Foreign AI is powering India’s banks, ministries and utilities, raising concerns over data control, sovereignty, security, strategic autonomy and national resilience
India is wiring a roster of foreign Artificial Intelligence models into its enterprises and ministries. The convenience is real, so is the sovereignty risk. A banker in Mumbai asks an AI assistant to summarise a confidential loan file; a Delhi official feeds citizen records into a chatbot.
Both believe the data never leaves Indian soil. The moment they hit “enter,” it enters a machine built, owned and ultimately governed by a foreign power. In June 2025, Microsoft France’s legal-affairs director, submitted under oath that he could not guarantee that French citizens’ data on European servers would never reach US authorities. As under the US Cloud Act, an American provider must comply with a lawful US demand wherever the data sits. As a result, EU has now enacted the Cloud and AI Development Act which will grade cloud and AI providers by sovereignty with most sensitive workloads being given to EU-controlled suppliers.
China reached the same conclusion years earlier and chose to build their own indigenous AI models DeepSeek, Qwen, Kimi, GLM, Minimax, Mimo etc which today run its public and strategic sectors. These are competitive on benchmarks, and far cheaper than American rivals. The logic is not merely economic but also that a model trained, hosted and governed at home cannot be compelled by a foreign court, throttled by a foreign export order, or quietly degraded in a dispute. For Beijing, AI self-reliance is a matter of national security. The irony is hard to miss. Today India is embracing foreign AI faster than almost anyone, across both private enterprise and public administration, with scant regard for data security or residency.
The question is not whether these tools work; but who controls them, and what that means when the data belongs to a billion citizens. India ranks as number one by country for its active user base of Google and Open AI platforms. Our biggest enterprises ie Infosys, TCS and Wipro have rolled out Microsoft 365 Copilot for more than 300,000 employees. These firms build and run systems for Indian banks, insurers, public utilities and government agencies. Meanwhile MeitY’s e-Governance Division has empanelled six firms ie TCS, NEC India, Kyndryl, Innefu Labs, BharatGPT-maker CoRover and Cactus to deploy AI across ministries and states. The panel is only as sovereign as the models and clouds its vendors run underneath; if those are foreign frontier models on foreign-controlled infrastructure, the empanelment only accelerates dependence. It may be noted that in the recent US-Iran confrontation, AI was used predominantly by American forces for intelligence fusion, targeting, surveillance and decision support.
If the same AI that a foreign military leans on in a live conflict is also the AI quietly running India’s banks, ministries and utilities, then embedding it is as good as handing over the keys to the house to a power that has already shown it will use these tools as instruments of war. In critical information infrastructure like banking, defence, energy, healthcare, it is a security question. A foreign-controlled model’s data can be compelled by a foreign government under laws like the Cloud Act. Also access to AI models, updates and compute can be throttled by export controls or policy shifts ceding a strategic lever in critical information infrastructure to a foreign power. Closed AI models reveal little about how prompts and outputs are logged or reused. In defence or healthcare that inference trail is itself sensitive intelligence. Also, when a few foreign providers underpin our nation’s critical systems, a single outage, breach or policy decision becomes systemic and is a disaster waiting to happen. This is not an argument for digital isolationism.
We should not rip out tools that make our workforce more productive. The answer is to govern foreign AI and build the indigenous capacity that gives the country a real choice. We can rank public-sector and critical infrastructure workloads by sensitivity, and mandate that the most sensitive run only on AI models and infrastructure under our jurisdiction. This implies that sovereign models like BharatGPT and Indian-controlled cloud should be the presumptive choice for defence, finance, energy and health data, with foreign tools requiring documented justification. There is a dire need to fund domestic compute, data centres, open-weight models and the talent to maintain them.
Also, laws should be enacted which ensures guarantees on data handling, audit rights, exit portability and protection from foreign extraterritorial demands etc. For any AI touching critical systems, we must insist on visibility into how prompts and data are logged and used and favour open-weight AI models that can be inspected and self-hosted. Europe spent years discovering that the cheapest cloud is the most expensive choice once you count who controls it.
China never had to learn the lesson, it built its own from the start. India is at the crossroad, scaling foreign AI through its biggest firms and its ministries while other leading powers are factoring in the cost of dependence. The time to choose sovereignty by design, rather than discover it by crisis, is while the systems are still being built. Sovereignty without capability is just a slower form of dependence.
(Brig (Retd) Anil John Alfred Pereira is a veteran from Goa, who served the nation with distinction for 32 years)
