AI concentration risk arises when multiple sectors depend on a small number of foundation model providers, creating single points of failure that can propagate disruptions across the economy. The EU AI Act addresses this partly through GPAI obligations, while financial regulators increasingly treat AI concentration as a systemic risk.
AI Concentration Risk: Dependency on Few Providers and Systemic Implications
The Concentration Problem in AI
The AI industry exhibits extreme concentration at the foundation model layer. A small number of providers (OpenAI, Google DeepMind, Anthropic, Meta) supply the base models that thousands of downstream applications depend upon. This concentration creates systemic risk: an outage, security breach, or policy change at a single provider can simultaneously disrupt banking, healthcare, legal services, and critical infrastructure across multiple jurisdictions.
The EU Digital Markets Act (Regulation 2022/1925) designates gatekeepers in digital markets. While foundation model providers are not yet designated as gatekeepers, the Commission has signaled interest in assessing whether AI model markets exhibit gatekeeper characteristics.
Concentration Risk Dimensions
| Dimension | Risk Description | Example Scenario |
|---|---|---|
| Infrastructure | Dependency on few cloud providers for AI training and inference | AWS, Azure, or GCP outage disabling AI services across sectors |
| Model | Dependency on few foundation models | GPT-4 API deprecation affecting thousands of applications simultaneously |
| Data | Training data sourced from concentrated internet platforms | Platform access policy change eliminating training data sources |
| Talent | AI research talent concentrated in few organisations | Hiring freeze or acquisition removing key research capacity |
| Compute | GPU supply controlled by single manufacturer | NVIDIA supply constraints limiting AI training capacity globally |
Regulatory Responses to AI Concentration
The EU AI Act imposes specific obligations on providers of general-purpose AI (GPAI) models under Articles 51-56. Providers of GPAI models with systemic risk (those trained with more than 10^25 FLOPs or designated by the Commission) must conduct model evaluations, assess and mitigate systemic risks, track and report serious incidents, and ensure adequate cybersecurity. These provisions are the first regulatory attempt to address concentration risk at the model layer.
The European Systemic Risk Board (ESRB) has flagged AI concentration as a potential source of systemic risk to financial stability. The Bank of England's Financial Policy Committee has similarly noted concentration risk in AI model and cloud provision as an area of supervisory focus.
Financial Sector Implications
The Digital Operational Resilience Act (DORA, Regulation 2022/2554) requires financial entities to manage ICT third-party risk, including concentration risk. Article 29 mandates that financial entities assess whether ICT third-party dependencies create concentration risks. AI model providers may be designated as critical ICT third-party service providers under Article 31, subjecting them to direct oversight by the European Supervisory Authorities.
Diversification Strategies
- Maintain the ability to switch between foundation model providers (multi-model architecture)
- Invest in open-source model capabilities as alternatives to proprietary models
- Distribute AI workloads across multiple cloud providers
- Develop internal model fine-tuning and evaluation capabilities to reduce dependency on provider benchmarks
- Contractually secure data portability and model portability provisions with AI vendors
- Maintain fallback procedures for critical functions that can operate without AI assistance
Assessing Your Concentration Exposure
Organisations should map their AI dependency chain from compute hardware through cloud infrastructure, foundation models, fine-tuned models, and application layers. At each layer, identify the number of viable alternative providers, switching costs and timelines, contractual lock-in provisions, and data portability constraints. A dependency where fewer than three viable alternatives exist warrants active diversification planning.
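An added illustration of this mapping exercise (not part of the original article): a small Python inventory that flags dependencies below the three-alternative threshold, providers shared by several business functions, and contractual or portability obstacles to switching. All function names, provider names, field names and figures are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_ALTERNATIVES = 3  # article's threshold: fewer than three warrants planning

@dataclass(frozen=True)
class Dependency:
    function: str        # business function relying on this dependency
    layer: str           # position in the chain, hardware up to application
    provider: str
    alternatives: int    # viable alternative providers at this layer
    switch_months: int   # estimated switching timeline
    lock_in: bool        # contractual lock-in provision present
    portable: bool       # data can be exported in a usable form

# Constructed inventory; providers and figures are placeholders.
INVENTORY = [
    Dependency("fraud-scoring", "compute hardware", "gpu-vendor-a", 1, 18, False, True),
    Dependency("fraud-scoring", "cloud infrastructure", "cloud-a", 2, 9, True, True),
    Dependency("fraud-scoring", "foundation model", "model-api-a", 3, 4, False, True),
    Dependency("claims-triage", "cloud infrastructure", "cloud-a", 2, 9, True, True),
    Dependency("claims-triage", "foundation model", "model-api-a", 3, 4, False, False),
    Dependency("doc-search", "foundation model", "open-weights-b", 5, 2, False, True),
]

def diversification_candidates(deps):
    """Distinct (layer, provider) pairs below the threshold, slowest exit first."""
    worst = {}
    for d in deps:
        if d.alternatives < MIN_ALTERNATIVES:
            key = (d.layer, d.provider)
            worst[key] = max(worst.get(key, 0), d.switch_months)
    return sorted(worst, key=lambda k: (-worst[k], k))

def shared_points_of_failure(deps):
    """Providers that more than one business function depends on."""
    users = defaultdict(set)
    for d in deps:
        users[d.provider].add(d.function)
    return {p: sorted(f) for p, f in users.items() if len(f) > 1}

def exit_blockers(deps):
    """(function, provider) pairs where lock-in or non-portable data hinders switching."""
    return sorted({(d.function, d.provider) for d in deps
                   if d.lock_in or not d.portable})

if __name__ == "__main__":
    print(diversification_candidates(INVENTORY))
    print(shared_points_of_failure(INVENTORY))
    print(exit_blockers(INVENTORY))
```
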
The Open Source Dimension
Open-weight models (such as Meta's Llama series) partially address concentration risk by enabling organisations to host models independently. However, open-weight distribution does not fully eliminate concentration: training capability remains concentrated among organisations with sufficient compute resources, and fine-tuning on proprietary data may create new dependencies on data providers. The EU AI Act's GPAI provisions apply to open-source models under certain conditions specified in Article 53(2), though with reduced obligations for genuinely open-source models that are freely accessible.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.