Point of View

Sovereign AI: from imperative to contract

This HFS Point of View is for CIOs and chief procurement officers stress-testing sovereign AI claims before they sign or renew vendor contracts.

Introduction

This HFS Point of View is a follow-on to “CPOs, map your sovereignty risk before geopolitics does it for you.” It is the second examination of rising executive anxiety about digital and physical sovereignty in an AI-first world. Is sovereignty a strategic imperative that should shape the transformation of economies and supply chains, or just noise? What do we mean by sovereignty? What evidence is there of a threat? How can the CEO or the board test if enterprise sovereignty is secure?

We will show, with named, dated, attributable events from the last twenty-four months, that sovereign AI has moved from policy debate to procurement clause. We’ll provide a five-test methodology that any chief procurement officer (CPO) can apply at the next contract renewal. It surfaces the one unresolved question that will define the sovereign AI market between now and 2030: who underwrites it.

The headline finding is simple:

Sovereignty is real. Most of what is being sold as sovereignty is theater. The five stress tests in this paper are how the buyer separates them.

Framing: what sovereignty is, and what most of the market is selling instead

Jurisdictional sovereignty

Whose law applies? Data, model weights, and inference workloads reside within a defined legal jurisdiction and are subject exclusively to its laws, courts, and regulators, not to foreign extraterritorial reach such as the CLOUD Act, FISA 702, or China’s National Intelligence Law. At the physical layer, compute, networking, power, and operating personnel sit on national soil, under domestic legal authority.

Operational sovereignty

Operational sovereignty is the ability to keep running when someone tries to switch you off, including resilience against geopolitical shock, sanctions, export controls, vendor withdrawal, kill-switches, and license revocation without catastrophic capability loss. It is tested by substitutability, not by location. At the physical layer, it includes redundancy across the hardware supply chain, multiple chip sources, multiple OEMs, and energy independence.

Strategic stack sovereignty

Strategic stack sovereignty requires end-to-end control of the layers that matter. Those layers run from chips, servers, networking, and power through cloud, foundation models, fine-tuning data, and applications to operators and humans-in-the-loop. A nation or organization is sovereign to the extent that it controls, or has credible substitutes for, the layers it deems strategically critical.

Note: Two further dimensions sit outside this taxonomy: national geopolitical sovereignty, as a tool of state economic strategy, and citizen sovereignty, as algorithmic accountabilities. Both are legitimate, but neither is contractable by an enterprise in the same way the three elements of sovereignty defined here are. This paper deals with the three on which enterprise action is possible today.

The point of the framing is to make a single observation possible, and it is the observation that drives everything else in this paper. Most of what is currently being sold as “sovereign AI” addresses only the first definition. A data center on home soil running US silicon, US software, and US foundation models, operated by a US-owned hyperscaler whose region has been rebranded “sovereign,” satisfies the procurement clause and almost none of the threat model. That is fantasy sovereign AI, but the events of the last 24 months summarized below are real, and they demonstrate that the threat is both real and present:

Anthropic Fable 5 / Mythos 5 suspension (Jun 2026): A US export-control directive ordered Anthropic to bar all foreign nationals from its most capable models. Compliance forced the company to disable Fable 5 and Mythos 5 for every customer worldwide, overnight, with no notice and no contractual recourse. Anthropic disputes the order and is contesting it, and customers lost the capability anyway. This is operational sovereignty failing at the model layer: export controls, a de facto kill-switch, and license revocation in a single event. The point for buyers is sharp: The vendor’s own resistance bought its customers nothing. Sovereignty over a proprietary frontier model is only as durable as its home government’s export policy.

French civil-servant migration (Apr 2026): The French government began migrating 2.5 million civil servants off Microsoft Windows for Linux. Public Accounts minister David Amiel said, “The state can no longer accept that our data, our infrastructure, and our strategic decisions depend on solutions whose rules, pricing and risks we do not control.”

