行业 AI 方案如何结合本地资源与客户信任

What Sovereignty Actually Requires: 第一性原理

To reason clearly about this, we need to be precise about what AI infrastructure consists of and where operational power actually resides.

Every AI deployment has three distinct layers:

This is the critical insight from the research: you can own the data plane entirely - you can hold the deed to the building and the title to the hardware - and still have zero operational sovereignty if the control plane or management plane depends on infrastructure outside your jurisdiction.

These dependencies take specific, auditable forms:

• License or entitlement validation calls to vendor servers
• Identity or token issuance from external identity providers
• Telemetry and metrics pipelines bound to vendor SaaS dashboards
• Remote configuration or optimization services controlled from vendor infrastructure
• Upgrade and patch orchestration requiring connectivity to vendor systems
• Container or model artifact registries not fully mirrored locally
• Key management or metadata services hosted outside jurisdiction
• Vendor support tunnels required for administration or incident response
• Firmware and out-of-band management controllers (BMC/IPMI) operating below the OS layer and often opaque to audit

Failure is typically silent: scheduling degrades, tokens expire, and upgrades stall. Authentication tokens expire. Upgrades block. Management functions become unavailable. The hardware remains, but control shifts to whoever governs those services.

The defining test for genuine operational sovereignty is therefore simple and binary:

Can this system operate at full capacity with zero outbound connectivity to vendor infrastructure - without vendor intervention, without configuration workarounds, as a tested and supported operational mode?

Not "mostly yes." Not "yes, but with the following exceptions." Not "yes, with advance notice." 

If not, sovereignty is conditional rather than absolute.

The Five Architectural Requirements

Genuine operational sovereignty requires satisfying five architectural conditions simultaneously. 

1. Control Plane Domesticity

All job scheduling, resource allocation, and system orchestration must execute on hardware within your jurisdiction, under domestic legal authority. You do not need to own the software - you need domestic operational control over it. This means it runs on infrastructure you operate, under legal frameworks you govern, administered by personnel under your authority.

A government can purchase perpetual licenses to infrastructure software and still lack control if the operational systems remain in vendor hands. Conversely, a government can achieve genuine control through a managed services arrangement that includes contractual capability transfer - if, and only if, the transfer is real, timed, and measurably complete.

2. Zero External Dependencies

At full operational capacity, the system must generate zero outbound calls to infrastructure outside its jurisdiction. This means container images, model weights, and system dependencies are cached locally. External services such as updates, monitoring, and support are pull-based - you initiate contact - not push-based, where the vendor's systems reach into yours. License validation, telemetry, and authentication do not require external connectivity.

Power grids, financial clearing systems, and defense communications are all designed to operate in isolation. 

3. Operational Independence

Your team - national citizens with domestic employment arrangements - can operate, upgrade, troubleshoot, and recover the system without vendor intervention. Identity management, policy enforcement, and audit logging run on local databases. The skills required to run the system at its full capability exist within your national workforce, not in a vendor's global SRE organization.

The Tony Blair Institute's research on talent and skills makes clear how scarce this capability is globally. Advanced AI infrastructure expertise is concentrated in a small number of firms and geographies. 

4. Hardware Agnosticism

The architecture must accommodate substitution of GPU vendor, networking vendor, and storage vendor without requiring a full platform re-architecture. 

GPU architectures evolve every two to three years. Any platform that is structurally coupled to a specific generation of hardware will require a fundamental rebuild at each refresh cycle rather than absorbing the upgrade gracefully. That coupling compounds into significant cost, downtime, and operational risk across whatever lifecycle the infrastructure ultimately serves.

As Brookings documents, advanced chip fabrication, lithography equipment, and GPU design are each concentrated in a small number of jurisdictions globally. Responsible infrastructure design - for AI or any other critical national system - accounts for concentration risk through architectural flexibility, regardless of how trusted today's suppliers are.

