IBM unveils Sovereign Core to embed AI data control

IBM has launched IBM Sovereign Core, a software foundation that it said embeds digital sovereignty controls into the software architecture for organisations running cloud-native and AI workloads.

The announcement comes as concerns grow over cross-border access to sensitive data and the extent of operational control customers hold when using third-party cloud services. IBM pointed to increased geopolitical tension and a more demanding regulatory environment as factors shaping investment decisions for both enterprises and governments.

Digital sovereignty has increasingly moved beyond data residency requirements. It now covers operational control of infrastructure and software, identity and access management, encryption key custody, auditability, and the jurisdiction where AI models run and where inference occurs.

IBM said IBM Sovereign Core targets enterprises, governments and service providers that want sovereign environments under their own authority. The company positioned the product as an alternative to architectures that add sovereignty controls as overlays on top of existing systems.

Sovereignty Embedded

IBM said the new software makes sovereignty "an inherent property of the software itself". It said customers can run deployments across on-premises environments, partner-managed infrastructure, and in-region cloud services. The company said organisations retain operational authority over software deployments, identity and access management, and encryption keys within jurisdictional boundaries.

IBM also described an approach that centres on a customer-operated control plane. The company said customers keep authority over deployment decisions and system configurations, without relying on an out-of-region vendor for day-to-day operational control.

The product also generates operational telemetry and audit trails inside the sovereign boundary, according to IBM. The company said this provides evidence for compliance and governance requirements and keeps artefacts within the selected jurisdiction.

IBM said IBM Sovereign Core is built on Red Hat's open source foundation. The company linked the offering to demand for environments that can host AI workloads with governance, traceability and auditability, including model hosting and inference under local oversight.

ASEAN Focus

IBM framed the launch as relevant to organisations in ASEAN that face pressure to scale AI while dealing with regulatory complexity and data sovereignty requirements.

"Across ASEAN, organisations are under growing pressure to scale AI while meeting increasingly complex regulatory and data-sovereignty requirements. Businesses need greater control over how sensitive data and AI workloads are accessed and operated. This is driving urgent demand for sovereign, AI-ready environments. With IBM Sovereign Core, clients can advance AI initiatives with confidence, balancing openness and agility with the compliance and operational autonomy required for sovereignty. This shift enables ASEAN to accelerate trusted AI adoption while retaining greater economic value," said Catherine Lian, General Manager and Technology Leader, IBM ASEAN.

IBM also cited analyst commentary on how organisations define sovereignty when AI moves from pilots into production systems.

"The sovereign AI conversation has focused on data residency, but that's only part of the equation," said Sanjeev Mohan, Principal, SanjMo.

"IBM Sovereign Core addresses the harder question: who controls the system and can you prove it to regulators? IBM takes a holistic approach spanning data, operations, technology, and assurance, with continuous monitoring. As AI moves into production, that kind of ongoing accountability becomes non-negotiable," said Mohan.

Another geopolitical lens has also shaped the market for sovereign services, with governments and regulated industries reviewing the risks of foreign jurisdictional reach.

"AI is accelerating the pace at which sovereignty questions move from theory to daily operations," said Erik Fish.

"As geopolitics, regulation, and data governance increasingly converge, governments and enterprises must move while demonstrating clear control over critical data and infrastructure. The challenge is no longer a trade-off between openness and sovereignty, but governing data, access, and infrastructure amid growing regulatory and geopolitical constraints," said Fish.

Deployment Options

IBM said customers can deploy IBM Sovereign Core in their chosen environment. The options include on-premises data centres, in-region cloud infrastructure, and deployments delivered through IT service providers.

The company said it is collaborating with IT service providers and has started an initial European rollout with Cegeka in Belgium and the Netherlands, and Computacenter in Germany. IBM said these partnerships centre on in-country operations and local compliance management.

"As organisations navigate increasingly complex compliance and regulatory requirements, we're seeing strong demand for digital platforms and software that allows sensitive data to remain within controlled, compliant boundaries," said Gaetan Willems.

"Partnering with IBM to offer a pre-architected solution through our in-country environment enables us to deliver enterprise-ready software to our clients, while allowing them to address local compliance standards," said Willems.

Computacenter also described the product as a way to reduce the time spent assembling separate components and validating sovereignty controls.

"With IBM Sovereign Core, we can focus on configuring the software to each client's specific use cases rather than spending months piecing together disparate components and validating sovereignty controls," said Christian Schreiner.

"It can significantly accelerate our time-to-value and let us help clients who previously couldn't consider AI solutions at all," said Schreiner.