Vendors will sell you "AI sovereignty" in 2026 the way they sold you "cloud-native security" in 2016: as a feature label bolted onto an architecture that did not actually change. The market is filling up with products that all call themselves an AI control plane, and they mean radically different things. Portkey brands itself "the control plane for AI" and routes your traffic across a thousand models. Chamath Palihapitiya's 8090 calls its Software Factory an "SDLC control plane" and writes your applications for you. Both are real. Both are control planes. Neither controls the same thing.
So when a vendor tells you their platform gives you a control plane, the honest answer is a question: a control plane over what? That question is the whole game, and almost nobody asks it before signing.
Three buyers, one architecture, a wave of sovereignty pitches
If you have been following this series, you have seen the lock-in problem from three seats. The operator whose workflows now live inside the vendor's surface. The services firm paying its own competitor to learn its playbook. The regulated enterprise that cannot put its data in someone else's cage. Three constituencies, one structural fact: context lives in the vendor, not the operator.
Vendors have noticed the anxiety, and the response is a flood of reassurance. "Vendor neutrality." "Enterprise sovereignty." "Bring your own model." "AI control plane." The words are everywhere and they are not comparable, because each describes a fix at a different layer of the stack. Some solve billing. Some solve logging. A very small number actually change who owns the thing the vendor is trying to capture. A buyer who cannot tell these apart will pay control-plane money for a billing redirect and believe they bought sovereignty.
The fix is not more vocabulary. It is a spectrum: a way to place any control plane on a ladder and see exactly how high it reaches.
"Control plane" already means five incompatible things
Walk the market and the label stretches across the entire stack. Nutanix announced an enterprise AI control plane for infrastructure orchestration. Broadcom frames the control plane as the next frontier of infrastructure sovereignty. IBM ships Sovereign Core for verifiable governance. Portkey's control plane lives at the API gateway, adding guardrails, PII redaction, and audit trails to model traffic. 8090's control plane sits at the software development lifecycle and ships finished code. These are not competing products in the same category. They are different layers wearing the same word.
This is why the comparison feels impossible. A buyer evaluating "AI control planes" is handed a router, a governance dashboard, a build platform, and an infrastructure layer, all using identical language, and asked to choose. The category vocabulary has collapsed five distinct architectures into one fuzzy label, and the collapse is doing real work for the vendors: it lets a routing product borrow the credibility of full sovereignty without delivering it. Un-collapsing it is the rest of this post.
The four levels run from billing up to the agent itself
Here is the spectrum. Each level controls strictly more than the one below it, and the jump between levels is architectural, not a feature you can toggle on.
Level 0 — Direct vendor SaaS. No control plane. The vendor owns the model, the workflow, the memory, and the audit trail. You send prompts and receive completions, and everything you build accumulates inside the vendor's environment. This is the default for most enterprise AI deployments today, including the ones that believe they have a strategy.
Level 1 — Token routing. The buyer decides which model handles which request. This is the gateway layer that sits between your apps and the model providers, products like LiteLLM routing across a hundred providers behind one interface, with fallback and budget controls. It solves real problems: billing consolidation, multi-model strategy, vendor diversification, redundancy when a provider goes down. What it does not solve is the prompt itself. Every prompt still passes through the vendor on its way to the model. The routing layer chooses the door; the methodology still walks through it.
Level 2 — Workflow routing. The buyer's own software layer sees and logs the whole workflow, not just the tokens passing through. This is where audit trails, internal observability, and workflow versioning live. 8090's SDLC control plane is a vivid example: it captures requirements, architecture decisions, and work orders with full audit trails for regulated industries. You gain genuine internal visibility. What you do not gain is anything about the model itself. The model calls still happen through vendor APIs, so the vendor still sees the inputs, and the platform itself can be the competitor. 8090 deploys to tens of thousands of EY consultants and, in its enterprise tier, retains the IP of the code it builds. A control plane that logs everything for you can still own what it produces.
Level 3 — Mounted-agent substrate. The durable agent (the instructions, the methodology, the accumulated memory, the identity, the audit trail) lives on a substrate the buyer controls. The model is demoted to a swappable runtime that processes inputs but never owns or accumulates the agent. This is the only level where the thing worth stealing is no longer in the vendor's hands. The model becomes an interchangeable input you can swap quarter to quarter, including for a local one, and the agent comes with you when you do.
The levels are cumulative, but the gap that matters is between 2 and 3. Levels 0 through 2 all leave the methodology where the vendor can keep it. Only Level 3 separates the agent from the model.
The sovereignty maps everyone is drawing measure the wrong axis
Here is where most of 2026's sovereignty thinking goes sideways, and it is worth being precise about why.
