Share
Facebook Facebook icon Twitter Twitter icon LinkedIn LinkedIn icon Email

Artificial Intelligence

How to build an AI-ready sovereign enterprise 

Published July 14, 2026 in Artificial Intelligence • 14 min read

As AI spreads through the enterprise, companies are losing something that few have thought to protect: the capacity to judge what their systems are doing and to change course when they need to. Securing data and infrastructure is the foundation, but sovereignty that stops there is not real sovereignty at all.

Rapid read:

  • Decisional and adaptive sovereignty belong on the board’s agenda
  • Use this guide to inventory and test your AI dependencies
  • Embed a rhythm for reassessment
More and more, businesses are treating sovereignty as an internal priority that has nothing to do with regulation at all.

On 3 June, the European Union announced its new Technological Sovereignty Package. These long-awaited recommendations are part of a coordinated effort to cut Europe’s dependence on non-EU providers across the entire technology stack. This package of measures is just the latest manifestation of a preoccupation with sovereignty that has become one of the defining features of the digital age. While the early evangelists of digital connectivity emphasized the free movement of data across borders, that commitment is now hedged around with caveats. Nations increasingly seek to protect the data of their citizens and businesses, to regulate its flow and residency, and to limit their economies’ reliance on the regulatory regimes and diplomatic goodwill of third-party states.

These national priorities have encouraged, and increasingly compelled, companies to pursue sovereign cloud strategies and “sovereign by design” principles that align businesses with regulatory policy. But concerns about digital sovereignty also surface for reasons that have nothing to do with the demands of policymakers.

More and more, businesses are treating sovereignty as an internal priority that has nothing to do with regulation at all. Just as governments seek to protect national sovereignty in the digital space, so too are companies increasingly seeking to reduce their dependency on third-party providers whose systems they cannot inspect, question, or easily leave. Sovereignty, in this sense, is something a company wants for itself – not because a regulator requires it, but because the alternative undermines the security of critical operations and erodes the capacity of the business to determine its own course.

In a recent survey of 309 IT leaders in major economies, 98% called digital sovereignty a priority, and more than half said they were already acting on it. That is real engagement with a real problem, and it is moving in the right direction. But most of this engagement is currently taking place on the technical level: digital sovereignty, as the term is generally used, means control over data and infrastructure – where data resides, who runs the servers, which jurisdiction’s law applies – and so it sits with CTOs, CIOs, and the IT function.

That is the right home for much of the work, but the allocation has an unintended consequence. Because sovereignty presents itself as a technical problem, it is rarely recognized as a strategic one – and so it seldom reaches the board as a core element of the company’s overall strategy. While many companies are building the technical foundations they need, the dimensions of sovereignty that are not reducible to an IT workstream go unaddressed, because no one has identified them as the board’s concern in the first place.

Artificial intelligence makes this blind spot all the more dangerous. AI changes what is at stake in every dimension of sovereignty. It deepens the technical danger posed by third-party dependencies while adding new threats. An organization that runs its decisions through a model it cannot inspect or replace is exposed in ways that go far beyond where its data happens to sit. As AI begins to shape not only what a company knows but how it decides, this has the potential to undermine the integrity of operational and strategic judgment itself. Sovereignty over data and infrastructure is a question of controlling data and infrastructure. Sovereignty in an AI-powered business becomes a question of guarding whether and how a company can think for itself, as one of this article’s authors argued in a recent MIT Technology Review report on sovereignty in the age of autonomous systems.

At present, questions of AI sovereignty are rarely raised at the highest levels. A recent Accenture survey found that only 15% of organizations treat sovereign AI as a matter for the CEO or board. Closing that gap means adopting a more comprehensive understanding of what sovereignty is. When it comes to AI, a genuinely sovereign enterprise is not defined by the proportion of its tech stack that it fully owns. Rather, it is the enterprise that maintains the capacity to make, enact, and revise its own choices. That capacity has a technical foundation, but it does not reside there. It resides in the people who can understand, question, and if necessary overrule what their AI systems do. Seen this way, sovereignty stops being a wall an organization builds against an external threat and becomes a set of capacities it builds and exercises from within.

These capacities operate across four dimensions. Two form the foundation: data sovereignty and infrastructure sovereignty, the control over information and systems on which everything else depends. Two more determine what an organization can actually do with that foundation: decisional sovereignty, the capacity to understand, interrogate, and govern the decisions AI systems make and shape; and adaptive sovereignty, the capacity to keep that judgment current as models, providers, and the landscape shift. The first two are the focus of today’s sovereignty conversation. The second two are where its future lies.

