
Sovereign AI: Definition, Framework, and Maturity Model

June 11, 2026
1. Why this document exists

"Sovereign AI" has become one of the most invoked and least defined terms in technology strategy. Governments cite it to justify multi-billion-dollar compute programs; hyperscalers use it to brand new product lines; enterprises use it to mean "we keep control of our data and models." These are not the same thing, and the gap between them is where most strategy conversations go wrong.

This document does three things: (1) maps how the major players actually define sovereign AI and why those definitions conflict; (2) recommends a single, defensible definition that holds up across both national and organizational contexts; and (3) provides a seven-dimension framework and a five-level maturity model so that "how sovereign are we?" becomes a measurable question instead of a slogan.

The central argument: sovereignty is not a binary and not a single ladder. It is a posture, a deliberate set of choices, dimension by dimension, about where you need control, where dependence is acceptable, and where partnership is more valuable than ownership. The strongest interpretation (build the entire stack yourself) is unaffordable and unnecessary for nearly everyone. The useful question is not "are we sovereign?" but "have we deliberately chosen our dependencies, and can we change them if we have to?"

2. How the major players define it

There is no settled definition. McKinsey states plainly that there is no official definition of sovereign AI or agreement on its building blocks. Stanford's Human-Centered AI Institute describes defining it as "like trying to nail jelly to a wall." What follows is the actual spread of definitions, grouped by who is doing the defining, because the who explains most of the disagreement.

The compute-and-capability view (illustrated by NVIDIA)

NVIDIA, more than any other actor, popularized the term. Its definition is nation-centric and production-focused: sovereign AI is a nation's capability to produce artificial intelligence using its own infrastructure, data, workforce, and business networks, in order to protect local language, values, culture, and history. The operational unit in this view is the "AI factory": accelerated-compute data centers that take in data and output intelligence. This framing is deliberately physical and economic; it maps cleanly onto selling GPUs and full-stack platforms, which is part of why critics treat it as partly a marketing construct.

The controls-and-residency view (the hyperscalers)

AWS, Microsoft, Google, and Oracle largely reframe sovereignty as a set of controls layered onto commercial cloud rather than national self-sufficiency.

  • AWS distinguishes data residency (which standard regions already offer) from operational sovereignty. Its European Sovereign Cloud is physically and logically separated, operated only by EU-resident personnel, with EU-based legal entities, independent IAM/billing, and the explicit goal of placing data and operations beyond the reach of extraterritorial law such as the US CLOUD Act.
  • Microsoft offers a "continuum": Sovereign Public Cloud (residency, customer-managed keys, tamper-evident logs within a boundary like the EU Data Boundary), Sovereign Private Cloud (Azure Local / Foundry Local running large models fully disconnected on customer hardware), and National Partner Clouds operated by a trusted domestic partner. Microsoft frames sovereignty as capabilities built into the platform, not a separate cloud.

The hyperscaler view is honest about a trade-off the national view tends to gloss over: stronger sovereignty controls usually cost capability, scale, and innovation speed.

The "who controls intelligence" view (McKinsey)

McKinsey pushes past infrastructure to the model layer: you can have data sovereignty and still not have sovereign AI, because if a foreign model processes your data, the intelligence is not yours. It defines a seven-layer AI stack, from foundational layers (energy, connectivity) up through data centers, cloud, and the AI applications themselves, and argues sovereign AI is an ecosystem assembled across those layers, approached pragmatically workload by workload rather than as a wholesale migration.

The strategic-autonomy view (Stanford HAI, Tony Blair Institute)

The most analytically rigorous treatments come from policy institutes, and they explicitly reject the binary.

  • Stanford HAI identifies four reasons the term resists definition: it inherits unresolved debates from internet/data/digital-sovereignty arguments; it means different (often incompatible) things to different actors; its meaning changes by layer of the stack; and countries pursue it for different, sometimes conflicting, goals. It distinguishes "hard" sovereignty (a fully domestic stack — costly and infeasible for most) from "soft" sovereignty / strategic autonomy (retaining meaningful control and leverage over dependencies). Its recommendation is strategic interdependence: the capacity to choose and, if necessary, reconfigure your dependencies rather than have them imposed.
  • The Tony Blair Institute offers a "Control, Steer, Depend" (CSD) framework applied across the seven stack layers, and is emphatic that these are not rungs on a ladder — Depend is sometimes the right posture. No state can lead at every layer; the goal is coherence across regulatory, industrial, and diplomatic strategy.

The organizational view (enterprises, system integrators)

For companies, sovereign AI rarely means national independence. It means operational control: deploying on-premise or in a controlled boundary, avoiding vendor lock-in, and retaining ownership of data and models. A common four-pillar industry formulation is data, model, infrastructure, and operational sovereignty - the ability to design, deploy, and operate AI systems on your own terms.

Definitions at a glance

| Source | Core unit of sovereignty | Emphasis | Implicit limitation |
|---|---|---|---|
| NVIDIA | National production capability ("AI factory") | Compute, models, culture/language | Treats sovereignty as buildable infrastructure; downplays cost/feasibility |
| AWS / Microsoft / Oracle | Controls on commercial cloud | Data residency, operational autonomy, jurisdiction | Sovereignty bounded by what a foreign vendor will concede |
| McKinsey | Control over intelligence across a 7-layer stack | Models + ecosystem | Acknowledges no settled definition |
| Stanford HAI | Capacity to choose/reconfigure dependencies | Why × where; strategic interdependence | Resists any single metric |
| Tony Blair Institute | Posture per layer (Control / Steer / Depend) | Coherence, not maximal control | Deliberately non-quantified |
| Enterprise / SI view | Operational control over own systems | Data, model, infra, operations | Organizational, not geopolitical |

3. Competing interpretations — the four fault lines

The definitions above disagree along four predictable axes. Naming them is what lets you cut through the noise.

1. Actor. A nation-state pursuing geopolitical autonomy and a bank pursuing vendor independence are both called "sovereign AI," but they have almost nothing in common operationally. Any usable definition must work at both levels or explicitly state which it addresses.

2. Goal (the why). Stanford HAI identifies four objectives, and they frequently conflict: national security (resilient, secure supply chains), economic competitiveness (capturing AI value domestically, avoiding lock-in), regulatory oversight (enforceable control over how systems behave), and cultural/linguistic autonomy (models that reflect local language and values). A policy that advances one can undermine another — strict data localization can strengthen regulatory authority while stifling innovation and even introducing security vulnerabilities.

3. Stack layer (the where). Sovereignty means something different at each layer. Compute sovereignty alone can mean territorial jurisdiction over a data center, the nationality of the firm that owns it, or the nationality of the chip supplier — three very different things. A country can be strong in data and norms but weak in models (India is a frequently cited case).

4. Strength (hard vs. soft). Full self-sufficiency versus strategic autonomy. Hard sovereignty is politically attractive and structurally exposed at exactly the layers — leading-edge chips and hyperscale compute — where value chains are most concentrated. Soft sovereignty preserves flexibility but can create a false sense of security if the vendor still holds the real leverage.

The practical implication: "control" by itself is not an organizing principle. The same point of control serves different goals. You have to specify why and where before "more sovereign" means anything.

4. Recommended definition

A defensible definition has to (a) work for both states and organizations, (b) avoid collapsing into "build everything," and (c) be measurable. The following meets all three:

Sovereign AI is the durable capacity of an actor — a nation or an organization — to govern the development, deployment, and operation of AI systems according to its own laws, values, and strategic priorities: to control what it deems critical, to deliberately choose its dependencies elsewhere, and to reconfigure those dependencies if circumstances demand it, without losing operational continuity.

Two corollaries make it operational:

  • For a nation: sovereign AI is the ability to produce and govern AI using domestic infrastructure, data, talent, and models to the degree required by national strategic priorities — not uniformly across the whole stack.
  • For an organization: sovereign AI is operational control over the data, models, infrastructure, and operations of its AI systems, such that the organization — not a vendor — holds the decision rights, the keys, and a viable exit.

Why this is the best available definition:

1. It centers governance and reconfigurability, not ownership. Owning a data center you cannot operate without a foreign vendor's software, or a model you cannot retrain, is not sovereignty. The capacity to choose and change dependencies is the property that actually survives a geopolitical or commercial shock — which is what sovereignty is for.

2. It is goal-relative by construction ("according to its own laws, values, and strategic priorities" and "to the degree required"). This absorbs Stanford HAI's why × where insight and the Tony Blair Institute's per-layer posture without pretending one target fits everyone.

3. It explicitly admits dependence. "Deliberately choose its dependencies" makes managed interdependence a feature, not a failure. This is the difference between strategy and slogan.

4. It scales down to the enterprise through the second corollary, so the same framework can assess a country and a regulated bank without equivocation.

5. "Operational continuity" is the falsifiable test. If a provider, a government, or a sanctions regime can switch you off or read your data and you cannot prevent it or recover, you are not sovereign in that dimension — regardless of where the hardware physically sits.

This definition deliberately rejects two common but weak formulations: sovereignty-as-data-residency (residency is necessary but nowhere near sufficient — the intelligence and the operations matter more than the storage location) and sovereignty-as-full-autarky (economically prohibitive and strategically exposed at the chip and hyperscaler layers).


5. The framework: seven dimensions of AI sovereignty

Sovereignty is not one variable. Assess it across seven dimensions, each independently. An actor can sit at a different level in each — and should, based on its priorities.

| # | Dimension | The core question | What "control" covers |
|---|---|---|---|
| 1 | Infrastructure | Can you compute and run AI without permission you can't withdraw? | Chips/GPUs, data centers, energy, networking, cloud control plane |
| 2 | Data | Do you control the data that trains and feeds your AI, and where it lives? | Training corpora, operational data, residency, provenance, usage rights, cross-border flows |
| 3 | Models | Do you own and can you modify the intelligence itself? | Weights ownership, training/fine-tuning capability, inference control, openness, update authority |
| 4 | Governance & operations | Who holds the decision rights, keys, and the exit? | Operational control, vendor lock-in, key management, portability, auditability, exit viability |
| 5 | Talent | Can you build and sustain this with your own people? | Domestic engineering/research workforce, skills pipeline, dependence on foreign experts |
| 6 | Security | Can you keep it confidential and running under attack or coercion? | Encryption & key custody, supply-chain integrity, air-gap capability, incident response, red-teaming |
| 7 | Regulatory control | Whose law governs it, and can you enforce your own? | Legal jurisdiction, extraterritorial exposure, compliance, standards-setting and enforcement authority |

These map onto the established stack analyses (NVIDIA's infrastructure/data/workforce/networks, McKinsey's seven layers, the Tony Blair Institute's per-layer CSD) but separate the dimensions that those frameworks tend to blur — especially governance (decision rights and exit) from infrastructure (physical assets), and regulatory control (whose law applies) from security (technical protection). Those distinctions are where real sovereignty is usually won or lost.

6. The maturity model

Each dimension is scored on the same five-level scale. The scale describes increasing control and reconfigurability, not increasing virtue — Level 5 is not the goal everywhere. A bank may rationally target Level 5 on Data and Governance, Level 3 on Infrastructure, and Level 2 on Models. A nation building a sovereign-AI program may target Level 4 on Models and Talent while accepting Level 3 on chips.

The generic five-level scale
| Level | Name | Posture | Test |
|---|---|---|---|
| L1 | Dependent | Reliance on a foreign/external provider with no meaningful control | Provider could withdraw, change terms, or be compelled by its home government, and you could not prevent it |
| L2 | Resident | Location/residency control, but operation and ownership remain external | Your data/workload sits in-jurisdiction, but a foreign entity still operates it and holds the keys |
| L3 | Controlled | Operational autonomy and access control; can run in isolation if needed | You hold the keys and decision rights; you can operate (and, for some dimensions, disconnect) without external permission |
| L4 | Capable | Domestic/in-house production capability exists | You can build, modify, or replace the component yourself, even if you currently choose to buy it |
| L5 | Self-determining | End-to-end control plus the ability to reconstitute under disruption | You could lose every external dependency in this dimension and maintain operational continuity |


The maturity matrix (dimension × level)
| Dimension | L1 Dependent | L2 Resident | L3 Controlled | L4 Capable | L5 Self-determining |
|---|---|---|---|---|---|
| Infrastructure | All compute on foreign public cloud, no isolation | In-region/in-country data centers, foreign-operated | Dedicated/isolated capacity you operate; air-gap-capable | Domestic data-center and integration capability; can procure/assemble at scale | Domestic compute supply incl. credible chip access; continuity under export controls |
| Data | Data freely flows to external systems; rights unclear | Residency enforced; storage in-jurisdiction | You control access, keys, provenance, and cross-border flows | Domestic high-quality training corpora incl. local language/culture | Full data lifecycle controlled and reproducible; no external dependency for critical data |
| Models | Consume a foreign API; no weights, no visibility | Foreign model hosted in-jurisdiction | Self-host open/licensed weights; control inference; can fine-tune | Train/adapt your own models; own the weights | Frontier-relevant domestic model capability you can sustain and update independently |
| Governance & operations | Vendor controls operations, updates, and the off-switch | In-region operation, but vendor retains admin access | You hold decision rights, keys, audit; a documented, tested exit exists | In-house ability to run/migrate without the vendor | No single external party can degrade or stop operations; provider-agnostic by design |
| Talent | Wholly reliant on external/vendor experts | Local staff for operations, foreign for engineering | Domestic team operates and adapts systems | Domestic engineers build and train models | Self-sustaining research + engineering pipeline; net talent exporter |
| Security | Provider-managed security; provider holds keys | In-region security; shared key custody | Customer-held keys, confidential compute, tested IR; air-gap option | Domestic security tooling and supply-chain assurance | Verified supply chain + sovereign cryptography + operation under active coercion/disconnection |
| Regulatory control | Governed by foreign law; exposed to extraterritorial reach (e.g. CLOUD Act) | In-jurisdiction storage, but foreign legal exposure remains | Contracts + entities place it under your law; extraterritorial reach blocked | Domestic compliance regime and standards applied and enforced | You set and enforce the standards; shape them regionally/internationally |


How to score and use it
  1. Score current state per dimension (L1–L5), with evidence (contracts, key custody, exit tests, supplier nationality, staffing).
  2. Set target state per dimension, derived from your goals (security, economic, regulatory, cultural) and your tolerance for cost and capability loss. Targets will differ by workload — a public chatbot and a defense-adjacent system should not have the same profile.
  3. Manage the gap as a portfolio. Prioritize closing gaps where a dependency is strategically unacceptable (a foreign off-switch on a critical national system) over gaps that are merely suboptimal. Some L2/L3 dependencies are the correct, permanent answer.
  4. Re-test reconfigurability, not just status. The L5 question — "could we lose this dependency and keep running?" — should be exercised, not assumed.
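
The four scoring steps above as a small gap-analysis script. This is an added example, not part of the original document or of any Zero&One tooling. The `unacceptable` and `exercised` fields, the rule that any claim at L3 or above needs an exercised test, and the bank profile are constructed assumptions.

```python
"""Gap analysis over the seven dimensions and five levels of the maturity model."""
from dataclasses import dataclass, field

DIMENSIONS = ("Infrastructure", "Data", "Models", "Governance & operations",
              "Talent", "Security", "Regulatory control")
LEVELS = {1: "Dependent", 2: "Resident", 3: "Controlled",
          4: "Capable", 5: "Self-determining"}


@dataclass
class Score:
    current: int                 # step 1: level held today (1-5)
    target: int                  # step 2: level chosen for this workload (1-5)
    evidence: list = field(default_factory=list)  # contracts, key custody, exit tests
    unacceptable: bool = False   # step 3 (assumed flag): gap is strategically unacceptable
    exercised: bool = False      # step 4 (assumed flag): claim was tested, not assumed


def assess(profile):
    """Return (findings, gaps); gaps are ranked unacceptable-first, then by size."""
    missing = [d for d in DIMENSIONS if d not in profile]
    if missing:
        raise ValueError(f"unscored dimensions: {missing}")
    findings, gaps = [], []
    for dim in DIMENSIONS:
        s = profile[dim]
        for lvl in (s.current, s.target):
            if lvl not in LEVELS:
                raise ValueError(f"{dim}: level {lvl!r} is not L1-L5")
        if not s.evidence:
            findings.append(f"{dim}: L{s.current} claimed without evidence")
        # Assumption: L3 and above assert something you can do without the
        # provider, so the claim only counts once it has been exercised.
        if s.current >= 3 and not s.exercised:
            findings.append(
                f"{dim}: L{s.current} ({LEVELS[s.current]}) assumed, not exercised")
        gap = s.target - s.current
        if gap > 0:  # current above target is a deliberate choice, not a gap
            gaps.append((dim, gap, s.unacceptable))
    gaps.sort(key=lambda g: (not g[2], -g[1]))
    return findings, gaps


# Constructed sample: one workload at a regulated bank.
BANK = {
    "Infrastructure": Score(2, 3, ["sovereign-region contract"]),
    "Data": Score(3, 5, ["key custody record"], unacceptable=True, exercised=True),
    "Models": Score(1, 3, ["model API terms"]),
    "Governance & operations": Score(2, 5, [], unacceptable=True),
    "Talent": Score(2, 2, ["staffing plan"]),
    "Security": Score(3, 3, ["key custody record"]),
    "Regulatory control": Score(2, 3, ["legal entity review"]),
}

if __name__ == "__main__":
    findings, gaps = assess(BANK)
    for f in findings:
        print("FINDING", f)
    for dim, gap, unacceptable in gaps:
        tag = "UNACCEPTABLE" if unacceptable else "suboptimal"
        print(f"GAP +{gap} {dim} [{tag}]")
```

Run it once per workload; a public chatbot and a defense-adjacent system get separate profiles and separate rankings.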

7. The framework applied to real programs

Indicative profiles (illustrative, not audited scores) showing how different actors deliberately distribute their sovereignty rather than maximizing every dimension.

United Arab Emirates (G42 / TII Falcon / Stargate UAE / MGX).

Strong push on Infrastructure (Stargate UAE's multi-gigawatt G42–OpenAI–NVIDIA–Oracle campus; Khazna; Cerebras systems) and Models (TII's open-weight Falcon line, including Arabic-first variants, now a regional default base model). Talent anchored by MBZUAI. The deliberate trade-off: deep partnership with US frontier labs and chip suppliers — high capability, accepted dependence at the chip and frontier-model layers in exchange for speed and scale. A capability-and-influence posture rather than autarky.

Saudi Arabia (HUMAIN / PIF).

Capital-led infrastructure build (HUMAIN targeting ~1.9 GW by 2030, scaling further; partnerships with NVIDIA, Qualcomm, AWS). Low energy cost is a genuine structural advantage. Strategy resembles the UAE's: buy frontier capability and chips, own the infrastructure and the national platform, build talent and models over time.

European Union / France (Mistral, gigafactories, AWS European Sovereign Cloud, Bleu, Delos).

The strongest play on Regulatory control (EU AI Act, GDPR, EU Data Boundary) and a deliberate Models bet (Mistral's open-weight, EU-domiciled posture). The Chips Act 2.0 and five planned AI gigafactories target Infrastructure capability. The acknowledged weakness is scale and capital — European private AI investment is a fraction of the US's — and continued dependence at the leading-edge chip layer. A rules-and-autonomy posture.

India (IndiaAI Mission, Sarvam, BharatGen, Bhashini).

Footholds in Data, compute, and norms with weaker model autonomy; emphasis on multilingual public-interest models and digital public infrastructure as the substrate. A pragmatic foothold-and-integrate posture, coupling data and compute investment with safeguarded procurement.

A regulated enterprise (e.g. a Gulf or EU bank).

Typically targets L4–L5 on Data and Governance (keys, residency, exit, audit), L3 on Security (customer-held keys, confidential compute, air-gap option), L2–L3 on Models (self-hosted open weights or a sovereign-cloud-hosted model, selective fine-tuning), and L2–L3 on Infrastructure (sovereign cloud region or dedicated capacity). It rationally stays L1–L2 on chip-level Infrastructure and on frontier-model production — owning those would destroy more value than it protects.

The pattern across all five: nobody pursues L5 everywhere, and the smart ones say so explicitly.

8. Recommended structure (summary)

For anyone adopting this, the usable artifact is three linked pieces:

  1. One definition (Section 4) — governance- and reconfigurability-centered, goal-relative, applicable to states and organizations, with operational continuity as the falsifiable test.
  2. Seven dimensions (Section 5) — infrastructure, data, models, governance & operations, talent, security, regulatory control — assessed independently.
  3. A five-level scale (Section 6) — Dependent → Resident → Controlled → Capable → Self-determining — applied per dimension, scored current-vs-target, and managed as a portfolio of deliberate choices rather than a single climb.

The one-line version to anchor any strategy conversation: decide where you need control, choose your dependencies deliberately everywhere else, and make sure you could change them if you had to.

Principal sources

NVIDIA ("What Is Sovereign AI?"); AWS (European Sovereign Cloud / European Digital Sovereignty FAQ); Microsoft (Sovereign Cloud, Azure Learn — AI workloads and sovereignty); McKinsey ("What is sovereign AI?"); Stanford HAI ("AI Sovereignty's Definitional Dilemma," Feb 2026); Tony Blair Institute ("Sovereignty in the Age of AI," 2026); TechPolicy.Press ("Rethinking Sovereign AI as Strategy," 2026); arXiv 2511.15734 (four-pillar planner's model); Middle East Institute, Tactical Report, and trade reporting on G42 / HUMAIN / Stargate UAE / Falcon / MGX; reporting on Mistral, EU AI gigafactories, the Chips Act 2.0, and the IndiaAI Mission / Sarvam / BharatGen. Figures and program details current as of mid-2026 and move quickly; verify before external use.

About Zero&One

Zero&One is a leading Premier AWS Consulting Partner in the MENA region with a vision to empower businesses of all scales in their cloud adoption journey. We specialize in AWS services like DevOps, application modernization, cloud migration and serverless computing. We currently operate from our offices in Lebanon, the UAE, and Saudi Arabia, hold 100+ certifications, and serve 50+ happy customers across the region.
