Two announcements landed this week that frame the AI sovereignty question more sharply than any policy paper.
On Saturday, the Maltese government signed a national agreement with OpenAI and Microsoft. Every citizen and resident who completes a two-hour University of Malta literacy course will get a year of ChatGPT Plus or Microsoft Copilot, free at the point of use. Managed by MDIA, backed by a €100 million digitalisation pledge from the October Budget. George Osborne, who runs OpenAI for Countries, described Malta as "leading the way."
In the same week, the picture from Abu Dhabi was different in scale and shape. The Emirate now operates with around $1.7 trillion in sovereign wealth behind its tech strategy, roughly 1,000 startups and scale-ups in the local ecosystem, and AI investment commitments running into the trillions. The institutional names (Hub71, MBZUAI, TII, G42) point to a strategy of owning the stack from compute upward.
Two countries, the same week, both acting on the same conclusion: AI infrastructure is now national infrastructure. Each picked a very different layer to put resources behind.
The contrast surfaces an unfinished question. What do we actually mean when we say a country, a business, or a person has sovereignty over AI?
The answer used to be straightforward. For two decades, the high-water mark of digital transparency was open-source code. You could read it; therefore you could trust it; therefore you had control. For most of the software economy, that contract still works. For AI, it no longer does.
Disclosure: Epic Growth is the local partner of the DeAI Summit 2026, referenced later in this post.
What sovereignty meant for software
The open-source bargain was the cleanest deal in technology. The artefact and the source were the same thing. Linux, Apache, Postgres, MySQL: once the code was on your screen, you had everything the original developer had. You could inspect it, fork it, run it on your own hardware, and audit it line by line.
That symmetry between code and behaviour did most of the work. If you wanted to verify what a Postgres database would do with your data, the answer was in the SQL parser. If you wanted to know how the Linux kernel scheduled CPU time, the answer was in the scheduling code. Trust did not require permission, and digital independence did not require infrastructure spending. It required someone competent enough to read the source.
The model held up for decades. Most of the public-facing internet runs on stacks that any sufficiently motivated reader can audit. Most national digital infrastructure quietly depends on open-source components for exactly that reason.
This is why "open source" has become a kind of reflex word for technological sovereignty. Governments reach for it. Policy thinkers reach for it. It worked for software, the thinking goes, so it should work for AI.
It doesn't. Not because open source is wrong, but because the artefact has changed shape. A trained AI model is not just code. The code is the thinnest layer of a much larger structure, and the behaviour we care about lives in the layers below.
Why AI breaks the contract
A modern large language model is the output of four things, only one of which is code:
- Code: the training pipeline, fine-tuning scripts, inference engine. Boring, well-understood, often genuinely open.
- Weights: the learned parameters of the model. Hundreds of billions of numbers that nobody, including the developers, can fully interpret.
- Training data: the corpora used to produce those weights. Often partly licensed, partly scraped, partly opaque even to the model's owner.
- Compute: the physical infrastructure that produced the weights and runs inference. Datacentres, GPUs, networks, energy, jurisdictions.
The Open Source Initiative spent most of 2024 working out what "open source AI" should mean given those four layers. The result, the Open Source AI Definition v1.0 finalised in October 2024, requires open code, open weights with the optimiser state, and "sufficiently detailed information about training data such that a skilled person can recreate a substantially equivalent system." It does not require the data itself. That compromise is what most public arguments about "open AI" are really arguing about.
With code-only access you can audit the architecture and the training recipe in principle, but you cannot verify what the model actually learned. With code plus weights you can probe behaviour, run benchmarks, fine-tune. You still cannot reproduce the training, and you cannot trace why a particular output came out the way it did. With code, weights, and data you get genuine reproducibility, bias provenance, and copyright lineage. With all four, including compute, you get something close to the old open-source bargain.
The Stanford CRFM Foundation Model Transparency Index measured fourteen leading developers across one hundred indicators in May 2024. The mean score was 58 out of 100. The top score was 85. The dimension that scored lowest, across the board, was upstream: data, labour, compute. The artefacts the public can audit have improved. The layers underneath have not.
Mean score on the Stanford CRFM Foundation Model Transparency Index across 14 leading developers (May 2024). The upstream layer (training data, labour, compute) was the lowest-scoring dimension industry-wide.
The licence layer compounds the problem. Meta's Llama family ships open weights, which is genuinely useful, but the licence restricts commercial use above 700 million monthly active users and adds explicit carve-outs for some EU-based entities on multimodal variants. Mistral's open-weight releases under Apache 2.0 do not. DeepSeek's R1 release in January 2025 went further: a frontier-grade reasoning model with open weights and a reported training cost of around $6 million. It also encoded politically aligned positions directly in the parameters, which MIT Technology Review documented in November 2025 when quantum-physics researchers "de-censored" the model by editing the weights themselves.
That last detail is the one to sit with. The bias was not at the API. It was not in a content filter. It was in the parameters. Reading the code would not have surfaced it. Even reading the weights at inference would not have surfaced it without specialised probing.
For AI, code release is no longer the proof of transparency. It is the floor.
