understanding of several realities. Employees are already using AI tools on a daily basis, adoption is accelerating faster than governance frameworks can keep pace, AI capabilities are increasingly embedded within critical business processes, and sensitive information is already being shared with AI systems.

Yet significant blind spots remain.

Many organisations still struggle to answer fundamental questions: Where does the data actually go? Who has access to prompts and generated outputs? Under which jurisdiction is AI inference being performed? And perhaps most importantly, how much control do organisations truly have over their AI stack?
These questions become even more critical because AI fundamentally changes the traditional understanding of data sovereignty. While many organisations have invested heavily in controlling where data is stored, far fewer have visibility into where the actual processing of that data—the inference layer—takes place.
This creates a growing tension between the convenience, scalability and performance offered by public AI platforms and the need for transparent, auditable governance frameworks.

A Practical Sovereignty Exercise

To illustrate the complexity of these decisions, participants were invited to imagine themselves as the CIO of a fictional financial institution, Golden-I Bank, tasked with designing a sovereign AI solution.

The exercise centred around seven critical questions:
• Will the AI process critical data?
• Which AI model can be trusted?
• Where does inference take place?
• How is data protected?
• What level of security is required?
• Can the provider be trusted?
• How can control be maintained over the entire AI stack?

The discussion quickly highlighted that even among experienced technology professionals, key concepts remain open to interpretation. One recurring challenge involved defining what constitutes “critical data.” While regulations increasingly reference the concept, organisations often apply different definitions depending on their industry, risk profile and compliance requirements.

Trust also emerged as a major topic of debate. Participants expressed differing views on whether certain AI providers should be considered more trustworthy than others. While European-hosted AI services were generally viewed as offering stronger jurisdictional alignment and therefore representing an important step towards sovereignty, many attendees argued that highly sensitive workloads should remain on-premises or be handled through genuinely sovereign AI environments.

Governance: The Missing Piece of AI Sovereignty

Another key takeaway from the session was that AI sovereignty cannot be achieved through infrastructure choices alone. Effective implementation requires continuous governance.

Regulatory frameworks, including the EU AI Act, increasingly emphasise ongoing oversight mechanisms such as monitoring, audit trails, model reviews and incident response procedures. These capabilities are rapidly becoming essential components of enterprise AI strategies, particularly within highly regulated sectors such as finance, healthcare and public administration.

As AI adoption continues to accelerate, governance is expected to become one of the most significant areas of investment and focus for organisations across Luxembourg.

Data Sovereignty Remains the Top Priority

The session concluded with a final audience poll, revealing how perspectives had evolved throughout the discussion.

When asked how they now viewed AI sovereignty, participants overwhelmingly described it as a critical strategic topic. Data leakage emerged as the single biggest concern regarding enterprise AI adoption, while data sovereignty and control were identified as the most important factors when selecting an AI platform.

The message from Luxembourg’s technology leaders was clear: AI adoption is no longer simply about innovation and productivity. As organisations move towards large-scale deployment, sovereignty, governance and control are becoming fundamental requirements for sustainable and compliant AI strategies.