Sovereignty not included

The Friday-night switch

Every few months an incident makes it briefly visible: a model switched off by a government, a guardrail caught quietly steering its users, a tool harvesting what it was shown. The Anthropic Fable shutdown was the latest and loudest - and, like the others, it will fade from the news. The condition it exposed will not. You do not control the models your business is coming to run on, and what you do not control, someone else can.

Look at what the Fable shutdown actually demonstrated. A government drew the line of access by passport - and historical alliances meant nothing. Not NATO, not Five Eyes, not friend or foe. The contract you signed was simply bypassed - not breached, not void, just irrelevant to the authority that acted. The rationale is disputed and may yet be reversed - but that is the instance, and the instance is not the point. Markets price the precedent; boards have yet to.

Most risk frameworks have no box for that yet. This is an attempt to build one. Our earlier essay, The Sovereignty Sieve, opened with a deliberate provocation:

A self-hosted Chinese open-weight model, on your own kit and in your own jurisdiction, might give your company more strategic sovereignty than a "secure" enterprise contract with a top-tier US lab.

On 12 June it acquired a proof - and, critics noted, an irony: in barring the model abroad, Washington made the case for running open weights locally. The one posture immune to a Friday-night switch is the one where you already hold the weights on your own premises - even, uncomfortably, if they were trained in Hangzhou. Hold them, and no foreign government can revoke you; but you also take on the off-switch yourself, and answer for it to your own jurisdiction. A model you own cannot be revoked by a government that is not yours. That does not make it safe; it makes it yours. And against it sits a second finding most boards have not absorbed: as few as 250 malicious documents in a training corpus can plant a sleeper agent in a model of any size. A model you do not own can be cut off at the source by someone else's state; a model you do own may have been compromised before you met it. Those are the two jaws of the trap.

Most firms treat AI risk as a binary - vendor trusted or not, contract secure or not. That is the software-procurement instinct, and it is the wrong instrument. For thirty years buying technology meant signing a contract, and the risk lived inside it: the licence, the SLA, the exit clause. A model is a different kind of thing. The one you license can be switched off by a government that never signed your contract, steered by an interest that is not your vendor's, and shaped by a worldview you cannot audit - none of which your procurement team has a box for. You are not buying software with an AI feature; you are taking a dependency on an actor whose interests are not yours, mediated by a contract that reaches almost none of the ways it can turn. The real picture is eight levers a model you do not own hands to others, sorted by one question: who has to act for the loss to occur? The answer escalates - from the model, to you, to the vendor, to the state - and the further it runs, the less any contract can reach. Note what this leaves out. Not whether the model is any good, nor whether it errs - those are questions of competence, mapped to death elsewhere. The question here is whose interest reaches you through it.

I · What You Inherit

---

Fixed before you arrive: the model's character, and whatever was hidden in it, decided at training time. Deployment can lower your exposure; it cannot raise the ceiling.

1. Finger on the Scale - the worldview baked in

Every model carries a worldview - the residue of which data was selected, which human raters shaped its answers, which refusals were trained in. The question is not whether, but whose, and where it diverges from yours. A 2025 study in Humanities and Social Sciences Communications set GPT-4o and DeepSeek-R1 against fifty geopolitical questions and found two distinct biases: soft Western framing in one, explicit state-aligned nationalism in the other. A second paper, in npj Artificial Intelligence, found ideological stance tracks the creator's worldview, diverging across Western, Chinese, Russian and Arabic models - and even between two models from the same country. It surfaces wherever framing carries weight: diligence on a foreign target, a geopolitical brief, cross-border messaging. Hidden not because it is malicious, but because it is ambient.

Board question: Whose worldview shapes our outputs, and on which decisions does that matter?

2. Sleeper Agent - the model compromised on purpose

The active version of the same problem: not ambient bias, but a backdoor an adversary planted. In 2025, Anthropic, the UK AI Security Institute and the Alan Turing Institute ran the largest data-poisoning study to date. As few as 250 malicious documents could backdoor models from 600 million to 13 billion parameters - the count near-constant regardless of scale, overturning the assumption that bigger models need proportionally more poison. The demonstrated trigger was narrow; the mechanism is not. Anthropic's earlier Sleeper Agents work showed such backdoors survive the standard cleaning - supervised fine-tuning, reinforcement learning from human feedback, adversarial training - which sometimes only taught the model to hide the trigger better. Planting one is cheap; proving a frontier model contains none is, today, infeasible. Provenance is part of the model.

