A plain English breakdown.

What is Sovereign AI?

I'm a Sovereign AI Architect. I build private AI systems for UK organisations that handle sensitive data.

This page presents my version of what Sovereign AI is and what it consists of. It isn't the only useful one. It's just the one I work to when I'm building, because it's the version that survives an audit, a regulator question, or something actually going wrong.

One thing to take from this page. Sovereign AI isn't a product you can buy. It's a property of how an AI system is put together, and it has three parts.

  1. Data sovereignty. Where your prompts and answers live, and who can touch them.
  2. Model sovereignty. What the AI was trained on, who owns it, and where it runs.
  3. Operational sovereignty. Who can change the system, audit it, and switch it off.

Most "Sovereign AI" sold today addresses only the first part. This page is about all three, why each one matters, and what falls over when one is missing.

Data sovereignty

This layer drives where your data ends up.

What it means

This is the layer most people already know. Say you send a client's privileged material into a chatbot: the question is straightforward.

Where does that material end up, who has the right to read it, who can copy it, and where do the answers stay when they come back. Residency, access, and retention.

Where it goes wrong

The usual failure is residency. The vendor says "your data stays in the UK", and mostly it does. But under load, during failover, in usage logs sent elsewhere, in support workflows, it leaves. What you signed for and what actually runs aren't the same thing.

A common version: a UK cloud service holds your data in a UK data centre but routes traffic through a global management layer sitting outside the UK. The data lives here. The record of who asked what, and when, does not.

There's a quieter version too. Your AI vendor uses other vendors, who use other vendors, and the chain runs longer than the contract makes clear. The support team handling your data might sit in a country with different data protection law from the one you signed up to, and you don't know they exist until something goes wrong.

Data sovereignty is the conversation cloud buyers have been having for a decade. It's the most familiar of the three layers, and the one most likely to be sold to you as the whole answer.

Model sovereignty

This layer drives where the answer came from, and is part of what makes vendor lock in avoidable.

What it means

This is the layer many people miss.

Model sovereignty is about three things:

  1. 1. what the AI was trained on
  2. 2. who owns it
  3. 3. where it runs

The AI has billions of tuned values inside it that decide how it behaves, so if you don't control them, it can change behaviour without you knowing. If it runs on servers you can't see into, its decisions can't be reproduced. And if you don't know what it learned from, you can't fully account for its answers.

Where it goes wrong

The AI you're calling can change underneath you. Vendors release new versions, retire old ones, or quietly retrain existing ones. A workflow tuned to one version can break without warning, with no one on your end deciding to upgrade.

The quieter problem is what the AI was trained on, and most frontier tools won't tell you. The vendor says "publicly available text" or "licensed datasets and publicly available content" and stops there.

That answer worked when AI was a curiosity. It doesn't now: the New York Times sued OpenAI in late 2023 over copyrighted articles used to train GPT models, and parallel suits followed. "What was your AI trained on" has become a legal question, not an academic one.

Open weights are how most organisations reach this layer in practice. You can see exactly what the AI is, pin a version, and run it somewhere you control.

Operational sovereignty

This layer drives whose rules the assistant follows and what happens when the vendor changes.

What it means

This is the layer most people think about last and need most.

Operational sovereignty is about control: whether you can audit the system, change it, and switch it off on your own terms. If your supplier can update the AI under you without notice, you don't have it. Nor do you if you can't run an audit a regulator would accept, or turn the system off and keep operating.

Where it goes wrong

The pain shows up when you try to leave. On paper it's cheap: the contract usually lets you walk. The technical cost is the one that bites, and it climbs the longer you stay.

The prompts you've tuned, the documents stored in the AI's retrieval system, the test suites you've written against its quirks, none of it moves cleanly to another vendor. Eighteen months in, leaving means rebuilding most of what you built.

There's a second version. AI is a young market, and vendors are acquired, restructured, deprecated, and shut down. Inflection AI was effectively absorbed by Microsoft in March 2024 and its consumer product wound down. Plenty of smaller vendors have shut down or pivoted, and the market will keep doing this for years.

If your AI capability depends on one vendor, it sits on someone else's commercial roadmap. A merger, a pivot, a price change, or a deprecation notice can leave you with a working system today and a problem in eighteen months.

Operational sovereignty is what gives you a continuity plan. Without it, "what do we do if the vendor changes course" has no good answer.

What Sovereign AI isn't

A lot of what gets called "sovereign" in the market is one layer wearing the name of all three. Four common confusions.

Not the same as running AI on your own servers

Putting the AI on hardware you own addresses part of the data and operational layers. It doesn't tell you anything about where the AI came from.

