global need for AI continuity is at hand

The Sovereign AI Imperative


Why Nations Cannot Afford to Leave Artificial Intelligence in Private Hands


Executive Summary

Artificial intelligence has crossed a threshold. It is no longer a commercial technology competing for market share. It is critical national infrastructure, embedded in healthcare systems, financial services, defense procurement, and government operations across allied nations. And yet the governance frameworks applied to it remain those of an early-stage commercial technology: voluntary, fragmented, and entirely dependent on the continued goodwill of a small number of private individuals.

This industry brief argues that governments and multi-state entities must establish sovereign AI frameworks with urgency. The case is not ideological. It rests on three converging realities.

The first is geopolitical sovereignty. Allied governments have allowed themselves to become operationally dependent on AI systems controlled by companies subject to the policy preferences of a foreign executive branch and the governance decisions of individual chief executives. Events in February and March 2026, in which the United States government banned a leading AI provider from all federal use within hours of a contractual dispute, and a rival provider immediately moved to fill that gap on different terms, demonstrated with clarity that governments depending on these systems had no seat at any table where those decisions were made.

The second is systemic risk. The conditions that characterized systemically important financial institutions in 2008 are now present in the AI sector: critical function concentrated in a small number of private entities, asymmetric risk distribution, and governance frameworks built for normal commercial conditions rather than systemic stress. The financial crisis established that the absence of sovereign continuity frameworks does not prevent catastrophic outcomes; it simply ensures that governments bear the cost of them without having shaped the conditions that produced them.

The third is the demonstrated pattern at the software infrastructure layer. The GSDRF’s primary research into open-source software sustainability has documented, with empirical rigor, the consequences of critical software infrastructure being left without sovereign continuity frameworks. The AI governance argument is that same argument applied one layer above, at higher stakes.

The central policy recommendation of this paper is not nationalization of the AI industry. It is the establishment of continuity obligations, accountability frameworks, and independent oversight structures commensurate with the systemic importance AI infrastructure has already acquired. The ownership question is a longer-term policy matter that legislators must begin examining. The continuity question is immediate.

For industry, the message is direct: sovereign AI frameworks are not a distant possibility. The EU AI Act is already in force. Regulatory postures are hardening across the UK, Australia, and New Zealand. The window for constructive engagement in shaping these frameworks is open now. It will not remain so indefinitely.

Section 1: The Geopolitical Sovereignty Case

1.1 The Dependency Problem

Allied governments, public institutions, and critical infrastructure operators have, over the past several years, embedded AI systems from a small number of US-based private companies into their operations at a pace that has significantly outrun the development of any corresponding governance framework. That dependency is now structural.

Those companies are subject to the governance decisions of individual chief executives. They are incorporated under US law, subject to the policy preferences and executive authority of the US government, and under no obligation, legal or otherwise, to consult with, notify, or consider the interests of the governments and institutions in other jurisdictions that have come to depend on their systems.

This is not a theoretical future risk. It is the present reality, and it became undeniable in the last days of February 2026.

1.2 The Anthropic-Pentagon Dispute: A Case Study in Sovereign Exposure

The dispute between Anthropic and the United States Department of Defense that culminated in late February 2026 is the most instructive case study in sovereign AI risk that has yet occurred. It warrants examination in detail, because its implications extend far beyond its immediate parties.

Anthropic, the developer of the Claude AI system, held a contract with the US Defense Department worth up to $200 million, under which Claude had become the first AI system deployed in the military’s classified network. The company had placed two restrictions on the use of its model: it could not be used for mass surveillance of American citizens, and it could not be used to power fully autonomous weapons systems. Anthropic’s position was that these restrictions reflected both the current technical limitations of AI and its own ethical commitments regarding the safe deployment of frontier models.

On 24 February 2026, Defense Secretary Pete Hegseth issued Anthropic CEO Dario Amodei a deadline: remove all restrictions by 5:01pm on 27 February, or face the cancellation of the contract and designation as a supply chain risk to national security. Anthropic refused. On 27 February, President Trump ordered every US government agency to immediately cease using Anthropic’s technology. Hegseth designated the company a supply chain risk, a classification normally reserved for companies associated with foreign adversaries. The designation had the practical effect of threatening the viability of Anthropic’s entire enterprise customer base, many of whose clients hold or seek government contracts.

