The UK's AI Sovereignty Problem Goes Deeper Than Which Model You Buy

The UK has a narrow window to act. The infrastructure decisions being made right now, on compute, data, models, and governance, will shape democratic power for decades.

Last month, I had the honour of presenting evidence to the All-Party Parliamentary Group on AI, chaired by Lord Tim Clement-Jones in the UK House of Lords. The session brought together policymakers, technologists, and researchers to examine a question that sits at the heart of the UK's digital future: what does it actually mean to be sovereign in the age of AI?

The answer, I argued, is more uncomfortable than most policy conversations acknowledge.

The Question We're Not Asking Loudly Enough

There is a tendency in AI policy discussions to frame sovereignty as a model procurement question. Which foundation model should the public sector use? Should it be domestic or foreign? Open-source or proprietary?

These are valid questions. But they are the wrong starting point.

My central premise to the APPG was this: AI sovereignty requires governing the entire physical stack, from energy and compute, through data and models, all the way up to governance and talent. Fixate only on the model layer, and you miss where the real leverage sits.

This year's announcements of hyperscale data centres, facilities running hundreds of thousands of GPUs at hundreds of megawatts, illustrate the point vividly. When infrastructure at that scale is bundled with proprietary cloud, chips, and exclusive model capacity, the long-term competitive advantage doesn't sit at the application layer. It sits beneath it. Whoever controls the physical stack can tax, prioritise, or constrain everyone else, including frontier labs that still need someone else's machines. Parliaments don't set those prices. Commercial contracts do.

I saw this dynamic first-hand during research my team conducted with DeepMind's GraphCast weather model. We set out to validate its economic benefits for UK industries, from sole traders and construction firms to farming and renewable energy operators. A genuinely public interest use case. But when we tried to create an infrastructure-agnostic deployment, we encountered material cost and latency penalties outside the Google stack. A brilliant model had failed the sovereignty test because the UK couldn't run, audit, and evolve it on contestable infrastructure.

Introducing the Seven-Layer Public AI Stack

To make this concrete for policymakers, Cognizant has developed a seven-layer Public AI Stack framework. Each layer represents a distinct domain of strategic dependency and a distinct set of chokepoints where lock-in or lock-out risk can accumulate:

1. Applications: user-centred design with human override mechanisms
2. Models: governing foundation models and agentic boundaries
3. Data: lawful partnerships and public data commons
4. Compute: pooled access with anti-lock-in architecture
5. Energy: reliable, low-carbon power for AI workloads
6. Talent: public-sector capability with mission-linked retention
7. Governance: risk-tiered regulation and independent auditing

The layers are tightly intertwined. Choke-points typically emerge at the boundaries between them, not within a single layer in isolation. This is a lesson I carry from my earlier career as a research scientist at NASA Goddard, working on mission design and space situational awareness: minimise single points of failure to maximise resilience. The discipline applies just as directly to national AI infrastructure.

Three Concrete Actions for UK Policymakers

Rather than a theoretical manifesto, I left the APPG with three concrete calls to action.

First, map your choke-points. Conduct a systematic audit of lock-in and lock-out exposure across all seven layers. Where are UK strengths at risk if pricing shifts, export controls tighten, or service terms change? This mapping exercise should be treated with the same seriousness as a national security risk assessment, because increasingly, it is one.

Second, govern through procurement. Procurement is the strongest practical policy lever available to government right now. Every contract with an AI supplier should include minimum assurance gates and risk-tiered scoring criteria. This doesn't require new primary legislation to begin. It requires political will and technical capability in the contracting function.

Third, build on our unfair advantage. The UK has genuine strengths across several layers of the stack: world-class research institutions, a mature financial and legal services sector, strong data protection frameworks, and deep expertise in responsible AI. The task is to identify those layers, map the innovations that connect them, and fund the gaps that create strategic resilience. This means sustaining collaboration across industry, government, and academia rather than treating them as separate tracks.

Global Engagement Is Not the Problem – Ungoverned Dependency Is

I want to be clear about what this argument is not. Strategic dependence on foreign hyperscalers is not an indictment of global trade. The UK cannot, and should not, try to build every layer of the AI stack domestically. That would be neither feasible nor desirable.

It is, however, a portfolio risk. And like any portfolio risk, the response is diversification and active management, not panic, and not complacency.

The UK has a narrow window. The choices made now will shape what democratic institutions can actually do with AI for generations. The infrastructure decisions being locked in today carry prohibitive costs to reverse once dependencies solidify.

The question for Parliament, for procurement authorities, and for industry is not whether to engage with global AI infrastructure. It's whether we do so with our eyes open to the full stack, and with the governance mechanisms in place to ensure the UK retains genuine choice.