In recent months, the race to build and deploy artificial intelligence (AI) has escalated into an urgent power grab. What began as a competition over models, compute, and talent has become a high-stakes geopolitical struggle over data, including who controls it, where it resides, and who may access it. Now, a once-overlooked concept is surging to the forefront of policy and national strategy: data sovereignty.
Governments are putting money into sovereign AI by building local data centers, improving national computing resources, and creating rules to keep data inside their countries. Europe’s push for digital independence and the growing tensions over AI investments in the Middle East show a similar trend. Now, having control over data is strongly linked to economic strength, national security, and technological freedom. But this focus also brings up an important question.
The conversation to date has focused almost entirely on where data is stored and processed. However, far less attention has been paid to how that data actually moves, which is a fundamental oversight in nearly all of these efforts. As a result, that blind spot is quickly becoming one of the most important and politically charged issues in the AI era.
See also: A CDO Cheat Sheet for Sovereign AI
The Illusion of Sovereignty
Data sovereignty strategies typically start with a straightforward rule: keep data within designated geographic borders. This approach leads to localized cloud regions, national AI clusters, and strict data residency regulations. In theory, data, compute, and policy enforcement all remain within the country.
In reality, data rarely stays put. Even when stored locally, it is constantly in motion—moving between services, syncing across systems, supporting real-time applications, or feeding AI models. In that movement, it often crosses borders in milliseconds, routed dynamically across a global network infrastructure. Because this infrastructure was never designed with data sovereignty in mind, data movement routinely challenges organizations trying to comply with local data sovereignty laws.
This creates a paradox. Despite the constant movement of data across borders described above, organizations may believe they are compliant simply because their data is ‘ at rest’ within national boundaries. However, data in motion routinely traverses foreign jurisdictions. To address this, organizations must look beyond traditional residency strategies and actively reassess how they manage data flows and mitigate cross-border risks.
See also: The Impact of Data Sovereignty on Integration Strategy Requires a ‘Goldilocks’ Solution
The Collapse of “Mere Transit”
For decades, the concept of “mere transit” offered a kind of legal gray zone. If data passed through a country without being stored or processed there, it was generally not considered subject to that country’s laws. That assumption has eroded. Court decisions, particularly in Europe, have increasingly challenged the idea that transit is legally neutral. The reasoning is straightforward. If a country has the technical capability and legal authority to intercept data as it passes through its networks, then transit itself introduces risk.
This shift has profound implications for data sovereignty. Sovereignty is no longer just about endpoints; it now extends to the routes that data takes. Because these data pathways are often complex and less visible, organizations may overlook how data sovereignty could be affected by data merely transiting through certain jurisdictions.
See also: Sovereign AI Explained: How and Why Nations Are Developing Domestic AI Capabilities
The Hidden Complexity of Data Movement
Internet traffic is routed for efficiency, not jurisdiction. Decisions are made in real time by protocols that prioritize speed, cost, and availability. As a result, data traveling between two points within the same country can still cross that country’s borders, depending on how networks are interconnected. Traffic between two European cities, for example, may be routed through infrastructure on another continent before reaching its destination.
These routing decisions are largely invisible to the organizations sending the data. Traditional monitoring tools focus on performance metrics, such as latency, uptime, and packet loss, but provide little insight into the geopolitical implications of the path itself. This lack of visibility creates a systemic gap between policy and reality. Organizations are held accountable for the geographic destinations of their data, but often lack tools to identify the exact international routes their data may take.
See also: What Is Sovereign AI? Why Nations Are Racing to Build Domestic AI Capabilities
A Growing Geopolitical Fault Line
As AI adoption grows, this gap is becoming politically significant. AI systems depend on substantial volumes of data flowing continuously across networks. Training models, running inference, and allowing real-time decision-making all require constant data movement. The more advanced the system, the more dependent it becomes on uninterrupted, high-speed data flows.
At the same time, governments are becoming more aggressive in exercising control over their data. Sovereign AI strategies are emerging alongside stricter data localization laws, cross-border transfer restrictions, and increased scrutiny of foreign infrastructure dependencies, underscoring the growing view that data control is a technical and political imperative. Now, these trends are colliding.
On one side is the technical reality of a globally interconnected internet. On the other hand, a political push toward national control and digital borders. This tension is felt not just between countries but also within organizations, which must balance the need for efficient, global data operations with evolving regulatory requirements.
Why AI Raises the Stakes
AI is making an existing problem harder to ignore. There is now much more data moving around, and a lot of it is highly sensitive. Training data, customer inputs, internal documents, and real-time outputs are constantly in motion. When something goes wrong, the exposure is not always small or contained. Most of the time, it scales with the system.
