



























Jerry Caviston is CEO of Archive360, helping enterprises protect, govern, and unlock the value of their data.

For years, data sovereignty has been treated primarily as a compliance checkbox. That era is over. As AI becomes the primary engine of enterprise value creation, data sovereignty has evolved into something far more consequential: a question of whether your AI strategy is defensible at all.
The shift is happening faster than most executives realize. Gartner projects that by 2027, 35% of countries will rely on region-specific AI platforms, up from just 5% today. Governments are racing to build sovereign AI stacks, with Gartner estimating that competitive nations may need to commit 1% of GDP to AI infrastructure by the end of the decade.
This is not a regulatory footnote. It is a restructuring of the global technology landscape that breaks the assumption that AI can be built once and deployed globally. In practice, this means enterprises must now design AI systems that can comply simultaneously with multiple national data sovereignty regimes, or risk stalling deployment altogether.
The original data sovereignty model was narrow by design: keep classified information within borders to protect national security assets. The rules were clear, the scope was limited and most enterprises could manage it with the right legal counsel and a well-configured data center.
Then, the EU’s General Data Protection Regulation (GDPR) expanded the aperture to include personal data. Governments began designating entire sectors such as energy, financial services, healthcare and critical infrastructure as matters of national interest requiring localized data controls. Then AI fundamentally changed the rules.
Sovereignty is no longer just about where data lives. It now extends to where AI systems run, where models are trained and where inference occurs. It also extends to whether the foundation model an enterprise deployment relies on was built using data that crossed a border it should not have. These are not abstract technical questions; they are questions of whether AI can be used at all.
The regulatory landscape enterprises now navigate is not a single fence to clear, but an expanding maze of overlapping jurisdictional requirements. What was once a manageable compliance exercise of consolidating environments and standardizing controls is no longer viable for companies operating across borders. A financial services firm running AI-driven risk models across the EU, the Gulf and Southeast Asia must comply with multiple regulatory frameworks at the same time, and those frameworks often conflict. Enterprises that assumed they could build once and deploy everywhere are discovering that assumption is expensive to unwind. These overlapping requirements do not affect all parts of AI systems equally.
Inference is the easier problem to solve. With the right architecture, companies can geo-constrain where AI models run and where outputs are generated. Training is a different matter entirely. Most enterprises are not building foundation models from scratch. They are deploying tools built on models trained by third parties, often on data aggregated across jurisdictions before any sovereignty requirements are applied. This creates a provenance problem that cannot be fully resolved after the fact.
Regulators have not yet issued clear guidance on how far upstream sovereignty obligations extend, but the direction of scrutiny is clear. Enterprises relying on externally trained foundation models should be asking hard questions now about what data those models were built on. Regulators will eventually ask the same questions, and "we did not know" is not a defensible answer.
The consequences of getting sovereignty wrong are already showing up in production. Global enterprises entering new markets increasingly face procurement and partnership requirements that include demonstrable data residency and AI governance controls. Without them, deals can slow down or fail during diligence.
Organizations that have spent months deploying AI tools discover that their data pipelines cross jurisdictional boundaries in ways that create unacceptable regulatory exposure. AI initiatives get paused, or worse, quietly shelved. The business case collapses.
At the center of these challenges is not infrastructure, but governance.
The burden of proof to comply with data sovereignty regulations has expanded. Enterprises have to be able to demonstrate where data originated, how it moved, who and what accessed it, where AI inference ran and how AI systems used the data. At its core, this is a provenance problem. That level of provable lineage is not just good hygiene; in an era of sovereign AI requirements, it is table stakes for operating in major markets.
AI programs built on ungoverned or unverifiable data are risky and indefensible. When a regulator, a board member or a prospective partner asks whether AI is operating on data it is authorized to use, in jurisdictions where it is permitted to run, executives need to be able to answer that question with evidence.
Enterprises must treat governance as provable infrastructure rather than assumed policy, which means applying classification and policy controls at the point of data ingestion so governance travels with the data rather than being retrofitted after the fact.
From there, the focus should shift to consolidating data from siloed systems into a unified governance layer that enforces policy consistently across communications, enterprise applications and AI interactions, all while maintaining immutable audit trails that record who accessed what, when and under which policy. Critically, this should extend to AI itself by capturing AI prompts and outputs as governed, auditable records to ensure that when regulators or partners ask how AI is being used, the answer is backed by evidence.
The governance foundation companies build today is not overhead. In a sovereign AI world, the companies that can prove control will be the ones allowed to operate.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.