Data Sovereignty Is Old News. Tacit Sovereignty Will Decide Who Wins In 2026. (OpenAI)
So there are lots of conversations and discussions around sovereignty, and I think we’re about to realise we’ve been talking about the easier half of the problem.
For the last couple of years, “sovereignty” has mostly meant infrastructure choices, data residency, and legal jurisdiction. Important, yes. But familiar. We have patterns for it.
Then a different question started popping up in conversations: what about the sovereignty of tacit knowledge in your business?
That’s a really good point. And it’s messy.
Because tacit means within people’s heads. Not explicit. Not neatly sitting in a database. And if you and your competitors are using the same AI tools, profit margin will be the only thing left if you cannot protect what makes you different.
Doesn’t matter how much you spend on encryption if your uniqueness walks out the door every Friday evening.

We Solved “Data Sovereignty” As A Pattern
Let’s give credit where it’s due. Data sovereignty has moved from vague anxiety to concrete procurement frameworks, contract clauses, and architectural patterns.
Leaders now have a clearer menu of options:
- Sovereign cloud regions and controls
- Data residency commitments and auditability
- Legal and operational guardrails for cross-border access
- Resilience planning if jurisdiction goes sideways
And that is the point. This part is becoming knowable.
Even so, it is still not a “tick-box and forget it” topic. It’s a board-level risk conversation because it touches continuity, customer trust, and regulatory exposure.
"At a basic level, data sovereignty is about control and responsibility. Who owns the data? Who decides how it’s used? Where it lives? And what values shape those decisions. We’re already seeing countries like Denmark push harder on this, questioning dependence on massive platforms and foreign cloud infrastructure. Not to retreat from the world, but to regain agency."
José Aron-Diaz, PMP, ACP
You can hear the shift in that framing. This is not only a technology decision. It is an agency decision.
Exec Path: What You Sponsor
- A clear sovereignty posture statement for your organisation
- A “jurisdiction goes wrong” tabletop exercise
- A vendor governance cadence that includes sovereignty, not only cost and uptime
Builder Path: What You Implement
- Data classification aligned to residency and access rules
- A repeatable pattern for encryption, key management, and logging
- A deployment playbook that can be audited without heroics
The Part We’re Avoiding: “Tacit Sovereignty”
Here’s the thing. Most businesses are still acting like sovereignty is only about where data sits.
But competitive advantage is often not the data itself. It is how your people interpret it, use it, decide with it, and act on it.
That is tacit knowledge.
- How your best account lead saves a renewal that looked dead
- How a delivery team spots risk early, before it becomes a headline
- How your culture makes decisions fast without being reckless
- How you build trust with partners, regulators, or customers
- The “how we do it here” that you cannot find in any handbook
And I’m not sure anybody is 100% sure what “tacit sovereignty” even means yet.
But I do think we can describe the failure mode:
- You invest heavily in sovereign infrastructure
- You adopt the same models and tooling as everyone else
- Your real differentiator becomes copyable because it leaks via people, prompts, and process
- Your only remaining lever becomes margin pressure
That’s a grim strategy.
The US Risk Scenario: What Leaders Quietly Worry About
In leadership circles, the scenario is not always “hackers break in”.
It is “jurisdiction goes wrong”.
- A sudden regulatory change
- A cross-border legal demand
- A vendor forced into a position where they must comply with an external order
- A forced exit or disruption that breaks continuity for months
If you are operating in Europe, the promise of sovereign cloud is that these risks become less existential.
And to be fair, the market is responding. We are seeing clearer sovereignty objectives, more explicit procurement standards, and more mature supplier offerings.
But this is where it gets interesting:
Even if the infrastructure risk is reduced, you still have a second-order risk.
Your “tacit edge” can be extracted socially, operationally, or accidentally. And AI accelerates that extraction.
AI Makes Tacit Leakage Easier Than Most People Admit
This is the part that makes leaders uncomfortable, because it is nobody’s fault and everybody’s responsibility.
