AI Access Is a Supply Chain Risk and Nobody Has Put It in the Risk Register

May 15, 2026

Three years ago, "chip shortage" wasn't in most organizations' operational vocabulary. Then it was the only thing boards wanted to talk about. The lesson from that period wasn't that supply chains are fragile - everyone knew that. The lesson was that dependencies on geopolitically sensitive resources get weaponized faster than organizations can react.

Frontier AI access is the same category of risk. It's geographically concentrated, controlled by a small number of actors, and already subject to government influence that's increasing rather than decreasing. Organizations planning five-year AI strategies that assume stable, unrestricted API access are making the same mistake that just-in-time manufacturers made before 2020.

A risk register that doesn't include "what happens if our AI vendor restricts access for regulatory or geopolitical reasons" is incomplete. Not hypothetically - this is already happening with cybersecurity-adjacent models. The question is whether it spreads to the general-purpose capabilities most organizations are building on.

The organizations that took semiconductor supply seriously before 2020 had options. The ones that didn't spent two years scrambling. AI access is following the same curve, just faster. The window to treat it as a manageable risk rather than an emergency is shorter than most people think.

None of this applies equally across the board. The risk is material for organizations whose core business model structurally depends on access to frontier-adjacent capabilities - not for those that have added AI as a layer on top of something else. For the latter, disrupted access is an inconvenience, not a structural threat, and the damage ceiling doesn't justify a hardware investment. Private GPU infrastructure is expensive, nearly impossible to keep utilized at single-organization scale, and the hardware bought today will be economically marginal before it's fully amortized. The question isn't whether to build your own - the answer to that is almost certainly no. The question is whether your current level of dependency on external AI access has even been named.