A genuinely good map already exists. Traefik's five levels of AI sovereignty runs from data residency up to "true sovereignty," full portability across vendors without rearchitecting. It coins a useful phrase for the failure mode, "sovereignty theater," where the sovereign infrastructure turns out to depend on a SaaS control plane in Virginia. A parallel piece on what sovereignty requires at runtime nails the same diagnosis: false sovereignty is when "the workloads run locally, but the routing logic, policy enforcement, telemetry pipeline, or identity authority still resolve to external SaaS systems." Both are right, and both are useful. But both measure the wrong axis for the problem this series has been describing.
Their axis is infrastructure: where does the model physically run, and where do routing, policy, and identity resolve? That axis matters enormously for data residency and runtime control. But it is a different question from the one that determines whether you are funding your own replacement. Traefik is admirably honest about the boundary. Its model governs infrastructure control, and by its own account, workflow methodology and agent design patterns "remain vendor-dependent even at Level 5." You can climb all the way to the top of the infrastructure ladder, run a model in your own datacenter with the internet switched off, and still have an agent whose instructions, memory, and learned methodology live in a format and a surface the vendor defines.
Two questions, not one. Where does the model run is the infrastructure question. Does the vendor get to keep the methodology is the agent question. The maturity models answer the first and leave the second sitting in the vendor's database. The pattern-leakage problem lives entirely in that second question, and no amount of infrastructure sovereignty touches it if the durable agent is still the vendor's to hold.
The one question that separates the levels
Strip away the labels and there is a single diagnostic that places any control plane on the spectrum:
When my workflow runs, does the vendor learn the methodology, or only process the input?
If the answer is "learn," meaning your instructions, your accumulated memory, and your refined process live in the vendor's surface and become part of the context that makes you hard to leave, you are at Level 0, 1, or 2, no matter how the product is branded. A token router that leaves your agent in the vendor's hands is a Level 1 product with a sovereignty sticker. If the answer is "only process," meaning the durable agent lives on your substrate and the model sees a transient input it cannot keep, you are at Level 3.
Run that question against the pitches in your inbox and most claims of sovereignty fall apart on contact. The vendor that routes your tokens has not stopped seeing your prompts. The platform that logs your workflows still ships them through an API the vendor owns. The local-model deployment that left the agent definition sitting in the vendor's console moved the inference and kept the lock-in: sovereign hardware, captive methodology.
Why the top of the ladder is finally reachable
For most of the last five years, separating the agent from the model was a nice idea that required infrastructure most teams could not build. That has changed, and the change is what makes this spectrum actionable rather than aspirational.
The durable agent layer turns out to be small. Instructions, memory, identity, and audit trail are kilobytes to megabytes per agent: text and structured records, not gigabytes of weights. The runtime layer has gotten portable in the other direction. Local models are competitive for a growing share of tasks, inference is increasingly bring-your-own, and harness diversity is now the norm rather than the exception. Substrates now exist to host the durable layer independently of whichever model executes it. Tokenrip is one such substrate. It holds the mounted agent on infrastructure the operator controls, while the model is mounted at runtime from wherever makes sense for the job. It is the same portable-agent architecture the earlier posts described, read now as the answer to the control-plane question rather than a product feature. None of these existed at scale five years ago; all of them do now, which is why a question that used to be academic is suddenly a purchasing decision.
A framework for the next sovereignty pitch you hear
The next time a vendor claims a control plane, sovereignty, or vendor neutrality, four questions place the claim on the spectrum before the demo even starts:
Routing level. What does this control plane actually route: tokens, workflows, or agents? The answer tells you the level directly. Tokens is Level 1. Workflows is Level 2. The agent itself is Level 3.
Methodology exposure. The single question from the last section, asked straight across the table: when our workflow runs, do you learn the methodology, or only process the input? "Learn" caps the product at Level 2 no matter what the label on the box says.
Vendor blow-up survivability. If the underlying model provider has an incident tomorrow, what survives: a billing redirect, workflow continuity, or the full agent? Level 1 saves your billing. Level 2 saves your logs. Only Level 3 saves the thing you actually built.
Local-model compatibility. Can the same workflow run on a local model we control, without rebuilding it? If the agent is portable, the answer is yes by construction. If swapping the model means rebuilding the workflow, the agent was never separated from it.
A vendor whose "sovereignty" product fails these is selling you a label. Run the four questions in order and the level falls out of the answers. You do not need the vendor's category claim at all.
What the spectrum does, and what it doesn't
The four questions are a decoder ring, not a purchase order. They will not tell you that Level 3 is always the right buy. A team that genuinely needs only billing consolidation should buy a Level 1 router and not pretend it bought sovereignty. What the spectrum does is end the equivocation. It puts all three buyer anxieties from this series onto one architectural axis, and it shows that the sovereignty pitches answering them mostly operate a rung or two below where the anxiety actually lives. The infrastructure maturity models, valuable as they are for data residency, measure a different ladder entirely and concede that the agent stays vendor-dependent at their summit.
So the question was never whether you have a control plane. By 2026 everyone has one, or will be sold one. The real question is which level of the stack it reaches, and whether, when the model you bet on has its bad day, the thing you spent two years building walks out the door with the vendor or stays home with you.