Insights · AI governance · 9 June 2026
2,567 senior leaders named their biggest AI-governance concern. Sovereignty came first.
NTT DATA's 2026 report sorts AI “leaders” from everyone else and reports what the leaders prioritize. Two of those priorities point straight at controls that are easy to write into a policy and hard to actually produce: sovereignty you can verify, and a record that proves safe use. Here is what the report found, and where it points.
In December 2025, NTT DATA published a survey of 2,567 senior decision-makers across 15 industries and 35 countries. It sorts the sample into “AI leaders” and everyone else, using self-reported strategy, maturity, and profit, then reports what the leaders do differently. It is industry research from a large consulting firm, not a peer-reviewed study, so the useful reading is narrow: this is what senior buyers say they prioritize, and not proof that any one approach works.
The finding that stood out sits in the governance section. Asked about their biggest governance concern, the leaders did not name model accuracy or cost. Cross-geography data privacy and sovereignty was the single biggest governance concern among AI leaders, flagged by 59.4% of them. The report frames this in terms of where infrastructure is located. We would put it more precisely: where the data sits matters less than which legal regime can compel access to it, which is the point the Schrems II note works through.
The second finding is about proof. As organizations move from pilots to production AI and agents, the report says the question shifts from “Can we do this?” to “Can we prove we did it safely, fairly and profitably every time?” The leaders answer it structurally. 55.9% run a centralized governance model, against 33.3% of the laggards, and they run a platform where the organization defines what to permit or forbid once, then enforces it as policy across data access, prompt safety, logging and retention.
Two more details are worth noting if you are the one accountable for this. The buyer is real and concentrated: 77.8% of leaders have a dedicated Chief AI Officer, and 56.2% run an AI steering committee with legal and security at the table. And the report is clear that the surface is about to widen. It calls agentic AI “the defining leap of the moment” and says leaders will have to govern not only people but the agents acting on their behalf.
Where Mandate fits, and where it does not
Measured against our own product, here is the honest read. Mandate is one layer of the picture the report paints, not the whole thing. It does not set AI strategy, redesign workflows, rebuild applications, reskill staff, or run the change program, and it does not make an organization an “AI leader.” NTT DATA sells the broad transformation and the partner program around it. Mandate is a control layer such a program would deploy, not a competitor to it.
What Mandate does cover is the part those two findings point at. The sovereignty concern becomes a property your counsel can verify, because the platform is Canadian-owned under a jurisdiction you can name. The proof the leaders are asking for is the audit record Mandate produces: hash-chained, signed, and checkable by your own team. And the policy they define once is the policy Mandate enforces in flight, as allow, warn, redact, or block. If you want the boundary in full, the FAQ lays out what we cover and what we leave to the rest of your program.
Read the source
- NTT DATA, 2026 Global AI Report: A Playbook for AI Leaders
  Source for the figures above. A survey of 2,567 senior decision-makers across 15 industries and 35 countries, reported at a 99% confidence level with a 3% margin of error.
- Saeri et al., 2026: which sectors are most exposed to AI risk
  The peer-reviewed counterpart: an independent panel of 272 experts on which AI risks matter most, and the governance instruments still missing.
- Schrems II and why a region label isn’t a legal jurisdiction
  The distinction behind the sovereignty finding above: where data sits matters less than which legal regime can compel access to it.
Why this matters
If AI governance is on your desk, the people who read this report are the people you answer to: a Chief AI Officer, an audit committee, a board that wants to know the program is real. The report gives them the shape of the gap. The honest answer to “what are we doing about it” is layered, and the piece you can put in place now is the control and the record: policy enforced at the point of use, sovereignty you can verify, and an audit trail that proves what happened. That is the part Mandate covers, and we are precise about what it does not. If you want the one-page version with the figures, ask.