Someone on your team opens a browser tab and types a client question into ChatGPT. Not because they're careless. Because the alternative is three hours of manual work. The win is immediate. The risk feels like someone else's problem, until it isn't. They're not alone. According to Microsoft's 2025 Work Trend Index, 71% of workers use unapproved AI tools at work. LayerX puts the number pasting corporate data into public chatbots at 77%. IBM found 1 in 5 organizations breached via shadow AI in the last twelve months. These aren't reckless people. They're your analysts, your project managers, your operations leads — people who've found a tool that makes them significantly better at their jobs and haven't been given a sanctioned reason to stop.
The gap between your AI policy and your employees' Tuesday morning is the exposure
The instinct is to write a better policy — ban ChatGPT, issue guidance, remind people of their obligations. But shadow AI in your organization isn't going away, and banning it just makes it untraceable. According to IDC's 2025 survey, 56% of employees use unauthorized AI tools at work while only 23% use tools their organization actually provides and governs. That gap isn't a compliance failure. It's what happens when the sanctioned alternative doesn't exist — employees don't stop using AI, they just stop being visible when they do.
Each path to sovereign AI fails regulated firms differently — and getting there is harder than it looks
Private cloud platforms like AWS Bedrock and Google Vertex feel like a middle ground, but your data still moves through infrastructure owned by a foreign hyperscaler, under their jurisdiction. For environments with strict data residency or GDPR obligations, "dedicated tenancy" rarely satisfies the auditor.
DIY on-premises gives you genuine sovereignty — nothing leaves your perimeter. The cost is everything else: hardware, serving infrastructure, governance, audit logging, access controls, model versioning. The realistic timeline is 12-18 months before the first production workflow, during which shadow AI keeps compounding.
On-device first is the least deployed path, not only because the market assumes it requires compromising on capability, but because scaling inference across a fleet of heterogeneous devices has historically required custom infrastructure that simply didn't exist. Both are changing.
On-device AI is good enough for most of what your team actually does — the market just doesn't know it yet
Most workplace AI tasks — summarizing documents, drafting responses, answering questions about internal content, extracting information from contracts — don't require the largest models in the world. They require models that are fast, sovereign, and reliably available. Modern 7-13 billion parameter models handle these tasks well. The performance difference is real for complex multi-step reasoning; for the routine work that makes up most actual usage, it's narrower than most procurement teams expect — and the capability gap is closing faster than procurement cycles are moving.
Sovereign AI for regulated firms: What we're building at Locai
SafeChat is built by Locai — a device-first AI infrastructure company backed by Google for Startups, NVIDIA Inception, and Fuel Ventures. It works like ChatGPT — browser-based, nothing to install, sign in and start working in seconds — but every inference runs locally on the user's own device. No prompt ever leaves the browser. Where a task needs more compute than a device can handle, it routes to your own servers or a cloud endpoint you control, and the sovereignty guarantee holds either way. Architected for SOC2, GDPR, and HIPAA compliance.
SafeChat is open for early access now. For organisations ready to move from policy to infrastructure — and from shadow AI to something their compliance team can actually sign off on.