Governments and regulated industries are spending heavily on “sovereign” AI. The market is projected to reach the hundreds of billions by 2030. And yet, if you ask ten vendors what “sovereign” means, you get ten answers — each one carefully drawn to include that vendor’s own product.
That is not a standard. It is marketing with a compliance label stapled on.
The gap
“Data residency” has become a stand-in for sovereignty. A system can store data in the right country while still calling home, depending on a hosted model it does not control, and failing the moment the network is cut. The buyer cannot tell the difference, because there is no agreed test to apply.
When everyone defines the word, the word means nothing. Procurement officers are left buying sovereignty they have no way to verify.
What POSS is
POSS — Privacy-first Open Source Software — is a neutral, testable definition of sovereign software. It is built around ten principles, and each one comes with a concrete way to check it: no telemetry, self-hostable, open license, reproducible builds, no open-core, air-gap capable, no external dependencies, documented, community-governed, and time-tested.
The point is not to be clever. The point is to make “is this sovereign?” a question with a verifiable answer that is the same in every jurisdiction.
POSS v0.1 is a draft. It is published for discussion, not yet ratified — the principles are stable in intent, but their exact wording and verification criteria will change before v1.0. That work happens in the open.
Why a foundation, and why this one
A standard is only as trustworthy as the body that keeps it. A vendor cannot be the neutral arbiter of sovereignty — its incentives point the wrong way. So POSS is held by the Osprey Foundation, a globally neutral, non-government body bound by five non-negotiable principles: it is non-commercial, non-affiliated, non-proprietary, non-extractive, and non-permanent.
The foundation sells no software and no consulting. It has no product to protect and no government to answer to. That is not a limitation — it is the entire reason a government that can trust no vendor might trust the standard.
What happens next
The standard is the first deliverable. The reference implementation, AERIE, follows — a local-first AI workspace that lets anyone watch the principles hold in practice rather than take them on faith. A certification program comes after that.
POSS is developed in the open, and it belongs to everyone who adopts it. If you want to challenge a principle or sharpen a definition, that is exactly the work that needs doing. Come do it with us.