The Dutch lithography on-prem migration (Current): A Dutch chip-equipment manufacturer under sustained attack from state actors is to go fully on-prem. No Microsoft, no Oracle. The company is building an in-house digital twin of its organization on a fully European open-source stack. It is air-gapping its innovation meetings: no phones, no laptops. The company considers its own technology vendors to be a strategic risk, and it is not waiting for contract renewal to act. That is what sovereignty paranoia looks like. The question for everyone selling sovereign AI is not whether clients are being paranoid. The question is how many of their clients are anywhere near this posture, how many should be, and whether the contract clause will flow down the supply chain.

AWS Bahrain (Mar 2026): Workloads pinned to a single region by data-residency rules could not fail over when the region was struck. Residency rules became a resilience trap. Physical sovereignty without operational sovereignty turned into a single point of failure with a sovereignty label on it.

ICC exit from Microsoft (Sep – Oct 2025): When US sanctions targeted the International Criminal Court, Microsoft could not guarantee continuity of service to the Court. No contract clause let either party contest it. Standard force-majeure clauses in commercial alliance contracts do not cover state-actor targeting of named technology firms. That gap exists in almost every contract signed in the last decade.

Microsoft and Dutch civil service (early 2025): Microsoft shared the names, emails, and meeting minutes of Dutch civil servants and regulators implementing the EU Digital Services Act with the US House of Representatives. The CLOUD Act was leveraged to obtain the data to support investigation of EU enforcement of European platform regulation. This is jurisdictional sovereignty failing for EU regulators of US platforms using US-owned software to do their jobs. It is the smoking gun of the sovereign AI debate.

The cascade is now arriving in vendor contracts

The central principle, implicit trust between Western bloc nations since World War II, is now a contractual exposure. It is surfacing for CIOs in sovereignty clauses authored by sovereign buyers in their vendor supply chains. When sovereignty hits the private sector, it is in a contract clause, not a choice.

We will now focus on how a CIO and CPO determine the sovereign resilience in their supply chain.

Five sovereign stress tests

Our first HFS POV on this topic identified four pillars of digital sovereignty: jurisdictional control, operational portability, governance ownership, and infrastructure resilience. The four pillars are now five with the addition of stack interoperability: the ability to quickly swap vendors out, eliminating vendor lock-in as far as possible, is now an essential property of any sovereign stack. Together, these five suggested stress tests form the diagnostic that translates sovereignty from marketing hype into strong procurement, and they are the tests that vendors selling sovereign AI capability must answer.

  • Stress testing jurisdictional control

What is the vendor’s definition of sovereignty and the exact controls they will contractually guarantee across data residency, administrative access, encryption key ownership, and audit rights? If any sit in the gap between marketing and the master services agreement, it is brochure copy, not sovereignty.

Residency is an easy yes: every hyperscaler now has region-bound offerings. Administrative access, key ownership, and audit rights are where vendors hedge. CLOUD Act compulsion makes admin-access guarantees structurally difficult for any US-domiciled provider, which is precisely what the Microsoft / Dutch civil servants case revealed. The vendors most likely to pass this test are operating-partner models such as S3NS in France, where the operating entity is independent of the underlying US-headquartered platform.

  • Stress testing operational portability

Ask the vendor to assume you, the client, will become strategically dependent on their stack, if you are not already. What is the exit plan? How long does it take a regulated client of scale to migrate fine-tuned models, data pipelines, and hardware supply onto a competitor’s stack at operational parity? And what financial penalty will you contractually accept if you obstruct or slow that exit?

Real exit timelines for any non-trivial enterprise workload run from 12 to 36 months at operational parity, gated by GPU supply rather than contract terms. France is currently providing the live empirical answer: the data moves in months; the operational rebuild may take years. The second half of the question, the financial penalty for obstruction, is where the market is genuinely silent. Standard commercial AI and cloud contracts contain liquidated damages favoring the vendor (early termination fees and minimum commitments). They almost never contain vendor-paid penalties for exit obstruction. The EU Data Act gives statutory exit rights; it does not set a remedy quantum. The penalty question is the one to insist on at contract negotiation.

  • Stress testing infrastructure resilience

Your vendor is US-headquartered, it is Monday morning, export controls tightened overnight, cloud access is restricted, and certain chips can no longer ship to Europe. For a European client on their stack, what works on Day One, and what breaks on Day One? Not principles. Components.

