May 2026

Inside sovereign AI governance: How it works when the frameworks meet reality

Sovereign AI governance fails not at the framework level but in the gap between documented controls and operational reality, where jurisdictional contradictions, supply chain dependencies, and untested incident response processes accumulate risk that compliance paperwork cannot see.

Most organisations treat AI governance as a compliance exercise. They map controls to regulations, produce documentation, and declare themselves governed. This creates a dangerous illusion. The gap between publishing a governance framework and operating one under production conditions is where real risk accumulates, quietly and without triggering any of the checkboxes that were supposed to catch it.

Sovereign AI governance compounds this problem by layering jurisdictional politics, infrastructure dependencies, and geopolitical tension onto an already fragile compliance apparatus. The result is a domain where the organisations that look most governed on paper are often the least prepared for the scenarios that matter.

The compliance theatre problem

Why ticking boxes creates a false sense of control

A systematic review of 13 leading trustworthy AI audit and assurance frameworks found that none simultaneously achieved advanced capability across governance, operations, and audit pillars. The researchers described this as a structural "posture-ready vacancy" in the current state of the art (Trustworthy AI Posture framework, 2025). Existing frameworks cluster into three disconnected groups: process-heavy but execution-weak frameworks, principle-heavy but audit-light policy instruments, and technically continuous but governance-disconnected technical proposals.

This fragmentation explains why compliance exercises feel productive without being protective. Organisations complete risk assessments, draft policies, and stand up committees. The documentation grows. The actual ability to detect, respond to, and learn from governance failures does not grow with it. Operational evidence is rarely systematically linked to governance claims, making demonstration of control adequacy inconsistent and resource-intensive.

The gap between framework design and operational reality

The Unified Control Framework project synthesised 15 risk types and approximately 50 risk scenarios from existing governance literature, then discovered that the "operational" risk type was completely missing from established frameworks. Risk scenarios like "lack of inference data transparency" appeared in none of the existing taxonomies the researchers examined. The final control library contained 42 controls, each mapped to an average of 4.1 risk scenarios, but the authors acknowledged a critical limitation: they could not assess the degree of risk mitigation achieved by implementing any specific control.

This is the governance gap in miniature. Frameworks enumerate what should be controlled. They rarely measure whether those controls reduce the risks they target. The distance between "we have a control for this" and "this control works in production" is where governance fails silently.

What regulators actually look for versus what organisations prepare

Organisations prepare documentation. Regulators increasingly want operational evidence. Under the EU AI Act, signatories must provide unredacted access to their systemic risk management framework and updates to the AI Office within five business days of confirmation. Model documentation must be retained for 10 years after the model is placed on the market, with annual framework reviews required. Non-compliance with prohibited AI practices carries fines of up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher.

The direction is clear: regulators are moving toward continuous, auditable proof of governance rather than periodic self-attestation. Organisations that invest heavily in documentation without building the operational infrastructure to generate this evidence are preparing for the wrong exam.

What sovereign AI governance demands in practice

Jurisdiction as a design constraint, not an afterthought

Sovereignty in AI is not a policy preference. It is an architectural constraint that propagates through every layer of the technology stack. Brookings Institution research characterises AI as a transnational stack with concentrated choke points across minerals, energy, compute hardware, networks, digital infrastructure, data assets, models, applications, and crosscutting enablers of talent and governance. Full-stack AI sovereignty is structurally infeasible for almost any country because of these transnational dependencies.

This means jurisdiction cannot be bolted on after system design. Every decision about where data resides, which models process it, who can access inference logs, and which legal regime governs disputes must be considered during architecture, not during compliance review. Canada's national AI strategy demonstrates this by explicitly distinguishing between what must be sovereign (compute resources for sensitive workloads) and what can be procured commercially (global foundation models). That distinction, made at the strategy level, is precisely the kind of design constraint that governance frameworks need to encode.

Data residency, model provenance, and the supply chain question

The US CLOUD Act of 2018 enables American authorities to access data held by US cloud providers abroad without authorisation or knowledge of the host country. Microsoft told the French Senate it could not guarantee that French citizens' data would not be transmitted to US authorities without explicit French government authorisation. These are not theoretical risks. They are documented capabilities of the legal infrastructure that underpins global cloud computing.

A study of 775 non-US data centre projects found that US companies served as operators for 18% of those projects while accounting for 48% of total data centre investment and 56% of AI investment. Even countries that build nominally "sovereign" facilities often rely on US hyperscalers for operations. AWS announced plans for a €7.8 billion European Sovereign Cloud; France's Bleu cloud de confiance is operated by Capgemini and Orange but built on Microsoft technology. The gap between sovereignty aspiration and operational reality is substantial, and governance frameworks that ignore supply chain provenance are governing a fiction.

Model provenance raises parallel concerns. When an organisation deploys an open-weight model wrapped in a proprietary execution framework, the EU AI Act's rigid legal separation between "provider" and "deployer" breaks down. Research on the AI Act's applicability to agentic systems found that deployers who fundamentally alter agency by wrapping models with execution frameworks fall into a regulatory grey zone with no clear framework for attributing liability.

When "sovereign" clashes with "scalable"

Sovereign AI systems can fragment markets, slow global AI development, reduce economic competitiveness, and become tools for digital authoritarianism without proper governance safeguards. This tension between sovereignty and scale is not resolvable through frameworks alone. It requires explicit strategic choices about which layers of the AI stack a given jurisdiction will control directly, which it will procure under negotiated terms, and which it will accept as dependencies.

India's approach illustrates one resolution: application-led sovereignty through multilingual foundation models, voice systems, and AI-enabled interfaces adapted to local languages and service needs, rather than competing at frontier scale. The EU AI Continent Action Plan commits approximately €200 billion to developing infrastructure, increasing data centre capacity, and supporting local industry through procurement policy. These are different bets, reflecting different risk appetites and industrial strategies. Governance must be designed to support whichever bet an organisation's jurisdiction has placed, not to paper over the tensions between sovereignty and scalability.

The institutional machinery behind governance decisions

Who sits at the table and who gets left out

Deloitte reports that 72% of boards have one or more committees responsible for risk oversight, and more than 80% have one or more risk management experts. Yet governance of AI systems requires a different kind of expertise than governance of financial or operational risk. Boards are advised to recruit AI professionals with operational experience implementing successful AI projects, not just risk management generalists.

The Unified Control Framework was validated through structured interviews with six to seven AI governance practitioners representing diverse roles: data scientists, AI governance consultants, enterprise practitioners, and policy experts. Even in a research context, assembling the right mix of perspectives required deliberate effort. In production governance, the default composition of risk committees tends to over-represent legal and compliance functions while under-representing the engineering staff who understand how models behave, what failure modes look like, and what monitoring is feasible.

How risk appetite shapes policy more than risk assessment does

Risk assessment is the visible machinery of governance. Risk appetite is the invisible force that determines which assessment findings get acted on. Tolerance policies must account for multiple risk sources: financial, operational, safety and wellbeing, business, reputational, and model risks, according to the NIST AI Risk Management Framework. But in practice, organisations rarely make their risk appetite explicit across all these dimensions.

The result is governance that appears comprehensive on paper while systematically ignoring categories of risk that the organisation has implicitly decided to accept. When a model exhibits bias that regulatory guidance flags as high-risk, the response depends less on what the risk assessment says than on how much reputational, legal, or financial exposure the leadership team is willing to tolerate. Making risk appetite explicit and documenting those trade-offs is harder than producing a risk register, which is precisely why most governance frameworks avoid requiring it.

The role of technical staff in non-technical governance bodies

The NIST AI RMF explicitly calls for separating test and evaluation professionals from AI system developers, with independent staff reporting through risk management functions to counter groupthink and ensure course-correction. This structural recommendation addresses a real failure mode: when the people building systems are also the people assessing whether those systems are governed, the assessment becomes self-referential.

Diverse teams with varied experience, disciplines, and backgrounds are better equipped to anticipate AI risks, but require explicit senior leadership commitment. Without that commitment, organisational incentives override diversity benefits, and governance committees default to the perspectives of their most senior (and typically least technical) members.

Where frameworks fracture under pressure

Incident response when the model behaves unexpectedly

AI systems are inherently dynamic and may perform unexpectedly after deployment. The NIST framework treats incident response plans as standard governance practice, not an optional add-on. Yet the Unified Control Framework analysis found that incident response (Control-042) had to be added after initial framework development because it was not captured in the original 41 controls derived from existing governance literature.

Incident reporting timelines under the EU AI Act vary by severity: cybersecurity breaches within 5 days, operational disruptions within 2 days, deaths within 10 days, and serious health or environmental harm within 15 days. These are tight windows that require pre-established processes, clear escalation paths, and technical infrastructure for root cause analysis. Organisations that treat incident response as a section in a policy document rather than a rehearsed operational capability will discover the gap between framework and reality at the worst possible moment.

The challenge intensifies with agentic systems. Research on the EU AI Act's applicability to agentic architectures found that the Act's reliance on "reasonably foreseeable misuse" is structurally flawed because agentic systems dynamically generate novel, unprogrammed execution paths that are inherently unforeseeable by original developers. You cannot write an incident response plan for failure modes that emerge from continuous reason-act-observe loops if your governance model assumes all risks can be enumerated in advance.

Cross-border obligations that contradict each other

A single AI decision can simultaneously violate GDPR, the Digital Services Act, and the AI Act, triggering multiple investigations and enforcement mechanisms with potentially cumulative fines. Research on global AI governance illustrates this with a social media platform whose biased content moderation system could violate all three frameworks at once.

The contradiction problem worsens across borders. The NIST AI RMF identifies a fundamental regulatory tension where AI debiasing techniques that rely on demographic information can conflict with legal prohibitions on intentional discrimination. An organisation operating across the EU, US, and Asia-Pacific faces a patchwork of requirements: China's Personal Information Protection Law requires local data storage, the EU AI Act imposes conformity assessments on high-risk systems, and the US lacks federal AI legislation while individual states adopt divergent approaches. Only five of fifty US states have adopted comprehensive data legislation, leaving California's Consumer Privacy Act as the de facto US data regulation.

Governance frameworks that assume a single jurisdictional context cannot handle these contradictions. Organisations need governance architectures that explicitly model where obligations conflict and define resolution strategies rather than pretending coherence exists.

The procurement trap: vendor lock-in disguised as compliance

Of the eight cloud service providers approved for Canadian government use, seven are American. ThinkOn is the only non-American company on the list. When compliance requirements point toward a small set of approved vendors, procurement decisions made in the name of governance can create dependencies that undermine the sovereignty those decisions were meant to protect.

Current sovereign cloud contracts frequently obscure details about data access, algorithms, and operational control from legislative scrutiny. Microsoft returned $9.7 billion to shareholders through dividends and buybacks in Q2 2025 while simultaneously scaling sovereign cloud infrastructure for governments. The commercial incentives of cloud providers and the governance objectives of their government clients are not naturally aligned, and procurement frameworks that treat vendor certification as equivalent to governance assurance miss this structural tension.

Saudi Arabia's SDAIA National Data Governance Platform illustrates the extreme case: biometric databases connected with predictive policing algorithms, citizen sentiment analysis from social media, all built on sovereign cloud infrastructure that satisfies data residency requirements while enabling surveillance capabilities that many governance frameworks would classify as unacceptable risk.

Building governance that survives contact with production

Continuous assurance over periodic audit

Traditional point-in-time audits cannot scale with the dual expansion of vertically evolving governance complexity and horizontally distributed, agentic AI deployments operating at machine speed. The shift from periodic audit to continuous assurance is not an incremental improvement. It is an architectural change to how governance operates.

Research on runtime compliance monitoring found that inter-judge agreement rates on regulatory compliance ranged from 51.5% to 69.1% across five regulatory criteria when using small language models as automated judges. Question-order bias alone degraded agreement by up to 25 percentage points. Three structural failure modes emerged: truth bias (systematic default to "compliant"), reasoning/output dissociation (correct violation detection paired with false compliance scores), and prompt architecture sensitivity. These findings suggest that automated compliance monitoring, while necessary, introduces its own governance challenges that must be understood and managed.

The EU AI Act's high-risk compliance obligations, originally set to apply from August 2026, were postponed to December 2027 under the AI Act Omnibus. This delay reflects the difficulty of operationalising continuous compliance, not a lack of regulatory ambition.

Embedding governance into engineering workflows

EU AI Act compliance analysis requires gathering compliance information from multiple supply chain components, harmonising that information, and rendering a compliance prediction across all components. Research on automated compliance analysis found that current processes are too complex and time-consuming to enable rapid verification during development. Compliance analysis that happens only at deployment checkpoints misses the engineering decisions made months earlier that determine whether a system can be governed at all.

The practical implication is that governance must be embedded into engineering workflows: into CI/CD pipelines, model registries, data catalogues, and deployment automation. A Policy Abstraction Pattern that decouples regulatory obligations from technical implementations allows the same assurance mechanics to operate across multiple jurisdictions without requiring code-level refactoring. This is governance as infrastructure, not governance as oversight.

Research on translating AI Act requirements into verification activities found that decomposing legal requirements into operational sub-requirements grounded in authoritative standards reduces interpretive uncertainty. Verification activities characterised along two dimensions (type of verification and lifecycle target) create a reusable reference for consistent compliance verification. The key insight is that governance becomes tractable when it is expressed in the same language as the engineering systems it governs.

Red-teaming your own governance model

Governance frameworks contain assumptions about what risks exist, how they manifest, and what controls are adequate. Those assumptions can be wrong. The Unified Control Framework's discovery that operational risk was entirely absent from existing frameworks illustrates how blind spots persist in mature governance literature. If the frameworks themselves have gaps, organisations that implement them faithfully will inherit those gaps without knowing it.

Red-teaming governance means testing whether your controls work under adversarial conditions, not just whether they exist. It means staging scenarios where cross-border obligations contradict each other and observing whether your governance machinery produces a coherent response. It means having technical staff attempt to deploy a non-compliant model through your standard workflow and seeing whether your controls detect it. Governance that has never been tested under stress is governance that has never been tested.
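An added example, not code from the article or from any framework it cites, of the policy abstraction pattern and the seeded non-compliant deployment test described above: obligations live as data, one generic gate evaluates a deployment manifest, and contradictory cross-border obligations are reported instead of hidden. Obligation ids, manifest fields and rule contents are constructed simplifications, not legal text.

```python
"""Deployment gate built on a policy abstraction layer (added illustration).

Obligation ids, manifest fields and rule contents are constructed for this
example. They simplify obligations the article names and are not legal text.
"""
import hashlib
import json
from dataclasses import dataclass
from itertools import combinations
from typing import Callable


@dataclass(frozen=True)
class Obligation:
    oid: str            # hypothetical identifier
    jurisdiction: str   # market in which the obligation is triggered
    key: str            # manifest field the obligation constrains
    allowed: frozenset  # values that satisfy it
    applies: Callable[[dict], bool] = lambda manifest: True


# Obligations are data: a new jurisdiction adds rows here, not code in the gate.
POLICY = [
    # Unclassified systems are treated as high-risk so the gate fails closed.
    Obligation("EU-HIGH-RISK-CONFORMITY", "EU", "conformity_assessment",
               frozenset({"passed"}),
               lambda m: m.get("risk_class", "high") == "high"),
    Obligation("CN-LOCAL-STORAGE", "CN", "data_region", frozenset({"cn"})),
    # Hypothetical organisational rules, not statutory ones.
    Obligation("ORG-EU-RESIDENCY", "EU", "data_region", frozenset({"eu"})),
    Obligation("ORG-OPERATOR-JURISDICTION", "EU", "operator_jurisdiction",
               frozenset({"eu"})),
]


def active_obligations(manifest, policy):
    """Obligations triggered by the markets this deployment targets."""
    markets = set(manifest.get("markets", []))
    return [o for o in policy if o.jurisdiction in markets and o.applies(manifest)]


def find_conflicts(obligations):
    """Pairs that constrain the same field with no value satisfying both."""
    return [(a.oid, b.oid) for a, b in combinations(obligations, 2)
            if a.key == b.key and not (a.allowed & b.allowed)]


def evaluate(manifest, policy=POLICY):
    """Return an evidence record; any violation or conflict blocks the release."""
    active = active_obligations(manifest, policy)
    violations = [o.oid for o in active if manifest.get(o.key) not in o.allowed]
    if not manifest.get("markets"):
        violations.append("MANIFEST-MARKETS-UNDECLARED")
    conflicts = find_conflicts(active)
    digest = hashlib.sha256(
        json.dumps(manifest, sort_keys=True).encode()).hexdigest()
    return {
        "manifest_sha256": digest,   # ties the decision to the exact input
        "checked": [o.oid for o in active],
        "violations": violations,
        "conflicts": conflicts,
        "decision": "reject" if violations or conflicts else "allow",
    }


# Constructed manifests: a clean release, a seeded non-compliant one for the
# red-team exercise, and a cross-border one whose obligations contradict.
CLEAN = {"model": "demo-classifier", "markets": ["EU"], "risk_class": "high",
         "conformity_assessment": "passed", "data_region": "eu",
         "operator_jurisdiction": "eu"}
SEEDED = dict(CLEAN, conformity_assessment="missing", operator_jurisdiction="us")
CROSS_BORDER = dict(CLEAN, markets=["EU", "CN"])

if __name__ == "__main__":
    for name, manifest in [("clean", CLEAN), ("seeded", SEEDED),
                           ("cross-border", CROSS_BORDER)]:
        print(name, json.dumps(evaluate(manifest), indent=2))
```

The cross-border manifest is rejected whichever data region it declares, which is the signal that the conflict needs a resolution strategy such as separate per-jurisdiction deployments and cannot be fixed by changing one setting.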

The geopolitics underneath the technical standards

How trade policy and AI regulation have become inseparable

The US Department of Commerce banned Nvidia from selling A100, A100X, and H100 graphics processing units to customers in China in 2022, explicitly using trade policy to constrain AI capability development. The United States and European Union have each passed major semiconductor bills in response to AI competition with China. Export controls, compute access, and regulatory frameworks are no longer separate policy domains. They are instruments of a single strategic competition.

The Pentagon demanded guardrail-free access to Anthropic's Claude models and threatened to invoke the Defence Production Act or designate the company as a supply chain risk if it refused. Anthropic refused, drawing a hard line against mass domestic surveillance and fully autonomous weapons use cases. This confrontation illustrates a tension that governance frameworks must acknowledge: the same governments that set AI governance standards also have strategic interests that can conflict with those standards.

Competing visions of sovereignty across the EU, US, and Asia-Pacific

The United States hosts approximately 75% of global AI supercomputer performance, with China at 15% and the rest of the world at 10%. Europe invested €47 billion in AI infrastructure while US firms plan at least $650 billion in AI-related capital expenditure in a single year. These numbers define the playing field on which sovereignty discussions occur.

India hosted the February 2026 AI Impact Summit, bringing sovereign AI to the international stage. India's governance approach prioritises equitable access, climate resilience, and inclusive growth rather than frontier model development, reflecting sovereignty concerns that differ fundamentally from those of the US or EU. China's approach uses regulation as a tool of state control: the Internet Information Service Algorithmic Recommendation Management Provisions require companies to promote content following the Communist Party's line while restricting unfavourable content. China had an estimated 626 million facial recognition cameras installed by 2020.

These competing visions mean that "sovereign AI governance" carries radically different meanings depending on who is defining it. Governance frameworks that assume a shared understanding of what sovereignty means, or what it is for, will fail when applied across jurisdictions with incompatible political commitments.

The hidden influence of cloud infrastructure providers

Without interoperable standards, governments import pre-configured intelligence: models trained elsewhere that reflect foreign assumptions about acceptable risk, accountability, and social values. As AI systems evolve from static models into agentic systems capable of autonomous tool invocation and database access, the interfaces governing those interactions become strategic choke points.

Middle-power countries' AI sovereignty depends not on replicating frontier model development but on ensuring systems can be integrated, governed, audited, and replaced on national terms. Open standards preserve optionality by allowing governments to adapt rules over time, switch providers, and layer domestic priorities onto shared technical foundations. The practical recommendation from governance researchers is that governments should form interoperability blocs by aligning technical standards with neighbouring economies to create collective markets large enough to compel global AI providers to comply.

Canada's Directive on Automated Decision-Making offers a concrete model: government departments must conduct Algorithmic Impact Assessments, publish reports publicly, and provide recourse mechanisms for affected citizens. This transparency requirement operates at the governance layer regardless of which cloud infrastructure provider operates underneath. Governance that depends on the goodwill of infrastructure providers is not governance. Governance that can be verified independently of infrastructure providers is.

From framework to operating rhythm

Governance as a living system, not a document

The EU AI Act requires Member States to establish national AI regulatory sandboxes for testing and validation of innovative AI systems under regulatory supervision. Yet sandbox participation is voluntary, and sandboxes may prove unattractive to innovators due to confidentiality concerns, inability to relax legal rules during the sandbox period, and inability to deliver presumption of conformity with the AI Act. Differing approaches taken by individual national sandboxes risk undermining uniform interpretation of the Act, potentially motivating innovators to engage in sandbox arbitrage.

This illustrates a broader principle: governance instruments that do not adapt to how organisations and regulators learn are governance instruments that will be routed around. The five-layer AI governance framework spanning from regulatory mandates through standards, assessment methodologies, certification processes, and operationalisation identified critical gaps including missing standardised assessment procedures and reporting mechanisms. Frameworks are starting points, not endpoints. The organisations that treat governance as a living system, continuously updated based on operational experience, incident data, and regulatory evolution, will be the ones whose governance survives contact with production.

The signals that your governance model is failing silently

Several indicators suggest governance exists on paper but not in practice. Your risk register has not been updated since it was created. Your incident response plan has never been exercised. Your technical staff cannot describe the governance process without consulting documentation. Your compliance controls have never rejected a deployment. Your cross-border data flows have not been re-evaluated since your last regulatory mapping.

The most telling signal is absence. Governance that never generates friction, never delays a release, never surfaces a finding that changes a decision, is governance that is not operational. Real governance creates tension between speed and safety, between capability and compliance. If that tension is invisible, either the governance is not being applied or the risk tolerance is so high that the governance is decorative.

Starting points for organisations at different maturity levels

Organisations beginning their sovereign AI governance journey should start with dependency mapping: cataloguing where their AI stack relies on specific jurisdictions, vendors, and infrastructure providers, and identifying which of those dependencies create governance obligations they are not currently meeting.

Organisations with established governance should invest in operational testing: exercising their incident response processes, stress-testing their cross-border compliance logic, and verifying that their controls produce the evidence regulators will require. The shift from "we have a framework" to "our framework works" is where most governance programmes stall.

Organisations at advanced maturity should focus on continuous assurance infrastructure: embedding governance into engineering pipelines, automating compliance evidence generation, and building the technical capability to demonstrate governance posture in real time rather than through periodic reports. The managed interdependence model, mapping dependencies by layer, prioritising feasible interventions, diversifying suppliers, and embedding interoperability through technical standards, provides a strategic template for governance that acknowledges the reality of transnational AI supply chains while maintaining meaningful sovereign control.


Sovereign AI governance is where technical architecture, regulatory complexity, and geopolitical strategy converge. Getting it right requires more than frameworks and checklists. It demands architectural thinking, operational discipline, and the strategic clarity to distinguish between governance that protects and governance that merely performs. If you are building AI systems that must operate across jurisdictions, withstand regulatory scrutiny, and exploit the full technical potential of what modern AI makes possible rather than settling for the fraction most organisations achieve, get in touch with Agathon.