Sovereignty isn't only national
Most of the public conversation about sovereign AI is conducted at the level of countries. Whose stack? Whose compute? Whose data? It is a legitimate level, but it is incomplete.
Sovereignty operates at four scopes, not one. National sovereignty matters. So does enterprise sovereignty: can a business audit and switch the models it depends on? Community sovereignty: do groups, regions, or language communities have agency over the AI that mediates their information? Individual sovereignty: do people retain meaningful control over what AI tools learn about them? Mozilla.ai's John Dickerson made a parallel case earlier this month, arguing that sovereignty in AI is a design principle before it's a policy debate. The framing matters whether you arrive at it from a foundation, an enterprise, or a country.
That distinction lets you read this week's two announcements more carefully.
Malta's deal puts AI access into the hands of every citizen and resident. At the national scope, it has clear limits: the models, the inference, and the data flowing through them sit on US-controlled infrastructure under US-jurisdiction APIs. But that is not the whole story. At the individual scope, putting modern AI tools into the hands of half a million people raises a population's working literacy in something that will define the next decade of work. That is a real outcome. It does not solve the four-layer audit gap, and it was never going to. It is a different bet, on a different axis.
Abu Dhabi's strategy is the inverse. At the national scope, owning sovereign wealth, sovereign compute, sovereign training capacity, and sovereign model labs gives a country something close to vertical autonomy. At the individual scope, those investments do not yet translate into citizen agency in the same way; that part is downstream of who gets to use the systems and on what terms.
Both are sovereignty plays. Neither is "wrong." They cover different cells of the same map, and the cells they leave uncovered are where most businesses and individuals actually live.
Update, 14 July 2026. The argument has since been made from inside the deal itself. Kenneth Brincat, chief executive of the MDIA, which administers the programme, answered its critics in the Times of Malta with a three-pillar framing: data sovereignty (whose law your information sits under), technological sovereignty (who owns the cloud, the chips, the models), and digital capability (whether a population can actually use, and question, these systems). That is this post's scope map, drawn by the person operating the deal. Two details in his piece are genuinely new. First, the state negotiated terms that a million individual clicks on "accept" never produced: EU data residency, no training on users' content, and audit rights. Second, because enrolment runs through the national eID, Malta gains an aggregate, anonymised picture of its own AI adoption, population-level visibility that policymakers previously had to guess at. Neither closes the four-layer audit gap, and Brincat does not claim it does. His piece also lands six weeks after what it describes as the Commission's Technological Sovereignty Package of 3 June (a Cloud and AI Development Act, a revised Chips Act, AI gigafactories, tiered sovereignty assurance levels), which is where the national-scope compute question is actually being settled. Naming which cells you are covering, and which you are deliberately not, is precisely the discipline this post is arguing for, and it is encouraging to see it practised in public.
Four layers, four levels
A useful way to organise the question is to put the four technical layers on one axis and the four scope levels on the other.
Each cell is a real, separate question. Hover, tap, or tab to any cell for the full version:
Does the state see the training pipelines it depends on?
Can your business inspect the inference stack you bill through?
Does a region or language community see the code that mediates its information?
Can a person run inference locally if they want to?
Are the weights of foundation models in national use available for audit?
Can your business host, fine-tune, or fall back to weights it controls?
Are weights aligned to the values of the communities they serve?
Can a person carry their personalised model artefacts between vendors?
What is in the corpus your population's models were trained on?
What did your AI vendor's training set contain, and what guarantees does it offer?
Is local language, history, and context represented in training?
What did this system learn from data about people like me?
Where, physically and jurisdictionally, does inference happen?
Can your business switch inference providers without rewriting everything?
Does the community have access to compute without single-vendor dependency?
Can an individual run a useful model on their own device?
Brighter cells: the enterprise and community scopes, the ones neither headline national play covers, and where most businesses actually live.
None of these is answered by "we open-sourced the code."
What a business can actually do
If you run a business in Malta, the European Union, or anywhere in scope of the AI Act, the practical translation of all this is more concrete than it looks.
The first move is architectural. Multi-cloud, multi-model architectures with configuration-based switching are the same advice good engineering teams gave for cloud providers a decade ago, applied one layer up. Anything you build that depends on a single closed-API vendor is a single point of failure on every axis at once. If you can swap the model provider with a configuration change, you have already moved several cells of the matrix in your favour.
Update, 14 July 2026. How hard that swap actually is now has a precise, practitioner-grade description. Mozilla.ai's David de la Iglesia Castro, writing from months of building an agentic product on frontier APIs, put it plainly: open models are ready for agents, their APIs are not. The gap is no longer model quality. It is the platform surface around the model: tool calling, streaming, file lifecycles, server-side search, code execution, prompt caching, usage accounting. "OpenAI-compatible" mostly means you can send chat messages and get tokens back. Swap a frontier model for an open one and basic chat works on the first try, which is what makes the gap deceptive; then the platform contract fails one piece at a time, and by the time you have papered over every gap you have rebuilt half a frontier API around the open model you started with.