This question exposes the gap between contingency frameworks and operational reality. Vendors will reach for resilience language, framework references, and architectural diagrams. The AWS Bahrain example is the cleanest evidence that residency without resilience is theater. The Dutch railway approach, electrifying the network while mothballing rather than scrapping the diesel locomotives, is the metaphor for the right answer. Real sovereignty keeps the fallback alive even when the new capability works. Sovereignty without optionality is brittleness with branding. As of June 2026, this scenario is no longer hypothetical: the Anthropic Fable 5 suspension is exactly this Monday-morning shock, an overnight export-control action, and it struck the model layer, not just chips and cloud.

  • Stress testing governance ownership

Ask vendors for their five-year geopolitical scenario planning in plain English. What do they expect to change in US-EU-China dynamics that may materially affect access to compute, updates, and support? And what investments are they making now to reduce that risk for European customers? If they cannot answer, you do not have a sovereignty strategy; you have a sovereignty brochure.

Accenture’s published research finds that only 15% of organizations have a CEO or board-level owner for sovereign AI. Only 22% apply sovereignty oversight to AI models, and 46% cite compliance as their primary motivation. The governance ownership pillar is entirely missing for most of the market, which is precisely how vendor lock-in dressed as sovereignty propagates: into a buyer-side vacuum.

  • Stress testing stack interoperability

For each layer of the stack, be it chip, server, network, cloud platform, foundation model, fine-tuning, application, or operator, show the substitute. If any layer has no credible substitute today, that layer is the lock-in.

Exhibit 1: Sovereign? Audit your stack

Three-tier framework diagram showing the layers of an AI technology stack, with each layer paired with its sovereignty consideration on the right. The top tier, apps and people, contains three layers: operators and humans-in-loop (human oversight), applications (domain software), and data and embeddings (vendor embeddings). The middle tier, platform and models, contains three layers: fine-tuning and adaptation (proprietary tooling), foundation models (open or proprietary), and cloud platform (operator independence). The bottom tier, physical layer, contains four layers: networking (domestic routing), servers and hardware (multiple OEMs), chips and silicon (CUDA - GPU supply), and energy and power (grid independence). Three layers are highlighted with a yellow border to flag the most acute sovereignty dependencies: data and embeddings, fine-tuning and adaptation, and chips and silicon. Source: HFS Research, 2026


Interoperability is essential. This test surfaces where it breaks down. The four most common single-substitute points in today’s sovereign AI stacks are CUDA (Compute Unified Device Architecture) at the compute layer, proprietary fine-tuning toolchains at the model layer, vendor-specific embeddings at the data layer, and GPU supply concentration across the whole. Open standards are necessary but not sufficient. The test is operational substitutes at parity today, not roadmap commitments.

A data center on home soil is the most visible, marketable, and saleable expression of sovereign AI and the easiest to confuse with the genuine article. Building one provides territorial comfort. It may not deliver operational independence.

Applying the three definitions: A sovereign data center running TSMC NVIDIA silicon on CUDA, hosting a US-headquartered platform, and US-trained foundation models, satisfies jurisdictional sovereignty on paper. It satisfies neither operational sovereignty nor strategic stack sovereignty in practice. It is a sovereign warehouse, not a sovereign capability.

Physical sovereignty is necessary but not sufficient. It controls latency, basic jurisdictional exposure, and some attack surface. It does not control admin access, key ownership, model lineage, or supply continuity. The AWS Bahrain example is the clearest evidence: workloads pinned to a single region by data-residency rules could not fail over when the region was struck. The sovereignty label became the single point of failure.

European independence on paper, debt in operation

In the race for sovereign AI capability, are European nations building strategic independence or strategic debt? Europe commands only 5%–10% of global AI compute capacity against 60%–75% in the US. Billions are now being committed to AI gigafactories and sovereign infrastructure. The strategic question is whether those billions are closing the gap or creating expensive, fragmented capability that still depends on US chip supply chains and hyperscaler operations.

Europe is paying frontier prices for sub-frontier capability in fragmented national programs that will struggle to reach scale, and the underlying European AI growth may not support the spend.

