In the AI era, digital sovereignty is quickly becoming a default design requirement that underpins trust, resilience, and security.
Around the world, AI is graduating from pilot phase to full-scale production in small and large organisations alike. But the biggest shift is the rise of agentic AI - systems that can plan, call tools, and take actions across multiple systems with limited human oversight. In response to this rapid progression, leaders in many organisations are turning to digital sovereignty to protect the security and resilience of their systems and data.
The move to production-phase AI projects is being celebrated by those who see the opportunity that AI represents. Yet, the shift to broader AI implementation signals an evolution towards an increasingly connected organisational architecture that is making IT executives uneasy. Agentic AI intensifies that unease: when AI can initiate actions (not just generate content), sovereignty and security controls must extend beyond data to include decision rights, execution pathways, and verifiable human override. As AI expands into core services and sensitive workflows, it also increases exposure to sovereignty-relevant risks: from supply chain and vendor access pathways, cross-border legal and operational dependencies, and inadvertent data leakage via prompts, telemetry, and logs. In short, agentic AI makes it harder to stay fully in control of where data and workloads run, who can access them, and what the system is allowed to do. That combination is causing leaders to reexamine where data is processed, governed and controlled, making digital sovereignty a non-negotiable foundation for AI-enabled organisations.
Not all sovereignty is created equal
Digital sovereignty is often reduced to data residency. In practice though, digital sovereignty in the AI era is multi-layered: it spans where data resides, who has privileged access, how day-to-day operations are governed, how third-party suppliers are controlled, and how easily you can exit or port workloads without losing autonomy. In the agentic era, sovereignty risk is not abstract, it is operational.
Key risks include:
- Loss of control over execution, as agents take multi-step actions across tools and systems
- Expanded and less-visible data flows, through prompts, tool calls, memory, telemetry, and logs
- Cross-border legal and operational dependence, when models, orchestration layers, or support access sit outside your jurisdiction
- Auditability and accountability gaps, if you cannot reliably explain, constrain, and evidence what an agent did and why.
AI is changing the sovereignty risk equation: systems are now more interconnected, and data moves faster than many organisations can keep up with. As a result, it’s easier for security or compliance gaps to appear. It has transformed sovereignty from a technical question to a strategic consideration that is pivotal to supporting critical decision-making, operational continuity, and business resilience.
Sovereignty is vital to modern infrastructure. Yet, crucially, not all sovereignty is the same. Many “sovereign” claims one might hear today rely on retrofitted controls and add-ons. In contrast, sovereign-by-design approaches embed security, compliance, and control at the foundations, meaning that sovereignty isn’t dependent on workarounds and exceptions later. Sovereignty is not the same as security. However, if done right, it can become a powerful mechanism that makes security, compliance, and risk decisions more enforceable by tightening control over where data and workloads run, who can access them, and which parties are accountable.
Sovereign-by-design: the opportunity for New Zealand
New Zealand is positioning itself to seize the potential of AI and lift the country’s competitiveness by bolstering its AI sector, having clearly signalled its intent to scale AI adoption with the government launching its first national AI strategy in 2025. The strategy frames AI as a major productivity opportunity and includes an estimate, drawn from industry research cited publicly, that AI could add $76 billion to GDP by 2038. In parallel, the New Zealand Ministry of Business, Innovation and Employment outlined its “Investing with Confidence” strategy which explicitly focused on accelerating private-sector AI adoption and innovation; and publicly announced an investment of up to $70 million over seven years to accelerate AI research and commercialisation through the New Zealand Institute for Advanced Technology.
With AI shaping up to be a core part of how New Zealand competes, innovates, and delivers services, it makes sense for organisations to proactively design digital sovereignty from the outset. The pace of AI innovation will continue to accelerate, making deliberate moves to maintain control over data, governance, and operational independence an obvious smart decision. Making “sovereign-by-design” a central pillar of an AI roadmap will help drive innovation while managing risk and aligns well to the country’s growing focus in assurance and risk governance. The good news is that some industries are leaning into the opportunity to manage future risk with digital sovereignty.
Powering the economies of tomorrow
New Zealand’s organisations provide for a strong example of how sovereign-by-design can look in practice. HPE is working with telcos and service providers in New Zealand to modernise infrastructure, strengthen architectural control across hybrid environments, and support critical national connectivity. These programs show how governance, security, and operational control can be built into the foundation of digital platforms, enabling organisations to scale AI and digital services while remaining aligned to jurisdictional, resilience, and regulatory requirements
More broadly, sector-led investment in unified, locally governed digital platforms is helping organisations improve control over how data is hosted, accessed, and managed in New Zealand. Designed with onshore deployment and clear governance guardrails from the outset, these approaches support stronger digital sovereignty while preserving the flexibility needed to evolve with changing regulatory and operational demands.
These implementations point to a practical reality: sovereignty cannot be an afterthought. It must be a strategic differentiator that forms the bedrock that helps organisations avoid getting bogged down by complexity and move faster with purpose and confidence.
Four key digital sovereignty considerations
As the pace of AI innovation accelerates, organisations are waking up to the fact that true data ownership and operational sovereignty are now inseparable from agility and modern innovation. As agentic AI becomes mainstream, the sovereignty question gets more practical: can you demonstrate end-to-end who has authority over the system, where the agent runs and acts, and what hard limits and audit trails prevent it (or any supplier) from doing something outside policy?
- AI (especially agentic AI) multiplies sensitive data flows. As AI systems pull from more sources and become more embedded in decisions, organisations must consider where data is processed and governed. This includes the less obvious data flows created by AI itself, such as prompts, retrieval-augmented generation (RAG) queries, model telemetry, and logs, plus agent memory and tool-call payloads, all of which can move sensitive information across systems and suppliers if governance is not designed in from the outset.
- AI raises the bar for resilient, compliant operation (not just performance). When AI becomes operational, the bar shifts from performance alone to consistent, auditable operation within the security and compliance constraints of regulated environments. Rather than bolting controls on after deployment, sovereign-by-design anticipates these constraints upfront and supports operation in constrained settings, such as limited connectivity, strict access requirements, or the need for local processing. This matters even more for agentic systems, where failure modes can include unintended actions, not just incorrect outputs.
- AI forces clearer accountability and tighter control across vendors and platforms. Patchwork “sovereign” approaches - multiple vendors, mismatched controls, unclear accountability - become harder to manage as AI scales. That’s why embedding sovereignty controls at the foundations is a recurring theme in current sovereign-by-design thinking. The goal is to reduce dependency on opaque access pathways, minimise privileged third-party reach, and make audit trails defensible across the full stack.
- Agentic AI requires enforceable guardrails: policy, permissions, and provable human override. If an agent can take actions, sovereignty depends on your ability to constrain those actions: what tools it can call, what data it can access, where it can execute, and what escalation paths require human approval. Sovereign-by-design architectures should make these controls explicit and testable: fine-grained tool permissions, onshore execution options, immutable logging, and “stop/kill switch” mechanisms that work in practice, not just on paper.
Leaders are increasingly unwilling to trade away capability just to satisfy compliance checklists. Yet, compliance still matters, and expectations are rising that it shouldn’t come at the expense of capability, speed, or control. Today’s leaders demand next-generation private IT infrastructure with cloud agility, engineered for control, compliance, and advanced AI and cloud-native capabilities.
