Strategic Studies AI Policy Geopolitics

AI Sovereignty Is the New Stack Question: Why India, the EU, and the US Are Recompiling Their Technology Base

Dipankar Sarkar
Dipankar Sarkar · · 6 min read

When I did the Graduate Certificate in Strategic Studies at The Takshashila Institution in 2018, the syllabi still treated cyberspace as an annex to traditional national security. Eight years later, sovereignty over compute, models, and data has become the primary stack question — and the answer is being written simultaneously in at least three jurisdictions, none of which agree.

This essay is a field report. The data is from public policy documents, regulatory filings, and primary-source research I have done as a Takshashila alumnus, an AI architect who has shipped production agentic systems for regulated industries, and the founder of Neul Labs — a Rust-native AI agent infrastructure company.

1. The Sovereignty Stack, Defined

AI sovereignty is the ability of a jurisdiction to (a) spec, (b) audit, (c) deploy, and (d) enforce AI systems within its territory, without depending on a foreign platform for any one of those four functions. Each of the four has technical and policy dimensions:

LayerTechnicalPolicy
SpecOpen model weights, reproducible training pipelinesExport controls on training compute, model registries
AuditLocal evaluation harnesses, red-team infrastructureAlgorithmic accountability laws, regulator access
DeployDomestic GPU capacity, sovereign cloudData residency rules, public-procurement preferences
EnforceKill switches, runtime policy gatesLiability frameworks, jurisdictional reach

A jurisdiction is sovereign only if it can do all four on its own. Most are sovereign on one or two, dependent on the rest.

2. The Three Compiling Blocks

The United States — “Compute and Standards”

The US has a near-monopoly on frontier training compute (NVIDIA GB200/NVL72 stacks, the cloud, the model labs). Its sovereignty play is to keep the spec and deploy layers under domestic control via export controls (October 2022 + October 2023 + January 2025 AI Diffusion Rule), CHIPS Act subsidies, and procurement preference for US-hosted models in the federal stack.

It is the most powerful single-jurisdiction position. It is also brittle: the standards it sets are global only as long as the rest of the world is willing to follow. The CHIPS Act money runs out in 2027. The Diffusion Rule is already under WTO challenge. The bet is that the world keeps buying US stacks.

The European Union — “Regulation as Infrastructure”

The EU is sovereign in the enforce and (partly) audit layers. The AI Act (entering force in phases through 2027), the GDPR, the Digital Operational Resilience Act (DORA), the NIS2 directive, and the EHDS regulation together turn compliance into a positive infrastructure: if you can pass a CE-marked audit, you can ship in 27 markets.

The bet is that “Brussels-effect” regulation will force global stacks to localise. The risk is that compliance becomes a moat for incumbents and a barrier for European challengers.

India — “Demand Sovereignty, Negotiate on Compute”

India has the largest AI demand surface outside the US (1.4B people, UPI, Aadhaar, IndiaStack, ONDC, the IndiaAI Mission). Its sovereignty play is to control the spec layer through public model initiatives (BharatGPT, Airavat, the 18,693-GPU IndiaAI compute cluster), to control the deploy layer through Digital Public Infrastructure (DPI) export, and to leverage the demand side at WTO and bilateral negotiations.

The bet is that scale + DPI gives India a seat at the standards table it could not win on compute alone. The risk is that without sovereign GPU capacity, India will always be a buyer of foreign model weights and inference infrastructure.

3. The K-shaped Outcome

By 2030, I expect a K-shaped AI world:

  • Top stack: US hyperscalers + US-allied jurisdictions (UK, Japan, Korea, Australia) on US-origin compute, US-origin models, US-origin standards.
  • Mid stack: EU + India + Brazil + Indonesia, running mixed-origin stacks with strong local audit and enforce layers.
  • Long tail: A long tail of jurisdictions that depend on whichever of the above will sell to them, with periodic sovereignty crises when geopolitics turns.

The interesting cases are the mid-stack players. They have the demand to be price-makers, not price-takers, but they need to actually build the audit and enforce infrastructure. The EU has the regulation; India has the DPI export playbook; Brazil has its own data-protection regime. The convergence question is whether the mid-stack can agree on mutual recognition of AI audits, the way pharmaceutical regulators have done for decades.

4. What This Means for Builders

If you are shipping AI into regulated industries (financial services, healthcare, public sector), the questions you should be asking your vendor and your customer in 2026 are:

  1. Where does inference run? Jurisdictional clarity beats cost optimization.
  2. Who audits the model? A CE-marked audit is a sellable asset; a self-attested model card is not.
  3. What is the kill switch architecture? A defensible system has a runtime policy gate, not a post-hoc PDF.
  4. What is the data-residency story? Both for training and for RAG context.
  5. What is the export-control story? If you are using weights that may be re-classified, your customer is exposed.

These are the questions I built Neul Labs to make easier. They are also the questions I find most founders I advise still not asking.

5. The Takshashila Frame, Eight Years On

Strategic studies at Takshashila taught me to read policy documents the way a compiler reads source: as artefacts that constrain the space of possible actions. The 2018 cohort was reading the EU’s General Data Protection Regulation as it was about to bite. The 2026 cohort is reading the AI Act, the Diffusion Rule, and the IndiaAI Mission the same way.

The difference is that in 2018 the question was “is this regulation enforceable?” In 2026 the question is “is this jurisdiction sovereign?” The bar has moved because the stack has moved.

If you are building in this space, my offer is the same one I make on the consulting page: bring me in early, before the architecture is locked. The sovereignty decisions are made in the first three sprints. They are very expensive to undo later.

— Dipankar Sarkar Founder, Neul Labs · Takshashila alumnus (Strategic Studies) · IIT Delhi

This essay is also published on Substack.