At 23, a founder is asking investors to bet $20 billion on a three-year-old startup. That’s Mercor, an AI training marketplace that according to Bloomberg already holds at least one term sheet at that valuation. But the footnotes of this valuation surge also tell of a recent incident that could cool enthusiasm: a few months ago, a data breach cost the company its most coveted client, Meta.

Mercor acts as an intermediary between businesses that need labeled datasets and a global network of human annotators—a critical link in the AI supply chain, especially when big tech players like Meta are involved, with their enormous data volumes and strict confidentiality requirements. The breach, while details remain private, led Meta to sever the collaboration, a blow that for many startups would be fatal but here appears almost a footnote amid a rapidly inflating valuation.

The numbers are dazzling: hitting $20 billion would place Mercor among the most highly valued AI companies, despite revenue and scale that are still hard to compare with industry giants. Term sheets aren’t closed rounds, but they signal an appetite that the market continues to show for the data economy, even when cracks in governance appear.

This is where sovereignty and security come into play. For enterprises that outsource training data processing, a breach is not merely a technical mishap—it’s an existential risk that can trigger audits, contractual penalties, and a ripple effect on the trust of the entire enterprise customer base. With GDPR in full force and the EU AI Act taking shape, accountability extends along the whole supply chain. It’s no surprise that many organizations are accelerating toward deployment models that reduce the attack surface: on-premise pipelines, hybrid setups for fine-tuning, and internal data curation. The goal isn’t to abandon the cloud, but to choose where to place the most sensitive processes. Those evaluating these options encounter familiar trade-offs: the total cost of ownership (TCO) of self-hosted infrastructure for LLMs can be high, yet data control and predictable operating costs tip the balance when compliance tops the priority list.

The Mercor case doesn’t reveal whether the market will reward transparency or whether investors’ memory will be short. But it does show that in AI, as in energy, a data spill can make even the most promising rig look risky.