# Dependency as Strategic Risk: AI Supply Chains Under Geopolitical Stress
Every generation of executives discovers, sooner or later, that what they had treated as a commodity was in fact a strategic dependency. The semiconductor crisis of 2020 to 2023 was such a discovery for the automotive industry, which lost more than 210 billion dollars in revenue in 2021 alone because it had classified chips as a generic input. The question that this essay pursues, grounded in the analytical framework of the book ALGORITHMUS. Wer die KI kontrolliert kontrolliert die Zukunft, is whether the same misclassification is now being repeated, silently and at scale, with artificial intelligence services, foundation model APIs and cloud infrastructure. The answer, as Dr. Raphael Nagel (LL.M.) argues throughout that volume, is that the misclassification has already happened. What remains open is whether boards will correct it while the cost of correction is still measurable, or only afterwards, when the cost has become structural.
## The Lesson of the Semiconductor Crisis
Between 2020 and 2023, a combination of pandemic-related supply chain disruption and a parallel surge in electronics demand produced a shortage that the automotive industry had considered statistically improbable. Volkswagen was unable to build roughly 600,000 vehicles. Toyota missed around one hundred thousand units. General Motors, Ford and Stellantis reported comparable gaps. AlixPartners put the total lost revenue of the global automotive sector in 2021 alone at more than 210 billion dollars. These numbers are not, at their core, a logistics story. They are an epistemic story about how an entire industry had categorised a critical input.
For decades, the just-in-time doctrine had treated semiconductors as an undifferentiated commodity, to be ordered when needed and held in minimal inventory. The doctrine was rational under the assumption that the supply side was redundant, substitutable and politically neutral. None of these assumptions survived the crisis. The supply side was concentrated, specialised and exposed to geopolitical tension. The chip was not a commodity. It was a strategic bottleneck that had been accounted for as a line item.
The deeper lesson is not that the automotive industry failed to forecast a pandemic. It is that its risk framework contained no category for the kind of dependency it actually had. There was operational risk, financial risk, regulatory risk, but no column for structural technological exposure to a small set of foreign suppliers operating under the jurisdiction of foreign export regimes. The crisis did not create the dependency. It merely revealed it.
## Why AI Services Repeat the Pattern
The architecture of artificial intelligence, as described in the chapters on infrastructure in ALGORITHMUS, concentrates rather than distributes. Advanced logic chips for AI training are produced almost exclusively by TSMC in Taiwan. The lithography machines without which those chips cannot be manufactured come from a single Dutch supplier, ASML, which delivers perhaps fifty to sixty EUV units per year. The GPUs that enable frontier model training are designed by NVIDIA, whose data center revenue quadrupled in twelve months and whose hardware was sold out for extended periods in 2023. Three firms, three jurisdictions, one choke point each.
Above this hardware layer sits a second layer of concentration. A small number of hyperscalers, predominantly American, operate the cloud regions on which most enterprise AI workloads run. Above that, a handful of foundation model providers, again concentrated in one political and legal sphere, offer the APIs that are rapidly being embedded into banking workflows, underwriting models, compliance engines, client communications and document pipelines. Each layer has its own dependencies, and the layers compound. A medium-sized bank that integrates a generative model into its onboarding is not depending on one supplier. It is depending on the stability of a vertical stack whose every layer sits behind an export regime, a jurisdictional risk or a commercial bottleneck.
The parallel to the semiconductor case is exact. The dependency is being recorded on the balance sheet as a software subscription or a cloud contract. It is being treated as a commodity. It is not a commodity. It is the same category error that cost the automotive sector 210 billion dollars, now being made in institutions that are legally required to manage operational risk with considerably more rigour than a just-in-time production line.
## The Geopolitical Overlay
The export control package announced by the United States Bureau of Industry and Security on 7 October 2022 altered the meaning of technological dependency. For the first time in modern American export policy, talent flows were used as a control lever: United States citizens and green card holders were prohibited from working for certain Chinese semiconductor firms. Chips above defined performance thresholds could no longer be exported to China. The stated objective, as internally formulated, was not to exclude China from AI but to keep America at least one chip generation ahead. The mechanism of power was time.
European firms are not the addressees of these measures, but they live inside their second-order effects. A European bank that builds its AI stack on American chips in American clouds using American foundation models is indirectly regulated by American export controls, American sanctions regimes and American legal reach. This is not a hypothetical. It is the structural reality of a technological order in which the hardware, the cloud and the model layers are all concentrated in one jurisdiction, while the regulatory frontier in Europe, embodied in the AI Act, concerns itself primarily with use rather than with sovereignty over the substrate.
A dependency of this kind cannot be dissolved by a purchasing decision. But it can be made visible, priced and managed. What cannot be managed is a dependency that the board has never classified as one.