AI changes how tacit knowledge escapes:
- People paste sensitive context into tools to get work done faster
- Teams “teach” systems through repeated prompts and examples
- Customer nuance ends up in chat logs, tickets, call transcripts, and internal summaries
- Playbooks become model behaviours without a clear ownership or access model
- Departing staff can take years of embedded know-how and turn it into instant advantage elsewhere
Also, sovereignty has moved beyond compliance language into market language.
"You cannot achieve AI sovereignty without first securing data sovereignty. For nations and enterprises alike, this is no longer just a compliance discussion, it is a strategic imperative for control."
Khurrum Ghori PMP
The control conversation is evolving. And the more AI gets embedded into how work happens, the more “control” means more than data location.
Exec Path: What You Sponsor
- A definition of what “our tacit differentiators” are, in plain English
- A policy for what can and cannot be put into AI systems, internal or external
- A people plan that treats knowledge retention as a risk domain, not an HR afterthought
Builder Path: What You Implement
- Prompt and context hygiene standards for teams using LLMs (large language models)
- Lightweight redaction and summarisation patterns before sharing sensitive context
- Access controls for internal knowledge bases, not open wiki sprawl
Why Encryption Patterns Don’t Fully Translate
We can encrypt data. We can secure systems. Those patterns are well understood.
But tacit knowledge is not only “data at rest”. It is:
- Behaviour
- Decision-making
- Relationships
- Timing
- Trust
- Craft
You can store fragments of it:
- Sales call libraries
- Postmortems and incident reviews
- Decision logs
- Customer research and win-loss notes
- Apprenticeship-style shadowing programmes
- Communities of practice
But even then, you are not “capturing the human”. You are capturing a trace.
That’s not a bad thing. It is still valuable. But leaders need to be honest about what can be made explicit and what must remain human.
And I think relationships are the real curveball. In some organisations, the relationship is the tacit knowledge. And I’m not sure you can store that in a model. Maybe you can. Maybe you can’t.
A Practical Definition Leaders Can Use In 2026
If you need a working definition for leadership conversations, try this:
- Data sovereignty is your ability to control data and systems under the jurisdictions and values you choose.
- Tacit sovereignty is your ability to keep your organisation’s unique ways of winning inside the boundary you intend, even as people, partners, and AI tools change.
Tacit sovereignty is not about owning people.
It is about:
- reducing single points of human dependency
- preventing accidental leakage of differentiators
- building a culture where knowledge transfer is normal
- ensuring the right things are documented, and the wrong things are not
The 30-Day Leadership Checklist (No Drama, Real Progress)
This stuff is genuinely hard. So I like 30-day moves that create momentum without pretending the whole thing is solvable in a quarter.
Week 1: Inventory Your Sovereignty Risks
- List your top 10 systems that would stop the business if disrupted
- Map them to jurisdictions and critical suppliers
- Identify where customer or regulated data flows cross borders
- Write down your “US risk scenario” in one page, plain English
Week 2: Identify Your Tacit Differentiators
- Ask three questions in your leadership team:
  - What do we do that competitors struggle to copy?
  - What do we know that is not written down?
  - Which relationships would hurt most to lose?
- Pick the top 5 tacit differentiators and name an owner for each
Week 3: Decide How You Will Capture What Is Capturable
Choose two or three capture methods and pilot them:
- Decision log for high-impact decisions
- Post-incident reviews that focus on “how we noticed early”
- Customer narrative library (wins, losses, objections, nuances)
- Internal “how we do it” playbooks for repeatable execution
- Mentoring and shadowing for relationship-heavy roles
Week 4: Put Governance Around Access, Use, And Exit
- Define what can be used to train internal models, and what cannot
- Set access rules for knowledge bases by role, not by convenience
- Add a leaver process step for knowledge transfer in critical roles
- Create an exception process that is fast, logged, and reviewable
The Leadership Operating Model That Stops This Becoming Theatre
If you do nothing else, make it operational.
