On 3 June, the European Union announced its new Technological Sovereignty Package. These long-awaited recommendations are part of a coordinated effort to cut Europe’s dependence on non-EU providers across the entire technology stack. This package of measures is just the latest manifestation of a preoccupation with sovereignty that has become one of the defining features of the digital age. While the early evangelists of digital connectivity emphasized the free movement of data across borders, that commitment is now hedged around with caveats. Nations increasingly seek to protect the data of their citizens and businesses, to regulate its flow and residency, and to limit their economies’ reliance on the regulatory regimes and diplomatic goodwill of third-party states.
These national priorities have encouraged, and increasingly compelled, companies to pursue sovereign cloud strategies and “sovereign by design” principles that align businesses with regulatory policy. But concerns about digital sovereignty also surface for reasons that have nothing to do with the demands of policymakers.
More and more, businesses are treating sovereignty as an internal priority that has nothing to do with regulation at all. Just as governments seek to protect national sovereignty in the digital space, so too are companies increasingly seeking to reduce their dependency on third-party providers whose systems they cannot inspect, question, or easily leave. Sovereignty, in this sense, is something a company wants for itself – not because a regulator requires it, but because the alternative undermines the security of critical operations and erodes the capacity of the business to determine its own course.
In a recent survey of 309 IT leaders in major economies, 98% called digital sovereignty a priority, and more than half said they were already acting on it. That is real engagement with a real problem, and it is moving in the right direction. But most of this engagement is currently taking place on the technical level: digital sovereignty, as the term is generally used, means control over data and infrastructure – where data resides, who runs the servers, which jurisdiction’s law applies – and so it sits with CTOs, CIOs, and the IT function.
That is the right home for much of the work, but the allocation has an unintended consequence. Because sovereignty presents itself as a technical problem, it is rarely recognized as a strategic one – and so it seldom reaches the board as a core element of the company’s overall strategy. While many companies are building the technical foundations they need, the dimensions of sovereignty that are not reducible to an IT workstream go unaddressed, because no one has identified them as the board’s concern in the first place.
Artificial intelligence makes this blind spot all the more dangerous. AI changes what is at stake in every dimension of sovereignty. It deepens the technical danger posed by third-party dependencies while adding new threats. An organization that runs its decisions through a model it cannot inspect or replace is exposed in ways that go far beyond where its data happens to sit. As AI begins to shape not only what a company knows but how it decides, this has the potential to undermine the integrity of operational and strategic judgment itself. Sovereignty over data and infrastructure is a question of controlling data and infrastructure. Sovereignty in an AI-powered business becomes a question of guarding whether and how a company can think for itself, as one of this article’s authors argued in a recent MIT Technology Review report on sovereignty in the age of autonomous systems.
At present, questions of AI sovereignty are rarely raised at the highest levels. A recent Accenture survey found that only 15% of organizations treat sovereign AI as a matter for the CEO or board. Closing that gap means adopting a more comprehensive understanding of what sovereignty is. When it comes to AI, a genuinely sovereign enterprise is not defined by the proportion of its tech stack that it fully owns. Rather, it is the enterprise that maintains the capacity to make, enact, and revise its own choices. That capacity has a technical foundation, but it does not reside there. It resides in the people who can understand, question, and if necessary overrule what their AI systems do. Seen this way, sovereignty stops being a wall an organization builds against an external threat and becomes a set of capacities it builds and exercises from within.
These capacities operate across four dimensions. Two form the foundation: data sovereignty and infrastructure sovereignty, the control over information and systems on which everything else depends. Two more determine what an organization can actually do with that foundation: decisional sovereignty, the capacity to understand, interrogate, and govern the decisions AI systems make and shape; and adaptive sovereignty, the capacity to keep that judgment current as models, providers, and the landscape shift. The first two are the focus of today’s sovereignty conversation. The second two are where its future lies.