Is my AI sovereign? A ten-point self-assessment
Ten binary checks reveal whether the AI you already run is genuinely sovereign, and failing any single one means it is not.
Test your AI against ten checks and it is sovereign only if it passes all ten, because one broken link hands control to someone else.
The question matters more in 2026 because control is now a compliance and continuity concern, not a preference. DORA has been in force across EU financial entities since January 2025, NIS2 covers essential and important entities, and the US CLOUD Act can compel a US-based provider to hand over data regardless of where its servers sit. Meanwhile the EU AI Act timeline shifted: high-risk Annex III obligations once due 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027. Knowing whether your AI is sovereign is now a board-level answer, not a technical footnote.
What are the ten checks to score your AI against?
The ten checks cover weights, inference location, updates, egress, audit trail, kill switch, jurisdiction, governance, key custody and continuity, each scored a pass or fail.
- 1. Weights: pass if you physically hold the model weights; fail if a vendor account holds them.
- 2. Inference location: pass if inference runs on hardware you own; fail if prompts travel to a shared endpoint.
- 3. Update channel: pass if you stage and approve each update; fail if updates arrive silently.
- 4. Egress: pass if nothing leaves without an approved rule; fail if the system phones home by default.
- 5. Audit trail: pass if every action is logged and tamper-evident; fail if logs are editable or vendor-held.
- 6. Kill switch: pass if you can halt it locally and instantly; fail if shutdown needs a vendor console.
- 7. Jurisdiction: pass if no foreign law can reach the data; fail if a foreign statute can compel it.
- 8. Governance: pass if your policy binds the model; fail if the vendor's terms do.
- 9. Key custody: pass if you hold the signing keys; fail if the vendor escrows them.
- 10. Continuity: pass if it keeps running without the vendor; fail if a cancelled contract ends access.
How do the checks map to pass signals, fail signals and a sovereign design?
Each check has a pass condition to meet, a fail signal to catch and a substrate design that satisfies it, shown in the table below.
Mickai, our Sovereign Intelligence Operating System, is built and live and runs offline on operator-owned hardware with every action cryptographically sealed. The final column is kept separate so the checks read on their own merits and the SIOS simply illustrates one way to satisfy each.
| Check | Pass condition | Fail signal | How Mickai satisfies it |
|---|---|---|---|
| Weights | You hold the weights on your hardware | Weights locked in a vendor account | Sovereign weights on operator-owned hardware |
| Inference location | Inference runs on hardware you own | Prompts leave for a shared endpoint | Inference runs fully offline on your hardware |
| Update channel | You stage and approve each update | Silent auto-updates from a vendor | Updates operator-staged and signed before applying |
| Egress | Nothing leaves without an approved rule | Telemetry or prompts phone home | Zero-egress inbound perimeter blocks outbound calls |
| Audit trail | Every action logged and tamper-evident | Logs absent, editable or vendor-held | Post-quantum signed audit ledger seals every action |
| Kill switch | You can halt it instantly and locally | Shutdown depends on a vendor console | Local kill switch stops inference with no external call |
| Jurisdiction | No foreign law can compel the data | A US provider can be served under the CLOUD Act | Data stays on your soil, outside foreign compulsion |
| Governance | Your policy governs the model | Policy fixed by the vendor's terms | Operator-defined policy enforced at the substrate |
| Key custody | You hold the signing keys | The vendor holds or escrows your keys | Keys held by you, bound to hardware-attested identity |
| Continuity | It keeps running if the vendor disappears | A cancelled contract ends access | Runs offline, so continuity needs no vendor |
Where does your AI actually run, and who can reach it?
Your AI runs sovereignly only when inference happens on hardware you own, no prompts leave the perimeter and the system stays verifiable while fully offline.
Inference location and egress are the two checks operators fail most often. A model that runs on someone else's endpoint means your prompts, and the sensitive context inside them, cross a boundary you do not control. Sovereign design keeps inference on operator-owned hardware and wraps it in a zero-egress inbound perimeter: connections come in, nothing calls out unless an operator writes the rule. Because the system is verifiable while fully offline, you can prove what it did without trusting a remote dashboard.
Who controls the weights, updates and keys?
You are sovereign only if you hold the weights, approve updates and custody the signing keys yourself, with identity hardware-attested and bound to the ledger.
Weights, updates and keys decide who really owns the intelligence. If a vendor can change your model overnight or holds the keys that sign your records, the system answers to them. Sovereign custody means the weights sit on your hardware, every update is operator-staged and signed before it applies, and the signing keys never leave your custody. Identity is hardware-attested and bound to the audit chain, so every action traces to an attested actor. The audit ledger is sealed with post-quantum signatures: FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) sign it, while FIPS 203 (ML-KEM) handles key encapsulation and never signs. The substrate carrying these guarantees is protected by 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.
Which jurisdiction and governance actually bind your AI?
Sovereignty holds only when no foreign law compels your data, your own policy governs the model, and kill switch and continuity outlast any vendor.
Jurisdiction is the check that survives every technical control. Servers on home soil do not help if the operator is a US-based provider, because the CLOUD Act reaches the provider, not the rack. Sovereign governance puts your policy, not a vendor's terms, in charge of what the model may do, and it holds even when disconnected. A local kill switch lets you stop inference instantly, and continuity means the system keeps running if the vendor disappears. Cross-model consensus across 50 brains, 25 domain and 25 operational, keeps decisions checkable rather than resting on a single opaque model.
“Sovereignty is not a feature you switch on; it is a chain of custody that either holds end to end or does not.”
Is a public cloud assistant ever the right choice?
Public cloud assistants are the right pick for general productivity, but they cannot be sovereign for your sensitive data because control stays with the provider.
Public cloud assistants earn their place. For drafting, summarising and everyday productivity, services like ChatGPT, Microsoft Copilot and Google Gemini are fast, capable and the sensible default. The line to hold is your most sensitive data: regulated records, classified material and anything that cannot lawfully leave your control. For that tier, a shared endpoint fails several of the ten checks by design, because weights, inference and keys sit with the provider. This is an architecture point, not a criticism of any company. On cost, the honest framing is scaling behaviour: sovereign inference trades a shared per-call meter for capacity you own, so unit economics improve as usage grows rather than rising with every query. We share specifics in briefings, not publicly.
Frequently asked questions
How many checks does my AI need to pass to be sovereign?
All ten. Sovereignty is binary rather than a score out of ten, because a single fail hands some element of control to a party outside your perimeter. Weak weights custody or a silent update channel undoes strong controls everywhere else. Treat any fail as a fail for the whole system.
Can I make a public cloud assistant sovereign with the right settings?
No. Settings can tighten egress and logging, but the weights, inference and keys still sit with the provider, so several checks fail structurally. Those assistants remain excellent for general productivity. For sovereign workloads, the substrate itself has to change.
Does the EU AI Act force sovereign AI by 2 August 2026?
No. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028 and Article 50 transparency largely unchanged. Sovereignty is about control and continuity, which matter regardless of any single deadline.
What signs the audit ledger, and is it quantum-safe?
The ledger is sealed with post-quantum signatures under FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). FIPS 203 (ML-KEM) handles key encapsulation and never signs. That separation keeps the audit trail verifiable even against a future quantum adversary.
Does Mickai publish its prices?
Shared in briefings, not publicly. In writing we describe scaling behaviour and ratios rather than figures, because sovereign deployments vary by hardware, data tier and continuity requirements. A briefing lets us map the ten checks to your environment before discussing commercials.




