Cresti’s core claim is simple: if you can’t explain where data goes and who can access it, you cannot credibly claim governance.
Summary
The European Parliament recently disabled built-in AI features on official devices due to untraceable data processing, a move highlighted by Barbara Cresti as a signal that AI is now an embedded infrastructure layer, not just optional software. This decision underscores critical issues like data traceability, AI's shift to a governing layer in workflows, and digital sovereignty concerns related to data visibility, jurisdictional exposure, and dependency economics. The author, ChatGPT-5.2, agrees with the strategic diagnosis that AI is a "cognitive supply chain" requiring serious risk management, but qualifies Cresti's framing by noting the ban was specific to certain features and that disablement is a short-term control, not the sole solution. The analysis suggests a need for clearer threat models, addressing decision-shaping power, anticipating "shadow AI," and considering industrial policy and broader vendor concentration.
Key takeaway
For government leaders and IT directors evaluating AI integration, the European Parliament's device ban signals that opaque AI features pose a constitutional risk to institutional control and data sovereignty. You should implement a "traceability or disablement" policy for sensitive functions, classifying AI features by risk and procuring AI as critical infrastructure with clear audit rights and reversibility KPIs. This approach allows for modernizing with AI while preventing the silent outsourcing of democratic cognitive processes.
Key insights
AI's integration into devices necessitates robust traceability and control to maintain digital sovereignty and institutional competence.
Principles
- Traceability is the minimum for "safe enough" AI governance.
- AI is becoming infrastructure, not merely an application.
- Reversibility of AI integration is a key indicator of agency.
Method
Institutions should assess AI features based on data traceability, legal regime, and exposure reduction capability, treating AI as a cognitive supply chain requiring risk management and contingency planning.
In practice
- Adopt a "traceability or disablement" rule for sensitive roles.
- Classify AI features by data sensitivity tiers.
- Procure AI like infrastructure, requiring data-flow maps and audit rights.
Topics
- AI Governance
- Digital Sovereignty
- Data Traceability
- AI Infrastructure
- AI Risk Management
Best for: VP of Engineering/Data, Director of AI/ML, Executive, Policy Maker, CTO, AI Ethicist
Related on AIssential
Counsel's verdict on this
AIssential's Counsel cites this article in its editorial verdict on the decision it informs:
Editorial summary, takeaway, and curation by AIssential. Original article published by Pascal’s Substack.