Sovereignty Meets AI: A Cybersecurity Bonanza with a Regulatory Kick

If 2025 was the year that pushed sovereign and Artificial Intelligence (AI) to tech superstardom, 2026 is the year when they converge to form the Sov-AI megastar. Perhaps blackhole might be a more appropriate term, as it pulls in and swallows all kinds of security technologies into its conjoined mass. Enabling sovereignty—whether through cloud (a highly focused area for hyperscalers and neoclouds), for data (with strong emphasis for protection during creation and in transit), or through a software stack (notably through security IP)—there is no lack of appetite for either. In fact, the market seems famished for any solution that can concretely qualify these underlying technologies, with demand seemingly working its way down the stack to uncover security solutions that can address these (and preferably both simultaneously). From cloud services to silicon root of trust, market solutions are ripe for the taking; but how much is novel and how much else is just cloaking existing tech with new robes?

Looking at sovereignty, this once nebulous concept is starting to come into focus. One of the key drivers for sovereignty has undoubtedly been regulation and policy, notably from Europe with the General Data Protection Regulation (GDPR), but increasingly also from Asia-Pacific with various national data protection laws coming into force in the last few years. The United States has also upped the ante with its own various policies and regulations, though they remain limited to the federal and sectoral level, underscored by national security concerns rather than fundamental privacy rights. These include Executive Order (EO) 14028, the Federal Risk and Authorization Management (FedRAMP) program, and the National Infrastructure Simulation and Analysis Center (NISAC)/Cybersecurity and Infrastructure Security Agency (CISA) secure-by-design guidance, which individual states are increasingly supplementing (e.g., the California Consumer Privacy Act (CCPA)/ California Privacy Rights Act (CPRA)).

However, the talk of the security world has really been the European Union’s (EU) Cyber Resilience Act (CRA), bringing the concept of sovereignty more sharply into focus. With regulators touting it as the new building block of the EU’s digital sovereignty strategy, it adds to the growing body of legally binding instruments in the security space, such as NIS2, EUCS, DORA and RED, as well as some other new upcoming instruments, such as the EU SEALs (certification levels) within the EU Cloud Sovereignty Framework, which will provide different levels of sovereignty scoring for Requests for Proposal (RFPs). Built on the core concepts of cybersecurity and resilience, the EU is carving out a leadership role in what digital sovereignty should look like.

Clear regulatory frameworks that prescribe and proscribe cybersecurity are a boon for the market, easily commercialized into compliance-enabling products and services. And today, Artificial Intelligence (AI) is being folded into the sovereignty play, adding even more appeal to a waxing tech. AI protection is primarily directed at securing the valuable IP that is the Machine Learning (ML) algorithm. But increasingly, there is concern with protecting the model from misuse and adversarial manipulation that can exploit inherent vulnerabilities (e.g., evasion and poisoning attacks). And there are further concerns with Agentic AI, with agents moving to access data beyond the digital “borders” of an organization; for example, by reaching into an EU branch within a U.S.-headquartered company to access data there.

Underlying these issues is the fact that ML models, and AI in general, are not typically designed with security in mind, though ML attack types have been common knowledge for more than a decade (albeit within a relatively closed circle of niche professionals). Only with the startling success of Generative Artificial Intelligence (Gen AI) in the last 2 years has concern around AI security started to surface. The result has been a concentration of activity on defining (and often repositioning) the security technology that can address these issues.

It is perhaps timely that the sovereignty discussion is at an all-time high; AI development can certainly benefit from this attention. The last 2 to 3 years has seen a spate of standards and regulations emerging to define what AI security should look like: ISO/IEC 42001, U.S. NIST AI RMF 1.0, ISO/IEC 23894, ISO/IEC 27090, ETSI EN 304 223, the EU AI Act (coming into force this year), and the EU Cloud and AI Development Act, currently in discussions, which is expected to clarify sovereignty further. This has provided the beginnings of frameworks that are so appealing to the market—and vendors are responding enthusiastically with solutions that marry both AI and sovereignty through the promise of secure, jurisdiction-controlled AI stacks that span infrastructure, models, and data.

Sovereign AI clouds sit at the top of the pyramid and are the most popular offering to date, with providers promoting any number of sovereign features, including data residency, confidential computing, federated model governance, user controlled keys, in-region hosting, local data control, etc. However, many of those features will be enforced by existing security technologies, stitching together secure software fabric and hardware root of trusts: security IP, trusted execution environments, Virtual Public Cloud (VPC) isolation, secure containerization, hardware security modules, encryption technologies, digital certificates and Public Key Infrastructure (PKI), Bring Your Own Key (BYOK)/Keep Your Own Key (KYOK)/External Key Management System (EKMS), Zero Trust Network Access (ZTNA), Identity and Access Management (IAM), policy controls, etc. Nothing new here really, but an amalgamation of existing tech to effectively enable compliance with these new market demands, and ultimately policy and regulation.

The upshot is that this forces security considerations in architectural and system design, pushing trust as a core tenet of digital infrastructures. Sovereignty, in particular, also opens up the doors to commercialization of other privacy-enhancing technologies such as multi-party computation, homomorphic encryption, differential privacy, zero-knowledge proof, and synthetic data, to name a few. Many have been around for some time, but struggled to find mass-market appeal, in large part due to their complexity and requirements for significant optimization to make them commercially viable. Better hardware was needed, but with the massive boost in hardware developments being driven by AI (and in parallel Post-Quantum Cryptography (PQC)), there is a growing window of opportunity that may finally make these technologies viable. Certainly, much will depend on supply chain resiliency and manufacturing capacity, and while these may be subject to the volatile geopolitical landscape today, resulting shocks are quickly absorbed in the relentless march of technology evolution. Cybersecurity is no exception; it will ride the Sov-AI wave until the end, molding technologies developed over the last few decades to this new trend and adapting to the demands to create a more trusted and secure digital ecosystem, mapping tightly to new regulatory and policy requirements to ensure maximum market appeal.