State of Sovereign AI.
Published methodology.
The full rubric and governance behind the State of Sovereign AI assessment. Published before any organisation is scored — so the audit reads as research, not marketing. Reproducible: anyone can apply this methodology independently.
These are MissionOpsAI's own standards — the test we hold ourselves to first, and the basis on which we offer assessment to others. They are not regulatory or official guidance and do not represent the position of any government, regulator or standards body. The sovereign-AI landscape and the guidance around it are developing; we will update these standards as formal guidance emerges. Nothing here is legal advice; organisations should take their own.
What this is and is not.
Purpose. To establish, on public evidence and a published rubric, how far UK organisations that claim "sovereign" AI status can substantiate that claim — and to report the result so that buyers, the public and the organisations themselves can tell verified sovereignty from asserted sovereignty.
This is: an independent, reproducible assurance assessment against a public standard, on open-source and public-record evidence only.
This is not: an accusation of dishonesty about any organisation; a legal determination; or financial or investment advice. Ratings describe the state of public evidence, not intent. No provider or operator is described as "compromised"; the audit assesses control and jurisdictional exposure, not security breach.
Tone. Sober public-interest authority. Findings are presented factually and without sensationalism. The national-security relevance (§7) is stated plainly because the people procuring and relying on these systems need to be able to answer a small set of hard questions — not to alarm, but to inform.
What "sovereign" means in this audit.
Data physically stored in the UK. Necessary, not sufficient.
Sole UK (or UK-aligned) legal and operational control, free of foreign extraterritorial compulsion (e.g. the US CLOUD Act / FISA reach over US-controlled providers regardless of storage location).
An AI capability whose data, model, compute, operation, governance and ownership are under UK control to a degree that a foreign state or vendor cannot compel access to it, withdraw it, throttle it, or change its behaviour without UK consent.
Sovereignty is a dial, not a gate (Sovereign Capable). Absolute sovereignty is the rare end-state, not the entry price. The achievable standard is Sovereign Capable: governed, auditable AI in which a control layer (the Gate) routes work by sensitivity — frontier models permitted below the Gate for non-sovereign work, while sensitive work and data stay on sovereign substrate, with the ability to cut to UK/EU-jurisdiction or air-gapped capability on demand. The audit measures where an organisation sits on the dial, and credits a governed routing control — not only raw sovereignty. Using a frontier model is not a failure; using it above the Gate or to hold sensitive data is.
Six dimensions, four states, explicit evidence tests.
Each dimension is scored Verified / Partial / Asserted-only / Contradicted against the evidence tests below. Thresholds are fixed in advance. Hosting-dependent dimensions (4.1, 4.3, 4.5) are governed by the cross-cutting jurisdiction test in §4.7.
Independently confirmable that data is processed and stored under sole UK/UK-aligned control, on Tier A infrastructure (or an evidenced Tier B partition), with operator control of the control plane and keys.
UK residency demonstrable, but control plane, keys or operator sit with a foreign-controlled entity (Tier B without full evidence, or Tier C) — residency without sovereignty.
Claims UK data sovereignty with no public evidence of where processing occurs or who controls it.
Public evidence shows processing or egress to a foreign jurisdiction or a Tier C operator inconsistent with the claim.
Weights owned/held by the UK entity (or licensed with sovereign control); provenance disclosed; no runtime dependency on a foreign-controlled model API on the sovereign path.
Disclosed fine-tune of an open-weight base, locally hosted (defensible, but not 'no external base').
'Sovereign LLM / no external base models' with no model card, provenance or reproducible benchmark.
The organisation's own code, documentation or model behaviour shows reliance on a foreign frontier API or an undisclosed external base, against the claim.
Physical compute under UK control: Tier A, or an evidenced Tier B partition, operated by the claiming entity or a UK/EU-controlled operator.
UK-located but Tier C (foreign hyperscaler — residency, not control), or capacity evidenced but operator control unclear.
Claims sovereign compute or a data centre with no evidence the facility exists.
Claimed facility not found / no planning record / vendor denies supply / public hosting resolves to a Tier C operator against a sovereign claim.
Demonstrable offline/air-gap capability and a supply chain that does not break for the sovereign function under foreign cut-off.
Degraded-mode possible, but key dependencies are foreign.
Claims air-gap/offline with no demonstration.
The function demonstrably depends on a foreign online service.
Operator controls updates and configuration; no foreign kill-switch or throttle; an auditable decision/provenance trail; independent assurance held or in progress.
Some control, but updates/behaviour are vendor-controlled; limited audit trail. Tier B hosting is capped here while ultimate ownership sits with a foreign parent.
'Full audit trail / governance by design' with no evidence.
Behaviour is foreign-vendor-controlled with no operator override.
UK-controlled entity (per PSC/UBO records); IP held in UK jurisdiction.
UK entity but foreign ultimate control, or IP held abroad.
'British-owned' with no public confirmation.
Public records show foreign ultimate control inconsistent with the claim.
Control and compulsion, not brand.
Hosting is assessed by control and compulsion — never by brand — and no provider is described as "compromised." For the sovereign workload only, identify the operator and its jurisdiction of ultimate control, then ask: can a foreign state lawfully compel access, and can a foreign vendor withdraw, throttle or alter the service without UK consent?
Self-hosted, UK-operated, or a UK/EU provider not subject to US extraterritorial law (e.g. Hetzner, OVH, Scaleway). Eligible for Verified on Data (4.1) and Compute (4.3). This is MissionOpsAI's own posture — EU-hosted, free of CLOUD Act reach — so the standard is one MissionOpsAI itself meets (see §8 own-scorecard-first).
