Can you build sovereign AI on open models? Sovereign AI vs open-source AI
Open weights are a necessary ingredient of sovereign AI, not the whole; sovereignty also needs owned inference, controlled updates, provable audit and jurisdiction control.
Open weights alone are not sovereign AI, only a necessary ingredient. Sovereignty adds owned inference, a controlled update channel, an audit record and in-jurisdiction operation.
This question matters more in 2026 because regulated buyers face converging obligations. DORA has applied since January 2025, NIS2 covers essential and important entities, and the EU AI Act timeline has shifted: the Digital Omnibus deferred high-risk Annex III obligations, once due 2 August 2026, to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028 and Article 50 transparency largely unchanged. Meanwhile the US CLOUD Act can still compel a US-based provider regardless of where its servers sit. Open weights are often sold as the answer to all of this. They are not.
What do open weights actually give you?
Open weights give you a runnable, inspectable model you can host yourself, fine-tune on your data and study in the open, without vendor lock-in.
The value is real. You can pull the weights, run them on your own machines, tune them on private data and inspect how they behave. That removes the hard dependency on a single cloud vendor and lets an engineering team read and modify what they deploy. For many workloads this is enough. But an open licence describes what you may do with a model, not the guarantees a regulator, an auditor or a board will ask you to demonstrate.
Where do open weights stop short of sovereignty?
Open weights say nothing about who ships updates, whether inference stays on your hardware, whether actions are provably logged, or whether data leaves your jurisdiction.
An open licence is silent on operations. It does not say who signs the next update you install, whether the model can quietly call an external endpoint, whether an incident can be reconstructed months later, or whether a subpoena in another country can reach your deployment. Those are the questions sovereignty answers, and they concern the running system, not the weights sitting on disk:
- Who controls the update channel that ships new weights
- Whether inference runs on hardware you own
- Whether every action is provably recorded
- Whether data can leave your jurisdiction
“Sovereignty is not a property of the weights; it is a property of the system that runs them, updates them and records what they do.”
Sovereign AI vs open-source AI: what is the real difference?
Open-source AI is about the licence and the weights. Sovereign AI is about control of the whole stack: inference, updates, proof, hardware identity and jurisdiction.
| Capability | Delivered by open weights alone | Delivered by sovereign AI |
|---|---|---|
| Run offline | Possible, if you host it yourself | Yes, offline by default on owned hardware |
| Control the update channel | No, you take whatever you download | Yes, gated, signed and operator-approved |
| Prove what the model did | No native audit record | Yes, a post-quantum signed audit ledger |
| Bind to hardware identity | No, weights run anywhere | Yes, hardware-attested identity in the audit chain |
| Meet jurisdiction rules | Partial, depends where you host | Yes, in-jurisdiction with a zero-egress perimeter |
Can you prove what the model did?
Open weights carry no memory of their actions. Sovereign AI seals every action to a post-quantum signed audit ledger that can be reconstructed and checked.
A model on its own keeps no trustworthy record of what it did. Sovereign AI closes that gap by sealing every action to an append-only audit ledger. In our substrate the ledger is signed with post-quantum signatures: FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) sign the entries, while FIPS 203 (ML-KEM) handles key encapsulation and never signs. Each entry is tied to a hardware-attested identity, so an auditor can confirm not only what happened but which physical machine did it, and that the record has not been altered.
Does running open weights keep your data in your jurisdiction?
Not by itself. Where you run open weights is a deployment choice. A US-based provider can be compelled under the CLOUD Act regardless of location.
Location alone is not jurisdiction control. Even self-hosted open weights can leak through an outbound call or a management plane, and a provider incorporated in the United States can be compelled under the CLOUD Act regardless of where its servers sit. Sovereign AI answers this with a zero-egress inbound perimeter and in-jurisdiction operation, so sensitive data has no default path out. This is where the honest line between options sits. Public services such as ChatGPT, Copilot and Gemini are excellent for general productivity and open collaboration, and they are the right choice for most everyday work. The narrower point is that the most sensitive, regulated data should not be routed to any provider that can be compelled offshore. That is a design boundary, not a criticism, and it is why regulated buyers watching DORA, NIS2 and the EU AI Act keep sovereign options on the table.
How does Mickai turn open weights into a sovereign system?
We treat controllable weights as one input, then add owned inference, a gated update channel, a signed audit ledger and hardware-bound identity on operator-owned hardware.
We treat controllable open weights as one ingredient and build the rest of the guarantees around them. Mickai is a Sovereign Intelligence Operating System, a SIOS, and it is built and live: it runs offline on operator-owned hardware with every action cryptographically sealed. Fifty brains, twenty-five domain and twenty-five operational, coordinate the work, and cross-model consensus lets several models check each other rather than trusting one output. The models we run are referenced by sovereign aliases, never by any upstream name. The underpinning architecture is covered by 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.
Frequently asked questions
Can I be sovereign just by self-hosting an open model?
Self-hosting is a start, not sovereignty. You still need a controlled update channel, a signed audit record, hardware-bound identity and in-jurisdiction operation. Without those, you have a private deployment rather than a sovereign system that a regulator or auditor can trust.
Is open-source AI less secure than sovereign AI?
Open source is not less secure by nature, and inspectable weights can be a real security advantage. The difference is control of the surrounding stack: who ships updates, whether actions are recorded, whether data can egress and whether the deployment stays inside your jurisdiction. Sovereign AI closes those gaps.
Can Mickai run fully offline?
Yes. Mickai is a SIOS that runs offline on operator-owned hardware, with a zero-egress inbound perimeter and every action sealed to a post-quantum signed audit ledger. Nothing needs to reach an external cloud for the system to operate.
Do I have to abandon public AI services like ChatGPT or Copilot?
No. Those services are excellent for general productivity and are the right pick for most everyday work. The point is narrower: the most sensitive, regulated workloads should not be routed to a provider that can be compelled offshore, and those belong on a sovereign system.
How does Mickai keep its audit record tamper-evident?
Every action is sealed to an append-only ledger signed with post-quantum signatures, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), while FIPS 203 (ML-KEM) handles key encapsulation. Each entry is tied to a hardware-attested identity, so an auditor can confirm what happened, which machine performed it and that nothing was altered.




