AI and Data Sovereignty: Control in Autonomous Systems

When generative AI first moved from research labs into real-world business applications, many enterprises made a tacit bargain: “Capability now, control later.” This meant feeding proprietary data into third-party AI models to gain powerful results, even if it meant data passing through systems not owned by the enterprise, under governance not set by them. This approach is no longer viable as AI agents begin operating autonomously across sensitive systems and data, according to MIT Technology Review AI on May 14, 2026 [1]. The core issue is establishing genuine control over models and data estates, breaking dependence on centralized providers—a priority for 70% of companies, per EDB data cited by Dallas [1].

The distinction between data sovereignty and AI sovereignty is critical for operators. McKinsey clarifies that one can have data sovereignty without sovereign AI [3]. Data sovereignty focuses on keeping sensitive data, critical systems, and regulated workloads under tighter control, even while using international technology suppliers [2]. AI sovereignty, however, extends this to the AI models and algorithms themselves, ensuring operational independence, particularly as AI and autonomous systems become central to critical infrastructure and even national defense [6]. This means organizations require verifiable guarantees that their data, models, and workflows are protected during execution, not merely relying on compliance policies [4].

For operators, this translates into a need for designing AI systems that can simultaneously comply with multiple national data sovereignty regimes, or risk stalling deployment altogether [5]. This is particularly acute for enterprises with strict data sovereignty requirements, which should prioritize architectures allowing for self-hosting to ensure full control over data processing and compliance [7]. Solutions are emerging, such as Fortinet’s expansion of its NVIDIA tie-up, which aims to secure enterprise AI deployments while maintaining performance, controlling costs, and meeting data sovereignty requirements through offerings like FortiAIGate [8]. This partnership directly addresses the accelerating shift toward autonomous AI agents, which creates unprecedented demand for secure, high-performance enterprise computing platforms [8]. The challenge for operators is to integrate these secure, sovereign AI capabilities without sacrificing the performance and scalability offered by cloud-based AI. This often means exploring confidential computing and other privacy-enhancing technologies that can provide execution-time guarantees for data and models [4].

What operators should do

Operators must immediately audit their existing and planned AI deployments to identify data flows and model dependencies that violate emerging AI and data sovereignty requirements, particularly for autonomous agents. Prioritize architectures that support confidential computing or on-premise/hybrid deployments for sensitive workloads, and engage with vendors to demand verifiable execution guarantees for data and models, moving beyond mere contractual compliance. Begin developing internal expertise in privacy-preserving AI techniques and secure multi-party computation to build a resilient, sovereign AI strategy.