Best · Tools, files, search, caching, usage all just work
Trade-off · Every cell of the matrix sits with one vendor
speed matters more than control and your data can live on a US-jurisdiction API
Best · Swap the model freely, keep the agent unchanged
Trade-off · A young layer, gaps still being closed
you want vendor-switchability without rebuilding the platform layer yourself
Best · Maximum control: weights, data, jurisdiction
Trade-off · Chat in, tokens out; the platform layer is yours to rebuild
sovereignty or data-residency constraints outweigh convenience
The gateway is the new middle: open models behind the platform contract production agents already rely on.
- The gap
- “OpenAI-compatible” mostly means chat in, tokens out. The platform contract a production agent depends on (tools, streaming, files, search, execution, caching, usage) is not part of the promise.
- What breaks
- Point a working agent at a bare open endpoint and the failures arrive one by one: tool-call dialects drift, streaming emits fragments the UI can't parse, files have no lifecycle, server-side search and code execution simply don't exist.
- The gateway
- Mozilla.ai's Otari (open source) serves three API surfaces (Chat Completions, Responses, Anthropic Messages) across 40+ providers, with search, sandboxed execution, files, budgets, and cached-token usage accounting.
- The sovereignty stake
- The platform layer is the real switching cost. Without it, every team rebuilds half a frontier API before an open model becomes a genuine substitute. That layer, not model quality, now decides who can leave a vendor.
Mozilla.ai's answer is Otari, an open-source gateway that serves the Anthropic and OpenAI dialects across more than forty providers and supplies the missing platform layer: server-side search, sandboxed code execution, a file lifecycle, per-key budgets, usage and cost accounting. Be clear-eyed about the shape of that trade: a gateway is itself a dependency, and one that holds your keys, which makes adopting it a security decision as much as a convenience. The difference is that this one is open source, self-hostable, and speaks portable dialects, so the exit stays open. For the matrix above, this is the enterprise compute and code cells in motion. Switchability is not a slogan, it is a piece of infrastructure somebody has to build, and it says something that the organisations building it in the open are the ones with sovereignty in their mission statement.
The second move is jurisdictional. The EU AI Act's General-Purpose AI obligations have been live since 2 August 2025, with full enforcement powers landing with the AI Office on 2 August 2026, about eleven weeks from publication of this post. Most Maltese SMEs will encounter the Act as deployers rather than as foundation model providers, but the deployer obligations are real and they compound with sectoral rules.
Prohibited AI practices enter force.
General-Purpose AI obligations live; Training Data Summary Template mandatory for new models.
AI Office's full enforcement powers begin.
Full application of the EU AI Act; legacy GPAI compliance deadline.
The third move is local. CALYPSO (Malta's AI Factory Antenna, led by MDIA and linked to Greece's PHAROS AI Factory) was confirmed by EuroHPC in October 2025 as one of thirteen Antennas across Europe, with around €10 million in committed investment on the Malta side. The architecture is worth reading carefully, because it is itself an instance of the argument this post has been making.
The heavy AI-optimised compute lives at the Factory level, in Greece. What CALYPSO provides nationally is the governance and access layer: onboarding, technical support, training, curated datasets, and the legal scaffolding that connects Maltese startups, SMEs, researchers, and public bodies to European-jurisdiction supercomputing. Malta keeps the governance sovereign. The compute is pooled.
On the four-by-four matrix, that is a deliberate choice: enterprise-scope compute and data sovereignty routed through an EU-jurisdiction Factory instead of a US-jurisdiction API, without Malta having to build a national supercomputer. The MoUs that formalise the Factory–Antenna relationships are scheduled to be signed by mid-2026, which means the design of this layer is being settled in the same months as the AI Office's enforcement powers come live. For most Maltese businesses, CALYPSO will be a more directly useful sovereignty lever than any geopolitical headline. This is the layer where Malta's AI story will actually be written: not in the headline deals, but in the design of the access layer.
The fourth move is open-weight literacy. Mistral's Apache 2.0 models, the OpenEuroLLM consortium's forthcoming releases, and the broader open-weight ecosystem are not perfect substitutes for frontier closed models on every task. They are entirely sufficient substitutes for a great many tasks. Knowing which is which is now part of the job of running a digital business.
None of this requires building sovereign compute from scratch. It requires picking the cells of the matrix that actually matter to your business and making real decisions there.
Where the conversation goes next
The DeAI Summit lands in Malta on 25–28 November 2026, at the Malta Fairs & Conventions Centre in Ta' Qali, co-located with TechXpo EU, with one of its working groups dedicated to the question of verifiable AI infrastructure: what cryptographic proofs of training data lineage, weight provenance, and distributed inference might look like in practice. It is the working group closest to the four-layer audit gap this post has spent its time on.
Sovereignty over AI will not be decided by any single deal, any single nation, or any single technical standard. It will be decided cell by cell, decision by decision, by the people who build, deploy, and depend on these systems. The most honest question you can ask, as a business, a community, or a country, is the one this post has tried to surface:
Where does your coverage of the map have gaps, and which of those gaps actually matter to you?