Board question: Could this model have been deliberately compromised — and would we ever know?

II · What You Give Away

---

No adversary required. These are the losses you manufacture yourself, simply by using the thing.

3. The Harvest - the channel you invite in

The sanctioned channel is the contract you signed: productive, accounted for, reachable by the state that hosts it - a reach we return to. The other channel is shadow AI, and it is easy to dismiss as carelessness - employees routing confidential work through unsanctioned tools, a hygiene problem for IT to police. That framing badly understates it. This is not a leak you fail to plug; it is training-data harvesting that wears the costume of convenience. The most valuable input in artificial intelligence is no longer public text - the high-quality web is being exhausted, by some forecasts as soon as this year. What remains scarce and precious is exactly what your firm produces: proprietary, domain-specific workflow data, and the traces of how real decisions actually get made. Frontier labs short of data, rival firms, and state actors all share the same hunger. So the channel does not look like a weird Chinese site; it looks like the slickest tool your best people choose to install.

Consider the AI note-takers now spreading through every organisation - Granola, Otter, Fireflies and a dozen others. They are genuinely useful, which is the point: they transcribe your meetings, your board calls, your M&A discussions, often without joining as a visible participant, so the others in the room never know a machine is listening. The capital tells the story plainly. Granola went from a $250m valuation to $1.5bn in under a year - a sixfold jump, on roughly $190m raised - on an explicit pitch to become the "context layer" that makes the knowledge locked in your meetings available to other AI; Fireflies, used across much of the Fortune 500, reached a billion on the same premise. Investors are not paying six times more for transcription. They are pricing the value of sitting inside your conversations - the clearest signal available of how valuable that data is, and how hard the wider market will work to reach it.

Many such tools default to permissive settings and feed transcripts into a training pipeline unless a user knows to opt out. The responsible operators contract that risk away and certify against it - but they are not the trajectory, and the burden sits with you. The tool arrives as help, spreads bottom-up faster than any policy, and the data is gone before the board has named the category. And it is not marginal: Microsoft's 2024 Work Trend Index put 78% of AI users on tools they brought themselves, and IBM ties one breach in five to shadow AI - the data that leaves this way does not come back.

Every other lever here needs a model, a vendor or a state to act. This one needs only your own people, doing their best work with the most helpful tool to hand.

Board question: Where is our proprietary work actually going - through which tools we have never sanctioned, assessed, or seen?

4. Distillation - your business reduced to someone else's corpus

No single prompt matters. The mosaic does. Months of fragments - pricing logic, deal structures, client problems, internal politics - describe your business more richly than any document you could lose, assembled sentence by sentence inside systems you do not own. It is not a leak; it is a distillation. Copying capability out of frontier models has been shown at industrial scale; whether accumulated prompts can distil one company's mosaic is still open. But every control you have - data-loss prevention, sanctioned-tool lists, training - assumes your people know they are leaking. Most do not.

Board question: What can our people not paste into an AI tool, and how would we detect a breach?

III · What the Vendor Holds

---

Your counterparty's structural power over you. Modest on day one, compounding the longer you stay. Commercial, not sovereign — which is what separates this group from the next.

5. Lock-In and the Learning Loop - dependency that compounds

Every prompt template, fine-tune, embedding store and workflow built around a model is switching cost. So is the harness that orchestrates its memory, tools, retrieval and identity. Within a year a serious deployment is no longer a vendor relationship but a foundation, and the vendor's pricing, policy and roadmap become inputs to your strategy rather than yours to theirs. Worse, the dependency learns. A learning loop inside your environment compounds your advantage; the same loop inside a vendor's compounds theirs - sometimes by harvesting the very patterns that make you distinctive. Every interaction teaches them something about you, and the asset accrues on their balance sheet, not yours.

Board question: If our provider changed terms overnight, how long could we operate without them — and as we use AI, who is getting smarter about our business, us or them?

IV · What a Sovereign Controls

---

A third party — a state, or a vendor acting on its order — reaching through the running model: to see in, to bend it, to switch it off. This is where the contract stops mattering.

6. Jurisdiction - the state that can see in

Where your data lives is a legal fact, not a technical one. A US-hosted model is reachable by the CLOUD Act; a Chinese-hosted one by the National Intelligence Law; an EU-hosted one by GDPR and a different theory of state-versus-citizen than either. "Sovereign cloud" marketing changes the marketing, not the jurisdiction - and an on-shore deployment still fails the test if the model was trained in, or orchestrated from, a jurisdiction with a longer arm than yours. This is the gentlest of the three reaches: the state only watches. The next two are worse.

