Your Government Has No Idea Where Its Data Actually Lives

India is building 58,000 GPUs inside its own borders this year to train AI on Indian languages and Indian data. That sounds like a serious infrastructure commitment, and it is. What it does not tell you is whether the government agency uploading citizen health records to that system knows who holds the encryption keys.

Probably not. That is the actual story.

On March 4th, Info-Tech Research Group published a blueprint for public sector IT, and the findings are uncomfortable. Governments pushing hard on digital sovereignty, the whole "our data stays in our country" project, often have no operational framework for checking whether that is even true. Vendors manage the encryption keys. Data crosses borders in ways nobody mapped. And the US CLOUD Act can compel American cloud companies to hand over data stored abroad if a US court asks nicely enough.

The Gap Between the Policy and the Server Room

Your national government might have a beautiful sovereignty mandate printed on official letterhead. It may have signed procurement contracts with locally operated cloud providers. What it probably does not have: a heat map of where sensitive data actually flows, an audit of which third-party vendors touch that data, or a clear answer on who controls access when things go wrong.

Andy Best at Info-Tech put it plainly: "Without clear jurisdictional boundaries and accountable ownership, governments risk discovering their exposure only when a disruption or legal challenge forces the issue."

That sentence should bother you if you have ever filed a tax return, applied for a benefit, or interacted with a government health portal. Your data is in there somewhere. The system built to protect it may be running on aspirational policy instead of actual controls.

Critics of the sovereignty sprint have a fair point: prioritizing domestic systems over global standards risks fragmenting AI development and locking citizens into less efficient local ecosystems. That tension is real. But the alternative, handing citizen data to foreign clouds subject to foreign legal claims, is not a neutral default. It is a choice with consequences.

Sovereignty Without Auditability Is Just Branding

The fix is boring and specific. Governments need to complete phase one of what Info-Tech is recommending: actually assess what controls exist over their data and AI systems before building phase two. Not announce sovereignty. Not sign contracts. Audit. Map the data flows. Get the encryption keys back from vendors. Know the answer before a court case makes you find out the embarrassing way.

Sovereign cloud AI can work. The architecture exists. Countries that combine domestic governance with certified cloud models are doing this right. The problem is not the technology; it is procurement offices signing sovereignty deals without the technical controls to match.

AI spending hits $2.5 trillion this year. Governments are rushing to automate everything from benefits processing to border management. Every one of those systems runs on data about real people. The question of who controls that data is not abstract geopolitics. It is whether a foreign court can access your tax history because your government signed a contract with the wrong cloud vendor and never checked the fine print.

India's 58,000 GPUs are a serious bet. They mean nothing if the data training those models can still be subpoenaed in Virginia.