  • If Europe holds only 5%–10% of global AI compute, closing that gap with public money is a generational commitment, not a five-year program.
  • Treating Mistral or Aleph Alpha as frontier-competitive bets is strategic debt; treating them as a negotiating chip and an optionality reserve is strategic intelligence.

The realistic European play is not full-stack parity with the US or China. It is regulatory sovereignty (the AI Act), selective sovereign capability in narrow strategic domains (defense, critical infrastructure, and healthcare), and optionality in foundation models. Anything else is buying optionality at frontier prices and labeling it independence.

Dutch universities illustrate what real European sovereignty looks like at the working level. Higher education institutions across the Netherlands are coordinating to map their digital infrastructure and identify their Big Tech vulnerabilities. Utrecht University has built the assessment tool that others will use. Together, they intend to negotiate better contracts. This is not a gigafactory. It is shared diagnostic capacity, pooled bargaining power, and indigenous tooling.

Accountability by design: Who underwrites the sovereign stack, and who carries it when it fails?

Should the GSI leading a sovereign-stack alliance underwrite the offer?

Who should own the alliance model for sovereign AI delivery: the hyperscaler, the GSI, the hardware vendor, or the national government? With $100 billion expected to flow into sovereign AI compute by 2026, it is important that roles, accountabilities, authority, and underwriting liabilities for all are clear, in particular for the alliance lead.

Our position is straightforward. If the GSI proposes the solution stack, it should underwrite the sovereignty commitment behind it. That divides the roles cleanly:

  • The government owns the outcome specification: which workloads, in which sectors, need which level of sovereignty.
  • The GSI owns integration and accountability, including the principal-contractor role, with end-to-end liability for the assembled stack.
  • Hyperscalers and hardware vendors are substitutable suppliers, not principals.

The structural consequence matters more than the role allocation. Whoever owns the alliance owns the lock-in, so the alliance must be engineered to make exit cheap rather than impossible—a principal contractor carrying the outcome, sitting above a rotatable, exitable supplier panel. Exit-by-design should now govern every sovereign AI alliance contract being written.

S3NS (Thales / Google Cloud, France) shows that the model is working in practice. It is an independent entity established by Thales, certified under SecNumCloud, providing sovereign cloud services to French-regulated entities. The platform runs on hardware S3NS owns and operates, with the hyperscaler’s software licensed on top under terms that let it keep running if the US-side relationship is severed—hyperscaler technology, sovereign operator, contractable separation. A similar arrangement is being stood up in Germany. It is one of the few credible answers to “What works on Day One under shock?” for European regulated clients, and direct evidence that exit-by-design is an achievable contractual construction, not an aspiration.

When physical AI fails, who is accountable?

As AI embeds into critical national infrastructure, including factories, logistics, energy, and healthcare, the partnership structures being built today are not equipped to carry the consequences of failure. Accountability currently defaults to nobody by design. Commercial alliance contracts are explicitly written to limit liability, not absorb it, so when physical AI fails, liability flows down the path of least legal resistance, and that path almost always terminates at the operator at the end of the chain, not the model provider, the chip vendor, or the integrator who assembled the stack.

Aerospace already solves this. Tier-1 and Tier-2 suppliers carry product liability into the airframe; a component maker whose part contributes to a crash is on the hook regardless of who installed it. They do not just deliver components; they carry consequences. No equivalent exists in sovereign AI alliances today, and it needs to.

There is a window to fix this. The EU has pushed its compliance deadline to December 2027 (Annex II to 2028) while it clarifies how organizations must comply. Three commercial structures need to crystallize before then:

  • Outcome-based or risk-shared pricing, where the principal contractor takes a premium and shares the downside if sovereignty fails materially.
  • Force-majeure clauses that explicitly cover state-actor targeting.
  • Liquidated damages for exit obstruction.

Open-source vs proprietary models

The sovereign AI debate is often characterized by a choice between proprietary and open-source models. At HFS, we believe both play a part in a sovereign stack.