The Pentagon’s threats were, as Amodei noted, inherently contradictory: one labelled Anthropic a security risk, the other labelled Claude as essential to national security. The contradiction is itself instructive. A system deemed essential to national security was subject to being withdrawn from service within hours by a single executive decision, with no notice to and no consultation with any allied government or institution that had itself come to depend on it.

Anthropic subsequently sued the Department of Defense on 9 March 2026, arguing that the supply chain risk designation was unprecedented, unlawful, and had caused the company irreparable harm. The litigation is ongoing. Talks between the company and the Pentagon have, at the time of writing, partially resumed.

It is important to be clear about what this case illustrates for governments outside the United States. The dispute was between an AI company and the US government, argued on American legal and constitutional grounds, resolved by American political and commercial pressures. No government in Europe, no institution in Australia or New Zealand, no NATO ally that had integrated Claude into any part of its operations, had any standing in those negotiations, any advance notice of the outcome, or any remediation framework prepared for the scenario in which the system they depended on was abruptly withdrawn from service.

That is the exposure. Not that Anthropic acted wrongly. On the assessment of this paper, Anthropic’s ethical position was defensible and its refusal to permit use for mass surveillance and autonomous weapons was reasonable. The point is that the entire determination of whether allied governments retained access to a piece of critical infrastructure was made without them, by people with no accountability to them, under pressure that had nothing to do with their interests.

1.3 The OpenAI Parallel: The Whims of CEOs Cut Both Ways

Within hours of the Trump administration’s ban on Anthropic, OpenAI announced that it had reached a deal with the Pentagon to provide its technology for classified networks. The terms under which OpenAI agreed to operate, as reported at the time, included exclusions preventing use for domestic surveillance or fully autonomous weapons without human approval. In substance, these were not materially different from the position Anthropic had taken.

OpenAI CEO Sam Altman stated publicly that he believed companies should work with the military provided they adhere to legal protections and shared red lines. He framed OpenAI’s position as consistent with Anthropic’s own principles.

The significance of this sequence for the purposes of this paper is not that OpenAI acted opportunistically or that Altman’s position was insincere. It is that, within a single working day, the AI system embedded in allied defense and intelligence infrastructure had changed, the terms under which it was provided had changed, and the company providing it had changed. None of those changes involved any consultation with, approval from, or even notification of the governments and institutions outside the United States that had operational dependencies on these systems.

The lesson is not that AI CEOs are unreliable. Some will hold principled positions under extraordinary pressure, as Amodei did. Others will move more fluidly in response to commercial and political incentives, as the market dynamics of the situation illustrate. The lesson is that the critical infrastructure of sovereign states should not be contingent on the character of any individual chief executive. Character is not a governance framework.

1.4 The Broader Geopolitical Frame

The Anthropic-Pentagon dispute is the sharpest available illustration of the problem, but it sits within a much broader geopolitical reality. AI infrastructure concentration is a sovereignty risk for every nation that does not have its own frontier AI capability, and currently that means effectively every nation outside the United States and, to a limited and contested degree, China.

The European Union, the United Kingdom, Australia, and New Zealand are among the jurisdictions most acutely exposed. Each has allowed significant operational dependency on US-based AI systems to develop across government and critical infrastructure. Each is now, in various ways, confronting the implications. The EU’s AI Act represents the most developed legislative response. Regulatory challenges and litigation in Australia and New Zealand signal that those governments are recognizing the power imbalance even if comprehensive remediation frameworks remain nascent.

The direction of travel is clear. What is less clear is whether governments will move proactively to establish sovereign frameworks before the next systemic disruption, or reactively in response to one. The financial crisis precedent, examined in the following section, suggests that reactive responses are both more expensive and less effective than proactive frameworks. The AI sector has not yet had its Lehman Brothers moment. That is not an argument for complacency. It is an argument for acting while the window remains open.

Section 2: The Systemic Risk Case

2.1 Too Big to Fail: The Financial Crisis as a Governance Template

The phrase ‘too big to fail’ entered the policy lexicon in the context of the 2008 global financial crisis. Its meaning, stripped of the political controversy that surrounded it, was precise: certain institutions had become so embedded in the functioning of the broader financial system that their disorderly failure would produce consequences disproportionate to their own commercial significance. The systemic damage would be borne not by the institutions themselves, or their shareholders, but by governments and the populations they serve.

