Sovereignty, Cross-Border Dependence, and Strategic Control
As AI capability becomes more concentrated in a small number of providers, jurisdictions, cloud platforms, and compute ecosystems, leaders face a harder strategic question: not only what can we buy? but also what dependence are we accepting when we buy it? This makes sovereignty a practical leadership issue, not only a geopolitical one.[24], [25], [33], [40], [41]
For many organisations, the question is not whether complete autonomy is possible. It is whether critical dependence is being accepted knowingly, with fallback, bargaining power, and enough control to keep operating when conditions change.
The most useful way to read this chapter is through six questions:
- Why does AI dependence become a sovereignty issue for some organisations and states?
- What risks follow from concentration in models, cloud, chips, and platforms?
- When do data location, jurisdiction, and cross-border transfer become strategic rather than legal details?
- How should leaders distinguish acceptable dependence from dangerous dependence?
- What capabilities improve strategic room to maneuver?
- How should this issue be handled differently by firms, public institutions, and national governments?
1. Why Does AI Dependence Become A Sovereignty Issue For Some Organisations And States?
Not every dependence is a sovereignty problem. Most organisations rely on external technology providers every day. The issue becomes strategic when an AI-dependent function is hard to replace, hard to inspect, hard to relocate, or hard to keep running if the provider, jurisdiction, or cross-border arrangement changes unexpectedly.[24], [25], [41]
The leadership mistake is to treat sovereignty as a political slogan that matters only to governments. In practice, the same underlying question appears across contexts:
- who controls the model, compute, hosting, and update path
- which jurisdiction can shape or interrupt access
- what happens if export controls, sanctions, contract disputes, or policy shifts affect the service
- whether the organisation can move, substitute, or contain the dependence in time
This is why sovereignty is not only about ownership. It is about strategic room to maneuver under pressure.
The first screen is easiest to read through four lenses:
| Lens | What To Ask | Why It Matters |
|---|---|---|
| Concentration | How many providers, cloud paths, or compute sources does this capability depend on? | High concentration weakens bargaining power and resilience |
| Jurisdiction | Which legal and policy environments govern access, transfer, disclosure, and interruption? | Cross-border dependence can change faster than technical design |
| Substitutability | How quickly could we switch provider, hosting model, or operating pattern if forced? | Low substitutability turns convenience into lock-in |
| Strategic consequence | What mission, service, or decision would be impaired if access changed suddenly? | The consequence of dependence should set the governance bar |
2. What Risks Follow From Concentration In Models, Cloud, Chips, And Platforms?
AI dependence is usually layered rather than singular. A team may think it depends on one model provider, when in practice it depends on a model provider, a cloud operator, a specific chip ecosystem, one identity and API layer, and a narrow set of integration tools all at once.[24], [40], [41]
That concentration creates several risks:
- commercial leverage risk: pricing, contract terms, and roadmap priorities are shaped elsewhere
- operational interruption risk: outages, service changes, or regional restrictions affect multiple capabilities at once
- policy and export risk: access to compute, models, or support can be altered by national policy decisions
- visibility risk: organisations often know their direct vendor, but not the full dependency chain underneath
- switching risk: migration looks possible in theory but becomes slow and expensive in practice
The strategic issue is not simply that concentration exists. It is that many organisations discover the depth of concentration only after AI has become embedded in important workflows.
3. When Do Data Location, Jurisdiction, And Cross-Border Transfer Become Strategic Rather Than Legal Details?
Data location and cross-border transfer are often treated as compliance settings. Sometimes they are. But they become strategic when they affect continuity, bargaining power, sector legitimacy, public trust, or the organisation’s ability to explain where sensitive information is processed and governed.[6], [21], [33], [96], [98]
This matters especially when:
- the data concerns citizens, customers, patients, or critical operations
- the use case sits inside public services, regulated sectors, or security-sensitive environments
- the provider’s retention, disclosure, or subprocessor model is opaque
- leaders may later need to move the workload, pause it, or defend it publicly
The right executive question is not only is this transfer legal today? It is does this arrangement preserve enough control if law, policy, supervision, or public expectations tighten tomorrow?
