A study reveals that most large UK businesses are unaware of the specific purposes for which their sensitive data is utilized when processed by artificial intelligence systems overseas, highlighting the risks associated with this rapidly advancing technology.

The research surveyed senior technology and data leaders at UK companies with annual revenues exceeding £100 million. Results indicate that 61% of respondents lack comprehensive oversight of how their data is handled abroad, a concern particularly prevalent at the board level.

According to the study by research firm Harbr Data, nearly three-quarters of participants reported that data leaves the UK via AI systems at least weekly, with one-third indicating daily data exports.

In less severe scenarios, lack of transparency regarding data processing locations and methods can create regulatory compliance risks, especially concerning data privacy, storage location regulations, and security issues.

In more serious cases, this opacity could lead to data breaches or malicious exploitation.

Matthew Hodgson, CEO and Co-Founder of secure communication platform Element, stated: "There appears to be limited understanding of data governance mechanisms."

"The real danger lies in people casually copying and pasting documents or confidential information, which may then be used to train models and potentially appear in others' data streams. Such incidents have previously led to significant consequences."

In August 2024, researchers disclosed a vulnerability in the popular communication platform plugin Slack AI: malicious commands implanted in public channels could manipulate the AI to access and summarize data from private channels.

Slack stated at the time that it found no evidence of active exploitation of this vulnerability or unauthorized access to customer data.

In February of this year, Microsoft confirmed a programming error in its Microsoft 365 Copilot chat feature that could process and summarize email content, even messages marked as confidential.

In the Harbr survey, half of the respondents indicated that regulatory gaps could lead companies to violate international regulations, 36% mentioned risks of fines or investigations, and 35% pointed to geopolitical risks.

When personal data is processed outside its country of origin—for instance, transferred from the EU to other jurisdictions—strict legal frameworks apply, typically requiring specific safeguards.

As one of the world's most stringent data regulation regions, trust in data management by AI systems outside Europe drops significantly. While 70% of respondents expressed confidence in UK data management and 62% in EU management, confidence levels fell to just 31% for North America and 12% for the Asia-Pacific region.

Bill Connor, CEO of AI integration firm Jitterbit, noted that the training data or core software sources for AI models are often opaque: "The core code and models of such systems frequently carry risks, particularly when incorporating open-source components."

"They assume security by hosting on US cloud services like AWS or Azure, but the critical question remains: will these models still maintain connections to the original models?"

Analysts predict that increasing regulatory pressure will lead more companies to adopt region-specific AI systems by 2027.

Anthony Cosgrove of Harbr commented: "Numerous critical business processes now rely on AI and interact with these tools through data exchange. This issue transcends mere data flow and sovereignty—it concerns the business processes built upon and dependent on these data movements."