Artificial intelligence is now embedded in public-sector operations, from welfare systems and tax authorities to healthcare and procurement. But while adoption has accelerated, governance and security have struggled to keep pace. For security leaders in government, this gap is no longer theoretical. It is becoming a practical risk tied directly to sovereignty, accountability, and control.

One of the most underappreciated dynamics shaping public-sector AI security is concentration. A small number of U.S.-based providers dominate both large-language-model APIs and cloud infrastructure. This concentration places public-sector workloads on platforms governed by legal and operational frameworks outside the jurisdictions responsible for citizen data and public accountability. From a security standpoint, this creates a dependency problem that traditional risk models were not designed to handle.

Security benchmarking tools such as the F5 Labs CASI Leaderboard now quantify the model-level side of this risk, giving organizations a way to compare models on measured adversarial behaviour rather than marketing claims. CASI evaluates models across a set of standardized metrics, including a composite “CASI Score” that reflects how well a model resists adversarial attacks. Any such score is a point-in-time measurement: model versions and attack techniques both change, so a score should be re-checked at procurement and again on each model update rather than treated as a permanent property of a vendor.

Not All AI Models Are Secure Enough for Government Use

Market share and capability benchmarks obscure a critical reality: AI security performance varies dramatically between providers. Independent adversarial testing shows that some models are far more resistant to prompt injection, data leakage, and multi-step attacks than others. In some cases, the security gap between leading closed models and open-weight alternatives is extreme.

According to the CASI Leaderboard, models like Anthropic’s Claude Opus 4.5 score significantly higher on the CASI metric than many competitors, showing that security differences between models are measurable rather than a matter of opinion.

For public-sector use cases, where failures can affect welfare decisions, public safety, or legal outcomes, this matters more than raw performance or cost. Security-critical applications significantly narrow the pool of viable models. Governments may believe they have broad choice, but in practice, only a small subset of providers consistently meet the security bar required for sensitive deployments.

Yet procurement frameworks rarely reflect this reality. Vendors are typically assessed on functionality and compliance attestations, not on demonstrated resistance to adversarial abuse, so adversarial test results rarely appear as a scored criterion in a tender.

Sovereign Cloud Does Not Automatically Mean Secure Cloud

Much of the current response to sovereignty concerns has focused on “sovereign cloud” offerings. While data residency is important, it is not sufficient on its own. Many sovereign cloud products still fall under extraterritorial legal regimes, because the operator or its parent company remains subject to disclosure orders from its home jurisdiction, meaning data may be subject to foreign access requests even when stored locally.

From a security perspective, the more practical approach is risk-based tiering. Low-sensitivity workloads can run on mainstream cloud services with contractual safeguards. Highly sensitive data – healthcare records, law enforcement systems, tax information, and critical infrastructure – should be limited to providers that demonstrate both jurisdictional independence and strong security validated through adversarial testing.

Initiatives like Gaia-X are beginning to bring transparency to this process by classifying services according to sovereignty levels. This is a useful step, but classification alone does not address model security, auditability, or runtime risk.

Open-Weight Models: Control Comes With Tradeoffs

Open-weight models offer clear sovereignty advantages. Deployed on government-controlled infrastructure, they keep prompts, outputs, and model weights on systems the government operates, with no third-party API in the request path, provided the serving stack itself is checked for outbound telemetry. For many public-sector organizations, this is appealing.

However, open deployment introduces its own security challenges. Training data provenance is often opaque, and adversarial testing consistently shows that many open-weight models perform poorly compared to leading closed models when subjected to sophisticated attacks. A sovereign deployment that is highly vulnerable to exploitation may introduce greater operational risk than a well-governed API deployment of a more secure model.

Security teams must avoid treating open models as an automatic solution. Sovereignty and security are not interchangeable – both must be evaluated explicitly.

Why 2026 Forces a Security Reset

The EU AI Act’s high-risk system provisions become enforceable in August 2026, creating a hard deadline for change. Enforcement will introduce meaningful financial penalties and drive global compliance through regulatory spillover, regardless of where providers are headquartered.

But regulation alone will not solve the security problem. Regaining control requires three parallel efforts already underway:

  • Regulatory enforcement, backed by penalties significant enough to change behavior.
  • Infrastructure investment, including European initiatives to expand data-center capacity and develop sovereign AI platforms, creating real alternatives to hyperscaler dependency.
  • Operational governance, where public institutions implement AI registries, assign system ownership, monitor runtime behavior, and establish accountability chains.

From a security standpoint, all three are necessary. Regulation creates the mandate, infrastructure creates the options, and governance determines whether risk is actually managed. 

The Security Risk of Algocracy

Perhaps the most serious long-term risk is not technical, but structural: the drift toward automated decision-making without sufficient human oversight. High-profile failures in welfare and fraud detection systems have already demonstrated how algorithmic systems can cause widespread harm when accountability is weak.

When AI systems influence decisions about benefits, taxation, or public services, security failures are not just breaches – they are governance failures. Democratic systems rely on human judgment, review, and recourse. Removing those safeguards in favor of algorithmic efficiency creates new attack surfaces, both technical and institutional.

AI should support human decision-makers, not replace them.

From Securing AI Systems to Securing Democratic Control

The core challenge for public-sector security leaders is deciding whether governments will remain passive consumers of AI or become active shapers of how it is deployed. Procuring technology without enforcing security standards, transparency, and accountability leaves institutions reactive and exposed.

Securing AI in the public sector means demanding adversarial testing, understanding legal exposure, validating sovereignty claims, and defining strict boundaries around automated decision-making. The technology is already embedded. The question now is whether security governance can catch up before control is permanently ceded.