Questioning AI Sovereignty: Control vs Global Collaboration

Margaret Lin··Insights

Start with IBM’s question — what is “AI sovereignty?” — and then look at what’s strategically missing. The headline promises a tidy definition of control; the piece, as framed, gestures at national-interest rhetoric without getting into the economic plumbing that decides who actually wins when governments start planting sovereignty flags on AI.

Sovereignty, in the article’s framing, is almost a settings menu: keep data inside borders, keep models in “trusted” environments, assert national authority over critical systems. That polls well. It also glosses over the messier reality that contemporary AI is built on global supply chains: cloud platforms, chipmakers, open-source ecosystems, and a consulting layer that doesn’t respect borders nearly as cleanly as policymakers would like.

From my decade at Goldman Sachs I learned to pay less attention to what people call a policy and more to who gets paid because of it. If a government insists on data localization or model residency, vendors react the way markets always do: they either re-architect to comply, pass the cost through to customers, or swarm the capital city with lobbyists in expensive suits. The big cloud providers can absorb the engineering burden of local regions, compliance tooling, and sovereign support teams. Smaller clouds and startups generally can’t. Let’s be real: what gets sold as “national control” can easily turn into a subsidy for whichever hyperscaler already dominates the market.

That asymmetry is not a footnote; it’s the operating model. A sovereignty rulebook that treats infrastructure as infinitely fragmentable will reward the handful of firms that can afford to run parallel, jurisdiction-specific stacks and survive the audit carousel. Everyone else either becomes a niche layer on top of those platforms or exits the market. The policy you thought was hedging against dependency on foreign tech can, if written badly, harden that dependency.

The piece also blurs three very different concerns — security, privacy, and strategic independence — under a single sovereignty banner. Those are not interchangeable. Privacy regulation is about how identifiable personal data is collected and used. Security, especially national security, is about who can access which capabilities and under what conditions. Strategic independence is more about resilience: can a country maintain critical functions if a foreign supplier or rival state cuts them off?

Blend these into one “AI sovereignty” doctrine and you get clumsy tools: blanket localization and residency mandates that slow down collaboration, cripple cross-border research, and wrap every deployment in an extra layer of compliance. The firms with the scale to treat this as paperwork win. Everyone else pays with slower iteration cycles and higher costs.

There’s also a basic incentive question that the sovereignty framing often dodges: if governments demand onshore hosting and heavy controls in the name of security, who actually captures the economic upside of all that spending? The taxpayer funds it, sure. The value often accrues to incumbents that now sell premium “sovereign” offerings with fatter margins and stickier contracts. The article nods at trust and control; it’s quieter on who pockets the rent.

Then there’s open source — which the sovereignty conversation tends to treat like an inconvenient relative at a diplomatic summit. Open models are intentionally porous: code, weights, training recipes, and fine-tuning pipelines move freely across borders, GitHub repos, and research labs. Trying to wall that off with localization rules is technically awkward and politically brittle. Clamp down too hard and developers don’t stop; they route around you with containerized models, portable toolchains, and cloud-agnostic deployment patterns that are very difficult to police without collateral damage to legitimate research.

Here’s the paradox: the stricter the sovereignty posture, the stronger the incentive to design AI stacks that are modular, easily redeployable, and hard for any one jurisdiction to pin down. Control pushes people toward architectures that resist control. The math doesn’t lie there either.

Meanwhile, the commercial “solution” to sovereignty is already on offer. Major vendors now pitch national clouds, region-specific data stores, and AI platforms with knobs labeled “residency” and “compliance.” On one level, that’s responsive to legitimate concerns: critical health records, sensitive industrial IP, electoral systems — those really do merit special treatment. On another level, if policy stops at “buy sovereign services from a handful of global platforms,” governments are swapping one dependency (on open global infrastructure) for another (on a narrower set of private gatekeepers).

That’s the piece this sovereignty conversation regularly underplays: dependency risk is not just about geography or jurisdiction; it’s about concentration. You can have your data sitting on domestic soil, wrapped in national-compliance language, and still be one contract renewal away from a painful price hike or from discovering that your “sovereign” stack can’t be easily ported anywhere else. Shifting legal control without broadening the base of technical capability is more rebranding than resilience.

A common defense is that some degree of national control over critical AI is simply non-negotiable. That’s fair when you’re talking about defense systems, critical infrastructure, or genuinely unique national datasets. The trouble starts when the same doctrine is casually extended to every chatbot, analytics pipeline, and experimentation cluster. Then you’re not just trading a bit of efficiency for security; you’re hard-coding drag into the entire innovation cycle.

History has a way of repeating this pattern. Think about how strict telecom or financial-data localization rules played out in some markets: governments did achieve greater formal control, but they also entrenched a few large players, discouraged foreign entrants, and saw local startups build for export markets first because the domestic regulatory friction was too high. AI is likely to follow a similar script unless the policy tools get sharper.

So what would sharper look like? Not a single “sovereignty” switch, but a map. Define which assets truly require strong physical and legal anchors — certain defense systems, a subset of health and identity data, specific critical infrastructure models. For everything else, focus on interoperable standards: common audit frameworks, transparency obligations, incident-reporting norms that allow cross-border cooperation without demanding that every parameter sit on domestic soil. Pair that with industrial policy that builds domestic capability instead of just mandating domestic hosting.

Right now, the sovereignty conversation sounds reassuring because it promises control without pricing the trade-offs. As countries start writing actual procurement specs and data laws under that banner, they’ll discover whether they’ve bought themselves resilience — or just more expensive contracts with the same three vendors they were already using.

Edited and analyzed by the Nextcanvasses Editorial Team | Source: IBM

Disclaimer: The content on this page represents editorial opinion and analysis only. It is not intended as financial, investment, legal, or professional advice. Readers should conduct their own research and consult qualified professionals before making any decisions.

Back to all articles