AI systems rarely operate on their own. They depend on many services, layers of infrastructure, and third-party providers. Data travels between all these parts, often across networks that no single team fully controls or understands. AI capability is now seen as a national asset. Governments are watching data flows more closely because they affect who can build advanced models, speed up training, and get early insights. This scrutiny is resulting in new policies and increased pressure.
All of this changes how we think about data movement. It is no longer just a background task for infrastructure teams. Now, organizations need to manage it directly, both as a risk and as part of their overall strategy.
The Risk of False Compliance
One immediate consequence of this shift is the emergence of “false compliance.” Organizations invest in localized infrastructure, implement data residency controls, and align with regulatory frameworks. From a policy perspective, they appear compliant. However, if network paths do not align with these controls, the compliance posture can be misleading.
Data that briefly transits a high-risk jurisdiction may still be subject to surveillance laws, even if it is never stored there. These routing anomalies challenge data sovereignty by exposing data to unintended regions outside existing controls, sometimes without triggering traditional security alerts. This leads to compliance being assumed rather than verified. As regulators gain a deeper understanding of data flows, organizations may need to provide detailed evidence of data routing to demonstrate actual compliance and uphold data sovereignty, rather than relying on assumed policy adherence.
Addressing this issue requires a shift in how organizations think about data governance. It is no longer enough to control where data is stored. Organizations must understand and increasingly control how it moves. That begins with visibility.
Without clear insight into routing paths, jurisdictions, and network dependencies, accurately assessing risk is impossible. Traditional tools are not designed for this. They provide snapshots, not context. Metrics, not meaning. What is needed is a more comprehensive view—one that connects technical routing data with geopolitical and regulatory context. Only then can organizations begin to ensure that their data management practices meet their compliance obligations and regulatory requirements.
The Emergence of Path Sovereignty
As these gaps become more obvious, the focus is turning to something more practical: IP path sovereignty. IP path sovereignty is the assurance that data travels only through legally and operationally compliant routes. It extends the idea of sovereignty beyond data at rest into data in motion, where the real exposure lies. The assumption that encryption makes the physical path irrelevant is no longer legally or technically tenable. If data traverses a jurisdiction with the capability or authority to intercept it, that path itself becomes a point of risk.
This is not about stopping data from crossing borders. The modern internet relies on these flows. Instead, it is about checking facts instead of making assumptions. Organizations need to know exactly which countries their data passes through, which networks handle it, and what legal rules apply along the way. This need is already part of current regulations.
Transfer Impact Assessments require organizations to evaluate the laws and practices of the countries their data touches. Operational resilience frameworks require visibility into third-party dependencies and concentration risk. None of this can happen without knowing the data’s path.
For governments, this creates a tougher challenge. Building sovereign AI is not possible solely by keeping infrastructure local if network paths remain open to risk. Policies that focus only on where data is stored leave a critical gap in how it moves.
For enterprises, this has an immediate impact. Data governance, security, and compliance efforts can’t stop at the application or cloud level anymore. They must extend into the routing layer itself. Without this, organizations are left in the dark, with important decisions about data movement happening out of their sight and control.
A Fragmenting Digital Landscape
The internet was meant to cross borders freely, but that idea is changing. Governments are tightening control over data, and organizations want to avoid risks from other countries. As a result, the global network is splitting along geopolitical lines. What used to be one open system is slowly dividing into areas shaped by policy, regulation, and national interests.
We can already see this change happening. The digital world is becoming more fragmented, often called a “splinternet,” where separate areas of connectivity are forming. These areas are not completely cut off from each other, but they follow different rules, face different risks, and have different ideas about control. The internet is not likely to break apart completely, but the vision of a single, borderless network is being replaced by something more complicated.
What Comes Next
The politics around data sovereignty are still evolving, but some trends are clear. Countries are taking more control over their citizens’ data, asking for data to be stored locally, or setting new rules for how data moves. Compliance frameworks may begin to require greater transparency around routing paths and transit jurisdictions. Enterprises will face increasing pressure to demonstrate not just where their data resides, but how it travels. This will require new tools, new processes, and a deeper integration of network intelligence into governance models.
Meanwhile, the technical community will need to grapple with the limitations of an internet architecture that was never designed for this level of scrutiny. Balancing openness with control, efficiency with sovereignty, and innovation with regulation will be a major challenge in the age of AI.
As AI continues to transform industries and economies, how data moves will matter as much as where it is stored. The routes data takes, which are often hidden or ignored, are becoming key points of risk and control. We can no longer afford to overlook this.