Foundation layers

The two dimensions that dominate today’s sovereignty conversation are also the most concrete: control over data and control over the infrastructure on which AI runs. They matter – they are the foundation everything else is built on, and nothing above them stands without them. But they are a foundation, not the whole structure.

AI has given data sovereignty a new and sharper significance.

Data sovereignty

AI has given data sovereignty a new and sharper significance.

Data sovereignty and AI sovereignty connect across three dimensions:

  • Security. Beyond existing concerns about data breaches, AI introduces specific new threats. Data shared with third-party AI systems may be retained and used in ways the organization did not authorize, while data gathered from AI tools may itself be poisoned or corrupted, compromising the integrity of the systems that depend on it.
  • Regulatory frameworks. Established frameworks such as the EU’s GDPR already govern cross-border data flows, but compliance requirements specific to AI are tightening rapidly across jurisdictions. Organizations without structural control over how their data is processed – where it is ingested, what models it trains, and on whose infrastructure – will find it increasingly difficult to meet obligations that are still evolving.
  • Value creation. An organization’s proprietary data is now a uniquely valuable resource on which AI capabilities can be trained and adapted. No competitor has access to that data – unless control of it is lost. Ceding control to a vendor or a frontier AI model may mean surrendering the very resource that could make the organization’s AI strategy genuinely distinctive.
The risk of loss of access was starkly illustrated by the collapse of Builder.ai in 2025

Infrastructure sovereignty

Like data sovereignty, infrastructure sovereignty is not new: organizations have always had to manage their dependence on the hardware and software on which their operations run. AI gives infrastructure sovereignty a new dimension, because the critical software in an AI stack is the model itself, and models are software of an unusual kind. The behavior of AI models is not written in code that can be inspected and edited but trained into their weights, so only organizations with the capacity to retrain a model can change how it behaves. Infrastructure sovereignty for AI is therefore the capacity to control and, where necessary, migrate or modify the layers of the stack on which an organization’s AI capabilities run:

  • The compute and acceleration layer that provides processing power.
  • The model and algorithm layer that houses foundation models.
  • The orchestration and tooling layer that connects models to workflows.
  • The application layer that makes AI accessible to users.
    (The stack’s foundation, the data and storage layer, is the territory of data sovereignty, covered above.)

As reliance on those capabilities deepens, so do the dangers of dependency: not only losing access to critical systems, but ceding authority over how they behave. A well-governed infrastructure relationship can deliver considerable practical control through vendor transparency, audit provisions, and aligned incentives. But that control is structurally contingent: it exists at the provider’s discretion and can be withdrawn when terms change or priorities diverge.

The risk of loss of access was starkly illustrated by the collapse of Builder.ai in 2025. Once valued at $1.5bn and backed by Microsoft and SoftBank, the platform filed for bankruptcy when its revenues were revealed to be a fraction of what had been claimed. The SME clients who had built entire product lines on the platform were left high and dry when the capabilities they relied on disappeared.

But lost access is only the most visible risk. Organizations that rely on external providers also cede, to varying degrees, authority over how those systems behave. Anthropic’s recent dispute with the US Department of Defense turned on exactly this point: not whether the government could access the models, but on what terms it could use them. Anthropic refused to grant unrestricted use, and even the DoD could not simply override that refusal; access to the models did not carry with it the power to set the terms on which they ran.

If even the US government cannot secure complete authority over the infrastructure beneath its AI, no enterprise should expect to. The question, then, is not whether complete autonomy can be achieved, but whether dependencies are known, adopted with full awareness, and governed appropriately, and whether adequate contingency plans exist for the worst case.

AI and digital transformation programs

Build the skills to lead in a digital world

Transform your career and business with next-generation AI and digital skills

Explore programs

Strategic agency layers

The foundation layers address what an organization controls. The remaining layers are concerned with what the organization does with that control: whether it can exercise independent judgment over its AI systems, and whether it can keep revising that judgment as the landscape shifts. These are the dimensions of sovereignty that the current discourse – and most organizations – have yet to engage with seriously. Securing where AI runs, after all, does nothing to secure the judgments AI makes and shapes.

Decisional sovereignty

Decisional sovereignty is the capacity to retain meaningful control over how an organization’s judgments are formed as AI becomes embedded in its operations. It has three dimensions.

