Frontier model concentration risk stopped being hypothetical

I was at Bharat Innovates 2026 in Nice last week, where one theme ran through almost every conversation: digital sovereignty, and who controls the AI that enterprises and governments now depend on.

The timing was sharp. Just before the event, on 13 June 2026, the US Commerce Department issued an emergency export-control directive restricting one of the most advanced frontier models from use by foreign nationals, citing national security. As reported by Time and Fortune, the provider disabled access to comply.

That action is contested. A judge has paused it, the Department of Justice is appealing, and earlier models from the same provider remain available internationally. Treat it as a live dispute, not settled.

The lesson holds either way. Access to a single frontier model, for an entire class of users, can change overnight by decision of a government that is not yours. That is frontier model concentration risk, and it is no longer a thought experiment.

What Bharat Innovates 2026 was really about

Bharat Innovates 2026 ran in Nice from 14 to 16 June, convened by India's Ministry of Education and bringing together 120 deep-tech start-ups. It was inaugurated by Prime Minister Narendra Modi and President Emmanuel Macron.

Macron spoke to the importance of trustworthy AI and digital sovereignty. Modi framed AI as something that should work for everyone, his "AI for All" line.

AI for ALL

Two heads of state, on one stage, putting sovereignty and trust at the centre of the AI conversation. The signal for any board is plain. The question of who controls your AI, and under whose laws, has moved from policy panels into procurement and risk committees.

(Pictured: Disseqt founder and CEO Apoova Kumar with "the father of the Indian IT revolution", Infosys co-founder, Narayana Murthy

Why a "sovereign model" is the wrong answer

The instinct, hearing all this, is to go shopping for a sovereign model trained at home, hosted at home, owned by a provider in your own jurisdiction.

That instinct misreads the problem. Frontier capability is concentrated in a small number of providers, and most enterprises will run more than one model over the life of a single AI system. Foreign-domiciled AI model dependency is the default condition, not the exception.

Models also move. They get restricted, deprecated, and re-priced, and better ones arrive every few months. Tie your governance to a specific model and you rebuild your governance every time the model changes.

The durable answer sits one layer down. Build the assurance underneath the model, so it holds whichever model you run, and so it survives the day a model gets switched off.

Model-agnostic AI assurance is the control that survives the swap

Model-agnostic AI assurance means the testing, the controls, and the audit record live in infrastructure you own, independent of any single provider.

When a model is restricted or deprecated, you swap the model and keep the assurance. Your adversarial tests still run, your runtime policy still enforces, and your AI Evidence trail still proves what the system did, before and after the change.

This is the through-line from the sovereignty conversation to the operational reality. The full governance-stack mechanics, the data-residency and jurisdiction layers, get the deeper breakdown elsewhere. This post is about why model independence is now the load-bearing design choice.

Sovereignty, read operationally, is about control you can keep. A control you lose the moment a provider in another country changes its terms was never really yours.

The EU AI Act puts the obligation on you, not the provider

There is a regulatory edge to this that boards underestimate. Full applicability of the EU AI Act lands in August 2026, and the EU AI Act deployer obligations sit on the organisation running the system.

Where the model provider is domiciled does not transfer the obligation. If a high-risk system has to be documented, tested, and monitored, you carry that duty even when the model is built and hosted on another continent.

So the export-control story and the compliance story are the same story. If your provider can be restricted by a foreign government, and your obligation stays with you regardless, your assurance cannot be something you rent from that provider.

It has to be produced and held inside infrastructure you control. That is the only version of the AI Assurance Lifecycle that survives both a model swap and an audit.

How we built Disseqt for this

We built Disseqt as The Assurance Layer for Enterprise AI Operations, model-agnostic by design. The lockup is Test & Detect. Protect & Enforce. Prove & Comply.

Test and Detect runs adversarial testing on whatever model sits underneath, so a model swap does not reset your coverage. Protect and Enforce applies policy at the inference layer at runtime, independent of the provider. Prove and Comply produces AI Evidence, the portable, deployer-owned audit record held inside your own stack.

That is the point of a model-agnostic assurance layer across the full AI Assurance Lifecycle. The model is a component you can change. The assurance is the part you keep.

Bottom Line

A government switched off a frontier model for a whole class of users overnight, and two more put sovereignty at the centre of the AI conversation the same week. Frontier model concentration risk is now a board question.

The answer is not a sovereign model. It is model-agnostic, deployer-owned assurance, so when the model changes, your testing, controls, and AI Evidence survive the change.