AI Is Already Inside the System. Many Organizations Don’t Know Where Their Data Actually Goes.
Every AI conversation I have with executives eventually arrives at the same uncomfortable realization: they do not always know where their data is, who is processing it, or who holds the keys that protect it. Not because they are careless, but because the architecture has moved faster than the governance.
Julian Fay, Co‑Founder & CTO of Senetas, is on the mic with John Kananghinis, Alexander Corne from RMK+A and Stephen Rando from ANZ Bank on And Why Is That? exploring “What Is AI? Will It Save Us or End Us
AI is no longer a tool at the edge of the enterprise. It is embedded in analytics, operations, security, and decision-making, and it often runs on infrastructure the organization does not own. Data flows continuously across clouds, edge environments, partners, and jurisdictions. The operator of the platform, the holder of the keys, and the owner of the data may all be different parties. In that world, the platform is secure is not the same as assurance.
This is where I think a lot of the current AI risk conversation goes wrong. We debate alignment, regulation, and existential risk—all worth debating—while skipping the immediate, tractable problem sitting on every CISO’s desk: critical data is moving through systems the organization does not control, protected by keys the organization may not hold, under assurances the organization cannot independently verify.
The questions that matter right now are unglamorous: Where does sensitive data move? Who holds the keys? Where do your trust boundaries actually end? If your answer to any of these is “the cloud provider handles it”, that is not a trust boundary. That is a vendor relationship.
AI will genuinely transform medicine, logistics, science, and productivity. But it amplifies whatever weaknesses already exist in your data governance. Confidentiality leaks faster. Misuse scales further. Sovereignty erodes one integration at a time, and you usually only notice when something has already gone wrong.
The technical answer has not changed, and it is not exotic. Encrypt data where it moves. Hold your own keys. Insist on trust boundaries that are independently assured through standards and certifications such as FIPS and Common Criteria, which exist precisely because vendor self-assertion is not enough. In an AI world that runs on data in motion across infrastructure you do not own, customer-controlled encryption is not a nice-to-have. It is the difference between sovereignty and hope.
This is what Senetas has built for over two decades, and it is why defense, government, and critical infrastructure customers come to us when “trust the platform” is no longer an acceptable answer.
The full conversation is here.
By Julian Fay
