Close
    Share
    Facebook Facebook icon Twitter Twitter icon LinkedIn LinkedIn icon Email
    Whats-at-stake-when-choosing-an-AI-Vendor-2

    Artificial Intelligence

    More than tech: What’s really at stake when we choose an AI vendor

    by Mark J. Greeven, José Parra Moyano Published November 20, 2025 in Artificial Intelligence • 7 min read

    AI has moved from the purely technical realm into the geopolitical one, with nations and regions striving for AI sovereignty. What are the strategic implications for leaders?

    When a European executive recently tested DeepSeek, China’s breakthrough reasoning model, a warning message stopped him cold: “Everything must operate under Chinese law.” His immediate reaction? Uninstall the app. But here’s the uncomfortable question he didn’t ask: Aren’t we already operating under American law when we use ChatGPT?

    Every AI vendor is a package deal. When you choose an AI platform, you’re not just selecting technology; you’re also choosing a regulatory regime, embedding a set of values, and accepting a jurisdictional relationship that could reshape your business operations overnight. The TikTok saga made this brutally clear, with 170 million American users waking up on 18 January 2025 to find their app banned, only to see it restored 24 hours later after presidential intervention. Your AI infrastructure could face the same fate.

    Whereas we might have previously made buying decisions based on technical or price considerations, when it comes to AI, we also have to consider the regulatory strings we’re willing, or able, to accept.

    Capitol dome building exterior Washington DC USA Home of Congress and Capitol Hill American political system Decentralized economy Blockchain cryptography and cryptocurrency concept hologram
    Technology has never been neutral, but AI makes the political nature of our tools impossible to ignore

    The regulatory landscape

    Technology has never been neutral, but AI makes the political nature of our tools impossible to ignore. There are three key ways in which regulation underpins AI:

    • Content moderation: With regulation reflecting key regional constraints. For instance, ChatGPT won’t discuss certain political topics, DeepSeek explicitly acknowledges Chinese law, and Baidu’s Ernie Bot incorporates “regulatory frameworks to generate policy-compliant responses.”
    • Data governance: Which inevitably helps to determine sovereignty. For instance, Microsoft Azure, which powers ChatGPT, operates under the US Cloud Act, which grants US authorities access to data, regardless of where it’s stored. Similarly, European providers are governed by GDPR, and China’s by the country’s data localization requirements.
    • Liability frameworks: Which fundamentally shape responsibility. When AI makes mistakes, which legal system determines accountability? US tort law creates litigation exposure. Chinese oversight ensures state visibility. EU rules mandate explainability and individual rights. Your vendor choice is your liability choice.
    “China treats AI as strategic infrastructure requiring state coordination.”

    A strategic comparison between AI jurisdictions

    In order to choose the right platform for you, you need to understand the regulatory strings attached to each vendor. This requires mapping three distinct approaches.

    The United States prioritizes permissionless innovation with reactive regulation. This means that US-based platforms usually come with minimal regulations initially, but the unpredictable nature of the current regime exposes them to unexpected litigation. They also tend to offer strong IP protection but have weak privacy frameworks, and are subject to national security reviews that can suddenly restrict access. The $500bn AI infrastructure investment President Trump announced signals potential US dominance.

    China treats AI as strategic infrastructure requiring state coordination. More than 300 generative AI services are registered with the Cyberspace Administration of China. You have to accept algorithmic transparency to the state, data localization requirements, and content controls, but this also comes with remarkable cost efficiency. DeepSeek and other Chinese models deliver comparable performance to Western rivals at a fraction of the cost through “modular and resilient AI infrastructure” built in response to US export controls.

    The European Union is renowned as a regulatory superpower, and the AI Act and GDPR are influential both across Europe and further afield. When selecting an EU-based platform, you incur high compliance costs but also get predictability, individual rights protections, and potential trust premiums in sensitive applications. The “Brussels Effect” means that EU standards often become global benchmarks, so European compliance can confer an advantage in other markets, too.

    The reality for multinationals is that trading across borders will require AI support in all three jurisdictions.

    Business intelligence value chain and data driven decision concept For efficiency and sustainable success LCA Life cycle assessment Positive environmental Reduce carbon to limit climate change
    There are also obvious questions to be raised around values alignment

    Questions to ask

    There are a number of key regulatory questions to consider when choosing an AI vendor. The first of these is to understand where the actual authority is. Managers should understand who owns each vendor, where data centers are located, and the regulatory registrations they operate under. For instance, LVMH’s partnership with Alibaba for its China operations was a deliberate choice to work within China’s regulatory framework. It was a choice that was appropriate for localized deployment, but problematic for global applications.

