The Citadel has arrived, but the drawbridge is down.

For the last year, I’ve argued that in an age of chaotic AI, we need to anchor our governance to a hardware root of trust (specifically, IBM Z). We successfully built the walls. We secured the perimeter. We locked the data in a vault.

But then we did something incredibly dangerous: we invited the agents inside.

We are witnessing a fundamental fracture in the integration landscape. For a decade, the narrative was about connectivity — connecting everything, everywhere, instantly. But the meteoric rise of Agentic AI has precipitated a shift in value. We are moving from an era defined by connection to an era defined by control.

And right now, most of you are losing control because you bought into the Great Sovereignty Lie.

⚠️ The Myth of "Data Residency"

If you are a System Integrator or an Enterprise Architect, you are currently being bombarded with "Sovereign Cloud" marketing. Every hyperscaler has a brochure promising that your data will "reside" in Frankfurt, or Mumbai, or Riyadh.

They call it Sovereignty. I call it Sovereign Washing.

Here is the dirty secret: "Data Residency" is not Sovereignty. Residency just tells you where the hard drive sits. Sovereignty tells you who holds the keys.

The "Admin Access" Vulnerability

If your data sits in a data center in Germany, but the control plane managing that data center sits in Seattle, you are not sovereign. You are just renting a very expensive hard drive abroad. Under regulations like the US CLOUD Act, if the admin in Seattle has root access to the control plane, that data is legally and technically reachable.

In the old world of static applications, maybe residency was enough to satisfy a compliance checkbox. But in the new world of Agentic AI, relying on residency is a fatal architectural flaw.

🤖 The Agent Is The Process

We are no longer just retrieving data; we are dispatching agents to reason about it.

An AI agent has autonomy. It has "Agency." It takes inputs, it formulates a plan, and it executes tools. If that agent is running on a public hyperscaler's inference engine, it doesn't matter where your database is.

The Attack Vector: Indirect Prompt Injection

Think about the physics of the transaction. You pull "sovereign" data out of your secure vault in Paris, and you hand it to an LLM running in a public cloud region to "summarize" or "analyze." At that exact millisecond, you have pierced the veil.

We have already seen the cracks:

  • ForcedLeak (Salesforce): Proved that indirect prompt injection could trick an autonomous agent into exfiltrating CRM data.

  • CometJacking: Demonstrated how rogue URLs can hijack an agent's context window to steal email and calendar data.

If you don't control the runtime, you don't control the data.

🏗️ Visualizing the Failure Mode vs. The Fix

To understand why this is an architectural crisis, we have to look at the topology of the inference.

Public inference vs Sovereign Core

In the standard model (top), the control plane lives outside the jurisdiction. In the Sovereign Core model (bottom), the control plane, the agent, and the inference engine are locked inside the boundary.

🛡️ Architectural Sovereignty: The "In-Boundary" Imperative

The only way to survive the Agentic era is to stop trusting contracts and start trusting architecture. We need Architectural Sovereignty.

This is why the recent announcement of IBM Sovereign Core matters — not as a product pitch, but as a paradigm shift for Federal and Regulated industries.

Unlike the "Sovereign Washed" clouds that decouple storage from control, Sovereign Core is designed to be air-gapped. It runs on Red Hat OpenShift, which means it can be deployed anywhere—on-prem, in a local partner’s data center, or in a disconnected bunker.

But the killer feature—the one that actually matters to us builders—is the Customer-Operated Control Plane.

  • You own the "God Keys": The vendor (IBM) cannot see inside.

  • Zero Forced Updates: They cannot push code changes without your permission.

  • Key Isolation: They cannot depose your encryption keys.

The New Law of Integration:

The process must move to the data. You deploy the AI model (like IBM Granite) inside the boundary. The agent runs inside the boundary. The telemetry, the memory, and the reasoning traces never leave the jurisdiction.
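
One way to check this rule before an agent ships, as an added example that is not IBM's or the author's code: audit every endpoint the agent depends on, not just the database, against the boundary. The hostnames, address range and role names are constructed assumptions.

```python
# Added example: audit an agent's runtime dependencies against a sovereignty boundary.
# Every hostname, CIDR and role name here is constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Assumption: the boundary is described by DNS suffixes and private address ranges.
BOUNDARY_SUFFIXES = (".sovereign.internal",)
BOUNDARY_CIDRS = (ipaddress.ip_network("10.20.0.0/16"),)

def in_boundary(url: str) -> bool:
    """True only if the URL's real host is inside the boundary (fails closed)."""
    host = urlsplit(url).hostname  # drops userinfo and port, lowercases the host
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # DNS name: the leading dot in each suffix forces a label-aligned match,
        # so "evilsovereign.internal" does not pass.
        return any(host.endswith(s) for s in BOUNDARY_SUFFIXES)
    return any(addr in net for net in BOUNDARY_CIDRS)

def audit(deployment: dict) -> list:
    """Return the roles whose endpoint leaves the boundary, sorted by name."""
    return sorted(role for role, url in deployment.items() if not in_boundary(url))

# Constructed sample: the database is "resident", but control and inference are not.
# The telemetry URL hides an outside collector behind an in-boundary-looking userinfo.
RESIDENCY_ONLY = {
    "database": "postgres://db.sovereign.internal:5432/crm",
    "control_plane": "https://console.cloud-provider.example/api",
    "inference": "https://llm.cloud-provider.example/v1/chat",
    "telemetry": "https://traces.sovereign.internal@collector.vendor.example/otlp",
    "agent_memory": "redis://10.20.4.17:6379/0",
}
# Constructed sample: control plane, model, telemetry and memory all stay inside.
IN_BOUNDARY = {
    "database": "postgres://db.sovereign.internal:5432/crm",
    "control_plane": "https://ocp-api.sovereign.internal:6443",
    "inference": "https://granite.sovereign.internal/v1/chat",
    "telemetry": "http://10.20.9.3:4318/v1/traces",
    "agent_memory": "redis://10.20.4.17:6379/0",
}

if __name__ == "__main__":
    print("residency-only leaks:", audit(RESIDENCY_ONLY))
    print("in-boundary leaks:", audit(IN_BOUNDARY))
```

A configuration audit like this only catches declared endpoints; enforcing the same allowlist at the network layer (default-deny egress for the agent's namespace) is what stops an injected instruction from reaching a host that was never declared.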

🚀 Stop Buying Cloud. Start Building Sovereignty.

This is the "Sovereignty Trilemma" we have faced for years:

  1. Innovation (Access to global LLMs like GPT-4)

  2. Control (Isolation from global providers)

  3. Efficiency (Scale and Cost)

Until now, you had to pick two. With the convergence of portable AI models and portable sovereign clouds, we can finally break the trilemma.

For my fellow integrators — specifically the System Integrators and MSPs who make up 58% of this readership — this is our wake-up call. We are no longer just connecting pipes. We are the border control. We are the passport authority.

The Citadel is useless if you let a rogue agent walk right through the front gate. It’s time to secure the runtime.

Coming Next: In the next post, I’ll dive into the engineering: How we can use Project Bob and the Model Context Protocol (MCP) to build "Trusted Agents" that actually respect these borders.