The conditions that produced that outcome are now recognizable in the AI sector. A small number of private entities control systems of critical importance to multiple governments and economic sectors. The benefits of those systems accrue privately. The catastrophic downside risk, the scenario in which access is abruptly lost, terms are unilaterally changed, or a provider fails commercially, is borne collectively by the governments and institutions that have allowed the dependency to develop.

The financial crisis also established a second lesson that is directly applicable here. The absence of sovereign continuity frameworks does not prevent catastrophic outcomes. It simply ensures that when those outcomes occur, governments must respond under maximum pressure, with minimum preparation, at maximum cost. The ad hoc interventions of 2008, the emergency bailouts, the improvised resolution mechanisms, the political contortions required to justify spending public money to rescue private institutions, were the direct consequence of governance frameworks that had not kept pace with the systemic importance of the institutions they were supposed to oversee.

The Lehman Brothers parallel is worth stating directly. In a scenario where a major AI provider faces abrupt commercial failure, is sanctioned by a foreign government, or is subjected to the kind of designation that the Trump administration applied to Anthropic, the governments depending on that provider’s systems face a choice between a managed transition, if continuity frameworks exist, and an emergency scramble, if they do not. The cost of the former is a fraction of the cost of the latter.

2.2 The International Monetary Architecture as Governance Model

The International Monetary Fund, the European Central Bank, and the US Federal Reserve did not come into existence because governments wanted to control their economies. They came into existence because governments recognized that systemically important economic functions required governance structures that were technically credentialed, insulated from short-term political pressure, and empowered to act in the long-term systemic interest rather than the immediate commercial or electoral one.

The central bank independence model is the most relevant template for sovereign AI governance, and for a reason that goes beyond structural analogy. Central bank independence was designed specifically to address the problem of technically complex, systemically critical functions being governed by institutions subject to the short-term incentives of elected officials or private market participants. Neither elected officials nor private market participants are well-positioned to make governance decisions about systemically critical AI infrastructure. The same logic that produced central bank independence produces the case for an Independent AI Oversight Council.

Such a body would not build AI systems. It would not direct their development. It would do what central banks do: establish and enforce the systemic stability conditions under which AI infrastructure can operate safely. In practical terms, this means continuity obligations, mandatory transition planning, transparency and reporting requirements, and the authority to intervene when those obligations are not met.

The institutional form matters. A body that reports to elected governments is subject to the same political pressures that make elected governments poor governors of technically complex systemic risk. The ECB model, with a defined and limited mandate, technical independence, and democratic accountability through transparency and reporting rather than direct political control, is the appropriate template.

2.3 The Spectrum of Sovereign Intervention

There is an important distinction to draw, both analytically and politically, between the different forms sovereign intervention in the AI sector might take. Conflating them weakens the argument and obscures the range of achievable policy options.

At one end of the spectrum is full state ownership: a government acquires an AI company outright, as it might acquire a failing bank or a strategic energy asset. This is not a fantasy position in all jurisdictions. France’s tradition of strategic state ownership, Germany’s willingness to take equity stakes in critical industries, and the EU’s capacity to mandate structural remedies under competition law all create contexts in which ownership is a credible policy instrument. For most Western democracies, however, full state ownership of commercial AI companies is politically and practically difficult as a default position, and this paper does not advocate for it as such.

At the other end of the spectrum is mandatory continuity infrastructure: AI companies operating in critical sectors are required to maintain model escrow arrangements, transition plans, and structured access agreements that allow governments to manage a change of provider without operational disruption. This is analogous to the bank resolution planning requirements introduced after 2008, under which systemically important financial institutions are required to maintain ‘living wills’ detailing how they could be wound down in an orderly fashion. It is achievable, bounded, and politically defensible.

Between these poles lies a range of intermediate options: mandatory licensing regimes, state-backed continuity funds, equity participation requirements, and structured access agreements with allied governments. The appropriate instrument will vary by jurisdiction, sector, and the specific nature of the AI dependency in question.

