On a Tuesday morning in early 2024, a mid-sized German automotive supplier discovered that its proprietary design-optimisation algorithm — trained on two decades of manufacturing data and running entirely on a US hyperscaler — had been retrained overnight. The retraining was not malicious. It was automatic, a routine model update pushed by the cloud provider to improve performance across its platform. The problem was that the update had subtly altered the model’s behaviour in ways that affected the supplier’s output quality metrics. More troublingly, the supplier had no mechanism to roll back, audit, or even fully understand what had changed. Its AI — the system underpinning a critical competitive advantage — was running on infrastructure it did not control, governed by terms it had not fully read, updated on a schedule it had not approved.
That story has become a parable for a generation of technology executives reckoning with a disquieting realisation: that in the rush to deploy AI, many organisations have handed control of their most strategically sensitive systems to third parties whose interests are not always aligned with their own.
What AI Sovereignty Actually Means
The term AI sovereignty has attracted its share of buzzword fatigue, but the concept it describes is precise and consequential. AI sovereignty refers to an organisation’s ability to control its AI infrastructure, the data used to train and run its models, the model governance frameworks that determine how AI systems behave, and the regulatory compliance posture of its AI operations — without being structurally dependent on a small number of external providers whose decisions it cannot influence.
IBM’s Institute for Business Value, surveying more than 1,000 C-suite executives for its 2026 technology outlook, found that 93 per cent of global executives identified AI sovereignty as mission-critical to their strategic agenda. That number is striking not because it is surprising but because of the gap it implies between aspiration and reality.
Those risks include: regulatory non-compliance across jurisdictions with conflicting data localisation requirements; competitive exposure when proprietary training data is processed in shared cloud environments; operational vulnerability when a cloud provider’s outage, policy change, or contractual dispute disrupts mission-critical AI systems; and model drift, the phenomenon where model updates by a cloud provider alter the behaviour of systems an organisation has deployed and validated.
Why the Urgency Is Real — and Why It Is Right Now
The sovereign cloud market, according to Gartner, is projected to grow 4.5 times by 2028, reaching US$12.5 billion from approximately US$2.8 billion in 2024. That growth curve reflects a structural shift in how enterprises are thinking about AI infrastructure — not as a commodity to be procured from whoever offers the lowest price, but as a strategic asset that requires the same careful governance as intellectual property or financial reserves.
The structural driver is a convergence of three forces. First, regulation: at least 34 countries have enacted data localisation rules since 2022, creating a compliance environment where the default of running AI workloads on US-domiciled infrastructure is increasingly legally problematic. Second, geopolitics: the concentration of AI infrastructure in US hyperscalers has become a point of strategic vulnerability for governments and corporations alike, particularly as US export controls, sanctions regimes, and evolving regulatory frameworks create uncertainty about the continuity of service. Third, competitive intelligence: organisations are becoming more sophisticated about the risks of training proprietary models on shared infrastructure.
Forrester Research predicts that at least 15 per cent of enterprises will actively pursue private AI infrastructure strategies by 2027 — a figure that understates the trend among regulated industries, where the proportion is likely to be significantly higher.
The Regulatory Landscape: Four Jurisdictions That Define the Terrain
The European Union’s AI Act entered full enforcement in August 2026, establishing the world’s most comprehensive legal framework for AI governance. For multinationals operating in Europe, the Act’s requirements are not abstract: high-risk AI systems — including those used in hiring, credit scoring, law enforcement support, and critical infrastructure — must meet stringent transparency, audit, and human-oversight requirements. Fines for non-compliance reach €35 million or seven per cent of global annual turnover, whichever is higher. The Act also includes provisions on AI training data that, combined with GDPR requirements, create meaningful constraints on using European citizen data in US-hosted models.
India’s Digital Personal Data Protection Act of 2023 is now in active enforcement, with its data localisation provisions requiring that certain categories of personal data be stored and processed within Indian territory. The IndiaAI Mission has allocated ₹10,372 crore to build domestic AI compute infrastructure, training datasets in Indian languages, and a national AI governance framework. For multinationals operating in India, the combination of DPDP Act obligations and the IndiaAI Mission’s incentive structure is creating both compliance imperatives and genuine commercial opportunities in domestic AI infrastructure.
China operates the most comprehensive AI regulatory environment of any major economy, with the Cyberspace Administration of China’s generative AI regulations (2023), algorithm recommendation rules, and deep synthesis regulations creating a layered regime that effectively requires domestic AI infrastructure for any organisation operating in the Chinese market. The practical effect is that multinationals with Chinese operations are already operating dual AI stacks — one for China, one for the rest of the world — a model that is increasingly being studied by regulators in other jurisdictions.
