Point of view
Sovereignty washing: when "sovereign AI" isn't
Why a local region isn't sovereignty, the red flags to watch for, and what real control actually requires.
In short
Sovereignty washing is marketing a service as "sovereign" because it runs in a local data centre, while control still sits with a foreign provider, for example a UK region operated by a US company that can be compelled to hand over data under the CLOUD Act. Real sovereignty requires control of the model and data path, not just the location.
The trick: location without control
The sovereignty-washing playbook is simple: point to a local region or "UK data residency" and imply your data is therefore sovereign. But residency is about where data sits, not who controls it. If the operator is subject to foreign law, a local region doesn't stop foreign-government access, and if the model is rented, you don't control the capability either.
Red flags to watch for
- "UK region" as the whole pitch: Location is highlighted while ownership and jurisdiction are left vague.
- Foreign-owned operator: The provider is subject to laws like the US CLOUD Act regardless of where servers sit.
- Rented model: You can't export the weights or run the model independently.
- No air-gap option: If it can't run isolated, your data path still depends on someone else.
What real sovereignty requires
- Model ownership: You hold the weights and IP, not just an API key.
- Controlled data path: Inference runs inside your perimeter with no external dependency.
- True jurisdiction: The provider and deployment are genuinely under your country's law.
What this looks like with Locai
Compliance is easier to evidence when the model, the data, and the logs are all things you actually own, not things a vendor describes in a whitepaper.
Locai Labs believes organisations should own their intelligence. Renting access to a general-purpose model that lives on someone else's servers is fine for low-stakes work; for the AI that touches your data, your customers and your decisions, the model itself should be yours. That is the bet behind everything we build.
It is also a bet that an expert model beats a generalist on the work that actually matters to your business. A smaller model trained on your data, your language, your workflows and your edge cases routinely outperforms much larger generalists on the tasks you care about, and it does so on infrastructure you control. The goal is not the biggest model; the goal is the right model for your business.
And it is deployed sovereignly: an owned model that runs inside your perimeter, on-prem via Locai One, in your private cloud tenant, in a UK sovereign cloud, or fully air-gapped, depending on your residency and security requirements. Your prompts, your documents and your outputs stay inside your environment, under UK jurisdiction, with a data path designed to fit GDPR and the procurement standards regulated organisations are held to.
Frequently asked questions
What is sovereignty washing?
Marketing a service as sovereign based on local data residency while control remains with a foreign provider, so the "sovereignty" is superficial.
Is a UK data centre enough for sovereignty?
No. If the operator is subject to foreign law (e.g. the US CLOUD Act), a UK location doesn't prevent foreign access. Sovereignty needs control, not just location.
How do I spot sovereignty washing?
Look past "UK region" claims: ask who owns the operator, whether you own the model weights, whether it can run air-gapped, and which jurisdiction truly applies.
What is real sovereign AI?
A model you own, running inside your perimeter under your jurisdiction, with a controlled data path, so no third party or foreign government has an access route.
Book a sovereign AI briefing
A 30-minute session on owning your model: deployment options, the data path, and a clear cost range for your use case.