The Open-Source Gambit: Did DeepSeek Ignite an AI Arms Race?

On January 20, 2025, DeepSeek stunned the industry with the release of R1, an open-source, cost-efficient AI model that rivaled OpenAI’s GPT-4 on multiple benchmarks. Much like ChatGPT’s viral debut in November 2022, DeepSeek-R1 quickly became a sensation, hailed by enterprises seeking affordable generative AI solutions and governments eyeing it as a fast-track platform to sovereign LLM.

However, the euphoria was short-lived.

On January 29, 2025, cybersecurity researchers uncovered a massive data breach, exposing over one million sensitive records linked to DeepSeek’s AI platform. Almost simultaneously, leading risk and security firms, including Qualys, Inc. and Encrypt AI, raised alarms over DeepSeek’s toxic content generation, vulnerability to jailbreak attacks, and deeply ingrained biases. What began as an AI revolution spiraled into a security nightmare, forcing global regulators to take action.

The Red Flag: Data Sovereignty and National Security

DeepSeek’s privacy policy states that all user data is stored in China, where stringent national security laws compel companies to share data with government agencies upon request. This revelation set off alarms across Europe, prompting privacy watchdogs in Ireland, France, Belgium, and the Netherlands to investigate DeepSeek’s data collection practices. Several national governments have already banned the application over security risks.

Despite DeepSeek’s open-source availability on platforms such as Hugging Face, most users interact with it through mobile apps or web versions, exposing them to potential data surveillance risks. Most government agencies are expected to eventually restrict the use of all foreign AI models, whether ChatGPT or DeepSeek, for official use, driving a stronger reliance on sovereign AI models tailored to national security and regulatory requirements. In contrast, enterprises will retain the flexibility to adopt a best-of-breed AI approach, leveraging both homegrown and international models, as long as they comply with local data protection laws and industry regulations across their regions of operations. As governments and enterprises weigh the implications, one thing is certain: the AI battlefield is evolving, and DeepSeek has reshaped the global conversation on open-source innovation.

DeepSeek’s Sputnik Moment

While governments impose restrictions on DeepSeek’s application layer, its core AI models remain open source, allowing enterprises to host them locally and bypass security concerns. Some have already seized the opportunity—India’s Yotta Data Services recently launched myShakti, the country’s first sovereign B2C generative AI chatbot, built on DeepSeek’s model but operating entirely on Indian servers. Similarly, Elevenlabs, a synthetic voice startup, has integrated DeepSeek-R1 into its products.

Until now, only two major AI players, Meta and Mistral, had made their AI models open source. But DeepSeek’s rise has reshaped the landscape, forcing a strategic rethink. Governments and tech companies worldwide are now accelerating efforts to build indigenous AI models tailored to local languages, cultural contexts, and national datasets, dismantling Silicon Valley’s monopoly over AI.

• • European Union: The European Commission plans to invest around €54M in OpenEuroLLM, an ambitious open-source initiative designed to rival ChatGPT and DeepSeek. OpenEuroLLM, a consortium of 20 top European institutions, companies, and EuroHPC centers, aims to develop high-performance, multilingual AI models for commercial and public-sector use.
  • India: AI startup Krutrim has made its AI models open source and is establishing an AI lab with an initial investment of $240M, which will scale to $1.2B by 2026.

DeepSeek did not just disrupt the AI industry; it sparked a geopolitical AI arms race. The battle for AI sovereignty has begun. While multiple governments have banned DeepSeek over security concerns, its impact on AI’s trajectory is definite. Just as Sputnik’s launch in 1957 ignited the space race, DeepSeek has triggered a reckoning in AI strategy, forcing the world to reconsider the balance between accessibility, security, and sovereignty.

Opportunities and Risks for Enterprises

The emergence of lightweight open-source AI models such as DeepSeek presents a paradigm shift for enterprises. They offer unprecedented cost advantages and customization capabilities while introducing new security, compliance, and operational risks.

Key opportunities

1. 1. Data sovereignty and control: Deploying lightweight open-source AI models locally or on a private cloud helps enterprises retain full control over data privacy, security, and compliance, mitigating risks associated with third-party cloud-based AI solutions. It also allows enterprises to fine-tune models on proprietary data, enabling industry-specific solutions tailored to unique business needs. This is particularly beneficial for highly regulated industries such as banking, healthcare, and government services.
   2. AI democratization and workforce enablement: With open-source AI, enterprises can democratize AI usage. This will eliminate expensive licensing costs and make advanced AI capabilities accessible across departments, empowering employees to integrate AI into workflows. A hybrid approach—leveraging open source for internal innovation and low-risk tasks while using enterprise-grade AI solutions for sensitive, customer-facing applications—will help optimize cost and security.
   3. Faster time to market: The ability to self-host AI models on enterprise infrastructure will reduce dependence on a handful of big tech providers. Companies can experiment more freely and iterate faster on AI-driven products and services without being locked into vendor ecosystems.

Key risks

1. 1. AI governance and shadow AI risks: The accessibility of open-source AI increases the risk of shadow AI, where employees use unapproved models for sensitive tasks without IT oversight. This can lead to compliance breaches, security vulnerabilities, and data governance challenges. Enterprises must deploy AI observability tools to monitor usage, enforce policies, and mitigate risks. As regulations tighten on cross-border data flows and the use of open-source AI models, compliance with regional frameworks such as GDPR and India’s Digital Personal Data Protection Act will add complexity, requiring proactive governance and model transparency measures.
   2. Bias and ethical risks: Without rigorous oversight, open-source AI models can inherit biases from their training data. Enterprises leveraging these models must continuously audit outputs to prevent toxic, biased, or legally non-compliant content generation, especially in HR, finance, and legal applications.
   3. Limited user support and accountability: Unlike proprietary AI platforms that offer dedicated user support, compliance assurances, and security patches, open-source AI models require internal expertise for troubleshooting, maintenance, and risk mitigation. Companies must build strong in-house AI governance and observability frameworks to manage the reliability of open-source AI models.

By Chandrika Dutt, Research Director