  • Open-weight models (Llama, Mistral, DeepSeek, Qwen) give nations inspection and adaptation rights that proprietary models cannot.
  • Open does not mean neutral. DeepSeek is open-weight; it is also Chinese-trained, with Chinese reinforcement learning from human feedback (RLHF) preferences embedded. A nation deploying it inherits both. Open source is a vector of influence, not an escape from one.
  • Proprietary still has legitimate roles in commercial domains where IP, warranty, and frontier capability matter. Mature enterprises will run both, governed by the same provenance and red-teaming framework.

Chinese models like DeepSeek come with Chinese values embedded. DeepSeek does not acknowledge Taiwanese Independence Day; the model returns either an incorrect answer or no answer at all. The weights are open, but the values are baked in. In deploying an open-weight model, you still inherit whatever alignment, RLHF, and training-data choices the upstream provider made, and those choices may be exactly why the model is open in the first place!

Significant open-source programs, like DeepSeek and Qwen, are not corporate altruism. They are a deliberate strategy of national power, building operational dependency on the Chinese model lineage, propagating Chinese alignment choices into national AI deployments, undermining the US commercial barrier around frontier capability, and countering US chip export controls with software the controls cannot reach. The West has been engaged in an ideological debate over open versus closed AI. China is running a geopolitical strategy, and it matters for any organization taking a position on which open-weight foundation models to rely on.

Real sovereignty requires governance over both open and proprietary models:

  • Provenance: Where did this model come from? Who trained it? On what data, and with what RLHF?
  • Red teaming: What does the model do when probed in sensitive domains? What biases, refusals, or alignments has it inherited?
  • Domestic adaptation capability: Can the nation or organization modify what is being deployed?
  • Audit trail across the lifecycle: Who has access? What is being logged? What is being shipped back upstream?

Standing up red-teaming and provenance capability across models in use is sovereignty work, but simply buying a Mistral subscription is not. The same point applies to proprietary models: governance over the contract, including audit rights and substitutability, is what makes proprietary deployment sovereign.

From cost-first to risk-first procurement

Enterprise IT procurement has focused on the mantra of cheaper, faster, and deeper outsourcing of operational layers. Buyers must now optimize for unit cost and, as an additional resilience test, for survivability under sovereign shock.

This shift has immediate procurement implications, reshaping vendor selection and contract structure:

  • Vendor selection criteria are reweighted toward contractable resilience and exit capability, away from price and features.
  • “Sovereign-compliant” claims require evidence. The five stress tests earlier in this POV are the evidence.
  • Multi-cloud is no longer enough; two US hyperscalers do not constitute resilience against a US policy shock. Vendor concentration must include jurisdictional concentration.
  • Open-weight foundation models become the default for sovereignty-sensitive workloads, not because they are cheaper, but because they are auditable and substitutable. They are also a defense against a foreign government’s export order, like the Anthropic Fable 5 suspension.
  • GSI selection favors principal-contractor models with declared underwriting posture.
  • The CPO assumes ownership of sovereignty exposure across all material technology contracts, not just AI.

The Bottom Line: Those that lean into the Sovereignty Gap can define the standard. The organizations that wait will have to comply with it.

The sovereignty dust will not settle in 2026; it will start to harden into contract clauses in the supply chain of sovereign buyers. Organizations that draft the new contracts will define the market’s shape through 2030. The organizations that wait will inherit the terms others write.

The stress tests outlined in this paper constitute the most practical instrument available today for translating the new market reality into contractable terms. The underwriting gap will close through commercial pressure, regulatory finalization under the EU AI Act, or both. Sovereignty in 2026 is decided in procurement, not in principle. So, decide which side of that line you intend to be on, and act before the clauses are written for you.

Net:

  1. Test before you sign. Run all five stress tests on every material contract and treat no claim of sovereignty as proven without evidence of substitutes at parity today.
  2. Underwrite before you sell. If, as a GSI, you propose the stack, carry it, with principal-contractor liability giving exit-by-design and a specific force-majeure clause that names state-actor risk.
  3. Put a board-level owner on sovereignty exposure across every material technology contract, not just AI.
  4. Lead before you are led.

The opportunity is the contract renewal: apply the five tests and write the terms before someone writes them for you.