Roles
- Executive sponsor: sets priorities, removes blockers
- Product or ops owner: runs the weekly loop
- Risk and compliance partner: sanity-checks and records decisions
- Data steward: classifies and governs key datasets
- Incident lead: owns containment and learning when something goes wrong
Rituals
- Weekly 30-minute sovereignty review (one risk, one action)
- Monthly “tacit differentiators” check-in (what moved, what leaked, what improved)
- Quarterly jurisdiction scenario refresh
Logs
- Decision log: what we decided, why, risk trade-offs, review date
- Knowledge register: what exists, who owns it, who can access it
- Incident log: what happened, severity, containment, prevention
This is what makes sovereignty real. Not a slide deck.
Red Flags To Watch (Before It Becomes A Crisis)
These are the signals I look for when tacit sovereignty is already leaking:
- People rely on a few individuals for critical outcomes
- Teams cannot explain why they win deals, only that they do
- High staff churn in “relationship roles” with no knowledge transfer
- AI tools are used informally with no shared standards
- Documentation exists, but nobody trusts it
- Partners know your process better than your own internal teams
If any of those feel familiar, it is not a reason to panic.
It is a reason to get started.
Closing Thought: 2026 Is The Year This Gets Real
We can keep talking about sovereign cloud and secure data centres. We should.
But the next frontier is tacit sovereignty, and it is going to decide who stays differentiated when the tools are the same for everyone.
That’s going to be an interesting journey for 2026.
Links
- AWS named Leader in the 2025 ISG report for Sovereign Cloud Infrastructure Services (EU)
  https://aws.amazon.com/blogs/security/aws-named-leader-in-the-2025-isg-report-for-sovereign-cloud-infrastructure-services-eu/
  Trust rating: high
  Reason: Practical, current view of how “sovereign-by-design” is being implemented in EU sovereign cloud offerings.
  Date written: 2026-01-09
- Europe Seeking Greater AI Sovereignty, Accenture Report Finds
  https://newsroom.accenture.com/news/2025/europe-seeking-greater-ai-sovereignty-accenture-report-finds
  Trust rating: high
  Reason: Research-led snapshot of the European push toward AI sovereignty and the strategic trade-offs leaders are navigating.
  Date written: 2025-11-03
- 2025 Priorities and Trends for Knowledge Management
  https://www.reworked.co/knowledge-findability/2025-priorities-and-trends-for-knowledge-management/
  Trust rating: high
  Reason: Directly relevant discussion of tacit versus explicit knowledge and the organisational challenge of capturing what is in people’s heads.
  Date written: 2025-03-04
- Digital Sovereignty in Europe in 2025: What's 'Plan B'?
  https://www.idc.com/resource-center/blog/digital-sovereignty-in-europe-in-2025-whats-plan-b/
  Trust rating: high
  Reason: Analyst perspective on real-world sovereignty risks, including jurisdiction and forced exits, and how organisations respond pragmatically.
  Date written: 2025-08-27
- Cloud Sovereignty Framework - European Commission
  https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en
  Trust rating: high
  Reason: Authoritative definition of sovereignty objectives in EU institutional cloud procurement.
  Date written: 2025-10-27
Quotes
- LinkedIn (Snigdha Dewal)
  https://www.linkedin.com/pulse/taming-cloud-unlocking-trust-data-sovereignty-2025-snigdha-dewal-fbrxc
  Trust rating: high (derived from validated source list)
  Reason: Evidence that privacy expectations and trust pressures are now central to sovereignty discussions.
  Date: 2025-06-15
- LinkedIn (José Aron-Diaz, PMP, ACP)
  https://www.linkedin.com/pulse/data-sovereignty-dummies-because-thats-how-i-learned-josé-atuze
  Trust rating: high (derived from validated source list)
  Reason: Plain-English definition of sovereignty focused on control, responsibility, and agency.
  Date: 2025-12-28
- LinkedIn (Khurrum Ghori PMP)
  https://www.linkedin.com/pulse/ai-sovereignty-begins-data-unavoidable-truth-first-step-ghori-pmp-pcisf
  Trust rating: high (derived from validated source list)
  Reason: Clear linkage between data sovereignty and AI sovereignty, framed as strategic control.
  Date: 2026-01-05