The best available accelerators should absolutely be deployed. It means the platform's orchestration layer abstracts the hardware interface cleanly enough that when the next generation arrives - or when procurement conditions shift for any reason - the transition is a configuration change, not a reconstruction project.

5. Auditability and Explicit Dependencies

Every component must be locatable. Every operator must be identifiable. Every data flow must be mappable. Regulators and national security authorities must be able to verify, not merely assert, that the system operates within its defined boundaries. External dependencies must fail visibly - with clear error states and explicit operational consequences - rather than silently degrading capability. Any hybrid or burst configuration that involves external connectivity must require explicit policy authorization rather than being the default behavior.

If you cannot demonstrate to a regulator exactly where every component runs, you cannot claim sovereignty.  

The Economics Nobody Is Talking About

The policy literature on sovereign AI has extensively analyzed geopolitical dependencies and regulatory frameworks. It has almost entirely ignored how AI infrastructure is financed, and that omission materially shapes sovereign outcomes.

The traditional AI infrastructure supply chain extracts margin at every layer. When these stack, a government running AI on commercial cloud is effectively paying venture-capital returns on what should be utility-priced assets.

Critical infrastructure is financed at low cost of capital because assets are long-lived and demand is predictable. AI infrastructure shares these characteristics at the physical layer. The compute layer is less settled. Nobody yet knows whether GPU clusters follow a three-year consumer electronics cadence or a five year plus enterprise pattern. But the financing model should not be decided by that uncertainty. Infrastructure financing with defined refresh provisions is how every other critical infrastructure category handles technological evolution. Power plants add generation capacity without rebuilding the grid.

The question governments should be asking is not whether to partner with external providers, but what kind of partnership they are entering: one that builds domestic capability toward independence, or one that deepens dependency while calling itself sovereignty.

The Sovereignty Spectrum, Reframed as Architecture

Most frameworks describe sovereignty as a spectrum - from Oxford’s compute layers to McKinsey’s tiers and the Tony Blair Institute’s Control/Steer/Depend continuum. These approaches are directionally correct but tend to classify countries based on what they own.

A more useful lens is what happens when external conditions change.

Sovereignty is not a static property of asset ownership. It is a measure of resilience; what a system can continue to operate, sustain, or recover when vendor relationships shift, geopolitical alignment changes, or supply chains are constrained.

A country can own infrastructure and still be operationally dependent. Another can own little but have a clear path to independent operation through capability transfer and control over critical systems. Ownership provides assets. Operational independence provides agency.

Sovereignty is agency.

The architecture that follows is not a technical specification. It is what agency looks like in practice by prioritizing operational independence, resilience, and efficiency across power, compute, and control.

Power, as the Foundation

An AI 交付 at national scale is the most power-dense industrial facility of its type ever built. A single large-scale training run can consume the equivalent energy of a small city. Grid interconnection timelines in most countries run three to five years, longer than infrastructure refresh cycles, and legacy grid infrastructure was not designed to concentrate 500 MW at a single site.

The answer is behind-the-meter architecture: co-locating compute with dedicated generation, establishing a private electrical connection that bypasses shared grid constraints. The sovereign AI facility becomes its own energy customer, achieving utility-grade reliability and long-term price stability on a schedule that serves national priorities rather than grid planning cycles.

The WEF research identifies energy as a structural constraint for most economies' AI ambitions. The Tony Blair Institute notes that "countries enter this new landscape from profoundly different starting points" on energy. Norway's hydropower, France's nuclear capacity, and Middle Eastern solar potential are genuine structural advantages. But even energy-constrained nations can resolve this through co-located generation, grid hardening, and power purchase agreements structured as infrastructure financing rather than consumption costs.

