The Master Never Held
Nikesh Arora came back from more than 200 European meetings with two fears that most readers filed under separate headings. They are the same fear, at different altitudes, and they name a layer nobody owns yet.
Buyers reportedly wanted to know how to discover, govern, and stop autonomous agents once those agents start acting on their own. And the pause of two frontier models a week earlier had left them worried about relying on any model they do not control. One question sounds like security. The other sounds like procurement. Both ask for a decision made before a machine acts, and reversible after it does. Stopping a rogue agent and refusing a model you no longer trust are the same motion performed at different altitudes.
Governance keeps appointing a master
Enterprise data governance has failed for thirty years because it kept trying to appoint a master. Master data management promised one golden record every system would bow to. The governance committee promised one authority every request would clear. Both assumed the cure for disorder was a single source everyone agreed to obey.
The single trusted model is that mistake in a new location. For two years the industry answered AI risk the way it always answers risk, by naming one authority and standardizing on it. Pick the best model, route everything through it, build the stack on its behavior. The master came back, wearing weights.
Then the master got switched off. A government directive took two frontier models offline for foreign users, and because a model cannot check nationality at the token, the models went dark worldwide inside a day. Enterprises that had made one model their golden record learned what every master eventually teaches. A single point of authority is a single point of failure, and this one answered to a government that was not theirs.
Two forces met at the moment of use
Two shifts turned that lesson from theory into operating reality.
Models became abundant and substitutable. Open weights arrived from Chinese and European labs, cheaper and close enough for most work, with a capable model now sitting at every deployment tier. The model layer commoditized while nobody was looking. Abundance is good news, except abundance means no single model is load-bearing, and revocability means any one of them can vanish by policy.
At the same time, agents began to transact. Software stopped answering questions and started taking actions across systems it does not own. The count of consequential machine decisions per hour rose by orders of magnitude, and each one is a place where the wrong thing can execute against a real record.
Abundant, revocable models below. Autonomous, cross-system action above. Both forces converge on the same instant, the moment a machine is about to do something, and both demand a decision there rather than a report afterward.
Governed selection, extended
Choosing which model runs a workload is an authorization decision. N° 022 named this pattern at the model-selection surface where AI gateways route per request at the network edge. The extension here is that governed selection is not confined to the routing surface. It applies to the sovereignty and procurement surface as well, because those are the same architectural question asked at different altitudes. Which model may serve this workload, given who is asking, what data will be touched, what jurisdiction the request sits in, and whether the authority to revoke still belongs to the enterprise or has moved somewhere else. That is one decision, adjudicated in flight, resolved before the model runs.
This is federation, not mastery. No canonical model that every request must obey. No committee convened after the fact. A control plane sits above whatever models exist and adjudicates each use against context and consequence, the way an authorization layer has always worked. The models underneath stay plural and swappable. The decision about which one may act stays governed.
The federated logic is the one that already fixed identity and context in prior waves. Resolve at query time, score the confidence, keep the source systems authoritative, move no copy, appoint no master. Apply the same shape to model access, and the sovereignty problem stops being a procurement crisis. It becomes a decision the enterprise already knows how to make.
What this asks of buyers, builders, and regulators
Buyers should retire the question they have been asking. It was never which model to trust. It is who governs the choice among models, and whether the authority to revoke belongs to them. Build for portability, put a governing layer above the models, and keep the revocation path live so no directive elsewhere can freeze the work here.
Regulators are drafting this without the name. The European Commission's Cloud Sovereignty Framework, adopted October 2025, defines eight sovereignty objectives that a cloud service must satisfy for public-sector tenders. The third of those objectives, SOV-3, is specifically Data and AI Sovereignty, and it asks for documented control over data location, processing, and AI model governance. The Commission's proposed Cloud and AI Development Act, tabled in June 2026, extends the existing three-tier assurance model with a fourth Sovereign tier, and applies the sovereignty criteria as first-class procurement considerations at the highest sensitivity levels. These frameworks describe governed selection written as compliance. The rule is arriving whether or not the tooling is ready to satisfy it.
Every large vendor will ship its own model and its own agent, each governed inside its own walls. That is category validation, not competition for this layer. Vendor-specific control governs one estate. The transaction that crosses estates has no one adjudicating it, and cross-vendor authority is the seat still open.
When every model can be switched off, the asset worth owning is the authority to decide which one runs.
Cross-link: this piece extends the runtime-authorization arc opened by N° 020 (The Authorization Gap), developed at the model-selection surface in N° 022 (The Decision Moved to the Edge), and continued at the prompt-classifier surface in N° 023 (The Legible Boundary). Where those essays argued containment must be decided at execution against a specific action, this essay applies the same architecture to the model-sovereignty and procurement surface: the authority to decide which model may serve which workload, revocable, cross-vendor, above the model layer. Companion in spirit to N° 011 (The Control Plane Cannot Be Where the Data Sits) on where authority has to live in a federated architecture. Grounding sources: Nikesh Arora's remarks on European customer meetings (July 2026); European Commission Cloud Sovereignty Framework (October 2025, SOV-3 Data and AI Sovereignty); European Commission proposed Cloud and AI Development Act (June 2026).