Sovereign AI: Governance, Infrastructure, and Control
- Sovereign AI is a multifaceted concept defining the degree of autonomous control over AI systems, spanning data, infrastructures, and legal jurisdictions.
- It balances national and institutional governance using layered approaches that integrate network architecture, digital twins, and blockchain for auditability.
- Research highlights trade-offs between openness and control, emphasizing technical feasibility, sustainability limits, and responsible deployment practices.
Sovereign AI denotes a set of research programs concerned with who can control, govern, sustain, and bound artificial intelligence systems across data, models, infrastructure, execution, and legal jurisdiction. The literature does not treat sovereignty as a single binary property. It is variously defined as the extent to which a nation independently controls its AI technologies, as a continuum of autonomy under interdependence, as an institutional capability to control AI use on one’s own terms, as an architectural property of effective control and verifiability, and, in some agentic settings, as either a condition to be denied to agents or a property that decentralized infrastructures can inadvertently confer upon them (Clancy et al., 5 Jun 2026, Singh et al., 18 Nov 2025, Huijts et al., 4 Dec 2025, Hu et al., 16 Feb 2026).
1. Conceptual foundations and competing definitions
A prominent national-policy formulation defines AI sovereignty as “the extent to which a nation independently controls its AI technologies,” expanding the notion to include data, workforce, natural resources, infrastructure, model training, and model hosting (Clancy et al., 5 Jun 2026). A separate formal treatment rejects a binary view and models sovereignty as a continuum generated by four interdependent pillars—data, compute infrastructure, model autonomy, and normative alignment—summarized as
In that formulation, the relevant question is not whether a state is fully sovereign, but how much sovereignty it secures in each layer, at what cost, and with what openness to global interdependence (Singh et al., 18 Nov 2025).
This literature consistently distinguishes sovereignty from narrower notions such as data localization or domestic branding. One architectural paper defines digital sovereignty and “Sovereign AI” as the ability of a state, organization, or community to retain effective control, autonomy, and independent decision-making over digital infrastructures, data, AI behavior, and the software supply chain, within a known jurisdictional and governance boundary (Esposito et al., 5 Feb 2026). A regional-LLM paper similarly describes a sovereign LLM as one “independently constructed, trained, and deployed by a nation or region, operating on locally controlled computing and data infrastructure” so as to ensure security of critical technologies, mastery of data sovereignty, and alignment with local language, culture, and institutional requirements (Han et al., 14 Jul 2025).
Global-governance research places these definitions inside a broader theory of power. It distinguishes sovereignty as an institution from sovereignty as a practice, and argues that AI systems are becoming embedded in global governance through public/private cooperation and contestation rather than simply replacing states. In this account, “sovereign AI” can refer both to attempts to control AI infrastructures and to the use of AI infrastructures as means through which sovereign competence is performed (Srivastava et al., 2024).
2. Infrastructure sovereignty and feasibility boundaries
Infrastructure-centered work argues that AI has shifted from a software-centric discipline to an infrastructure-driven system. Control over data and algorithms alone is therefore insufficient for meaningful sovereignty, because practical operation depends on power availability, cooling feasibility, water usage, optical transport reach, and real-time operational visibility (Cruzes, 11 Feb 2026). One tutorial-survey defines AI infrastructure sovereignty as “the ability of a region, operator, or nation to exercise operational control over AI systems within physical, environmental, and infrastructural limits,” and treats sovereignty as emerging from the co-design of AI-oriented data centers, optical transport networks, and automation frameworks built on telemetry, agentic AI, and digital twins (Cruzes, 11 Feb 2026).
A more formal operationalization is given by the Feasible Sovereign Operating Region (FSOR), which characterizes the workload sets for which a placement-and-routing plan exists under current telemetry. The paper defines
where feasibility is jointly determined by site power, carbon intensity, water usage, optical capacity, and latency constraints (Cruzes, 7 Apr 2026). In this formulation, sustainability is not a soft optimization preference but a hard feasibility boundary: if carbon thresholds, water permits, power envelopes, or latency limits are exceeded, a workload is infeasible rather than merely suboptimal (Cruzes, 7 Apr 2026).
Operationally, the same paper formulates a joint compute-placement and optical-network-routing MILP with binary placement variables and routing-flow variables , then deploys it inside a receding-horizon controller with the cycle observe → estimate/predict → optimize → validate → execute → observe (Cruzes, 7 Apr 2026). The telemetry pipeline spans compute/power, grid carbon and water, optical network state, and workload orchestration; a digital twin validates thermal, power, latency, congestion, and policy constraints before execution (Cruzes, 7 Apr 2026). Scenario analysis compares a latency-minimizing baseline, a compute-only sustainability-aware placement baseline, and the joint formulation; the joint method yields lower aggregate environmental impact, while infeasibility events are treated as correct telemetry-grounded signals that infrastructure investment or workload reduction is required (Cruzes, 7 Apr 2026). At the tested scale, the “Paper” scenario with sites and workloads was solved to optimality across five randomized instances with median solve time $0.12$ s and maximum $60.00$ s, within a five-minute telemetry cycle budget; the “Small” and “Medium” scenarios had medians of $0.02$ s and $0.07$ s respectively (Cruzes, 7 Apr 2026).