## A Board Checklist for Supply Chain Risk Analysis
The analytical work required of a board is neither exotic nor technical. It is the systematic translation of what is already known about the stack into categories that risk committees can handle. A first question concerns identification. Which technological inputs, from chips through cloud regions to foundation model APIs, does the institution rely on, and through which contractual and jurisdictional paths do they reach the firm? The mapping is rarely complete on the first attempt. Shadow usage of generative tools by business units, embedded AI features in third-party software, and indirect cloud dependencies through service providers all tend to surface only when the question is asked explicitly.
A second question concerns concentration. For each critical input, how many genuinely independent alternative suppliers exist, under which jurisdictions do they operate, and what would be the time and cost of migration? A third question concerns exposure scenarios. What would a six-month interruption of a specific API, a specific cloud region or a specific chip class mean for client service, regulatory reporting, and the continuity of processes that depend on the input? A fourth question concerns reversibility. Where models, data or workflows have been adapted to a specific vendor, how much of the adaptation is portable, and how much is effectively a lock-in that cannot be undone without starting again?
A fifth question, the most uncomfortable, concerns the legal substrate. Under which export regime, sanctions regime and data protection regime does each input sit, and how would a change in that regime, whether in Washington, Beijing, Brussels or The Hague, propagate into the firm? A sixth question concerns governance. Who inside the institution owns this map, who updates it, and to which committee does it report? If the answer is the IT department alone, the dependency has been delegated rather than managed.
## Alternatives for the Mittelstand and Private Banks
The strategic response cannot be technological autarky. No European mid-cap, and no private bank, will build its own frontier model or its own fabrication capacity. The response is differentiation of dependency. Where a foundation model is used for non-critical productivity tasks, concentration on a single provider may be acceptable. Where it touches regulated processes, credit decisions, client communications or sensitive data, the architecture should allow the substitution of the underlying model with limited rework. This is a matter of abstraction layers, contractual clauses on portability, and a conscious refusal to embed vendor-specific dependencies into the core of the process.
Cloud exposure follows the same logic. A private bank that holds all of its AI workloads in one region of one hyperscaler has accepted a concentration that its credit and market risk frameworks would never tolerate in a counterparty context. Multi-cloud arrangements, sovereign cloud offerings where they are genuinely sovereign, and on-premise capacity for the most sensitive workloads are not ideological choices. They are instruments of resilience, to be calibrated against the specific risk profile of each process.
For the Mittelstand, the more promising path, as ALGORITHMUS argues at some length, runs through proprietary domain data. A mechanical engineering firm with four decades of sensor data, a pharmaceutical company with thirty years of clinical observations, a logistics operator with twenty years of route data, each holds a resource that general-purpose models cannot replicate. Building specialised applications on top of such data, with models chosen and, where possible, operated under one's own control, converts a position of dependency into a position of differentiation. The hyperscaler remains a supplier. It ceases to be the owner of the competitive advantage.
## From Checklist to Strategic Posture
A checklist is an instrument, not a strategy. The strategic posture that the checklist serves is the refusal to treat artificial intelligence as an IT theme. As Dr. Raphael Nagel (LL.M.) formulates it in the opening sections of the book, whoever parks the question in the IT department has already delegated a power question, and delegated power questions are not solved but missed. Supply chain risk in AI is a question of this order. It belongs on the agenda of the board, alongside capital adequacy, counterparty exposure and regulatory positioning.
The posture implies a tempo. The semiconductor crisis took roughly three years to move from invisible dependency to balance sheet loss. The equivalent cycle in AI services may be shorter, because the rate at which AI is being embedded into core processes is faster than the rate at which chips were being designed into vehicles. The window for ordered adjustment, rather than panic substitution, is open now and will close gradually. The boards that use it will not be the ones that reacted fastest to the next headline. They will be the ones that, quietly and without drama, had already classified their dependencies correctly.
Dependency is not, in itself, a failure. Every institution depends on suppliers, jurisdictions and infrastructures it does not control. The failure lies in misclassification, in booking a strategic bottleneck as a commodity and discovering the difference only when the bottleneck tightens. The semiconductor crisis was expensive precisely because the category error had been made for decades and was corrected under duress. The analogous error in artificial intelligence is being made now, in real time, in the procurement decisions of banks, insurers, industrial firms and public institutions across Europe. It can still be corrected under conditions of choice rather than conditions of necessity. Dr. Raphael Nagel (LL.M.) argues in ALGORITHMUS that the mechanisms of power in the AI era are, at their core, infrastructural: chips, clouds, models, data, talent. A board that maps these mechanisms onto its own balance sheet, that asks where it depends, on whom, under which jurisdiction and with what reversibility, does not thereby escape dependency. It does, however, begin to govern it. That is the difference between an institution that is subject to the architecture of the new order and one that has taken a position within it. The essay that a book can offer ends here. The work that a boardroom must do begins.