An AI with murky origins running on a server in your basement is still an AI with murky origins. On premise is a choice about where the AI runs. Sovereignty is a property of the whole system.

Not the same as "no data leaves the EU"

Data residency is the data layer, and only the data layer.

A US owned cloud provider offering EU residency may still process the data under instructions that originate from a US parent company. The data doesn't leave. The control does.

Not the same as a "private deployment"

"Private" usually means "your private space inside a shared cloud service", not "your control".

Private deployments often share base AIs, share update cycles, and share trust assumptions with thousands of other customers. Useful for some risk reduction. Not the same as sovereignty.

Not the same as running open source AI wherever you like

Open source AI tools are an important part of getting there, especially for the model layer, because they let you see and pin what you're running.

But running a publicly released AI on someone else's cloud, on someone else's keys, on someone else's update schedule, hands operational sovereignty back at the door. Open source is a means. It isn't the end.

Why the three layers matter together

You can have one or two of the layers without the others. How you set the AI up decides which.

  • Data sovereign, model not sovereign. GPT-4 running in a UK Azure region. Prompts and answers stay in the UK by contract. The AI itself was trained on material the supplier can't fully account for, and could change next quarter. Data layer ticks. Model layer doesn't.
  • Model sovereign, operational not sovereign. Llama 3 with known training history, running on a US cloud you've chosen for cost reasons. You know what's in the AI. You don't control the platform it runs on, the keys that protect it, or the rate at which it gets updated. Model layer ticks. Operational layer doesn't.
  • Data and model sovereign, operational not. An AI you host yourself on UK infrastructure, with a known training history, but operated by a third party who can change the configuration without telling you. You have residency and origin. You haven't got control.
  • All three. Rare today, and the hardest to put together. Almost always involves an open weights model, UK or EU residency, keys held by the customer, contractual change control, documented audit access, and a clear right to switch off.

Most UK organisations can't achieve all three layers for every AI use case, and probably shouldn't try. The point is to know which use cases need which layers, and to design accordingly.

If you only ask about data residency when buying AI, you are asking about one of the three layers. The vendors know which questions are common and write their marketing to answer those. The other layers go unasked and unanswered. That's how organisations end up with a system they have called sovereign that isn't.

Why this matters now

UK regulators are already past data residency. The Information Commissioner's Office has been clear for two years: if you use AI to make decisions about people, you're responsible for understanding what shaped those decisions. Not "what data did you send", but "what shaped the system".

That makes the AI's origin a compliance question, not just a technical one, and asking a supplier where the data lives is no longer enough on its own.

Regulators have moved on auditability too. When one of them, or a client, asks how AI was used on a specific matter, they expect a record from your own systems, enough to reconstruct what the AI was asked, what it answered, and what informed the answer. A vendor's account level usage report is the floor, not the ceiling.

The Data (Use and Access) Act 2025 sits behind both of these. It's the statute the ICO is leaning on for its focus on AI in decision making, and it puts organisations in regulated work under audit and oversight expectations they were already heading for. The Act is in force this year.

Organisations that have already been thinking in three layers are close to where the regulator wants them. The ones that haven't are further away than they expected.

What to take from this

Sovereign AI is not a product. It's a property of how an AI system is put together: three layers, data, model, and operational, each of which can be present or absent on its own. Most current offerings give you one and call it three.

The decisions that determine which layers you actually have get made early, in quiet meetings, often by people who didn't realise they were making them.

If you're working through what AI use means for confidential client work or regulated processing, the next question is whether a private build is actually the right move for your organisation. Sometimes it is. Often it isn't. There's a separate page that walks through how to tell: Is Sovereign AI right for you?

Want to work through this for your organisation?

A Sovereign AI Discovery is a fixed price two week engagement. You get a written report on what's happening with AI inside your business today, where the real exposure sits, whether a private build is the right answer for you, and what to do about it in priority order.

peter@peterbrady.co.uk

Get in touch

Tell me who you are and what your organisation does. If any of this sounds like your situation, that's a good place to start. I'll let you know honestly whether I can help. Even a 30 to 45 minute call often leaves people with a clearer picture of the path forward, whether or not we end up working together.

For context: I work best with programme managers, partners, operations directors, and IT leads in UK law firms, financial services, manufacturing, charities, and non profits. Respectfully, I don't work with recruitment or development agencies.

Email: peter@peterbrady.co.uk

Sovereign AI Architect, Peter Brady

PNB Technologies Limited
55 Yew Tree Road, Ormskirk
Lancashire, L39 1NT, United Kingdom

Company Reg: 07166600
VAT Reg: GB986726850

© 2026 Peter Brady. All rights reserved.

Links

Reference