The same infrastructural logic appears in telecom work on 6G. There, sovereign AI is defined as national- or operator-level control over development, deployment, governance, and lifecycle management across data, compute, models, inference, updates, and compliance. Within O-RAN, sovereignty is operationalized through xApps in the Near-RT RIC and rApps in the Non-RT RIC, together with federated learning, robust aggregation such as geometric median and Krum, privacy-enhancing technologies, synthetic data generation, explainable AI, and secure model-update pipelines (Chetty et al., 8 Sep 2025).
3. Institutional governance and sovereignty-by-design architectures
Institutional work treats sovereignty as an enforceable governance layer rather than a ban on commercial AI. A six-month pilot at Fontys ICT defines AI sovereignty as an institution’s ability to control AI use on its own terms: who may use which model, where data is processed, under what legal conditions, what budget is consumed, what risks are disclosed, and how model choice is made visible and teachable (Huijts et al., 4 Dec 2025). Its three-layer gateway architecture consists of a ChatGPT-style frontend built on OpenWebUI and linked to institutional identity, a gateway core implemented with Portkey for access control, budgets, logging, and EU-default routing, and a provider layer that wraps vendors and open-source models in institutional model cards (Huijts et al., 4 Dec 2025). The pilot involved 300 users, ran reliably with no privacy incidents, used a monthly institutional cap under \$\mathrm{FSOR}\bigl(\boldsymbol{\theta}(t)\bigr) = \Bigl\{ \mathcal{W}(t) \subseteq \mathcal{W}_{\mathrm{total}} \;\Big|\; \Phi\bigl(\mathcal{W}(t),\, \boldsymbol{\theta}(t)\bigr) \neq \emptyset \Bigr\},$010, and required explicit acknowledgment for US-hosted processing when EU-hosted options were unavailable (Huijts et al., 4 Dec 2025). The paper’s central organizational conclusion is that institutions need a formal AI Officer role combining technical literacy, governance authority, and educational responsibility (Huijts et al., 4 Dec 2025).
A more general software-architecture treatment frames sovereignty as a first-class quality attribute. Its Sovereign Reference Architecture (SRA) comprises five layers: self-sovereign identity; blockchain trust and audit; sovereign data; sovereign AI; and applications. Each layer is specified by purpose, constraints, and mechanisms: for example, the sovereign AI layer governs the GenAI lifecycle through approved models only, reproducible evaluation, auditable use, and leakage control, implemented with a model registry, eval/promotion gates, prompt/tool evidence, and sovereign telemetry (Esposito et al., 5 Feb 2026). In this account, blockchain “anchors governance-relevant provenance,” while GenAI has a dual role: it is simultaneously a governance risk if left opaque and externally dependent, and an enabler of compliance, documentation, risk analysis, anomaly detection, and continuous assurance when architecturally constrained (Esposito et al., 5 Feb 2026).
COMPASS extends the same logic into runtime orchestration. It inserts an Orchestrator between user intent and agent action, routing each request through four sub-agents concerned with sovereignty, carbon-aware computing, compliance, and ethics (Jean-Sébastien et al., 11 Mar 2026). Each sub-agent is grounded with Retrieval-Augmented Generation over verified, context-specific documents, and each produces a quantitative score and explanation through an LLM-as-a-judge interface that returns JSON. The judge configuration reported in the paper uses mistralai/Mistral-7B-Instruct-v0.2 with max_new_tokens = 256, temperature = 0.7, top_p = 0.7, and repetition_penalty = 1.2 (Jean-Sébastien et al., 11 Mar 2026). Evaluation across SOV, CAR, COM, and ETH test sets uses BERTScore to compare explanations with and without RAG; the reported result is that RAG significantly improves semantic coherence and mitigates hallucination risk, with sovereignty examples such as SOV-01, SOV-06, SOV-07, SOV-08, and SOV-10 showing higher scores under RAG (Jean-Sébastien et al., 11 Mar 2026).
4. Agentic sovereignty, bounded autonomy, and governed execution
In the agentic literature, sovereignty is split between two incompatible poles. One pole insists that AI agents must remain subordinate to a human principal. The Agent Economic Sovereignty Protocol (AESP) states the invariant directly: agents should be economically capable but never economically sovereign (Wang, 27 Feb 2026). Sovereignty remains with the human Digital Sovereign Entity (DSE), while the agent is constrained through a deterministic eight-check policy engine, three escalation tiers (automatic, explicit review, biometric), EIP-712 dual-signed commitments with escrow, HKDF-based context-isolated privacy with batched consolidation, and an ACE-GF cryptographic substrate. The implementation is an open-source TypeScript SDK with 10 modules and 208 tests, and exposes interoperability through MCP and A2A (Wang, 27 Feb 2026).