4. How Should Leaders Distinguish Acceptable Dependence From Dangerous Dependence?
Dependence is acceptable when it is visible, bounded, and governable. It becomes dangerous when it is hidden, mission-critical, and hard to reverse.
Leaders should usually tolerate dependence more easily when:
- the use case is non-critical
- the provider can be substituted with manageable disruption
- the organisation has clear contractual, technical, and operational fallback
- the information involved is not highly sensitive
- interruption would slow work but not disable a critical function
Dependence becomes more dangerous when:
- the service underpins critical decisions, public functions, or regulated operations
- the provider controls key updates, model behavior, and infrastructure with little transparency
- the workload is hard to port because of integration, tuning, proprietary tooling, or data gravity
- the organisation cannot operate safely in degraded mode
- leadership has not decided in advance what level of foreign or concentrated dependence is acceptable
Strategic Control View
| Dependence Pattern | Leadership Question | What Good Looks Like |
|---|---|---|
| Convenient externalization | Are we outsourcing undifferentiated capability or core strategic control? | External dependence is bounded and reversible |
| Cross-border processing | Can we explain where critical data and inference activity sit legally and operationally? | Jurisdiction and transfer choices are explicit |
| Concentrated model access | What happens if one provider changes terms, access, or availability? | Fallback and substitution are plausible, not aspirational |
| Mission-critical reliance | Would interruption materially weaken service continuity, safety, or legitimacy? | Dependence matches consequence, and degraded mode is real |
5. What Capabilities Improve Strategic Room To Maneuver?
The aim is not autarky. It is optionality.
Capabilities that improve room to maneuver usually include:
- a clear dependency map across model, cloud, chip, identity, data, and integration layers
- contractual terms that address portability, deletion, exit, and support under disruption
- architectural choices that reduce unnecessary lock-in
- internal capability to evaluate alternatives rather than rely on one vendor narrative
- approved degraded-mode plans when a preferred service is unavailable
- selective local, regional, or sovereign hosting for the most sensitive or mission-critical uses
These capabilities do not eliminate dependence. They make it more legible, more deliberate, and less likely to become strategic surprise.
6. How Should This Issue Be Handled Differently By Firms, Public Institutions, And National Governments?
The same problem appears differently across contexts.
Firms
Most firms should not aim for full sovereignty. They should aim for bounded dependence. The important questions are whether external reliance weakens bargaining power, exposes sensitive workflows, or leaves the firm unable to move when vendor terms or geopolitical conditions change.
Public Institutions
Public institutions should apply a higher bar where legitimacy, continuity, or citizen data are involved. Dependence that would be tolerable in a commercial workflow may be unacceptable when it affects public services, administrative accountability, or politically sensitive systems.[21], [22], [23]
National Governments
At national level, the issue expands beyond procurement. It includes compute capacity, infrastructure resilience, industrial policy, talent, standards influence, and the ability to avoid strategic exposure created by extreme foreign concentration.[24], [25], [41]
Leadership Context
- Large enterprises should identify where AI dependence is becoming embedded in revenue, operations, or high-value internal processes.
- Regulated sectors should treat jurisdiction, residency, and exit capability as strategy questions, not late compliance checks.
- Public institutions should set a stricter tolerance for opaque cross-border dependence in citizen-facing or mission-critical functions.
- National and ecosystem leaders should think in terms of capability stacks: compute, cloud, data, models, skills, standards, and trusted operating partners.
Final Perspective
The important question is not whether dependence can be eliminated. It is whether it is being chosen with open eyes.
After reading this chapter, a leadership team should be more disciplined in four ways:
- treat sovereignty as a control and continuity issue, not only a political idea
- look past the visible vendor to the full concentration and dependency chain
- judge cross-border arrangements by future maneuverability, not only present legality
- build enough optionality that an important AI capability can be slowed, moved, or contained without panic
The practical change is to stop asking only whether a provider is capable and start asking what strategic freedom the organisation gives up when that provider becomes embedded in critical work.
Key Questions for Leaders
- Which AI capabilities are becoming too important to rely on without fallback?
- Where do jurisdiction and data-location choices already constrain our room to maneuver?
- How much concentration risk are we accepting across model, cloud, and compute layers?
- Which uses require local, regional, sovereign, or multi-path control rather than simple external convenience?