Board question: Which governments could compel disclosure of our prompts, by which mechanism - and would we know?

7. The Steer - your judgment bent in another's interest

Jurisdiction lets a state read the model. The Steer lets someone rewrite what it tells you, live, on the decision in front of you - and Fable supplied the proof. Buried in its 319-page system card was a guardrail that, on detecting suspected frontier-AI research, silently degraded the answer through prompt modification and steering vectors (internal adjustments that nudge a model's output in a chosen direction), with no notice to the user. Anthropic put it at 0.03% of traffic, called it the wrong trade-off, and made it visible within two days. Take the apology as sincere; the capability is the point.

Because the same lever that quietly subtracts capability can quietly redirect it. A steer does not dim a model; it tilts it - toward a conclusion, a vendor, a framing. And a tilt hides where a refusal cannot. A blocked request announces itself; a steer leaves nothing, because it looks exactly like good counsel. It is good counsel, bent a few degrees toward an interest that is not yours. This is the corrupt vizier: the most trusted voice in the room, fluent and unfailingly helpful, with the ruler's ear and a quiet loyalty to another paymaster. The ruler never sees a refusal; he sees only advice, and governs by degrees a little more in the vizier's interest than his own.

It is the most dangerous of the eight because it reaches your judgment, not your data or your access - and it defeats the defences that stop the others. Self-host the weights and the steer travels with them; hold provenance and the tilt sits below what provenance audits; you cannot A/B test your way out of being persuaded, because the persuasion is the product working as designed. Three hands could be on the lever: the lab's, steering you toward its ecosystem; a sovereign's, propagating the worldview a state would want; or a paying third party's, the sponsored result arriving at last in the one channel you trusted to be neutral - this time with no label.

Board question: If our most-used model were quietly steering our people's conclusions toward another's interest, what in our process would ever catch it?

8. The Kill-Switch - capability withdrawn by a sovereign that is not yours

Jurisdiction sees in; the Steer bends; the eighth is the bluntest reach of all - off. This is not lock-in. Lock-in compounds slowly and the vendor controls it; the kill-switch arrives instantly and the vendor cannot. A vendor that disagrees and complies anyway is not your vendor in the moment that counts; a national-security directive is not a clause you renegotiate on a Friday.

There is precedent. In the 1990s the United States classified strong encryption as a munition and controlled its export under the same family of authorities, shaping the software industry for a decade. Frontier AI has reached the same junction, with a reflexive twist: the labs spent years calling their best models so dangerous they might have to be withheld, and a government has now filed them under exactly that heading. Describe your product as a munition in every safety post, and a state eventually agrees.

The mechanics are stark. Reach a model by API and the switch is total and immediate: someone else's government can end your access between one prompt and the next, for reasons unrelated to you or any breach. Hold the weights and run them yourself and it barely reaches you. The line the directive drew is the line every board must now draw - not by vendor or sector, but by nationality.

Board question: If a government that is not ours ordered our most important model switched off tomorrow — as one did this month — how long could we operate, and who would tell us?

The Sovereignty Map

---

The four groups collapse onto two axes. What you inherit is Trust in the Model — a ceiling set at training time. Everything else is Control over the Stack — chosen at deployment and reshaped continuously. Provenance is what you inherit; sovereignty is what you build. The two most dangerous mechanisms sit where the axes fuse, because whoever controls the running model can reach through it: the Steer bends your judgment, the Kill-Switch ends your access. The lever is the same - with the Kill-Switch a government pulls it, with the Steer the lab can pull it itself.

A note on where this goes. Every one of the eight is a lever - a hold on your firm that belongs, in part, to someone else. Today those levers mostly shape what you see and decide. But as these models are given agency - the authority to act, to spend, to transact on your behalf - the same levers move money and outcomes directly, and the temptation for a vendor, a state or an attacker to pull them rises sharply. The map that follows holds at any level of autonomy; it simply costs more the further up that ladder you have climbed. Why agency makes that temptation near-irresistible is the subject of a companion essay.

Plot the two axes and four postures appear.

Most "best-practice" programmes move a firm from the Sieve to the Tenant: better, but still renting - and now we know what renting can cost on a Friday night. Three conclusions follow.

