Starved by Design: The Sovereign AI Paradox

The TL;DR is that Sovereign AI is being sold as a capability upgrade for our most sensitive work, when the opposite is closer to the truth. The more classified the network, the worse the Artificial Intelligence running on it tends to be, and that is baked into the physics of how these systems are built, not a funding gap we can spend our way out of. As Australia invests in Sovereign and next-generation capability through programs like the Australian Signals Directorate's REDSPICE and the National AI Plan (Australian Signals Directorate, 2022; Department of Industry, Science and Resources, 2025), we owe ourselves an honest conversation about what a sealed enclave can and cannot do.
This article argues that the honest national posture is to master the control of AI, not to chase the fantasy of creating it.
The question I keep coming back to is this: why do we assume the high side gets the best technology, when everything about the high side is designed to stop technology working the way modern AI needs it to?
Introduction
Sovereign AI is the buzzword of the moment, and like most buzzwords it means five different things to five different people in the same meeting. For some it means training frontier models onshore. For others it means running someone else's model on Australian soil. For the National Security community it usually means one thing above all, keeping the data, the model, and the inference inside a boundary we control.
That instinct is correct. The problem is that the same boundary that keeps our secrets safe also starves the AI we put behind it, and almost nobody selling Sovereign AI into government wants to say that out loud.
The Starvation Chain
Modern AI is hungry. Retrieval-Augmented Generation (RAG) needs a constantly refreshed corpus. Fine-tuning needs data to learn from. Frontier models need to be reached and updated. Every one of those needs assumes data can move.
On a classified network, data cannot move freely. That is the entire point of the network. So follow the chain, because each link forces the next:
Classification boundaries stop data flowing. Material sits at OFFICIAL, PROTECTED, SECRET or above under the Protective Security Policy Framework (PSPF), and moving it up or down is a controlled, deliberate act, not a background process (Department of Home Affairs, n.d.).
Data that cannot move cannot feed the model. Your retrieval index goes stale. Your fine-tuning set is a fraction of what exists. The model reasons over yesterday's picture.
A stale model on an air-gapped network cannot phone home. There is no route out to a frontier provider. You run what you can host locally.
What you can host locally is smaller and older. A model you can stand up inside a sealed enclave is, today, behind the frontier, and it costs more to serve because you are buying and running the hardware rather than renting inference by the token.
So the causal end point is this. The higher the classification, the more the AI is starved, the smaller and staler the model, and the higher the cost per unit of capability. The high side gets worse AI precisely because it is the high side. That is not a criticism of anyone's engineering. It is the shape of the constraint.
Creation Versus Control
This is where the Sovereign AI conversation splits, and where I think we lose the plot.
There are two very different ambitions hiding under one word. The first is AI creation, building and training frontier-scale models ourselves. The second is AI control, being able to run, govern, secure, and assure models onshore, whoever built them.
Creation is largely a fantasy for a nation our size, and we should be honest about why. Frontier training demands compute at a scale that a handful of hyperscalers and nation states can muster, and for now the gap is widening. Announcing a sovereign model is easy. Standing up the compute, data, talent, and ongoing training to keep it competitive is a different order of problem, and the numbers do not favour us. Programs like REDSPICE meaningfully lift our sovereign capability (Australian Signals Directorate, 2022), but capability to run and defend is not the same as capacity to create at the frontier.
Control, on the other hand, is achievable and is the thing that actually matters for national security. Can we host a capable model inside a boundary we own, assure it, evaluate it, log it, and keep foreign legal reach away from it? That is a solvable engineering and policy problem, and it is where the money should go.
This distinction is not academic. When a foreign-hosted model is involved, data residency in an Australian region does not give you sovereignty, because the provider can still sit under extraterritorial legal reach through instruments such as the United States CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018). Residency is about geography. Control is about jurisdiction. Confusing the two is how you buy a sovereign badge and inherit a foreign subpoena.
I implore all of those reading this, to sit down, read the legislation and understand the multitude of pathways that can play out, which enable data to meet it's maker. It isn't a silver bullet, and there is cause for concern when applied to this problem statement.