  • The first is governance of the AI-driven decision itself, which includes the capacity to interrogate the assumptions built into the tools an organization has adopted, and to judge whether a given recommendation should be acted on. Every AI tool an organization adopts arrives with assumptions built into it, about what counts as relevant information, how conflicts should be resolved, and what kinds of outputs are appropriate. These parameters were selected by engineers and developers who may never encounter the organizations that use their products. In most enterprises, they go entirely unexamined. The model works, the outputs look reasonable, and nobody asks what was assumed along the way. Yet these assumptions shape consequential decisions daily, and they may sit squarely at odds with the organization’s own stated values or strategy. At present, only 22% of organizations extend sovereignty oversight to their AI models – the layer where these judgments are actually being formed.
  • The second is the preservation of human decision-making capacity. AI does not only make decisions; it can erode an organization’s ability to make them. Research on cognitive offloading consistently finds that heavy reliance on external tools can weaken cognitive skills; early evidence suggests AI tools are no exception. At the individual level, professionals can lose the expertise and analytical habits that let them tell a sound AI output from a flawed one. At the organizational level, the consequences are more severe: governance frameworks are only as strong as the humans who oversee them, and once those people can no longer independently assess what the AI produces, oversight structures are hollowed out. The organization keeps the appearance of decisional sovereignty while the substance drains away.
  • The third is control over AI’s wider influence on organizational judgment. A system need not make a decision to shape one. An AI-powered employee sentiment dashboard that monitors the workforce and reports to managers decides nothing. Yet in choosing which signals to surface, how to weight them, and how to frame the result, it shapes every decision taken on the basis of the data it generates. The same holds wherever AI mediates between raw information and human judgment, such as in risk scoring, customer analytics, or hiring processes. In each case the system makes decisions by proxy, filtering and framing in ways that invisibly shape how the organization understands its own situation. This is the dimension that is hardest to see, and for that reason the dimension over which it is easiest to lose control.

These three dimensions are not independent. They converge and compound in ways that can be difficult to anticipate. Agentic AI casts this convergence in sharp relief. To deploy AI agents is to bring in digital workers whose allegiance has not been secured: they arrive with assumptions their adopters did not choose, they take over the tasks through which human expertise was once built, and they shape behavior through decisions no one is monitoring for influence. And because some agents revise their own behavior over time, governing them means reckoning not just with what they do now but with what they might become.

Across all three dimensions, decisional sovereignty is ultimately a leadership responsibility, not a technical one: it falls to senior leaders, not the technology function, to own the terms on which AI-shaped judgments are formed.

An organization can be frozen in two different ways and from two different directions.

Adaptive sovereignty

Adaptive sovereignty is the capacity to change course over time – to reassess and revise the organization’s AI posture as models, providers, and the landscape itself shift. If decisional sovereignty concerns the judgments an organization forms now, adaptive sovereignty concerns whether it can form them differently later. The two are distinct: an organization can exercise impeccable judgment about its current systems and yet still find itself frozen when the ground moves beneath it.

An organization can be frozen in two different ways and from two different directions. It can be blinded – left unable to see that a better alternative exists – or made rigid – able to see the alternative but unable to move to it. And each of these limitations can be imposed from outside, by a vendor relationship, or from within, by the organization’s own practices. The result is four distinct failure modes (Figure 1).

Adaptive sovereignty
Figure 1. The four ways an organization loses adaptive sovereignty
Note: Left column: Imposed by the provider. Right column: Self-imposed
Top row: You can't see the option. Bottom row: You can't act on it.

The external failures are the familiar ones. Hard lock-in is the visible kind, and because it is visible it can be audited and planned around. Soft lock-in is subtler and more dangerous. When a single vendor’s framing comes to define what an organization believes AI can do, what good implementation looks like, and which alternatives are worth considering, it has been captured at the level of judgment itself: its choices feel autonomous but are bounded by a worldview it never chose. Essentially, the vendor’s roadmap becomes the client’s strategic horizon.

The internal failures are less frequently discussed but no less paralyzing, because here the organization freezes itself. It can fail to keep learning – never building the capacity to track and judge emerging models and new providers, so that a better option arrives unrecognized. This is a self-imposed cousin of conceptual capture: the same blindness to alternatives, reached not because a vendor’s frame captures the cognitive space but because the organization never thought to look for something different. Or it can fail to rebalance. Knowing the landscape is not the same as being able to act on it; an organization needs deliberately constructed machinery to redirect itself – retiring failing initiatives, scaling promising ones, reweighting as priorities and risks change – rather than letting each adoption turn into a permanent, unreviewed commitment. This is what a repeatable management system provides. Lloyds Banking Group’s GenAI Control Tower is one such model: a cross-functional forum that continuously prioritizes use cases, reallocates resources, and rebalances the portfolio across time horizons and risk – including, when the technology moves, abandoning projects that are already underway in favor of better ones.