Bare Metal, Not Virtualization

For sovereign AI deployments, bare metal is not a performance preference. It is a sovereignty requirement. Virtualization layers introduce external management dependencies and impose overhead that independent benchmarks have measured in the high-single to low-double digit percentage range, translating directly into wasted energy and capital. More fundamentally, bare metal enables hardware-enforced isolation across compute, storage, and networking. 安全 boundaries become properties of the physical system rather than software configurations.

A bare metal foundation does not imply rigidity. Modern bare metal platforms layer cloud-native AI services directly on physical infrastructure: supercomputer clusters, GPU instances, Kubernetes environments, inference endpoints, fine-tuning pipelines, all provisioned from the same hardware pool without introducing new dependency layers.

A Heterogeneous Control Plane

Real sovereign AI clusters are not homogeneous. They contain mixed GPU generations from either a single or multiple vendors, mixed network fabrics, mixed storage systems. This is not a failure of planning - it is the inevitable result of procurement cycles, hardware evolution, and the sensible goal of avoiding single-vendor lock-in. The control plane must be designed for this reality from the beginning.

This requires bare-metal provisioning as a base primitive, Kubernetes-native orchestration on top for workload scheduling across hardware classes, and hardware-level isolation components - such as NVIDIA BlueField DPUs - that enforce tenant isolation and root of trust at the network and storage level without depending on hypervisor or software-layer security.

Multi-Site Federation

Sovereign nations have portfolios of locations: defense facilities, research institutions, government data centers, commercial partnerships, each with different security classifications, energy profiles, and administrative jurisdictions. The control plane must federate compute across these sites while respecting data residency and classification boundaries. Workload placement policies must be enforceable at the platform level. Unified observability must provide a single view of utilization, health, and policy compliance across all sites. Scheduling must account for real-time energy availability per site, particularly for behind-the-meter facilities with variable generation profiles.

The critical design principle: every site must be capable of independent operation if connectivity to other sites is severed. Isolation must be the safe failure mode, not the exceptional one.

Tenancy as Policy, Not Compromise

企业智能体 infrastructure serves multiple national stakeholders simultaneously with radically different security requirements. Building separate infrastructure for each classification level is enormously wasteful and frequently impractical.

The alternative is a unified platform with tenancy enforced at the infrastructure level. Soft tenancy shares GPU nodes between tenants using platform-enforced namespace isolation, appropriate for research and development workloads. Strict tenancy reserves entire GPU nodes for single tenants, appropriate for production government services and regulated environments. Private tenancy provides a fully dedicated single-tenant environment with independent platform management, appropriate for defense, intelligence, and national security missions requiring complete segregation.

These are not organizational conventions. They are architectural properties. A single national AI fleet can support innovation, efficiency, and the most sensitive national security missions simultaneously without duplicating infrastructure.

The Stakes

The Tony Blair Institute puts the urgency in the sharpest terms: "Countries that fail to adopt and deploy AI at scale risk ceding their competitiveness and, ultimately, elements of their sovereignty to those who do." Critically, the same report makes clear that the risk runs in both directions: not just the risk of failing to build AI capability, but the risk of building AI capability that is structurally dependent on foreign control planes - capability that can be withdrawn, degraded, or weaponized by actors outside your jurisdiction.

Nations that invest in the appearance of sovereign AI without the operational reality are not making a neutral choice. They are committing to a dependency that compounds over time, as vendor lock-in deepens, domestic operational capability atrophies for lack of use, and the technical gap between locally-owned infrastructure and the frontier widens.

The nations that get this right - that build genuine operational independence over their AI infrastructure, that achieve the kind of control plane sovereignty that makes the other levels of the Oxford framework mean something - will not merely have competitive advantage in the AI era. They will have the foundational capability from which all other strategic options become available: the ability to train models on their own data, to develop applications that serve their own populations, to partner with international actors from a position of genuine agency rather than managed dependence.

Sovereignty in the age of AI is not a single decision or a single investment. It is a sustained architectural commitment. It is designed, monitored, and maintained. It is not finished.

But it has to start in the right place. Not at the data center. At the control plane.