The United States has moved in a deregulatory direction under the current administration, with executive orders prioritising AI deployment speed over governance frameworks. For US-headquartered multinationals, this creates an asymmetric compliance burden: less constraint at home, but increasing obligations in every other major market they operate in.
Sovereign AI in Practice: Who Is Building What
The clearest signal that AI sovereignty has moved from policy discussion to capital allocation is the scale of sovereign AI infrastructure investments announced in the past eighteen months. France’s commitment to Mistral AI — including a 1.4 gigawatt AI campus and preferential procurement for French-developed models in public sector applications — represents a deliberate attempt to create a European alternative to US foundation models. The UAE’s G42, working with Falcon model development, has positioned itself as the sovereign AI infrastructure provider for the Gulf Cooperation Council and, increasingly, for African markets. Saudi Arabia’s HUMAIN initiative, which secured an agreement to deploy 18,000 of NVIDIA’s GB300 GPUs — representing a significant share of global AI compute capacity — has set an explicit ambition to host six per cent of global AI compute by 2034.
In India, the IndiaAI Mission’s compute tender has attracted bids from domestic and international providers, with the government prioritising GPU clusters that can be operated under Indian jurisdiction and governance frameworks. The mission’s parallel investment in datasets in Hindi, Tamil, Telugu, and other Indian languages addresses the second dimension of sovereignty: the training data that shapes how AI systems understand and represent Indian contexts, languages, and priorities.
The Hyperscaler Dependency Problem
The challenge for most organisations is not a lack of strategic intent but a lack of practical alternatives to hyperscaler dependence. AWS, Microsoft Azure, and Google Cloud collectively host an estimated 97 per cent of enterprise AI workloads outside China. Their infrastructure advantages — scale, global footprint, breadth of AI services, integration with enterprise software stacks — are real and not easily replicated. An organisation that decided today to migrate its AI workloads to sovereign infrastructure would face 12 to 24 months of migration complexity, significant cost, and potential capability degradation during the transition.
The UK government’s 2025 review of public sector cloud dependency found that several critical national infrastructure operators had become so deeply integrated with a single cloud provider that migration was functionally impractical without multi-year programmes and significant investment. That dependency, the review noted, was not the result of poor decision-making — it was the natural consequence of optimising for capability and cost over a decade, without building sovereignty considerations into procurement frameworks from the outset.
The lesson for private sector leaders is the same: sovereignty is easiest to build into AI architecture at the point of initial design, and progressively more expensive to retrofit as integration deepens.
A Four-Step Framework for Multinational Leaders
The first step is classification. Not all AI systems require sovereign infrastructure. A model used for internal HR communications carries different sovereignty requirements than one used for product design, financial modelling, or regulatory compliance. The starting point is a classification exercise that maps each AI system against four dimensions: the sensitivity of the data it processes, the competitive significance of the insights it generates, the regulatory jurisdiction in which it operates, and the operational criticality of the system to the business.
The second step is contract audit. Many organisations do not have a clear picture of what their AI and cloud contracts actually permit the provider to do with their data and models. This audit frequently produces surprises: provisions for model training on customer data, broad rights to use aggregated data for service improvement, and limited commitments on model versioning and rollback are common. The audit creates the negotiating brief for contract renegotiation and informs the build-versus-buy decision for sovereign infrastructure.
The third step is building a sovereign layer. This does not mean abandoning hyperscalers for the most sensitive AI systems. It means building a hybrid architecture in which the most strategically sensitive workloads run on infrastructure that the organisation controls — whether on-premise, in a sovereign cloud, or through a regional provider subject to the relevant jurisdiction’s legal framework — while less sensitive workloads continue to benefit from hyperscaler scale and capability.
The fourth step is regulatory intelligence. The AI regulatory landscape is moving faster than most organisations’ compliance functions can track. Building a systematic capability to monitor regulatory developments across the jurisdictions where the organisation operates — and to translate those developments into architecture and procurement decisions before they become compliance obligations — is the difference between strategic sovereignty and reactive scrambling.
The Road Ahead
The organisations that treat AI sovereignty as a compliance checkbox will find themselves in a perpetual state of reactive adjustment as the regulatory environment evolves and geopolitical risks materialise. Those that treat it as a strategic architecture decision — made deliberately, early, and with the same rigour applied to financial risk management — will find that sovereignty and competitive advantage are not in tension. They are, increasingly, the same thing.
The 93 per cent of executives who told IBM that AI sovereignty is mission-critical are not wrong. The question is whether their organisations will build the infrastructure, governance frameworks, and procurement disciplines to give that aspiration operational substance — or whether, in two years, they will be telling a version of the German automotive supplier’s story to their own boards.