Protect the conditions for human judgment.

Where to start

The four dimensions described above define what enterprise sovereignty is. Sustaining it is a matter of practice. Here are four moves that give leaders somewhere to begin.

  • Put sovereignty on the board’s agenda and give it an owner. As long as sovereignty is treated as a technical matter and left distributed across the data, compliance, and IT functions, no one owns it as a whole, and no one is accountable when it slips. Name a single senior owner  whose remit spans all four dimensions and make sovereignty a standing board concern rather than something that surfaces only when a contract or a regulator forces it.
  • Inventory your AI dependencies and test each against three questions. For every system the organization relies on, across data, infrastructure, and models, ask: 1) whether the dependence was consciously chosen or merely drifted into; 2) whether it is actively governed or left to run on its own; and 3) whether the organization could exit it if needed or is effectively locked in. The dependencies that come out badly on any of the three are your starting points for future planning.
  • Implement a standing rhythm for reassessment, with genuine decisional authority. Sovereignty is exercised through enduring practices, not one-off decisions. Good practices include regular interrogation of the assumptions that systems carry, scanning for better alternatives, and rebalancing your portfolio of AI initiatives as conditions change. Institutionalize the practice through a recurring cross-functional body with the authority to retire, switch, and reprioritize, not merely to advise.
  • Protect the conditions for human judgment. Judgment is a capacity, and capacities decay when they go unused. As AI takes over more of the analytical work and single vendors supply more of the conceptual framing, an organization can lose both the expertise to evaluate what its systems produce and the ability to imagine alternatives. Neither loss will appear on any report, so they must be guarded against by design.

Ensuring the long-term sovereignty of your organization

The vendors selling sovereignty are right that data and infrastructure matter, but they are wrong that control of them is enough. An organization can hold its own data, run its own tech stack, and still cede the things that ultimately determine whether it governs its own use of AI – the capacity to judge what its systems are doing and the freedom to change course when needed. Those capacities are built and kept through practice, and they are the responsibility of the people who lead the organization. Sovereignty, in the end, is less about what an enterprise owns than about which decisions it keeps in its own hands.

Authors

Faisal Hoque

Faisal Hoque

Executive Fellow at IMD and founder of SHADOKA and NextChapter

Faisal Hoque is a transformation and innovation leader with over 30 years of experience driving sustainable innovation, growth, and transformation for global organizations, including Mastercard, American Express, GE, PepsiCo, JPMorgan Chase, IBM, Northrop Grumman, the US Department of Defense, and the Department of Homeland Security. He is the founder of SHADOKA and NextChapter, among other companies, and is a three-time winner of Deloitte’s Technology Fast 50 and Fast 500 awards. Hoque is a best-selling and award-winning author of 11 books, including the USA Today and LA Times bestsellers Reimagining Government (2026) and Transcend (2025), a Financial Times book of the month named a “must-read” by the Next Big Idea Club. His 2023 book Reinvent was published in association with IMD and became a #1 Wall Street Journal bestseller. His research and thought leadership have been recognized globally; he also serves as a judge for MIT’s IDEAS Social Innovation Program.

Dr. Paul Scade

Paul Scade

Honorary Fellow at the University of Liverpool and a partner at SHADOKA

Paul Scade is an historian of ideas and an innovation and transformation consultant. His academic work focuses on leadership, psychology, and philosophy, and his research has been published by world-leading presses, including Oxford University Press and Cambridge University Press. As a consultant, Scade works with C-suite executives to help them refine and communicate their ideas, advising on strategy, systems design, and storytelling. He is an Honorary Fellow at the University of Liverpool and a partner at SHADOKA.

Dr-Pranay-Sanklecha

Pranay Sanklecha

Founder of The Philosophy Practice and partner at SHADOKA

Pranay Sanklecha is a philosopher, writer, and management consultant focusing on the intersection of technology, ethics, and practical leadership. Formerly an academic philosopher at the University of Graz, Sanklecha’s research on intergenerational justice includes a book published with Cambridge University Press. He now works with businesses to design and implement philosophy-led frameworks that deliver practical value. He is the founder of The Philosophy Practice and a partner at SHADOKA.    

Related

Learn Brain Circuits

Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
 
Read more 

Explore Leadership

What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
 
Read more

Join Membership

Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
 
Sign up

Log in or register to enjoy the full experience

Explore first person business intelligence from top minds curated for a global executive audience