Sovereignty

Which laws can reach your AI stack.

Your data-residency contract governs where data is stored. It has no force over which legal regime can compel the data your AI calls pass through. That gap is the exposure.

[Diagram: Your jurisdiction (your apps & agents, data-residency contract; "Your contract has force only on this side.") | The line (every prompt crosses) | Another legal regime (model providers, any SaaS gateway; "That regime can compel this data, wherever it sits.")]

The trap

You're not choosing a model.
You're choosing a jurisdiction.

You know where your data is stored. Do you know whose laws can compel the data your AI passes through? Most regulated firms don't, until someone with legal authority asks.

01

The contract stops at the API

Your residency agreement governs your store. It has no force over the model your application then calls into, which now sits under whatever legal regime that provider answers to.

02

Reach follows the entity, not the data

Every major jurisdiction can compel a provider headquartered under it to disclose data, wherever in the world that data is held. Where you stored it stops being the question.

03

The agentic multiplier

A fifty-step reasoning loop touching customer records and policy documents is fifty crossings of that line, not one. Exposure compounds at every hop.

The four sovereignties

Control at every layer that actually matters.

For a bank, an insurer, a healthcare system or a defence contractor, "where does the prompt go, and who can compel it?" is not a detail. It's the whole question.

01

Jurisdictional sovereignty

The question isn't where the data is stored; it's whose law can compel it. Vidai sits inline so the data that crosses the legal boundary is the data you chose to let cross, masked and policy-checked, and nothing else.

02

Infrastructure sovereignty

Deployed entirely inside your VPC, data centre or fully air-gapped. No phone-home, no usage telemetry. You own the deployment and the upgrade cadence, not a vendor's roadmap.

03

Vendor sovereignty

Adding or switching a model becomes a configuration change, not a six-month procurement cycle. One security review covers every provider. Your multi-model strategy stays yours.

04

Regulatory sovereignty

Governance can't live at the application layer for a regulated platform. One horizontal boundary keeps AI inside the compliance regime you already operate under, with no new third party in the data path.

What stays in, what crosses

You decide the line. The engine enforces it.

Vidai is one horizontal boundary in front of every app, agent and model. Sensitive content is masked and policy-checked before anything crosses to a provider, and nothing crosses unseen.

[Diagram: Your network / your VPC (apps & agents, customer records, policy documents) -> Vidai ("you decide what crosses"; masked, policy-checked) -> model providers, outside (OpenAI, Anthropic, Bedrock, Vertex)]

Why not a SaaS gateway

A cloud gateway is the exposure, not the fix.

A hosted AI gateway routes every prompt through someone else's infrastructure before it reaches the model. That doesn't close the sovereignty gap; it adds another party to it.

One more jurisdiction in the path. Your data now crosses the SaaS vendor's infrastructure and the model provider's. The gateway's own legal regime becomes one more party that can be compelled.
It phones home by design. A SaaS gateway has to see your traffic and usage to bill and operate it. Vidai has no telemetry, no usage callback, no outbound beacon, and you can verify that on the wire.
Their uptime is your uptime. A hosted hop in front of every AI call is a critical third party you don't control, the exact concentration risk supervisors now ask about.
Small enough to be yours. The in-path engine is a single ~25MB binary, not a platform. It drops inside your VPC, or fully air-gapped, without a new cluster to run.

Why the clock is running

A sovereignty curve and a cost curve, at once.

The principle is universal. UK and EU financial services is just where the regulators have moved first, which makes it the clearest worked example of where everyone is heading.

Regulatory framing draws on the author's article in FinTech Scotland on the AI sovereignty trap.

The legal ground keeps moving. Cross-border data frameworks are repeatedly challenged and overturned. Architecture built on today's arrangement inherits tomorrow's reversal.
Supervisors are already here. Regimes like CTPR and DORA are live and AI concentration risk is explicitly on the supervisory agenda. Other regulators and sectors are moving the same way.
The volume is coming. Machine-initiated AI traffic is forecast to surge sharply. Application-side governance fails expensively under that load, not loudly.
Retrofitting costs more. Build the control plane now, while it's an architecture choice, or rebuild it later under regulatory pressure on someone else's timeline.

Deployment

Small enough to be simple. Serious enough to trust.

One engine on the hot path. The part in your AI traffic is a single ~25MB binary. The dashboard and management layer run separately, and only the engine sits inline.
Air-gap ready. No outbound calls required to operate. Deploy where there is no internet egress at all.
Your keys, your network. Provider credentials and traffic never transit a third party, including us.
Drop-in. Transparent deployment: a base-URL change, not an SDK refactor. Sovereignty without a rebuild.

See it inside a real deployment.

A 20-minute walkthrough on infrastructure that looks like yours, air-gapped if that's your reality.