The central argument of this paper is for the continuity infrastructure end of this spectrum as the immediate and achievable policy ask, with state ownership acknowledged as the backstop option that legislators in appropriate jurisdictions should begin examining. Continuity infrastructure is not a compromise position. It is the foundational governance requirement without which all other policy options are moot.

Section 3: The Open-Source Software Continuity Bridge

3.1 The Pattern Established at the Infrastructure Layer

The argument for sovereign AI governance does not exist in isolation. It is the continuation of a pattern that the GSDRF’s primary research has documented with empirical rigour at the software infrastructure layer on which AI systems are built.

The GSDRF’s analysis of GH Archive data covering the period 2015 to 2025, drawn from original BigQuery primary research, has established several findings directly relevant to this argument. Open-source software project health showed a COVID-period bounce followed by an incomplete recovery. From 2023 onward, a divergence between event activity and contributor activity emerged, consistent with AI-generated noise inflating apparent activity while genuine human contributor engagement declined. From 2024 into 2025, the decline in established OSS projects accelerated sharply.

Crucially, the research identified a clear bifurcation in outcomes. Projects with profit-motivated institutional investment behind them, such as VS Code, Hugging Face Transformers, and NixOS, sustained their contributor ecosystems. Projects with extractively-backed or commercially indifferent support structures collapsed. The determining variable was not the technical quality of the project or its importance to the broader ecosystem. It was whether a sustained institutional commitment to its continuity existed.

3.2 The Sovereign OSS Fund as Proof of Concept

The GSDRF has separately developed the case for a Sovereign OSS Fund, structured around mandatory contributions scaled to deployment intensity and governed by an Independent Review Council modelled on central bank independence. The argument rests on precisely the same logic that this paper applies to the AI layer: critical infrastructure that is systemically important but commercially fragile requires sovereign continuity frameworks to protect against the consequences of its failure.

The Sovereign OSS Fund proposal is therefore not merely analogous to the sovereign AI governance argument. It is its direct predecessor. If the case for sovereign intervention holds at the OSS infrastructure layer, the same argument applied to the AI systems built on top of that layer is not a radical extension of principle. It is the consistent application of a framework that has already been established.

For policymakers and legislators examining sovereign AI governance proposals, the OSS fund model provides a working template. It demonstrates that the governance instruments required are not novel. They exist in adjacent policy domains and have been developed with the specific characteristics of software infrastructure in mind.

3.3 The Compounding Risk

The interaction between OSS decline and AI dependency is not additive. It is multiplicative. AI systems are, in significant part, built on OSS foundations. The models, the training infrastructure, the deployment tooling, the security frameworks, all have substantial open-source components. As OSS project health at the foundation layer degrades, the AI systems built on it become less reliable, less secure, and more dependent on the continued commitment of the small number of well-capitalised institutions that are sustaining those foundational projects.

A sovereign AI governance framework that does not address the OSS layer is therefore incomplete. And an OSS continuity framework that does not extend its logic to the AI layer built on top of it is addressing the foundation while ignoring the structure. A coherent sovereign technology policy must address both layers as a connected system, or it addresses neither adequately.

Section 4: A Policy Framework for Sovereign AI

4.1 Core Principles

Any credible sovereign AI governance framework must rest on four core principles if it is to be both effective and politically sustainable.

The first is proportionality. Governance obligations should be scaled to systemic importance. AI systems embedded in critical national infrastructure carry different obligations than AI systems used in commercial applications. The framework should be tiered accordingly.

The second is technical independence. The governance body must be insulated from both short-term political pressure and commercial influence. This is the central lesson of the central bank independence model. Credibility depends on it.

The third is continuity primacy. The foundational obligation is continuity of access: the assurance that a government or institution depending on an AI system can manage a change of provider, or a disruption to service, without operational catastrophe. All other governance obligations flow from this.

The fourth is international co-ordination. AI infrastructure is global. Fragmented national frameworks create regulatory arbitrage and reduce effectiveness. The EU’s demonstrated capacity to export regulatory standards through market access leverage provides the most credible vehicle for international co-ordination, and should be the anchor of any multilateral sovereign AI governance effort.

4.2 The Tiered Intervention Model

Sovereign AI governance should operate across a defined spectrum of intervention levels, with the appropriate level determined by the systemic importance of the AI deployment in question.

