According to a news item published with a date of May 31, 2026, IBM is making a massive $15 billion investment in the fields of quantum and artificial intelligence security. Such an announcement would be market-shaping on its own, promising progress at the intersection of the two hottest technological domains. However, looking behind the news reveals a completely different, and perhaps more instructive, story for businesses. The body of the article is not about the promised investment at all, but about methods of user data collection and usage.
This kind of discrepancy highlights one of the most pressing challenges for companies operating in the digital age: the gap between surface-level information and the underlying technological and legal reality. At AIQ, we work with this reality every day, and this case is a perfect example of why a critical perspective and in-depth auditing are essential in all matters concerning AI.
The Anatomy of Digital Noise: Headline vs. Content Contradiction
The most crucial element of this news is the stark contrast between its title and content. While the headline announces a strategic, forward-looking security investment, the body text details the following data processing practices:
- Use precise geolocation data.
- Actively scan device characteristics for identification.
- Store and/or access information on a device.
According to the article, all this is done for the purpose of “personalised advertising and content, advertising and content measurement, audience research and services development,” and it also mentions a “List of partners (vendors).” From an AIQ standpoint, this text is most likely an automatically inserted privacy notice or cookie consent panel that has, due to a technical error, overwritten the original article. The future publication date of 2026 further strengthens the suspicion that we are dealing with a significant anomaly.
In a corporate context, this means that decision-makers and development teams should never rely solely on news headlines. The noise of the digital ecosystem—from incorrectly aggregated news to misleading marketing materials—requires thorough verification of sources and critical analysis of content before drawing strategic conclusions.
Data Collection as an AI Security Risk: A GDPR and EU AI Act Perspective
Although the article’s content was likely misplaced by accident, the practices it describes perfectly illuminate the legal and security risks of AI systems’ data appetite. From AIQ’s perspective, these points are directly linked to the most stringent European regulations.
- GDPR Compliance: “Precise geolocation data” and “actively scan[ning] device characteristics” (device fingerprinting) are clearly classified as personal, and often special category, data under the GDPR. Collecting and processing them requires a very strong legal basis (typically explicit consent) and strict data security measures. The “List of partners” raises complex questions of cross-border data transfers and joint controller responsibilities, which deserve special attention during any audit.
- EU AI Act Compliance: The European Union’s AI Act applies a risk-based approach. An AI system that performs profiling, personalization, or behavioral influence based on the data described above could easily fall into the “high-risk” category. This would entail mandatory conformity assessments, transparency requirements, and continuous monitoring. The stated purpose of the data collection (“personalised advertising,” “audience research”) is precisely the area the AI Act aims to regulate.
From an AIQ standpoint, it is no longer sufficient for companies to focus only on the accuracy of their models. The legal and ethical audit of data collection processes is now an indispensable part of a responsible AI strategy.
The OWASP LLM Top 10 and Hidden Vulnerabilities
The data handling practices accidentally revealed in the article map well onto several entries in the OWASP LLM Top 10. These risks exist even if the data collection is seemingly lawful.
- LLM06: Sensitive Information Disclosure: This is the most obvious risk. If a model is trained on geolocation data and unique device identifiers without proper filtering and anonymization, it could reveal this information in response to a crafted prompt. Such an incident could lead to severe data privacy fines and reputational damage.
- LLM05: Supply Chain Vulnerabilities: The “List of partners” points directly to this issue. AI models often rely on external datasets, pre-trained base models, or third-party APIs. If a partner’s data handling practices are insecure, or the data they provide is compromised, the vulnerability can cascade through the entire system.
- LLM09: Overreliance: When a company places uncritical trust in an AI system whose data sources and internal workings are opaque, it takes on significant business risk. The purpose of the data collection described in the article is to influence user behavior. If the model is based on flawed or biased data, the business decisions derived from it will also be flawed.
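As an added illustration of the filtering and anonymization step named under LLM06 (example code written for this article, not taken from IBM, OWASP or any AIQ tooling), the Python below coarsens precise coordinate pairs and replaces device identifiers with keyed pseudonyms before text enters a training corpus. The record formats, the four-decimal precision threshold, the function names and the key are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample records; formats and values are hypothetical.
SAMPLE_RECORDS = [
    "user opened app at 47.497913, 19.040236 on device 3f2a9c1e-7b44-4d0a-9e6f-1c2d3e4f5a6b",
    "ad impression, campaign 1.5, no location",
    "checkin lat=-33.868820 lon=151.209296 idfa=3F2A9C1E-7B44-4D0A-9E6F-1C2D3E4F5A6B",
]

# Assumption: two adjacent numbers with >= 4 decimals (about 11 m) are a precise position.
COORD_PAIR = re.compile(
    r"(?<![\d.])(-?\d{1,3}\.\d{4,})(\s*,\s*|\s+lon=)(-?\d{1,3}\.\d{4,})"
)
# Advertising and device identifiers are commonly UUID-formatted.
DEVICE_ID = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")


def coarsen(value: str, places: int = 1) -> str:
    """Keep one decimal (about 11 km), enough for region-level features."""
    return f"{float(value):.{places}f}"


def pseudonymize(device_id: str, key: bytes) -> str:
    """Keyed hash: stable per device, and a guessed ID cannot be confirmed without the key."""
    digest = hmac.new(key, device_id.lower().encode(), hashlib.sha256).hexdigest()
    return f"<device:{digest[:12]}>"


def scrub(text: str, key: bytes) -> tuple[str, dict]:
    """Return scrubbed text plus per-category hit counts for the audit log."""
    found = {"geo": 0, "device_id": 0}

    def _geo(m: re.Match) -> str:
        found["geo"] += 1
        return f"{coarsen(m.group(1))}{m.group(2)}{coarsen(m.group(3))}"

    def _dev(m: re.Match) -> str:
        found["device_id"] += 1
        return pseudonymize(m.group(0), key)

    text = DEVICE_ID.sub(_dev, text)
    return COORD_PAIR.sub(_geo, text), found


if __name__ == "__main__":
    key = b"replace-with-a-managed-secret"  # placeholder key for the demo
    for record in SAMPLE_RECORDS:
        print(scrub(record, key))
```

Keyed pseudonyms remain linkable across records, so they are still personal data under the GDPR; drop the token entirely when no join across records is needed.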
Conclusion: What Can a European Enterprise Do?
The lesson from the contradictory news about IBM extends far beyond a single company or a mistyped article. It is a clear signal to the market: in the age of AI, critical thinking and thorough due diligence are more important than ever.
AIQ’s recommendation for Hungarian and EU-based companies is as follows:
- Audit your data flows: Map out exactly what data your AI systems are trained on and operate with. Verify the legal basis for data collection (GDPR) and the quality of the data.
- Conduct a supply chain analysis: Examine all external partners and data providers. Are you aware of their data security and handling practices?
- Employ proactive testing: Use LLM Red Teaming and vulnerability assessments to uncover hidden risks like sensitive data leakage before they can cause real damage.
- Train your team: Both decision-makers and developers need to understand AI-specific risks, the legal framework (EU AI Act, GDPR), and industry standards like the OWASP LLM Top 10.
The $15 billion promise is an attractive headline, but true business value and security lie in the details, in the careful handling of data, and in the continuous auditing of systems.