Sovereign stress test: how do I know I’m in control of my AI and data?

This is a guest blog post by Jozef de Vries, Chief Product Engineering Officer, EDB.

In 2025, the UK government announced a Sovereign AI Unit with up to £500 million of funding allocated to the cause. The goal: harness AI’s capabilities to unlock economic growth and enhance UK national security. The UK isn’t alone in its realisation that control is strategic. Schleswig-Holstein, a German state, is building an entirely open-source, digitally sovereign ecosystem, explicitly citing security as the key driver.

It’s now clear that control over digital infrastructure has become a significant global priority. To cater to this increasing need, more ‘sovereign’ offerings are cropping up. But are they offering what they claim?

What does ‘true sovereignty’ look like?

To understand why demand for sovereignty is rising and how to properly implement it, first we must define it. True sovereignty as an enterprise is about having choice and control. It means your data isn’t trapped in silos and your workloads can run wherever and however you need—across public clouds, private environments, or the edge. Sovereignty ensures you decide where data resides, how it’s governed, and who can access it. Without that level of control, enterprises risk exposing sensitive data, intellectual property, and model outputs to public large language models. This undermines security, compliance, and the integrity of their AI systems.

Sovereignty also extends beyond where data lives. It’s about who ultimately controls the infrastructure it runs on. Building everything yourself isn’t the only pathway, but relying on providers bound by external jurisdictions can compromise sovereignty.

A clear example is the US CLOUD Act, updated last year, which allows US authorities to request access to data stored on systems owned or operated by US-based companies—even if that data physically resides abroad. This then puts into question the protection of any UK data stored by cloud providers headquartered in the US.

It’s worth noting at this stage that location does play a role in sovereignty, but it’s only one layer in a more complex ecosystem. Enterprises aren’t designing solely for in-region proximity; they’re designing for control. Control depends on far more than where data or computing power physically resides; even within a region, it may not be readily available.

‘True sovereignty’ comes down to knowing what is happening to your systems at all times, who is making changes and why. It depends on whether the architecture reflects the legal, operational, and ethical obligations at the point of use. When enterprises evaluate existing architectural solutions – or explore new ones – and request proof of full control based on these factors, they gain a clearer picture of just how sovereign they truly are.

Just relying on a ‘sovereign’ product label isn’t enough, and I recommend all organisations ensure these investigations are part of procurement mechanisms moving forward.

The AI ROI with sovereignty

Enterprises that move beyond policy statements and make sovereignty a mission-critical design principle are reaping the return of their AI investments.

EDB’s global research found that just 13% of enterprises fall into this category. These leaders are achieving five times greater ROI from their AI and data investments and run twice as many agentic and generative AI use cases. These organisations aren’t just aspirational in their sovereign futures; they are deliberate. They operationalise sovereignty as a non-negotiable for how data, infrastructure, and AI models are built and governed from the start.

The risks of not getting it right

It was recently reported that Police Scotland does not have control of its data, as they are now unable to see where it is being held and processed. The implications of this are huge; the lack of access governance and oversight is hugely problematic for Police Scotland as they hold incredibly sensitive data.

For enterprises, this brings to light a harsh reality: being in control of your data, being sovereign, is essential to scaling safely. In a world with advancing technological systems, customers will want to know that the vendor they are working with is on this journey with them. This mistrust needs to be stamped out.

Many have begun to onboard vendors who promise sovereignty and the gains that come with it, but these organisations are not properly engaging with ‘true’ sovereignty as defined above or assessing whether they are actually getting what they need. This not only creates legal risks (as seen with Police Scotland) but also business repercussions, as the lack of full control hinders these organisations from realising the intended positive effects.

Really, all of this comes down to that one word: control. When assessing new offerings, you need to put forward the key question: Do I have full control of where my data lives and is accessed from, now and forever? If you don’t, the tool isn’t protecting your organisation from the risks associated with external providers getting access, let alone doing what you need to get that sovereignty ROI.