Tier 1: Mandatory Continuity Infrastructure. All AI systems deployed in critical national infrastructure must maintain model escrow arrangements, transition plans, and structured access agreements. This is the minimum viable sovereign governance requirement and the immediate policy ask of this paper. It is analogous to bank resolution planning and is achievable through existing legislative mechanisms in most jurisdictions.

Tier 2: Independent Oversight Accountability. AI systems of defined systemic importance must report to an Independent AI Oversight Council on continuity, security, and transparency obligations. The Council’s mandate is defined and limited; it does not direct development but enforces the systemic stability conditions under which AI infrastructure operates.

Tier 3: Structured Access and Licensing. For AI systems of the highest systemic importance, mandatory licensing regimes and structured access agreements with participating governments provide additional resilience. State-backed continuity funds, modelled on the Sovereign OSS Fund architecture, provide a financial backstop.

Tier 4: State Participation and Ownership. In scenarios where a provider of critical AI infrastructure faces commercial failure or is otherwise unable to meet its continuity obligations, state ownership or equity participation is the backstop of last resort. Legislators in appropriate jurisdictions should develop the legal and financial frameworks for this option before it is needed, not in response to a crisis.

4.3 The Jurisdictional Opportunity: EU Leadership and Multilateral Co-ordination

The European Union is the most credible anchor for a multilateral sovereign AI governance framework, for reasons that are structural rather than aspirational. The EU has demonstrated, through GDPR and now the AI Act, that it can export regulatory standards globally by virtue of market access leverage. Companies operating in EU markets must comply with EU frameworks regardless of where they are incorporated. That leverage is real, has been tested, and has proven effective.

The EU AI Act, already in force with phased implementation obligations, establishes the foundational regulatory architecture on which a sovereign AI governance layer can be built. It addresses risk classification and prohibitions. What it does not yet fully address is continuity infrastructure and systemic risk governance of the kind this paper advocates. The extension of the AI Act framework to incorporate the continuity obligations described above is both legally achievable and politically consistent with the EU’s established regulatory posture.

The United Kingdom, post-Brexit, has both the incentive and the regulatory capability to develop a complementary framework rather than a derivative one. A UK-EU co-ordination mechanism on AI governance continuity standards would extend the reach of both frameworks and reduce the regulatory arbitrage risk that fragmentation creates.

Australia and New Zealand’s active and increasingly assertive regulatory posture towards large technology platforms, as evidenced by Australia’s News Media Bargaining Code and subsequent legislative interventions, signals political readiness for the kind of sovereign AI governance framework this paper describes. Their participation in a multilateral co-ordination mechanism anchored by the EU and UK would significantly extend its geographic reach and credibility.

4.4 Timeline: This Is a Two to Three Year Question

The framing of sovereign AI governance as a future policy concern is no longer accurate. It is a present policy urgency.

The EU AI Act is in force. High-risk AI system obligations are phasing in. The regulatory architecture exists. The question is whether the continuity infrastructure layer is added to it through deliberate legislative action or whether it is constructed reactively in response to the first major AI continuity failure.

The UK’s post-Brexit regulatory agenda includes AI governance as a priority. The institutional capability exists. The political will is developing. The window for proactive framework design is open now.

Australia and New Zealand have demonstrated that they are willing to move decisively when they perceive a structural power imbalance between large technology platforms and the public interest. The Anthropic-Pentagon dispute will not have gone unnoticed in those jurisdictions.

Industry and public sector decision makers who are treating sovereign AI governance as a five to ten year horizon question are misreading the pace of regulatory development. The more realistic planning horizon is two to three years for initial legislative frameworks in leading jurisdictions, with compliance obligations following within the standard implementation period thereafter.

Section 5: A Briefing for Industry

5.1 The Honest Assessment

This section speaks directly to industry leaders in the AI sector and in the enterprise organisations that depend on AI infrastructure. The message is not adversarial. It is practical.

Sovereign AI frameworks are coming. The political conditions that produced the EU AI Act, the regulatory assertiveness of Australia and the UK, and the object lesson of the Anthropic-Pentagon dispute have created a political environment in which legislative action on AI governance continuity is not a possibility but a matter of timing. The question for industry is not whether these frameworks will exist, but whether the industry will have shaped them or been subjected to the version written without its input.

