Skip to content

Sovereignty Moves the Kill Switch. It Doesn't Fill the Referee Chair.

When a government can switch off a frontier model overnight, sovereignty answers who controls access. It does not answer who can independently say the model is trustworthy.

Owning and hosting your own AI model solves availability: no foreign government can switch it off. It does not solve trust. A model running on sovereign ground still cannot independently prove it stayed inside the bounds it was given when it acted, and the independent party who could measure that does not yet exist.

On a Friday evening, a single government directive switched off a frontier AI model for every foreign user in the world. A tool that hundreds of millions of people had been using all week went dark by the weekend. The company complied, disagreed in public, and started working to restore access. The capability had not changed. The access did, by decision, with immediate effect.

Set aside whether the directive was right. Reasonable people are arguing that out, and that argument is not mine to settle. The market's reaction is the interesting part.

The lesson the market took from this was about sovereignty. If one government can reach into a model you depend on and turn it off, then your dependency is a risk you didn't price. The conclusion followed fast and it followed everywhere: build on systems no foreign government can revoke. Run your own weights. Localize the stack. Europe moved in the same direction at the policy level, with a proposal that would push providers of critical workloads toward measures that ensure service continuity and away from foreign trade-control regimes that could cut that service off.

That instinct is correct, and it is also only half the problem.

Sovereignty answers a question about control. Who can switch this off, who can reach the kill switch, whose law governs the artifact. Those are real questions and the answers matter. A model you host yourself, governed by laws you actually live under, cannot be turned off by a directive from somewhere else. You have solved availability. You have made the thing not disappear.

You have not made the thing trustworthy.

Here is the gap that the sovereignty conversation walks right past. A European AI model running in a European data center under European law still cannot independently prove that it stayed inside the bounds it was given. Move the model onto sovereign ground and the harder question moves with it, untouched. When that model approves a transaction, edits a record, or acts on the physical world, who says whether it stayed in bounds at the moment it acted. Not whether the controls exist on paper. Whether they held. And measured by someone who does not also operate the model.

Availability you can engineer. You can relocate weights, sign new contracts, stand up local compute. The trust question does not move with the hardware, because it was never a hardware question. It is a question about who is allowed to keep score, and that seat does not get filled by moving where the model runs.

The case for building your own capacity is sophisticated, well-funded, and increasingly hard to argue with. It is also beside the point the day a model you fully own acts outside its authority and the only thing anyone wants to know is whether it stayed in bounds. Owning the field does not make you the referee. It just means the unanswered question is now running on your own ground.

This is the part worth sitting with. The proposed sovereignty rules would require operators to demonstrate independence from foreign control. Demonstrate to whom. Measured how. By what instrument, held by whom. A requirement to prove a property is not the same as the existence of an independent party who can measure it. The rule creates the demand. It does not supply the referee.

We have watched this shape resolve before, in every market where something started acting at scale and the people closest to it could not be the ones to grade it. Lenders did not get to grade their own borrowers, so a credit score came from someone who did not lend the money. Bond issuers did not get to rate their own bonds, so the rating came from someone who did not issue them. The products that had to be trusted most carried a safety mark from an independent lab, not the maker's own word. Each time, the verdict ended up in the hands of someone structurally separate from both the operator and the rule writer, because that separation was the entire point. The independence was not a feature of the score. The independence was the score.

Autonomy has now reached the same threshold, and it has already left the screen. The agent is also a drone holding a piece of airspace, a vehicle deciding to change lanes, a sensor system deciding what it just detected. Sovereignty over the model does nothing for the question of whether that agent stayed inside its authority at the moment it acted, in a domain where the cost of being wrong is not a deleted database row but a physical event you cannot roll back.

Let's make it concrete. An edge model on a drone is inspecting a power substation, running on local compute, fully sovereign, owned and hosted by the utility. It reads a thermal anomaly and, inside its granted autonomy, reroutes a maintenance crew and flags a breaker for isolation. Maybe it was right. Maybe it misread a reflection and just took a live feeder offline in a heat wave. The model did not disappear, no foreign government touched it, every box on the sovereignty checklist is green. And still nobody outside the utility can say whether the thing stayed inside the authority it was given at the instant it acted. Now run that same gap across a grid, a flight corridor, a water system. Sovereignty kept the model on. It did not put anyone in the chair who could say whether the model behaved.

So the sovereignty package and the kill-switch story are pointing at something real, and then stopping one step short of it. Yes, decide who can switch the model off. Yes, reduce the dependency. But the day a sovereign, locally hosted, fully compliant model acts outside its authority, the only question that will matter is the same one it has always been. Did it stay in bounds, and who is allowed to say so.

Moving the kill switch changes who holds the off button. It leaves the referee chair structurally as empty as it was. Filling that chair is a different kind of work, and it is the work worth naming before the next model goes dark.

I have written elsewhere about why that chair is structurally empty, and why it cannot be filled by any of the operators or coalitions currently asking you to trust them. The short version is that the seat belongs to someone with no stake in the answer and the reach to see the whole field. Sovereignty is necessary. It is not sufficient. The referee still has to exist.

I have been building toward that, on purpose, because the seat was structurally empty long before a model went dark on a Friday night, and it will still be empty on the Monday after the access comes back.

Frequently asked

Does AI sovereignty make a model trustworthy?

No. Sovereignty, owning and hosting your own AI model under your own laws, solves availability: no foreign government can switch the model off. It does not solve trust. A model running on sovereign ground still cannot independently prove that it stayed inside the bounds it was given when it acted. Availability is a control question. Trust is a measurement question, and moving where the model runs does not answer it.

What is the difference between AI model availability and AI model trustworthiness?

Availability is whether the model keeps running and cannot be switched off by someone outside your control. Trustworthiness is whether the model stayed inside its granted authority at the moment it acted, measured by someone who does not also operate it. You can engineer availability by relocating weights and standing up local compute. Trustworthiness cannot be relocated, because it was never a hardware property. It depends on independent measurement, not on where the model is hosted.

Why does building a sovereign or European AI model not solve the governance problem?

Because the hard question moves with the model. A European AI model in a European data center under European law still cannot independently prove it stayed within its authority when it approved a transaction, edited a record, or acted in the physical world. Sovereignty changes who holds the off button. It does not create an independent party who can say whether the model behaved. The referee chair stays empty even after the model is fully owned and locally hosted.

Does the EU Cloud and AI Development Act (CADA) require independent AI trust measurement?

The proposed rules would require operators of critical workloads to demonstrate independence from foreign control. A requirement to prove a property is not the same as the existence of an independent party who can measure it. The proposal creates demand for independent verification. It does not, by itself, supply the independent referee who produces the measurement. The rule creates the demand; it does not supply the referee.

Who should measure whether an AI model stayed within its authority?

Someone with no stake in the answer and the reach to see the whole field. The company that operates the model cannot credibly grade whether its own model behaved, and an industry coalition cannot rank its own members. Independent measurement requires a party structurally separate from both the operators and the rule-writers, the same separation that made a credit score independent of lenders and a product-safety mark independent of manufacturers. The independence is not a feature of the score. The independence is the score.

Why does AI trust matter for critical infrastructure and physical autonomous systems?

Because autonomy has left the screen. An edge AI model on a drone inspecting a power substation, a vehicle changing lanes, or a sensor system classifying what it detected can act outside its authority in a domain where the cost of being wrong is not a deleted database row but a physical event that cannot be rolled back. A fully sovereign, locally hosted model on critical infrastructure can still take a live feeder offline or misjudge airspace, and nobody outside the operator can independently say whether it stayed within its limits at the instant it acted.