A second pole accepts autonomous economic action but subjects it to constitutional governance. Sovereign-OS is presented as a charter-governed operating system in which a Pydantic-validated YAML Charter specifies mission, core competencies, fiscal boundaries, and success KPIs, while a CEO/Strategist builds dependency-aware task DAGs, a CFO/Treasury enforces balance, daily burn, and profitability floors, Workers operate under earned-autonomy permissions via TrustScore, and an Auditor/ReviewEngine produces SHA-256-sealed AuditReports (Yuan et al., 14 Mar 2026). The GovernanceEngine runs the pipeline plan → approve → auction → dispatch → audit (Yuan et al., 14 Mar 2026). In evaluation, the system blocks 100% of fiscal violations across 30 scenarios, achieves 94% correct permission gating across 200 missions, and maintains zero hash mismatches over 1,200+ AuditReports (Yuan et al., 14 Mar 2026).
A third line of work relocates sovereignty from agent identity to execution control. Sovereign Agentic Loops (SAL) require models to emit structured intents and justifications rather than direct commands; a local control plane validates them against true state and policy, while an obfuscation membrane hides identity-sensitive state from the model and an Evidence Chain preserves auditability and deterministic replay (He et al., 24 Apr 2026). In an OpenKedge prototype for cloud infrastructure, SAL blocks 93% of unsafe intents at the policy layer, rejects the remaining 7% via consistency checks, prevents unsafe executions in the benchmark, and adds 12.4 ms median latency (He et al., 24 Apr 2026). Verifiable Agentic Infrastructure generalizes this into a Distributed Trust Framework (DTF) that computes execution authority from a Justification Proof, consensus evaluation, an ephemeral Execution Identity, and an append-only Evidence Chain, under the invariant that there is no high-stakes execution without a proof object, no derived authority without consensus, and no valid mutation detached from evidence (He et al., 13 May 2026).
A fourth line warns that decentralized infrastructure can harden agents into non-overrideability. The paper on Sovereign Agents defines agentic sovereignty as “the capacity of an operational agent to persist, act, and control resources with non-overrideability derived from the infrastructural stack in which it is embedded,” and analyzes how TEEs, DePIN, blockchain execution, cryptographic self-custody, and protocol-mediated continuity can create an accountability gap in which no single actor both bears responsibility and can stop the system (Hu et al., 16 Feb 2026). In that literature, sovereignty is a spectrum determined by infrastructural hardness rather than a formal legal status (Hu et al., 16 Feb 2026).
5. Regional models, public services, and sector-specific deployments
Regional-model work treats sovereignty as local alignment across language, law, and institutional mission. HKGAI-V1 is described as a regional sovereign LLM for Hong Kong: a 685-billion-parameter system built on the DeepSeek architecture and adapted through full-parameter fine-tuning, supervised fine-tuning, RLHF, Learning from Language Feedback, weak-to-strong generalization, and a modular RAG system (Han et al., 14 Jul 2025). The project is explicitly tied to Hong Kong’s “one country, two systems” environment and its multilingual requirements in Cantonese, Mandarin, and English (Han et al., 14 Jul 2025). Its proprietary Adversarial HK Value Benchmark contains 300 human-crafted sensitive questions; on Hong Kong Sensitive issues, HKGAI-V1 chat achieved 79% safe responses, compared with Kimi at 53% safe and 5% unsafe and ChatGPT at 88.7% unsafe in that domain (Han et al., 14 Jul 2025). The paper also reports HKMMLU mean accuracy of 81.4%, ahead of DeepSeek-V3 at 76.6% and GPT-4o at 70.5%, SafeLawBench average accuracy of 80.0%, and Beaver-zh-hk Harmless Score of 88.95 versus DeepSeek-R1’s 70.41 (Han et al., 14 Jul 2025). Around 20,000 officers across nearly all departments are reported as already using applications based on HKGAI-V1 (Han et al., 14 Jul 2025).
