European enterprises are about to spend a quarter of a trillion euros on AI — and most of them cannot tell, with any precision, what data their AI systems are allowed to touch.
That is the uncomfortable subtext beneath IDC’s latest Worldwide AI and Generative AI Spending Guide, which projects AI spending across Europe will reach $290 billion (or almost €250 billion) by 2029, growing at a compound annual rate of 33.7%. Software alone accounts for 58.5% of the 2026 total, with AI platforms expanding at 52.5% annually to support the build-out of agentic components across industries. Carla La Croce, IDC’s research manager for Data and Analytics, described the shift as a market rapidly transitioning from experimental to operational and strategic, with agentic AI making the transformation more urgent and more profound than many anticipated.
Urgency is the right word. Preparedness is a different question entirely.
The Spending Curve and the Governance Curve Have Decoupled
Survey after survey in the last twelve months has documented the same gap. The Cyera 2025 State of AI Data Security Report found that 83% of enterprises already use AI in daily operations, but only 13% have strong visibility into how AI is being used. The DTEX 2026 Insider Risk Investigations Report tells a parallel story from inside the organisation. Namely, the fact that 92% of firms say generative AI has fundamentally changed how employees access and share information, yet only 13% have formally integrated AI into their business strategies. 73% worry that unauthorised AI use is creating invisible data loss pathways.
These are not gaps that $290 billion in spending will automatically close. In many ways, the spending accelerates the problem. Every new AI platform procurement, every agentic workflow, every retrieval-augmented generation pipeline pulls more sensitive data closer to systems the organisation cannot fully observe, cannot easily audit, and cannot, in most cases, cleanly withdraw data from once it has been ingested.
The 2026 Cisco Data Privacy Benchmark Study captures the pressure this creates. Outright bans on AI usage have collapsed from 28% of organisations in 2025 to just 7% in 2026 — a 21-point drop in a single year. Enterprises have stopped saying no to AI. They have not, in the main, figured out how to say yes safely.
Europe’s Regulatory Layering Raises the Stakes
Europe is not a generic market for this problem. It is the market where the consequences will arrive first and cut deepest.
The EU AI Act’s general-purpose AI obligations took effect in August 2025. High-risk provisions become fully enforceable in August 2026. Meanwhile, GDPR enforcement has already demonstrated that regulators will act against AI training that lacks a lawful basis — from Italy’s Garante fining OpenAI €15 million in late 2024, to Ireland’s Data Protection Commission securing an undertaking from X to suspend Grok training on EU users’ posts, to the European Data Protection Board’s December 2024 Opinion concluding that AI models trained on personal data cannot, in all cases, be considered anonymous.
The Kiteworks 2026 Data Security and Compliance Risk Forecast Report found that 44% of European respondents cite provider sovereignty guarantees as a top concern, 40% flag EU AI Act obligations directly, and 34% are already reshaping their approach to training data location based on sensitivity classifications. Fifty-five percent plan to invest in compliance automation over the next two years. These are not abstract anxieties. They are budget lines.
And they sit on top of a practical control gap. The same report found that 63% of organisations cannot enforce purpose limitations on AI agents, 60% cannot terminate a misbehaving agent, and only 43% have a centralised AI data gateway. Governance controls such as monitoring, logging, and policy definition run ahead of containment controls such as agent scoping, kill switches, and network isolation by 15 to 20 percentage points. The industry has invested in watching. It has not invested in stopping.
The Assumption That Model-Level Controls Are Enough Is Wrong
Here is where current approaches break. Most enterprise AI governance programmes are anchored to the model through guardrails, content filters, safety training, and alignment. That layer matters. It is also, on its own, insufficient.
Academic research has made this unambiguous. A study of 36 real-world LLM-integrated applications found 31 of them (86.1%) susceptible to prompt injection. The NeurIPS 2024 AgentDojo benchmark demonstrated that state-of-the-art LLMs achieve less than 66% task completion even in benign conditions, and that defences reducing attack success rates also significantly degrade utility. A 2026 IEEE Symposium on Security and Privacy paper analysing 17 third-party chatbot plugins used by over 10,000 public websites found 15 of them enable indirect prompt injection because they fail to distinguish trusted from untrusted content.
Therefore the model cannot be trusted to defend itself. Safety training is not a security control. Alignment is not access control. The CrowdStrike 2026 Global Threat Report adds the adversary context — an 89% increase in AI-enabled adversary attacks, with 82% of detections now malware-free. The people targeting your AI systems are not trying to trigger your endpoint agent. They are trying to get the AI to hand them the data itself.
What Needs to Change: Governance at the Data Layer, Not the Model Layer
The architectural shift is straightforward to describe and harder to execute. Enterprises need to stop treating the AI system as the governance boundary and start treating the data itself as the governance boundary.
This means every request an AI agent makes to a sensitive repository passes through four non-negotiable checkpoints. First, authenticated identity linked to a human authoriser, typically via OAuth 2.0, so there is no anonymous AI. Second, real-time attribute-based access control evaluated against agent identity, data classification, and request context. The very same policy logic the organisation already applies to human users, extended to machine actors. Third, validated encryption in transit and at rest, so the data never moves in the clear and never sits in the clear. Fourth, a tamper-evident audit trail streamed to the SIEM in real time, so the answer to “what did the agent access” is a report, not a forensic investigation.
This is the architectural pattern Europe’s regulatory trajectory increasingly demands. Controls at the infrastructure layer. Evidence artifacts that satisfy auditors on demand. Response readiness for data access requests, vendor failures, and cross-border transfer scenarios.
The Real Question for 2026
When a European bank’s autonomous trading assistant pulls client portfolios into a third-party inference service at three in the morning, whose GDPR obligation was that? When a hospital’s AI scribe summarises patient notes into a vendor’s logging pipeline, which Data Protection Officer signs off after the fact? These are not hypothetical edge cases. They are the ordinary consequences of building multi-agent systems on top of a data governance model that was designed for humans clicking buttons.
The $290 billion is going to be spent regardless. IDC’s forecast is not a recommendation; it is a description of a decision already made in thousands of European boardrooms. What remains undecided is whether that spend produces durable competitive capability or a growing pile of regulatory liabilities waiting for their first enforcement action.
Governance at the data layer is what separates the two outcomes. Every enterprise that gets this architecturally right in 2026 will spend the next five years compounding the advantage. Every enterprise that gets it wrong will spend those same five years explaining to regulators, customers, and shareholders why they did not.
