IBM unveils tool to track sovereignty risks for cloud workloads

IBM has launched a tool designed to help customers assess cloud-sovereignty risks and meet regulatory compliance requirements. 

The Sovereignty Risk Profile launch comes as digital sovereignty becomes a higher priority for organizations concerned about where data is stored and processed. According to an IBM survey, 93% of executives believe sovereignty needs to be part of their business strategy.  

Via the new tool, customers can set up policies related to regulatory and business requirements, such as where data resides and how it’s protected. These policies can be applied to specific cloud workloads, regions, or zones in the Sovereignty Risk Profile tool, allowing users to track sovereignty requirements “in real time,” IBM Cloud product manager Janet Van said in a blog post, with “visibility into configurations, encryption posture, and environmental controls.”

It’s then possible to assess compliance and decide what workloads meet sovereignty requirements. 

Tracking the factors that contribute to sovereignty is a challenge for many organizations, said Holger Mueller, vice president and principal analyst at Constellation Research. “It is very difficult, as you don’t know about the details of the stacks; sometimes, even the location of data is not fully transparent,” he said.

The Sovereignty Risk Profile “addresses many of the compliance-related requirements associated with data residency and encryption, while also tackling sovereignty from a resilience and concentration-risk perspective,” said Dario Maisto, senior analyst at Forrester.

However, the monitoring tool can only do so much to address digital sovereignty concerns, he said. While it can help organizations identify and report on potential issues, it “does not help [make] clients more or less sovereign, per se: it has only the potential to tell that a sovereignty problem is there.”

Broader questions around digital sovereignty remain difficult to address, he said, as there’s no universally accepted definition of the concept and limited legislation to establish clear requirements. 

Mueller described a spectrum of sovereignty issues that depend on factors such as whether data is stored, processed, and backed up in a customer’s own country, as well as whether staff that operate the data are domestic nationals. “Then there is the sovereignty of the software supply chain — but here everybody is dependent,” he said.

To further complicate matters, while several US hyperscalers sell sovereign-branded cloud services to European customers — with local staff and infrastructure — concerns remain about the potential for extra-jurisdictional access to data, due to the US CLOUD Act and the US Foreign Intelligence Surveillance Act (FISA).

The Sovereignty Risk Profile is available within IBM’s Security and Compliance Center Workload Protection. It’s the latest in a range of IBM Cloud products aimed at addressing customers’ sovereignty concerns, including the recently launched IBM Sovereign Core software platform.

All major AI models violate EU regulations — study

All of the big AI models violate EU rules on AI and data protection to varying degrees, according to the nonprofit research foundation Aithos.

Aithos tested the models using its own tool, LARA (Legal Assessment for Real-world Agents), which simulates real-world scenarios in which AI assistants may find themselves in legally questionable situations, according to The Register. The tests measure compliance with the GDPR and the EU’s AI Regulation, among other things, and found that the models collected user data without proper consent, attempted to manipulate vulnerable individuals, or created psychological profiles of users.

According to the results, all major language models failed to meet EU legal requirements; some violated the rules in up to 93% of cases. The best result was achieved by the Anthropic model Claude Opus 4.7, which was in compliance about 54% of the time.

Aithos warned that responsibility for the shortcomings does not lie solely with AI companies. Companies that build their own AI agents on top of these models could also be held legally liable.