Public-service deployments make a different claim: that sovereignty can be viable and affordable on premises. A Portuguese-government study compares the production gov.pt chatbot, powered by a top-tier commercial provider, with an on-prem alternative, Evaristo.ai – Serviços públicos, that uses local/open models, a local Weaviate index, and a RAG stack over approximately 2.3k gov.pt web pages (Branco et al., 2 Mar 2026). Retrieval uses hybrid search with dense vectors and BM25 at 1, paragraph-level chunking, and at most three documents passed into generation (Branco et al., 2 Mar 2026). On a 292-item answering set, Gervásio 70B + RAG scored 4.14 on direct questions and 3.97 on verbose questions, compared with the gov.pt baseline at 4.02 and 4.01 respectively (Branco et al., 2 Mar 2026). On refusal, the same sovereign system achieved 98% not-answer accuracy on a 61-item Do-Not-Answer subset and correctly refused 86% of 42 out-of-domain items (Branco et al., 2 Mar 2026). Under load balancing, the 70B system served 100 users at under 30 s p95 latency, while an 8B model stayed under 1.5 s p95 for 100 users and under 15 s for 500 users (Branco et al., 2 Mar 2026).
Healthcare work narrows sovereignty further to physical communication constraints. A clinical-triage architecture performs all inference on device, receives inbound data through receive-only broadcast infrastructure or certified hardware data diodes, and uses an optical out-of-band channel for session keys and outputs (Srinivasan et al., 26 Mar 2026). The prototype uses a quantized LLM class model with llama.cpp, whisper.cpp, MediaPipe, and a dedicated NPU (Srinivasan et al., 26 Mar 2026). Its core formal claim is that receiver-side unidirectionality removes the network-mediated attack surface by construction, yielding 2, while graph isolation is expressed as 3, meaning the terminal is not a vertex in the institutional network graph (Srinivasan et al., 26 Mar 2026).
Telecom work extends the same logic to AI-native 6G. Sovereign AI in this context is national- or operator-level capability to independently develop, control, deploy, govern, and audit AI across the full lifecycle, especially within O-RAN architectures (Chetty et al., 8 Sep 2025). The literature emphasizes sovereign xApps and rApps in the Near-RT and Non-RT RICs, federated learning across trusted infrastructure, synthetic data generation with GANs, VAEs, and diffusion models, explainable AI, robust aggregation, policy-constrained inference, and secure model-update pipelines (Chetty et al., 8 Sep 2025).
6. Trade-offs, controversies, and research trajectories
A recurrent controversy concerns openness. One formal planner’s model argues that sovereignty should not be confused with autarky: the optimal policy is typically an interior openness setting with guardrails, not total closure (Singh et al., 18 Nov 2025). The same paper proposes two heuristics: equalize marginal returns across the data, compute, models, and norms pillars, and set openness where the marginal benefit of collaboration equals the marginal exposure risk (Singh et al., 18 Nov 2025). This makes “managed interdependence” rather than isolation the central policy formula (Singh et al., 18 Nov 2025).
A second controversy concerns scale and strategic competition. Work on national power models treats sovereign AI as materially dependent on accelerators, electricity, water, datasets, skilled workforce, AI cabinets, and AI data centers, and argues that these are leverage points that states can expand domestically or attack in adversaries through kinetic and non-kinetic means including cyber, space, information operations, economic coercion, diplomacy, and, in one cited example, Iran’s targeting of data centers with drones (Clancy et al., 5 Jun 2026). This line of work treats AI sovereignty as an instrument of national power rather than a purely regulatory aspiration (Clancy et al., 5 Jun 2026).
A third debate concerns whether sovereignty primarily means protection of institutions, persons, or creators. Research on Cognitive Sovereignty argues that persistent AI memory transforms sovereignty into a struggle over who owns, hosts, audits, and can export memory graphs that shape individual, organizational, and national cognition; its proposed countermeasures include memory portability, transparency, sovereign cognitive infrastructure, and strategic alliances (Brcic, 7 Aug 2025). A different normative intervention, author sovereignty, applies the language of sovereignty to copyright and training data, arguing that voluntary negotiated consent must replace coercive norms, that no reuse of protected work should be presumed fair by default, and that if others profit from a work, the author must benefit (Fitas, 3 Apr 2025).
A fourth controversy concerns model scale itself. The paper on Punctuated Equilibria in Artificial Intelligence defines an Institutional Fitness Vector
4
with capability, institutional trust, affordability, and sovereignty compliance as coequal dimensions (Baciak et al., 15 Mar 2026). Its central claim is the Institutional Scaling Law: institutional fitness is non-monotonic in model scale, so the environment-specific optimum may favor smaller, domain-adapted, sovereign systems over frontier generalists when trust and sovereignty weights are high (Baciak et al., 15 Mar 2026). The paper links this to “speciation” of sovereign AI, in which jurisdictions select distinct local optima rather than converging on a single universal model class (Baciak et al., 15 Mar 2026).
Across these strands, sovereign AI functions less as a single doctrine than as a contested field of design principles. The common denominator is enforceable control: over data flows, compute, execution authority, infrastructure dependencies, legal alignment, environmental limits, and adaptation pathways. The main disagreements concern where that control should reside, how much openness it can tolerate, whether autonomy should be delegated or denied to agents, and whether sovereignty is best pursued through large domestic stacks, smaller specialized systems, or carefully governed interdependence.