Partnership
Can AI be trusted?
Why trust in AI is fragile
GenAI was adopted at remarkable speed by everyone from pupils to lawyers to sales agents, all using it to make their work more efficient. But the lessons came quickly: alongside the efficiency gains, a general sense of insecurity and a lack of trust set in.
The reasons are not hard to find. The same tool that drafts a contract in seconds also sends that contract to a server you do not own, in a country whose laws you did not choose. The model that summarizes patient notes might be retaining them. The assistant that answers a customer might be quietly trained on the conversation. None of this was obvious at first, because the output looked the same either way: fluent, fast, convincing. The risk was never in only what the AI said. It was in where the data went, who could see it, and whether anyone could reconstruct what happened after the fact.
That is what makes trust in AI fragile. It is not that the technology fails loudly, but it is that it works beautifully while quietly doing things you cannot see. A system you cannot inspect asks you to take its safety on faith, and faith does not survive a regulator's audit, a client's due diligence questionnaire, or a breach notification. "We assume it is fine" is not a position regulated companies can defend.
So the question is not whether AI is useful. That is already settled. The question is whether it can be trusted in the places where trust is not optional. And to answer that, you have to look at what can actually go wrong.
The real threats
Data security
Data breaches and leaked information make the news almost weekly, yet we keep feeding sensitive data into tools without knowing where it goes. Every prompt enters a black box. If security and permission policies are not taken seriously, trust turns into exposure fast.
Prompt injections
A threat far fewer people know about is prompt injection: malicious instructions hidden in a website, a document, or an email that the AI reads. The system quietly follows them instead of you, changing its behaviour or handing over information that was never meant to leave.
Image rights
Some AI tools use images without the original creator's consent, both for training models and for generating new content. The most visible cases involve fabricated images of public figures, but the same techniques work on anyone: an employee, an executive, you. And for companies, the risk runs both ways; the content your AI generates might reproduce someone else's protected work, and the liability for that is rarely spelled out.
Cost
It always starts cheap: a free tier, a low per-token price, a demo that costs almost nothing. Then adoption grows. Subscriptions get purchased, upgraded, stacked, and per-request pricing that looked harmless at pilot volume scales with every user you add. The tool did not get more expensive, you started actually using it. And usage-based pricing is designed for exactly that moment.
How to build trustworthy AI
Every threat above has the same root: the AI runs somewhere you do not control, on a model you cannot inspect, in a way you cannot prove after the fact. Trustworthy AI is not a feature you switch on. It is a set of architectural decisions made before the first prompt is ever sent. Five of them matter most.
Run on your own or controlled infrastructure
The single most effective way to stop a data breach is to make sure the data never leaves the building. When inference runs on hardware you own or govern, there is no third-party API to log your prompts, no external cache holding your inputs, and no silent egress to a provider's training pipeline. The question "where does our data actually go?" stops being a matter of trust and becomes a matter of network topology, something your own team can verify.
Use open source, inspectable models
A closed model is a black box twice over: you cannot see how it was trained, and you cannot see what it does with your data at runtime. Open-source models remove the second unknown entirely. You can read the weights, run the model in isolation, swap it for another, and confirm for yourself that nothing phones home. Inspectability is not an ideological preference here, but it is what lets a security or compliance team sign off with evidence rather than assurances. It also answers half of the image rights problem: when you choose the model, you can choose one with documented training data and a license that permits your use, instead of inheriting whatever a provider scraped.
Keep compute on your own hardware
Data breaches, prompt injection, and silent egress all assume the same thing: that your inference runs somewhere reachable from the outside. Remove that assumption and most of the attack surface disappears with it. When the model runs on the hardware you own, inside your own network perimeter, there is no external endpoint to breach, no shared tenancy to escape and no route out to a third party in the first place. The supercomputer sits in your server room, not in a data center you will never see. A prompt injection that tries to exfiltrate data has nowhere to send it because there is no egress path to abuse. This is what we mean by sovereign by architecture, not by contract, which means in practice that your data does not stay put because a provider promised it would, it stays put because there is physically nowhere else for it to go.
Make cost a property you control, not a meter you watch
The fourth threat, cost explosion, is the one people underestimate because per-token pricing looks cheap at the demo stage. It stops looking cheap the moment adoption is real. Rented AI is priced for bursty workloads at around 15 percent utilization. But an AI feature that people actually use, especially always-on agents, runs closer to 80-90%, and at that level the meter never stops. We call this the Utilization Inversion: below a certain usage threshold the cloud is cheaper, and above it, owning your inference wins: at high utilization, by roughly 80 percent compared to the equivalent cloud capacity. Owning the hardware turns a variable bill you cannot forecast into a fixed cost you already paid. There is no surprise invoice after a busy quarter, and no incentive to ration usage to stay under budget.
Instrument everything so you can prove it, not just claim it
The three decisions above close the gaps. This last one is what lets you demonstrate to an auditor, a regulator, or your own board that they are closed. Trust that cannot be shown is just a different kind of assurance. On the infrastructure you control, you can log every request, track every token, see exactly which model handled which prompt, and produce that record on demand. Sovereignty becomes a property you can point to in a network diagram and an audit trail, not a clause you hope holds up. For a company with sensitive data, "we can prove it" is the difference between a pilot and a production deployment.
The same record is your answer to the other half of the image rights question. Architecture cannot stop a model from generating something too close to protected work, no infrastructure can. But a full log of which model produced which output, from which prompt, is what lets you investigate a claim, remove the content, and show you acted responsibly. Vendor indemnification pays out after the damage. Provenance lets you catch it before it ships.
The vendor checklist
Before you sign with any AI vendor, put these seven questions in the room. The answers separate architecture from assurances.
Where does our data physically go when we send a prompt, and can you show it on a network diagram?
Can we run this entirely inside our own perimeter, with no external egress?
Can we read the model weights and run them in isolation?
Do you log every request and token in a record we can hand to an auditor?
Is our data ever used for training, caching, or retention, even temporarily?
What happens to our cost curve at 80-90% utilization, not just at demo volume?
Who is liable if the model reproduces copyrighted content?
A vendor built on the five decisions above can answer all seven with evidence. Anyone else will answer with a contract.
Conclusion
Trust in AI is fragile because most systems ask for it on faith. The alternative is not to trust harder, but to build on architecture where faith is unnecessary: infrastructure you control, models you can inspect, costs you own, and records that prove it. If a vendor can answer the seven questions above with evidence, you are looking at that architecture. If they cannot, you now know what to ask for.
This guide was co-written by Tealstack and Xinity. If any of these questions are open in your company, book a call with us.