I build AI that remembers, and I build it open. For me that isn't a marketing choice, it's a conviction: AI in real enterprise use belongs in the open. Not out of ideology, but because it's the only way you truly know what happens with your own data. Let me make the case, and be honest about where it breaks down.
Most companies pick their AI by the model. Which one is strongest, fastest, cheapest. To me that's the wrong first question. The first question is: can you verify what the system does with what you entrust to it? For almost everything sold as enterprise AI today, the honest answer is no. You get a promise, not a right to inspect.
The comfort of "open weights" doesn't hold
A reflex I see often is to reach for an open model. It feels sovereign, but it doesn't deliver what the name suggests. "Open weights" is not the same as open source. The Open Source Initiative has explicitly called Meta's "open" Llama license open-washing. More importantly: even a fully open model doesn't make your application auditable. The model is only the engine. What happens to your data is decided by the layer above it: the application, the memory, the orchestration, the governance. For most vendors, that exact layer stays hidden.
What has to be open, and what does not
So let me put it precisely. Not "AI must be fully open." Rather: the layer that touches your company's data must be open and auditable. The model underneath you may rent and swap like a supplier. The memory and the rules by which your AI handles your knowledge, you should own and be able to inspect. Sovereignty isn't a question of where your data sits, but of who controls the layer that turns it into value.
Why open, and what is wrong with the slogan
Here honesty matters more than the convenient line. "Open source is more secure" is not a defensible claim; the available studies show no systematic security advantage, as a much-cited analysis noted back in 2009. The real reason is older and deeper. It sits in a foundational security text from 1975: a system must not rest its security on the secrecy of its mechanism, only on well-protected secrets like keys and credentials. Translated: the mechanism by which your AI handles your data must not be a trade secret. Openness doesn't give you the vendor's word, it gives you the ability to have auditors of your own choosing look for themselves. To me, that is the whole difference between trust and control.
The honest limits
So that this does not become a sales promise, the limits belong with it. Openness raises your short-term exposure, because attackers can read along. It doesn't guarantee anyone actually audits. And even audited source isn't automatically what ends up running as the binary. Openness is not a seal of approval. It is the precondition that makes auditing possible at all, and that precondition simply does not exist in closed systems.
Why this matters now
That this is not an academic question, the state itself now makes clear. In 2026 Germany's Federal Office for Information Security (BSI) published a criteria catalog that names the core risk directly: "cyber dominance," the ability of vendors to retain permanent access to their customers' systems and data. It isn't an obligation, but it makes measurable what was long only a bad feeling. Anyone who wants to renegotiate, switch, or simply know what is happening tomorrow needs the auditable, transferable layer today.
The uncomfortable objection
Doesn't openness give away your edge? Only if your edge is in the source code. In serious systems it isn't. It's in the architecture of the memory, in the governance, in how humans and machines work together, and in years of execution. That is why a viable business model and real openness don't exclude each other. The path is open core: the core, everything that touches your data, is open and auditable; you pay for operation, efficiency, and support. And when that is meant seriously, there is a promise you can make in public: what is open once never moves behind a paywall.
I don't say this from a distance
My memory core is open source. The system on top we build as open core, under a license that preserves openness instead of extracting from it. It is mid-development, and we build it in the open. I consider that the most honest form of independence. Not "trust us," but "see for yourself."
The real strategic question
It isn't which model you choose this year. It's whether you can inspect, audit, and if needed take over the layer that turns your data into value, at any time. Everything else is borrowed control. And trust you can't verify is just another word for dependence.