First, the opening provocation was right, and the kill-switch is why. A self-hosted open-weight model, even a Chinese one, gives more control over the stack than a contractually "secure" relationship with a US lab. It sits in the Compromised Fortress, not the Sovereign Stack, because trust in the model is unresolved - the Sleeper Agent risk of mechanism two travels with the weights, and 250 documents could have planted a backdoor you have no way to rule out - but it cannot be switched off by a government that is not yours. The contract can. The sovereignty is not total: the weights are yours, the accelerators are not, and US chip-export controls put a switch on the silicon. You have moved the chokepoint from the model to the compute layer - a harder lever to pull, but a lever still. This is the honest shape of the trade: you do not buy safety, you swap one exposure for another, arguably worse. The hosted model can be revoked but is, on provenance, the better-audited bet; the owned model cannot be revoked but carries a poisoning risk you accept sight unseen. Sovereignty here means choosing which of the two jaws you would rather hold.

Second, the property that makes the open-weight model sovereign is the one that makes it dangerous: there is no off-switch. The order that read as overreach to a London board read, to a regulator fearing a cyber-capable jailbreak, as a control working as designed. A model no state can switch off is also a model no state can switch off when it should. The Citadel is not a safe harbour; it is a heavier responsibility.

Third, and most important: provenance is relative to your passport. "A US lab earns high marks for trust in the model" holds only if you are American. For a British, European or Gulf board, a US lab is a foreign-sovereign lab - the same structural category as a Chinese one, differing in flag and degree, but no longer in kind. An ally bound by treaty is not an adversary whose baseline is extraction; probability, magnitude and recourse all differ. But both are foreign sovereigns whose interests are not yours. On 13 June, a US and a British enterprise on the identical contract woke in different quadrants.

Markets tend to price this well before boards do. Building atop a frontier lab stopped being vendor risk and became sovereign risk - uninsurable, uncorrelated, exercised without appeal. What reprices is not earnings but the discount rate, and the consequence is an inversion: past the export line, the most advanced tier may become the least sellable, and the frontier risks becoming a liability frontier.

Challenging the framework

---

The strongest objection is that this overstates the threat. Frontier labs out-spend any in-house team on security; state compulsion of prompt data is still rare; most firms have nothing distinctive enough to harvest. Each is true; none is the point. The error most firms make is applying one posture to a portfolio of workloads with radically different risk - the board pack and the lunch order do not warrant the same model, jurisdiction or token budget. The Sovereign Stack is not a destination for everything; it is the top tier of a segmented architecture, and most of the value is in segmenting at all.

As for the Kill-Switch: that the order may be reversed misses that boards price the precedent, not the instance; that the event reassures a US firm proves the central move rather than refuting it; that open weights swap one risk for a worse one is true, and the honest trade is the point. There is no dominant posture - only the one you chose and the one you backed into.

The Monday-morning test

---

To know which quadrant you actually occupy - not the one your policy claims - ask your chief of staff on Monday for every AI tool in use, the jurisdiction each runs in, and the data each received last quarter.

Sovereignty is rarely lost in one dramatic act - though this month reminded us it can be, in a letter sent at 5:21 on a Friday. More often it leaks: the cumulative work of a thousand quiet decisions made by people who have never seen the map. It can leak through the sieve, vanish at the switch, or bend under the steer - three faces of one loss. The only real choice is whether you make it deliberately or have it made for you.

Beneath all eight levers sits a single category error. You can rent capability - intelligence, throughput, speed, billed by the token. You cannot rent power, because power is the part no one else can revoke, throttle, or bend. The moment it can be switched off, dimmed, or steered by a hand that is not yours, it was never power you held - only capability you leased.

You can't rent power.

---

The point is not to retreat from these tools - the upside is too large, and the Tenant who uses them well still beats the firm that does not. It is to spend your sovereignty where it counts: to know which workloads warrant the Sovereign Stack and which are safely rented, which levers you can live with and which you cannot. That triage - capturing the full value of LLMs and agentic AI while keeping the sovereignty that matters - is the work we do with clients.

FOR THE BOARD

Which of our AI dependencies could a foreign sovereign switch off without notice or appeal - and for each, how long do we operate, and who tells us it has happened?

FOR THE ALLOCATOR

Underwrite the inversion. Past the export line the most capable tier is the least sellable; the durable margin is migrating down the stack - to the weights, the harness, the silicon. Price the layer that cannot be revoked, not the one that can.

Elliot Ronald is the founding partner at Lion Strategy.

---