Only Variety Can Absorb Variety
There is a law from cybernetics that explains why even control has a ceiling, and it is worth sitting with. In 1956 W. Ross Ashby stated the Law of Requisite Variety: to regulate a system, a controller needs at least as much variety, as many distinct possible responses, as the system it is trying to control (Ashby, 1956). Put plainly, only variety can absorb variety. A thermostat can control a room because a room's behaviour is simple. Nothing that simple can control a frontier model, because a frontier model's range of possible behaviours is astronomically larger than any oversight mechanism, a review board, a test suite, or a single human in the loop, can bring to bear.
This is the honest limit on the word control. You can host a model onshore, log it, evaluate it, and keep foreign legal reach away from it, and you should. But you cannot out-vary it. Complete behavioural control of a frontier model is not a backlog item, it is a structural impossibility, because the controller will always hold less variety than the thing it controls.
So the move is not to match the model's variety. It is to shrink the variety you have to control in the first place. Narrow the task. Bound the operating envelope. Wrap the probabilistic core in deterministic guardrails. Keep a human on the consequential calls, where their judgement, not their raw variety, is what counts. This is why creation is the wrong race, it is a variety contest a mid-sized nation cannot win, and why control is achievable only when you design the system to need less of it. Sovereignty as control is not the power to match a frontier model. It is the discipline to give it less room.
The So What?
So if the high side is starved by design, and creation is a fantasy, what does an architect actually do? A few things, and none involve pretending the enclave gets the same assistant as the corporate network.
Bring the model to the data, not the data to the model. On the high side the data will not come to you. Design for local inference against local corpora, and accept the capability trade.
Treat cross-domain solutions as first-class architecture. The controlled movement of data between classifications determines whether your model is fed or starved. It deserves the same design attention, and scrutiny, as the model itself.
Budget for the sovereign penalty upfront. On-premises inference on your own hardware costs more than metered cloud inference. If your business case assumes frontier-API economics on an air-gapped network, it is wrong before it starts.
Stay model-agnostic. Do not back a single horse. The frontier moves and geopolitical trust shifts. A thin model layer that lets you swap models without rewriting applications is the architectural expression of sovereignty as control. It is also where you shrink the variety you have to govern: one governed seam with its own logging, provenance, and guardrails, instead of a different captive model in every tool.
Now, I will grant that synthetic data, retrieval tricks, and distillation can close some of this gap, and the field moves quickly. That is a separate and worthwhile conversation for my architecture friends. It changes the size of the constraint, not its direction.
Conclusion
We are at risk of selling the national security community a fantasy, that sovereign AI on the high side will feel like the tools they use at home. It will not, and the sooner we are honest about that, the better the architecture we will build.
The path forward is not louder promises. It is honest design that treats the starvation chain as a fixed constraint, spends its effort on control rather than the vanity of creation, and tells the customer the truth about what a sealed enclave can and cannot do.
So here is the question I would leave every leader with. Are you buying sovereign AI because you have understood the trade, or because the word sounds like safety? Because those are very different purchases, and only one survives contact with the network.
Thanks for reading.
The views expressed in this article are my own and do not represent those of my employer, or any of my clients.
See related: Beyond the Hype: Unveiling the Multi-Cloud Mirage in Public Sector Cloud Strategy.
References
Ashby, W. R. (1956). An introduction to cybernetics. Chapman & Hall.
Australian Signals Directorate. (2022). REDSPICE blueprint. Australian Government. https://www.asd.gov.au/sites/default/files/2022-05/ASD-REDSPICE-Blueprint.pdf
Clarifying Lawful Overseas Use of Data (CLOUD) Act, Pub. L. No. 115-141 (2018).
Department of Home Affairs. (n.d.). Protective Security Policy Framework. Australian Government. https://www.protectivesecurity.gov.au
Department of Industry, Science and Resources. (2025, December 2). National AI Plan. Australian Government. https://www.industry.gov.au/publications/national-ai-plan