    It’s also important to gauge what compliance is already built in. For instance, companies should understand what restrictions are placed on content and how data should be and is capable of being handled. They should understand transparency requirements around auditing and any certifications that may be required.

    Companies also need to examine any geopolitical risks surrounding their decision. In the past few years, there have been numerous examples of export controls and even bans. This is evident in the Chinese market, where China’s AI ecosystem – with DeepSeek, 01.AI, and the “six little tigers” as viable alternatives to Western models – comes with considerable geopolitical risk.

    There are also obvious questions to be raised around values alignment. Companies should consider any biases inherent in the models, whether the platforms operate under censorship requirements, and how they approach issues such as privacy and transparency.

    Last, but not least, companies need to rigorously assess whether the vendor is ready for any regulations that might be around the corner, whether general AI-specific regulations or industry-specific requirements. For instance, do you think a Chinese vendor is willing and able to abide by EU regulations as well as Chinese regulations?

    Companies could also consider a more open-source approach that prioritizes models from aligned jurisdictions or builds internal capabilities

    Strategic responses

    So, how might you respond? There are a number of different approaches you could take. For instance, you could choose to segment your efforts geographically, with different AI platforms in different regions. This would allow you to use Western models in the US and Europe, and Chinese models in China. This is probably the best approach for multinationals, especially those in regulated sectors.

    Firms could also default to using Western platforms, with very specific exceptions. For instance, Nestlé found that Western LLMs were more effective for logistics, but Chinese platforms provided higher-quality outcomes in customer analytics in China.

    Another approach is to simply invest in the optimal AI for your circumstances, regardless of its origin and then invest heavily in risk mitigation and exit planning. Companies could also consider a more open-source approach that prioritizes models from aligned jurisdictions or builds internal capabilities. Sometimes, the only way to avoid regulatory strings is to own the technology stack.

    The goal isn’t to slow adoption with bureaucracy; it’s to make hidden costs visible and manageable.

    Start the conversation

    Arguably, the key is to ensure that whatever conversations are being had around AI vendor selection are not confined to the IT department, but take place at the highest level. This is a strategic governance issue that requires input from technology, legal, risk, ethics, and executive leadership.

    The goal isn’t to slow adoption with bureaucracy; it’s to make hidden costs visible and manageable. The era of “neutral” technology is over. Every AI vendor packages technology with jurisdiction, regulation with innovation, values with capabilities. DeepSeek’s explicit warning about Chinese law was refreshing in its honesty. Most vendors don’t make their jurisdictional strings so clear.

    The uncomfortable truth is that there is no perfect AI vendor. Every option comes with regulatory strings. Your job isn’t to find the stringless option; it’s to choose which strings you can work with, which risks you can manage, and which jurisdictional relationships serve your strategic interests.

    Looking ahead, AI is becoming infrastructure, as essential as cloud computing, as embedded as mobile networks. When infrastructure becomes geopolitical, every technology choice becomes strategic. Organizations that thrive will make these choices explicitly, eyes open to both capabilities and constraints.

    In the DeepSeek case, at least the regulatory strings were visible. For most AI vendors, you have to look harder. But they’re always there. And increasingly, they matter more than the technology itself.

    Authors

    Mark Greeven

    Mark J. Greeven

    Professor of Management Innovation and Dean of Asia, IMD

    Mark Greeven is Professor of Management Innovation and Dean of Asia at IMD, where he co-directs the Building Digital Ecosystems program and the Strategy for Future Readiness program. Drawing on two decades of experience in research, teaching, and consulting in China, he explores how to organize innovation in a turbulent world. Greeven is responsible for the school’s activities and outreach across Asia and is a founding member of the Business Ecosystem Alliance. He is ranked on the 2023 Thinkers50 list of global management thinkers.

    José Parra-Moyano

    José Parra Moyano

    Professor of Digital Strategy

    José Parra Moyano is Professor of Digital Strategy. He focuses on the management and economics of data and privacy and how firms can create sustainable value in the digital economy. An award-winning teacher, he also founded his own successful startup, was appointed to the World Economic Forum’s Global Shapers Community of young people driving change, and was named on the Forbes ‘30 under 30’ list of outstanding young entrepreneurs in Switzerland. At IMD, he teaches in a variety of programs, such as the MBA and Strategic Finance programs, on the topic of AI, strategy, and Innovation.

    Related

    Learn Brain Circuits

    Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
     
    Read more 

    Explore Leadership

    What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
     
    Read more

    Join Membership

    Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
     
    Sign up
    X

    Log in or register to enjoy the full experience

    Explore first person business intelligence from top minds curated for a global executive audience

    Register NowSign in