Sovereignty
Which laws can reach your AI stack.
Your data-residency contract governs where data is stored. It has no force over which legal regime can compel the data your AI calls pass through. That gap is the exposure.
The trap
You're not choosing a model.
You're choosing a jurisdiction.
You know where your data is stored. Do you know whose laws can compel the data your AI passes through? Most regulated firms don't, until someone with legal authority asks.
The contract stops at the API
Your residency agreement governs your store. It has no force over the model your application then calls into, which now sits under whatever legal regime that provider answers to.
Reach follows the entity, not the data
Every major jurisdiction can compel a provider headquartered under it to disclose data, wherever in the world that data is held. Where you stored it stops being the question.
The agentic multiplier
A fifty-step reasoning loop touching customer records and policy documents is fifty crossings of that line, not one. Exposure compounds at every hop.
The four sovereignties
Control at every layer that actually matters.
For a bank, an insurer, a healthcare system or a defence contractor, "where does the prompt go, and who can compel it?" is not a detail. It's the whole question.
Jurisdictional sovereignty
The question isn't where the data is stored; it's whose law can compel it. Vidai sits inline so the data that crosses the legal boundary is the data you chose to let cross, masked and policy-checked, and nothing else.
Infrastructure sovereignty
Deployed entirely inside your VPC or data centre, or fully air-gapped. No phone-home, no usage telemetry. You own the deployment and the upgrade cadence, not a vendor's roadmap.
Vendor sovereignty
Adding or switching a model becomes a configuration change, not a six-month procurement cycle. One security review covers every provider. Your multi-model strategy stays yours.
Regulatory sovereignty
Governance can't live at the application layer for a regulated platform. One horizontal boundary keeps AI inside the compliance regime you already operate under, with no new third party in the data path.
What stays in, what crosses
You decide the line. The engine enforces it.
Vidai is one horizontal boundary in front of every app, agent and model. Sensitive content is masked and policy-checked before anything crosses to a provider, and nothing crosses unseen.
Why not a SaaS gateway
A cloud gateway is the exposure, not the fix.
A hosted AI gateway routes every prompt through someone else's infrastructure before it reaches the model. That doesn't close the sovereignty gap; it adds another party to it.
Why the clock is running
A sovereignty curve and a cost curve, at once.
The principle is universal. UK and EU financial services is just where the regulators have moved first, which makes it the clearest worked example of where everyone is heading.
Regulatory framing draws on the author's article in FinTech Scotland on the AI sovereignty trap.
Deployment
Small enough to be simple. Serious enough to trust.
See it inside a real deployment.
A 20-minute walkthrough on infrastructure that looks like yours, air-gapped if that's your reality.