The history of technology regulation does not favour the second option. GDPR was written largely without meaningful industry co-design. The compliance costs, the legal uncertainty, and the regulatory friction that followed were, in significant part, the consequences of that absence. The AI Act, developed over several years with extensive consultation, is materially better calibrated. The lesson is available to be learned.

5.2 Why Well-Designed Sovereign Frameworks Serve Industry Interests

The reflexive industry objection to sovereign AI governance frameworks is that they chill innovation, create bureaucratic overhead, and reduce competitive agility. This objection has surface plausibility and limited analytical depth.

Regulatory clarity reduces uncertainty. The single greatest cost of the current unregulated environment is not compliance overhead. It is the uncertainty premium that enterprise customers, institutional investors, and government procurement officials apply when they cannot assess the governance risk of the AI systems they are considering deploying. A credible sovereign governance framework, by establishing clear and consistent obligations, reduces that uncertainty premium and expands the addressable market for compliant providers.

Independent oversight reduces litigation risk. The accumulating litigation and regulatory challenge that AI companies face across the EU, Australia, New Zealand, and now in the United States itself is not a temporary feature of an early market. It is the predictable consequence of systemically important technology operating without adequate governance frameworks. A credible independent oversight body reduces the political and legal surface area for that litigation by establishing that governance obligations exist and are being enforced.

Continuity obligations are commercially valuable. Enterprise customers and government procurement officials are increasingly requiring assurance that the AI systems they depend on will remain available, on consistent terms, for the planning horizons they operate across. A provider that can demonstrate credible continuity infrastructure is more attractive than one that cannot, all else being equal. Sovereign governance frameworks, by mandating continuity infrastructure, level the playing field and prevent the race-to-the-bottom dynamics that make continuity assurance commercially difficult to offer unilaterally.

5.3 What Constructive Engagement Looks Like

Constructive engagement with sovereign AI governance framework development is not a public relations exercise. It is a strategic imperative, and it has a specific content.

It means participating actively in legislative consultation processes, with substantive technical input rather than lobbying against the principle of governance. It means proactively developing and publishing continuity infrastructure that demonstrates the industry can meet reasonable sovereign governance expectations without waiting for legislation to mandate it. It means engaging transparently with independent oversight bodies on reporting and accountability obligations rather than treating them as adversarial.

It also means accepting that the era in which individual AI companies could unilaterally determine the terms on which governments and their institutions access critical AI infrastructure is ending. That is not a regulatory overreach. It is the natural and appropriate consequence of AI infrastructure crossing the threshold from commercial technology to critical national infrastructure. The companies that recognise and adapt to that reality will be better positioned in the regulatory environment that is coming than those that contest it.

Conclusion

The argument of this paper is not about whether artificial intelligence is beneficial. It is, in most of its applications, enormously so. It is not about whether the companies developing frontier AI are acting in bad faith. The Anthropic case is instructive here: the company’s refusal to permit its technology to be used for mass surveillance of citizens or to power fully autonomous weapons is not a radical or outlying position. It is entirely consistent with the prohibited use categories established under the EU AI Act, with the stated policies of most allied defense ministries, and with the ethical frameworks that the broader AI industry has itself publicly endorsed. What was unusual in the Anthropic-Pentagon dispute was not Anthropic’s position. It was the US executive branch’s demand that a private company abandon protections that are, by any measure of international standards, established norms of responsible AI deployment. That context matters for how industry leaders read the dispute: not as evidence that AI companies are ungovernable, but as evidence that governance frameworks which depend on the alignment of a single national executive with international norms are insufficient protection for anyone.

It is tempting to read the sovereign AI governance argument as primarily a concern for non-American governments and institutions. It is not. American companies operating in sectors with any government adjacency face the same continuity and dependency risks as their international counterparts, in some respects more acutely. The supply chain risk designation applied to Anthropic in February 2026 did not distinguish between European and American enterprise customers. It threatened the operational continuity of any organization, domestic or international, that had integrated Claude into systems touching government work. Those organizations had no advance notice, no seat at the table, and no prepared response. American enterprises are inside the same governance gap as everyone else. In certain scenarios, given their direct and unmediated exposure to domestic executive authority, they are deeper inside it.

