Construction is seen as a laggard on AI — and that's true. But the reason isn't technophobia, it's a concrete, justified risk. In the Bluebeam survey on AI in construction, 42% of AEC decision-makers name data-sharing security as the biggest AI challenge — more than cost and complexity (33%).
For construction firms, planning offices and engineering practices that isn't an abstract worry but a question of confidentiality, procurement law and liability. Let's look at the numbers — framed honestly — and at what actually helps.
What the Bluebeam numbers show — and what they don't
The most-cited AI hurdle in construction is data security. 42% of AEC decision-makers name data-sharing security as the biggest challenge, 69% have already slowed their AI initiatives over uncertainty about future regulation, and only 27% use AI productively. Yet the adopters themselves see clear ROI — and that is the real tension.
| Metric (Bluebeam 2026) | Value | Meaning |
|---|---|---|
| Data security as the biggest AI hurdle | 42% | most-cited, ahead of cost/complexity (33%) |
| AI plans slowed by regulation concerns | 69% | uncertainty about future rules |
| Use AI productively | 27% | adoption remains uneven |
| Want to expand AI use (among adopters) | 94% | clear pull towards scaling |
| Saved at least $50,000 | 68% | proven ROI among adopters |
| Saved 500–1,000 hours | 46% | proven time gain |
A note for honesty belongs here: this is an international survey by Bluebeam (part of the Nemetschek Group) of 1,000+ technology decision-makers across the US, UK, France, Germany and Australia, conducted online in July 2025. Germany was one of five countries surveyed — on an even split, an estimated ~150 voices would come from Germany — and there is no published Germany-only cut, so the 42% is a global figure, not a DACH-only value. It is also vendor-commissioned research, not peer-reviewed. That qualifies the precision, not the direction: the German sector picture says the same.
Why construction firms in particular hesitate: the data is the business
Construction firms don't tip their project data into a third-party cloud lightly, because that data is legally protected. Construction plans, BIM models, structural calculations, cost estimates and tender and contract documents are trade secrets, are subject to procurement confidentiality, and routinely contain personal data. An uncontrolled outflow touches three legal regimes at once.
Trade-secret protection is conditional. Under § 2 GeschGehG, information is protected only if it is the subject of "reasonable secrecy measures under the circumstances". Those measures are not optional but a precondition — tip a secret into an uncontrolled external tool and you risk that it never qualifies as a protected trade secret at all. The case law is strict here: blanket confidentiality clauses do not suffice as a reasonable measure (Aachen Labour Court, 13 Jan 2022). That is not an AI-specific ruling, but the principle holds: control over where the data goes is part of the duty to protect it.
In the tender process, confidentiality is added. Under § 5 VgV, the public contracting authority may not pass on information marked confidential and must safeguard the integrity and confidentiality of bids; in review proceedings, § 165 GWB protects business and trade secrets during file access. And finally the GDPR applies: project documents often contain personal data, and Art. 5 GDPR requires purpose limitation and appropriate technical safeguards. Consumer AI, depending on provider and tier, reuses inputs for training by default — a purpose no one consented to.
| Project data in … | external cloud AI (consumer tier) | local, sovereign AI |
|---|---|---|
| Data residency | often outside the EU, provider-controlled | inside the company, on your own hardware |
| Inputs as training data | possible by default depending on tier | excluded, no external APIs |
| Trade-secret protection | at risk (no control over data location) | preserved (a reasonable measure) |
| Procurement confidentiality (§ 5 VgV) | hard to evidence | evidenceable, because in-house |
| GDPR purpose limitation & deletion | at the provider | under your own control |
| Traceability | none | complete audit trail |
Germany is digitalizing construction — but AI lags behind
German construction has been digitalized systematically for years, yet on AI the sector lags. With the Stufenplan Digitales Planen und Bauen (2015) and BIM Deutschland, the BIM method has been mandatory for federal infrastructure since 2021 and for federal building construction since end-2022. So the data increasingly exists in structured form — the ideal basis for AI.
That is exactly what makes the reticence striking. The IW Köln institute puts AI adoption in construction at around 22% — one of the lowest of any sector, while economy-wide Bitkom now reports 36% of companies using AI. At digitalBAU 2026 (24–26 March 2026, Cologne, around 11,000 trade visitors), "AI in construction" was one of four lead themes with roughly 90 talks. The interest is there — what's missing is an architecture that makes AI usable without giving up the project data. More BIM data means more valuable but also more sensitive material; the question "where is this processed?" doesn't shrink, it grows.
How a local, permission-aware AI resolves the 42% hurdle
The effective lever is not abstaining from AI but the right architecture: bring the AI to where the data has to stay anyway. A local, permission-aware AI moves models and data onto your own hardware — with no external APIs. Project data does not leave the company, and the sector's biggest hurdle falls away structurally.
This is exactly where Lokalaise comes in: a grounded AI platform on your own hardware that connects bills of quantities, BIM and tender data, contracts and minutes without them ever leaving the company. Permission-aware retrieval limits access to documents the given user is authorized to see; an audit trail makes every use traceable — the precondition for actually being able to evidence confidentiality (see Security & data sovereignty). Concrete construction use cases such as a bill-of-quantities comparison or a quote review then run on your own data instead of in third-party clouds.
That this path brings not just security but the proven ROI is shown by the Bluebeam survey itself: 94% of adopters want to expand their AI use. Why uncontrolled AI use also gets expensive, we showed using shadow AI; why data residency is not the same as data sovereignty, using BSI C3A. To be clear: Lokalaise is an enabler, not legal counsel — which of your project data falls under which protection regime is something to clarify with your legal team. We provide the technical foundation for it.
Your next steps
Three questions show how large your AI data-security risk in construction is:
- Data location: Do you know where your project data ends up when employees use AI today — and whether the provider reuses inputs?
- Duty to protect: Can you evidence "reasonable secrecy measures" for trade secrets and confidential tender documents?
- Control: Is AI access permission-aware and reviewable after the fact?
Wherever you hesitate, it's worth a closer look. In a short demo we'll show how a local, permission-aware AI takes the construction sector's biggest hurdle out of your risk calculation — and makes the productivity gain achievable.
Frequently asked questions
Conclusion
Construction firms hesitate on AI not out of technophobia but for a sound reason: project data is confidential, and tipping it into an external cloud AI can touch trade-secret duties, procurement law and the GDPR. The answer is therefore not abstinence but architecture. A managed, local AI keeps plans, bills of quantities and contracts inside the company — and makes the proven productivity gain that early adopters already see achievable. Data security and AI benefit are not mutually exclusive; you just have to bring the AI to where the data has to stay anyway.
Written by
Marius Gill
CTO @ Lokalaise
