Your AI Vendor Has a Vendor. You Have Never Heard of Them.
- Johan Steyn
The model powering the tool your organisation uses was built by a lab you have never reviewed.

Audio summary: https://youtu.be/G22wSv7cfL4
Sign up for my Substack daily AI newsletter here.
See my AI Training course portfolio for corporate Business Leaders here.
Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/
When a South African financial services company deploys an AI tool to summarise client correspondence, the vendor relationship it manages is with the software company that sold it the tool. There is a contract. There is a data processing agreement. There has, in most cases, been some form of due diligence. What that due diligence almost certainly did not surface is the identity of the model at the bottom of the stack — the foundation layer on which the tool was built, whose training data is undisclosed, whose terms of service were never reviewed, and whose originating government’s law may permit access to the data that passes through it. The open source AI revolution has made extraordinarily capable models freely available to anyone who wants to build with them. It has also created an invisible supply chain that runs beneath a significant portion of global enterprise AI — and almost no organisation using it has looked at what is there.
CONTEXT AND BACKGROUND
The scale of open-weight Chinese AI adoption in global enterprise technology is now documented and striking. Alibaba’s Qwen model family is the largest ecosystem on Hugging Face, the world’s primary open source AI platform, with over 100,000 derivative models built on its foundation. Between November and December 2025, seven of the ten most downloaded models on the platform came from Chinese labs — including derivatives of DeepSeek, whose R1 reasoning model matched the performance of the best American systems at a reported fraction of the cost when it launched in January 2025.
One partner at venture capital firm Andreessen Horowitz estimated that roughly 80 per cent of US startups now use Chinese base models to build derivative applications. DeepSeek released a preview of its V4 model on 24 April 2026, open source and available to anyone, and according to analysts at Counterpoint Research it offers excellent agent capability at significantly lower cost than its American competitors. Moonshot AI’s Kimi K2.5 costs a quarter of what OpenAI’s GPT-5.2 costs while matching it on capability scores. The cost argument for Chinese open-weight models is not marginal. It is overwhelming, and it is driving adoption at every level of the enterprise technology stack, including in the tools and platforms that South African and global organisations are deploying right now.
The organisations using these models — directly or through derivative applications — did not, in most cases, make a deliberate choice to adopt Chinese AI. They made a choice to use a tool, and the tool was built on a foundation model they never saw, never evaluated, and never agreed terms with. As Sanchit Vir Gogia, chief analyst at Greyhound Research, observed in a March 2026 Computerworld analysis of the risk implications: enterprises are no longer making a clear, deliberate choice about which AI model they adopt. The open source AI supply chain is invisible, global, and almost entirely ungoverned — and it runs through the centre of enterprise technology in 2026.
INSIGHT AND ANALYSIS
The security implications of this invisible supply chain are not theoretical. The US National Institute of Standards and Technology, through its Center for AI Standards and Innovation (CAISI), evaluated DeepSeek’s models in September 2025 and found that agents built on DeepSeek’s most secure model were, on average, twelve times more likely than agents built on US frontier models to follow malicious instructions injected into the content they were processing. In simulated tests, hijacked agents sent phishing emails, downloaded malware, and exfiltrated user login credentials. The evaluation also noted that Chinese models are subject to political content restrictions, and that enterprises routing workloads through Chinese-linked providers face data jurisdictional risks, a concern that has drawn regulatory scrutiny across Europe and South Korea. Multiple US states, Australia, Taiwan, South Korea, Denmark, and Italy have introduced bans or restrictions on DeepSeek following its January 2025 release, citing privacy and national security concerns. These are not the responses of governments that have reviewed the evidence and found nothing to concern them.
The compliance implications for South African organisations are direct and largely unexamined. POPIA’s Section 72 imposes specific requirements on cross-border transfers of personal information: the organisation responsible for the data must ensure that the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection. A tool that sends client correspondence, employee records, or financial data to a Chinese open-weight model hosted outside South Africa, whether by the originating lab or by a Chinese-linked provider, with undisclosed training data and no verified data residency, does not meet that standard. The distinction between hosted and self-hosted matters in practice: open weights can also be downloaded and run on infrastructure the vendor or the organisation itself controls, in which case no personal information leaves the country and Section 72 is not engaged, and the residual concerns are the model’s undisclosed training data and behaviour rather than the jurisdiction of the data. Most organisations do not know which of the two cases their vendor has put them in, which is precisely the problem. As Cloudgate’s April 2026 analysis of private AI for South African businesses confirms, POPIA carries penalties of up to R10 million and potential imprisonment for responsible individuals in severe cases, and the intersection of AI deployment and cross-border data transfer is becoming urgent in ways that most organisations have not yet addressed. The compliance exposure is real, present, and almost entirely unexamined in the boardrooms of the organisations that carry it.
There is a further dimension that goes beyond security and compliance into something more structurally significant. Chinese AI models are subject to Chinese regulations that prohibit certain categories of content — political topics, historical events, and subjects deemed sensitive under Chinese law.
These restrictions are not disclosed to users. They are embedded in the model’s training and reinforcement learning, shaping what the model will and will not say in ways that are invisible to the organisation deploying it. Tech Policy Press identified this dynamic precisely in its April 2026 analysis of South Africa’s AI infrastructure choices, framing Huawei-hosted DeepSeek integration as creating surveillance dependency in a pattern already documented across Africa — with data stored on infrastructure potentially accessible under Chinese legal frameworks. A legal firm using a Chinese open-weight model to research geopolitical risk, a financial services company using it to analyse China-related investment exposure, or a board using it to brief directors on supply chain vulnerabilities is working with a tool whose outputs are shaped by a political filter it did not agree to and cannot see.
I have previously written about the moment geopolitics entered the AI stack — the reality that a wave of low-cost Chinese models has forced business leaders to confront data sovereignty, compliance, and reputational risk in ways that pure capability benchmarks never required them to. The open-weight supply chain makes that argument more urgent, not less. At least when an organisation uses a proprietary API, it knows whose tool it is using, whose terms it has agreed to, and whose legal framework governs what happens to its data. With an open-weight derivative built on a Chinese foundation model and sold by a third-party vendor, the organisation frequently knows none of those things — and has not thought to ask.
IMPLICATIONS
The practical governance response begins with a question that IDC’s regional head of AI, analytics, and data, Deepika Giri, has put plainly: CIOs should extend risk frameworks to include model lineage, mandating vendors to disclose model origins and training data. That recommendation has not been widely adopted. Standard vendor due diligence processes were designed to evaluate the software company selling the tool: its financial stability, its security certifications, its contractual terms. They were not designed to surface the identity of the foundation model the tool was built on, the legal framework governing that model’s originating lab, or the data jurisdictional risks created by routing enterprise workloads through it. Extending due diligence to reach the foundation layer is not technically complex. It requires adding three questions to a procurement checklist that currently does not contain them: what model is this tool built on, where was that model trained and where does inference on our data actually run, and what do the laws of the originating lab’s government and of the hosting jurisdiction permit in relation to the data that passes through it. The answers should be checked against the model’s published lineage where one exists rather than taken on trust, because a vendor that has never asked its own upstream supplier will not know.
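As an added illustration of how the first of those questions can be answered where a vendor or its upstream has published a Hugging Face-style model card (this is example code, not part of the original article and not a tool from any organisation named in it): model cards carry YAML front matter, and derivative models commonly declare their parent in a `base_model` field, as a string or a list. Walking that field from the tool’s own card back to a model with no declared parent gives the lineage and the publishing organisation at the root. The repository ids and cards below are constructed sample data; a real check would read each card from the repository, for example with `huggingface_hub`, instead of from a dictionary.

```python
"""Resolve a tool's foundation model from Hugging Face-style model cards.

Added example, not code from the article or from any vendor it names.
Model cards carry YAML front matter, and derivative models commonly declare
their parent in a `base_model` field (a string or a list). Following that
field answers the first procurement question: what is this tool built on?
All repository ids and cards below are CONSTRUCTED sample data.
"""
import re
from typing import Dict, List, Optional

FRONT_MATTER = re.compile(r"\A---[ \t]*\n(.*?)^---[ \t]*$", re.S | re.M)
KEY_LINE = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
LIST_ITEM = re.compile(r"^\s*-\s+(.*)$")

# Constructed cards keyed by repository id (hypothetical organisations).
SAMPLE_CARDS: Dict[str, str] = {
    "vendorco/correspondence-summariser":
        "---\nlicense: other\nbase_model: vendorco/finance-tune-7b\n"
        "tags:\n- finance\n- summarisation\n---\n# Correspondence summariser\n",
    "vendorco/finance-tune-7b":
        "---\nbase_model: lab-x/foundation-7b-instruct\n---\n",
    "lab-x/foundation-7b-instruct":
        "---\nbase_model: [lab-x/foundation-7b-base]\n---\n",
    "lab-x/foundation-7b-base":
        "---\nlicense: apache-2.0\n---\n# Base model\n",
    "vendorco/merged-assistant":          # a merge declares several parents
        "---\nbase_model:\n- lab-x/foundation-7b-instruct\n- lab-y/reasoner-8b\n---\n",
    "vendorco/orphan-tool":               # parent card is not available to us
        "---\nbase_model: someone/private-model\n---\n",
    "vendorco/undocumented-tool":         # no front matter at all
        "# Undocumented tool\nWorks great.\n",
}


def parse_front_matter(card: str) -> Dict[str, object]:
    """Minimal YAML front-matter reader: scalars, inline lists, block lists."""
    match = FRONT_MATTER.match(card)
    if not match:
        return {}
    meta: Dict[str, object] = {}
    key: Optional[str] = None
    for line in match.group(1).splitlines():
        kv = KEY_LINE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if value.startswith("[") and value.endswith("]"):
                meta[key] = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
            elif value:
                meta[key] = value.strip("'\"")
            else:
                meta[key] = []          # a block list follows on the next lines
            continue
        item = LIST_ITEM.match(line)
        if item and key is not None and isinstance(meta.get(key), list):
            meta[key].append(item.group(1).strip().strip("'\""))
    return meta


def base_models(meta: Dict[str, object]) -> List[str]:
    """The declared parent(s); an empty list when none is declared."""
    raw = meta.get("base_model", [])
    return [raw] if isinstance(raw, str) else [r for r in raw if r]


def trace_lineage(repo_id: str, cards: Dict[str, str], max_depth: int = 20) -> Dict[str, object]:
    """Follow `base_model` links until the chain ends.

    Status values: no_parent_declared (a true root, or a derivative whose
    author omitted the field: it is self-reported, so absence is not proof),
    unresolved (the parent's card is not available), merge (several parents),
    cycle, or depth_exceeded.
    """
    chain = [repo_id]
    for _ in range(max_depth):
        card = cards.get(chain[-1])
        if card is None:
            return {"chain": chain, "status": "unresolved"}
        parents = base_models(parse_front_matter(card))
        if not parents:
            return {"chain": chain, "status": "no_parent_declared"}
        if len(parents) > 1:
            return {"chain": chain, "status": "merge", "parents": parents}
        if parents[0] in chain:
            return {"chain": chain, "status": "cycle"}
        chain.append(parents[0])
    return {"chain": chain, "status": "depth_exceeded"}


def lineage_report(repo_id: str, cards: Dict[str, str]) -> Dict[str, object]:
    """Add the root model and its publishing organisation, when determinable."""
    result = trace_lineage(repo_id, cards)
    root = result["chain"][-1] if result["status"] == "no_parent_declared" else None
    result["root"] = root
    result["root_org"] = root.split("/")[0] if root and "/" in root else None
    return result


if __name__ == "__main__":
    for repo in SAMPLE_CARDS:
        r = lineage_report(repo, SAMPLE_CARDS)
        print(f"{repo}: {r['status']}; chain={' -> '.join(r['chain'])}; root_org={r['root_org']}")
```

Two caveats belong on the checklist next to this check. The `base_model` field is self-declared, so a card without it (the `undocumented-tool` case above) proves nothing, and weights can be re-uploaded under a new name with no attribution at all; an `unresolved` or `no_parent_declared` result is a question for the vendor, not an answer. And lineage says nothing about where inference runs, which is the separate question on which the Section 72 exposure actually turns.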
For South African organisations specifically, the data sovereignty dimension carries an additional urgency. South Africa is simultaneously building genuine domestic AI infrastructure: Altron’s AI factory at Teraco’s Johannesburg data centre and Cassava Technologies’ deployment as Africa’s first NVIDIA cloud partner represent real and significant investment in locally governed compute. As the Jurist’s February 2026 analysis of AI sovereignty in South Africa argues, AI sovereignty means a country’s capacity to understand, deploy, and develop AI systems while retaining control, agency, and self-determination over them, and that capacity is undermined every time an organisation embeds a foreign foundation model into a critical workflow without examining the dependency it is creating. Infrastructure decisions made now determine what is renegotiable later; for data already processed by ungoverned offshore-linked models, very little is.
CLOSING TAKEAWAY
The open source AI revolution is real, valuable, and genuinely democratising. The ability to access frontier-competitive AI capability at a fraction of the cost of proprietary alternatives has created a genuine opportunity for organisations that could not previously afford to deploy AI at scale. None of that changes what the invisible supply chain beneath that capability actually contains — or the fact that most organisations using it have never looked. Your AI vendor has a vendor. That vendor may be subject to laws that permit government access to the data passing through their model. Their training data is undisclosed. Their political content filters are invisible. And nobody in your procurement process has ever asked about any of it. The boardroom question that needs to be added to every AI governance agenda in 2026 is not whether to use open-weight models. It is whether the organisation knows which ones it is already running — and what it has agreed to by running them.
Author Bio: Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net