IBM has put a profit figure on AI control. In its June 17 Institute for Business Value study, the company reported that organizations with the greatest control across their AI stack protect 55% more operating profit from AI-driven disruption than organizations with less control.
According to the findings, AI systems are no longer limited to pilots or assistants. IBM’s report cites its 2026 CEO Study, saying CEOs reported that AI made 25% of operational decisions in early 2026 and expected that share to rise to 48% by 2030.
In the foreword, Ana Paula de Jesus Assis, IBM senior vice president and chair of Europe, Middle East, Africa and Asia Pacific, wrote: “The stakes are no longer technical; they are economic.”
Vendor lock-in and the visibility gap
The report says that only 9% of executives surveyed said they had an excellent understanding of their dependencies on AI vendors, models and infrastructure, while 71% said switching their primary AI vendor or model would be difficult if required today.
“Vendor lock-in creates imbalance,” said Conor Mlacak, CIO of Staples Canada. “Once you’re locked in, you lose leverage.”
IBM conducted the study with Oxford Economics between February and April 2026, drawing on responses from 1,000 senior executives responsible for AI, data, technology or related enterprise capabilities.
The report details respondents came from 16 geographies and 17 industries, with organizations ranging from $260 million to $92 billion in annual revenue or budget. The sample was weighted toward large, complex enterprises actively scaling AI.
IBM also has a commercial interest in the category: the report’s closing section points readers to IBM’s hybrid cloud, AI governance and consulting offerings, including IBM Sovereign Core.
AI dependency shifts to the model layer
The report’s central argument is that AI dependency has moved beyond infrastructure and applications into the model layer. IBM says model behavior can change without formal release cycles, while service terms and safety controls can be updated with little notice.
Over the past 24 months, executives reported unexpected changes including price increases, usage restrictions, model or service deprecations, data-handling changes, privacy-term changes, geographic access restrictions, performance degradation and quality issues.
Quantifying outages and cost exposure
The disruption data makes the dependency more concrete. IBM reported that executives experienced an average of six AI-related operational disruptions over the past two years, with vendor service disruptions and deprecations ranked as the leading cause.
The outage scenario was starker: 81% of executives said a seven-day outage at a primary AI vendor would have a severe or critical effect, effectively halting business operations.
Cost exposure also appears in where AI runs. IBM reported that organizations pay 2.8 times more in token processing when data placement is misaligned with model execution. For a representative $20 billion enterprise, the report modeled roughly $50 million in additional annual cost for delivering the same AI capabilities when AI runs far from the data it depends on.
Regulatory pressure on third-party risk
The governance concern is not limited to IBM’s survey. NIST’s Generative AI Profile identifies “non-transparent or untraceable integration of upstream third-party components” and improper supplier vetting as generative AI value-chain risks.
The profile lists suggested actions including supplier risk assessments, inventories of third-party entities, contractual expectations for quality and security, service-level agreements and contingency processes for failures in high-risk third-party AI systems.
Financial regulators have already treated technology concentration as a resilience issue. The European Insurance and Occupational Pensions Authority says the EU’s Digital Operational Resilience Act covers ICT third-party risk management, key contractual provisions and oversight of critical ICT third-party providers. EIOPA says the oversight framework addresses systemic and concentration risks arising from reliance on a limited number of ICT providers.
A tiered approach to AI sovereignty
IBM’s response is selective control, not full ownership of every system. The report calls for enterprises to classify AI systems into three tiers: mission-critical or differentiating systems, important but non-differentiating capabilities and operational or commodity services.
The highest-control tier includes systems such as fraud engines, proprietary algorithms, core decisioning platforms and AI capabilities that materially affect revenue, risk and operations.
The tiered model turns sovereignty into an operating discipline. IBM says 57% of executives believe swapping or replacing a core AI model would require significant decoupling or a complete system rebuild, while 56% say it would take at least six months to move core AI systems and applications to a different vendor.
Its action guide calls for dependency maps, outage simulations, data portability rights, exit service-level agreements, failover drills, audit logs, fallback workflows and tested alternatives for data, models and runtime environments.