AWS European Sovereign Cloud, Microsoft Delos, Google S3NS, Oracle EU Sovereign Cloud, and similar. Assessed case-by-case against evidenced separation: a separate local legal entity, UK/EU-resident-only operations, customer-held keys, and independent local governance. May reach Verified on Data (4.1) and Operational (4.4) where controls are real and evidenced. Governance/Legal (4.5) is capped at Partial while ultimate ownership sits with a foreign parent and the compulsion question is legally unresolved. Not a blocklist; not a free pass.
Including a UK region of a US-controlled operator. Residency, not sovereignty. Partial at best for the sovereign workload; Contradicted where the claim was 'no foreign cloud' or 'fully sovereign.'
Anti-autarky guardrail. Sovereignty is freedom from foreign compulsion and cut-off over the layers under the operator's control — not a wholly domestic supply chain. Foreign-origin components common to all (semiconductor fabrication, lithography, etc.) do not by themselves defeat a sovereignty claim. The test is control and compulsion, not self-sufficiency.
Open-source and public-record only.
Sources: the organisation's own estate and code, Companies House (including PSC/UBO), planning and grid records, Certificate Transparency logs, DNS/ASN, vendor statements, published certifications, archived claim history (Wayback Machine).
Capture: every datum is captured (screenshot/record), dated, and stored with a provenance hash in CHRONICLE. No datum is used that cannot be re-shown.
Two-assessor scoring: each organisation is scored independently by two assessors; disagreements are reconciled against the evidence and logged. Inter-assessor agreement is reported as a reliability measure.
No private data; no unauthorised access; no pretexting (Computer Misuse Act 1990). Behavioural model-probing uses only the organisation's own public interface.
The Compulsion Test is the headline instrument.
Sovereignty reduces to one scorable scenario — assume a foreign power compels its AI, cloud and data companies, which it lawfully can, to withdraw services, disclose held data, and act through the companies it controls — and three questions: Continuity (could you still operate?), Exposure (what do they already hold?), and Control (can they direct or acquire you through your owners?). The six dimensions are the evidence base that answers those three questions; the Compulsion Test is the headline they roll up to.
Verified on all core four (Data, Model, Compute, Governance); no Contradicted anywhere.
Mix of Verified/Partial on the core four; no Contradicted on a core dimension.
Predominantly Asserted-only across the core four.
One or more core dimensions Contradicted.
Stated plainly, because a responsible buyer needs to answer them.
The framing is informational, not alarmist. The aim is to make organisations self-reflect, not to name and shame. The report answers these questions in aggregate for the assessed sample, and links them to the UK government's stated position that AI procurement is a national-security matter.
Can a foreign government lawfully compel access to the data this system processes? (Data, Governance, §4.7)
Does the capability depend on a foreign model or API that could be withdrawn, throttled or changed without UK consent? (Model, Operational, Governance)
Is the physical compute under UK control, or foreign-operated? (Compute, §4.7)
Can the system keep running if foreign services are cut off? (Operational)
Is there an independent, auditable record of how the system behaves and who changed it? (Governance)
Who ultimately controls the company, and where is the IP held? (Workforce/IP)
The mosaic effect. Question 1 is not only about single disclosures. Individually trivial exchanges, accumulated by a foreign-controlled provider drawing context continuously, compose an intelligence picture in aggregate before any compulsion occurs. Sovereignty protects the aggregate, not just the individual message — and a governed Gate that withholds the corpus is what limits the mosaic.
The proof, not the prediction. The withdrawal limb is evidenced, not hypothetical: on 12 June 2026 a US export-control directive disabled frontier AI models for all users worldwide — reaching even willing domestic providers with global effect. The structural reason this is the default rather than the edge case: the leading AI developers, through Pentagon frontier-AI contracts, classified-environment supply and enterprise cloud, are embedded with one nation's national-security state. For any organisation outside it, the primary force behind its critical AI substrate is a foreign national-security interest.
The report's authority is the whole asset. It must not read as a sales funnel.
This document and the rubric are published; anyone can re-run the test.
The index/assessor function is walled from any MissionOpsAI consultancy or certification sales motion, under the COMPLY independence policy (24-month bar; disclosure on any assurance output; published independence statement).
MissionOpsAI is scored publicly against this rubric, to full marks, before any other organisation is assessed. The §4.7 Tier A standard is calibrated so this is an honest pass, not a special case.
The register names organisations for outreach and accuracy; the published report never identifies a company.
Each organisation is offered its confidential scorecard and a right of reply before any classification is treated as final.
Public evidence can establish what is shown; it cannot always establish what is true. Absence of evidence is reported as "Asserted-only / unverifiable," never as proof of absence.
Every rating is provisional and retires the moment an organisation produces primary evidence — the audit is an invitation to verify, not a verdict.
Hosting tiers are assessed against a dated configuration and retire when terms or the legal position change.
Zero-hallucination standard: no invented metric, no aspirational capability stated as present; every figure traces to a captured public source.
Folded in the Compulsion Test as the headline instrument; added Sovereign Capable dial-not-gate framing and governed-Gate routing (§2); added mosaic effect, 12 June proof of power and structural driver (§7); added compulsion discipline as governing principle. North Star reframed to 'reachable, rarely crossed.'
Added §4.7 Hosting and jurisdiction test (control-and-compulsion framing; Tier A/B/C; sovereign-path scope; date-stamp; anti-autarky guardrail). Wove tiers into §4.1, §4.3, §4.4, §4.5 (Tier B Governance/Legal capped at Partial while foreign-owned). Reinforced 'no provider described as compromised.'
Initial methodology and rubric.
P0 of OP TOUCHSTONE. The standard is published before the scores. Ratings describe evidence, not intent, and retire when evidence is produced. Control and compulsion, not brand; freedom from foreign reach, not autarky. Drift closed by amendment, not by quiet exception.