Disclaimer: The whitepaper discussed below was originally shared with me by IBM's Analyst Relations team. Views and analysis are my own.
IBM's February 2026 whitepaper "Digital Sovereignty in the Era of Hybrid Cloud and AI" makes a correct point: digital sovereignty is a modernization conversation, not just compliance. As leaders accelerate AI adoption, they must retain authority over how these systems operate.
But the whitepaper does not clarify what sovereignty actually means operationally within specific industries. The regulatory pressure on a bank differs fundamentally from pressure on a healthcare system. A telco faces different infrastructure risks than a government agency.
IBM correctly identifies four interdependent dimensions: data, AI, operational, and technology. But which dimension matters most depends entirely on industry context. This analysis applies that framework across the four sectors the whitepaper discusses.
IBM's Perspective on Industry Requirements
According to IBM, digital sovereignty provides organizations clear authority over their digital ecosystem, regardless of vendor dependencies. Here is how they view the requirements across key sectors:
- Government and Public Sector: Agencies need dependable control over data, AI systems, and operational processes with secured, compliant data sharing across departments and transparent audits.
- Financial Services: Banks need control over real-time payments, critical data flows, and AI-driven models with automated compliance capabilities and continuous evidence generation.
- Healthcare: Organizations need strict ownership of patient, genomic, and clinical data with secured information sharing across hospitals, research institutions, and diagnostic partners.
- Utilities and Telcos: These organizations must keep operations under authorized control to reduce exposure to external threats, supply chain issues, and other risks.
The Analyst Take: The Reality of Sovereignty
Across all sectors, sovereignty is fundamentally about control, not technology choices.
Government: Operational Sovereignty First
Government sovereignty is fundamentally about control: preventing foreign adversaries from influencing critical systems. Data residency requirements do not prevent compromise if the infrastructure depends on vulnerable supply chains or untrusted personnel.
Most government systems run on fragmented technology landscapes spanning decades. Implementing transparent audits across mainframes, cloud deployments, isolated email systems, and classified networks is primarily an organizational problem, not a technical one. Air-gapped networks maintained by defense contractors operate outside public cloud frameworks entirely. Such environments cannot benefit from IBM's hybrid cloud approach.
Priority for government CIOs: Start with operational sovereignty. Know who operates systems and what they did. Most government agencies cannot reliably audit access today. Technology sovereignty (infrastructure choice, avoiding lock-in) comes second. AI sovereignty is emerging but remains vague in regulatory requirements.
Financial Services: Regulatory Arbitrage
Banks face conflicting regulatory requirements across borders. US law demands OFAC sanctions screening. EU law demands GDPR data protection. China and the Middle East impose data localization mandates. These requirements contradict each other.
Continuous evidence generation sounds sensible until applied to real-time payment systems operating at sub-second latency. Auditing cannot happen in real time without breaking performance. Banks split the problem: real-time execution in one environment, asynchronous compliance auditing in another.
Regulators increasingly demand explainability in AI models. Which model denied the credit application? How was it trained? Was it biased? This is regulatory liability, not just governance. Owning infrastructure does not solve it.
Priority for bank CIOs: Technology sovereignty matters most. Lock-in to a single cloud provider's AI services prevents pivoting when regulators demand explainability the vendor cannot deliver. Data sovereignty is table stakes. AI sovereignty is the real battleground; you must govern the models making business-critical decisions, even if you do not build them.
Healthcare: Interoperability Without Leakage
The pressure on healthcare is not data ownership in the cloud sense. It is interoperability without data leakage. A patient moves between hospitals. Hospital B needs Hospital A's records for continuity of care. HIPAA permits this sharing for treatment, but requires protection in transit and auditable access logs.
Most healthcare organizations run proprietary EHR platforms (Epic, Cerner) that enforce access controls but create vendor lock-in and limit interoperability. Hospitals cannot easily share data between different EHR systems.
Genomic data is not just about individuals. It reveals information about relatives. Privacy laws are evolving around familial and population-level genetic data. This requires stricter controls than clinical data, yet enables researcher access for population studies. Secured information sharing assumes interoperability technology exists and scales. In practice, healthcare systems still share data via secure fax and encrypted email.
Priority for healthcare CIOs: Data sovereignty (knowing where patient data lives and who accesses it) comes first. Operational sovereignty is secondary; most systems depend on vendor operations already. Focus on contractual controls over vendors. AI sovereignty barely applies yet, but will become urgent as hospitals deploy AI for imaging analysis and diagnosis support.
Utilities and Telcos: Supply Chain and Geopolitics
For utilities and telcos, sovereignty is not about cloud architecture. It is about critical infrastructure protection and geopolitical risk.
Utilities cannot rebuild supply chains from scratch. They depend on vendors for hardware, firmware, software, and services. Backdoors introduced during manufacturing or supply chain compromise cannot be solved by owning infrastructure. The compromise happens at the hardware level.
Utilities face regulatory mandates (NERC CIP in North America, NIS Directive in Europe) that impose prescriptive security controls, not just ownership requirements. Telcos face geopolitical restrictions; the US and allied governments have effectively banned Huawei and other Chinese equipment from critical infrastructure on the grounds of potential backdoors or intelligence access. Avoiding lock-in to a single vendor means little if that vendor is the only one permitted by government regulation.
Priority for utility and telco CIOs: Technology sovereignty is critical, but reframe it as supply chain visibility. Know which vendors supply critical components, where they are manufactured, and what vulnerabilities exist. Operational sovereignty (tight access controls on production systems controlling critical infrastructure) is non-negotiable. Data sovereignty matters less; the risk is system takeover, not data theft.
Strategic Next Steps
Effective sovereignty implementation begins with a rigorous assessment of what it actually looks like across an organization's business, data, operations, and regulatory obligations. To move from reactive defense to proactive governance, leaders must implement controls consistently across IBM's five critical layers: infrastructure, platform, applications, data and AI, and operations.
Start with your sector's highest-impact sovereignty dimension. For most organizations, this is operational sovereignty first: knowing who operates systems and auditing their actions. Collect continuous evidence, because sovereignty claims without proof are worthless. Verify that controls work through regular audits, and communicate your sovereignty posture to regulators, customers, and stakeholders. The future belongs to those that can prove, not just claim, they are in control of their digital assets.
Works Cited
IBM Corporation. "Digital Sovereignty in the Era of Hybrid Cloud and AI." IBM, Feb. 2026, https://www.ibm.com/downloads/documents/us-en/15db45ee46d202ea.