This paper is, at its core, about closing that gap. The governance frameworks required are not punitive towards industry, and they are not designed to be. The central bank independence model, the bank resolution planning requirements, the market access leverage mechanisms that underpin EU regulatory standards, the Sovereign OSS Fund architecture: these frameworks exist to create the conditions under which systemically important institutions can operate sustainably, with the confidence of the governments and populations they serve. AI infrastructure has crossed the threshold that makes equivalent frameworks necessary. That is not a judgement on the industry. It is a description of how far it has come.

The events of February and March 2026 have made the cost of that absence visible in a way that is difficult to dismiss. The window for proactive sovereign AI governance frameworks is open. It will not remain so indefinitely, and the frameworks constructed in response to the next major AI continuity failure will be more expensive, less well-designed, and more politically contentious than those built in anticipation of it.

Sovereign AI frameworks are coming, on a two-to-three-year legislative horizon in leading jurisdictions. The companies and institutions that engage constructively now, helping to shape continuity infrastructure that is workable, proportionate, and technically credible, will be better positioned than those that wait. More than that: they will have contributed to a governance environment that is better for the industry as a whole, because it is one that governments and the public can trust. That trust is the condition on which the continued expansion of AI into critical systems depends. It cannot be assumed. It has to be built. Sovereign governance frameworks are how it gets built.


References

The Anthropic–Pentagon Dispute
  • Axios: Anthropic says Pentagon’s ‘final offer’ is unacceptable (26 February 2026)
  • CNN Business: Anthropic rejects latest Pentagon offer (26 February 2026)
  • CNN Business: Trump administration orders military contractors and federal agencies to cease business with Anthropic (27 February 2026)
  • CNBC: Trump admin blacklists Anthropic as AI firm refuses Pentagon demands (27 February 2026)
  • NPR: OpenAI announces Pentagon deal after Trump bans Anthropic (27–28 February 2026)
  • CBS News: Anthropic CEO: We’re trying to ‘deescalate’ Pentagon AI standoff (4 March 2026)
  • CNN Business: Anthropic sues the Trump administration after it was designated a supply chain risk (9 March 2026)
  • Fortune: Anthropic sues the Pentagon after being labeled a threat to national security (9 March 2026)
  • The Washington Post: Anthropic sues Pentagon over being labeled a national security risk (9 March 2026)
  • Tech Policy Press: A Timeline of the Anthropic–Pentagon Dispute (9 March 2026)
EU AI Act and Regulatory Framework
  • European Parliament and Council of the European Union: Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Act) (2024)
  • European Commission: Guidelines on Prohibited Artificial Intelligence Practices established by Regulation (EU) 2024/1689 (4 February 2025)
  • European Parliament: Guidelines for military and non-military use of Artificial Intelligence (2021)
  • Tech Policy Press: Europe’s AI Act Leaves a Gap for Military AI Entering Civilian Life (10 March 2026)
  • Future of Privacy Forum: Red Lines under the EU AI Act: Understanding Prohibited AI Practices and their Interplay with the GDPR (2025)
Australia and Platform Regulation
  • Australian Competition and Consumer Commission: News Media Bargaining Code (2021)
  • Parliament of Australia: Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Act 2021 (2021)
  • Bossio, D. et al.: Australia’s News Media Bargaining Code and the global turn towards platform regulation (2022)
GSDRF Primary Research

Global Software Development Research Foundation (2025–2026). “OSS Sustainability and AI Impact: Primary Research on GHArchive Data 2015–2025.” Original BigQuery analysis. Internal research dataset, GSDRF.

Global Software Development Research Foundation (2025–2026). “Future Proofing Software Development.” GSDRF Policy Paper.

Financial Crisis and Systemic Risk Governance
  • Financial Stability Board: Reducing the Moral Hazard posed by Systemically Important Financial Institutions (October 2010)
  • Basel Committee on Banking Supervision: Global systemically important banks: assessment methodology and the additional loss absorbency requirement (2011)
  • Council on Foreign Relations: The Defense Production Act of 1950: History, Authorities, and Considerations for Congress (2020)
GSDRF Primary Research
  • Stop Killer Robots Campaign: What are the AI Act and the Council of Europe Convention? (2023)
  • Paul Hastings LLP: European Commission & AI: Guidelines on Prohibited Practices (2025)


Global Software Development Research Foundation  |  Policy Research  |  March 2026