Most large UK firms cannot explain overseas AI data use

Harbr Data has published research showing that 61% of large UK firms cannot fully explain how sensitive data is used once it is processed by AI systems overseas. The findings point to a governance gap in cross-border AI data handling.

The survey covered 250 UK IT and data decision-makers, including CIOs, CTOs, Heads of Data, Chief Data Officers and IT Directors, at organisations with 500 or more employees and about £100 million or more in annual revenue.

Nearly three-quarters of respondents said their data is processed by AI systems outside the UK at least weekly, while one-third said this happens daily. The research suggests cross-border data movement has become routine for many large organisations rather than an occasional exception.

That trend is putting pressure on internal governance structures. Boards remain responsible for the outcomes of AI-related decisions and compliance failures, yet only 20% of respondents said boards were ultimately accountable for cross-border AI governance. Instead, 58% said responsibility sat with the CIO or CTO.

Governance gap

The findings suggest many organisations are still struggling to build the staffing, controls and oversight needed to track sensitive data once it leaves domestic systems. Nearly half of respondents, 47%, said their organisations did not have enough qualified staff to manage cross-border AI.

A further 28% cited unclear ownership, saying responsibility was spread across multiple teams. More than 40% were unsure whether their systems fully complied with international regulations, and 38% said they faced difficulties auditing AI-driven decisions that rely on data from multiple regions.

The concern extends beyond internal processes. Half of respondents said limited visibility could lead to breaches of international compliance rules. Some 36% cited potential fines or regulatory investigations, while 35% pointed to strategic or geopolitical exposure. Commercial or contractual disputes were flagged by 31% of organisations.

Regional confidence

Confidence in managing AI-driven data also varied sharply by geography. Seven in 10 respondents said they felt confident handling such activity within the UK, while 62% said the same for the EU and EEA.

That confidence dropped outside Europe. Only 31% said they were confident in North America, and just 12% expressed confidence in Asia-Pacific. The figures suggest legal complexity, differing regulatory regimes and geopolitical concerns are shaping how companies assess overseas AI data processing.

External pressures are also shaping technology decisions. Data localisation laws have influenced AI architecture decisions for 91% of organisations, while 87% said geopolitical factors were affecting how and where data is processed.

The backdrop is a tougher compliance environment for businesses using AI across borders. As enforcement under the EU AI Act develops, companies operating internationally face closer scrutiny over governance, accountability and the movement of sensitive data between jurisdictions.

For large UK organisations, AI governance is moving beyond a narrow technical discussion and into broader operational and board-level risk management. The survey suggests many businesses are still working through how to assign ownership, document decision-making and maintain oversight when data is handled by systems outside the UK.

Harbr Data argues the issue lies less in the use of AI itself than in the difficulty of tracking and governing data once it enters global AI environments. The company works with organisations managing cross-border data ecosystems, with a focus on oversight of data sharing across systems, regions and business partners.

Anthony Cosgrove MBE, founder of Harbr Data, said: "AI systems are global by design, but accountability remains national. Cross-border AI processing is fundamentally an issue of how to govern data sharing. Organisations need a robust operating model for how sensitive data is accessed and used across systems, legal entities and national borders. Without that, boards risk being caught off guard by compliance breaches, fines, or international disputes."