Automation Anywhere redefines Sovereign AI with the Spectrum of Control model
The concept of Sovereign AI is changing — and fast. Automation Anywhere just introduced a new way of thinking about data sovereignty in the age of intelligent agents, and it has everything to do with the moment the artificial intelligence industry is living right now.
For a long time, the conversation revolved around a single point: where data is stored. Makes sense, right? With data localization regulations spreading around the world — three-quarters of countries already have some rule along these lines, according to a McKinsey survey — companies naturally focused on making sure information stayed within the right borders. Data residency policies, zero-copy architectures, and regional controls became the gold standard for anyone who needed to operate across multiple jurisdictions without stepping out of line.
But then AI went beyond analysis. It started to act. And when an AI doesn’t just read data but makes decisions, triggers processes, and moves information across different systems at the same time, the question is no longer just where the data is — it becomes what happens to it while AI is working.
That’s the central point Automation Anywhere brought to the surface with its model called the Spectrum of Control. The idea is simple to understand but complex to execute: data control needs to follow every step of execution — not just the place where information sits at rest, but the entire path it travels while AI is in action. 🤖
When AI starts acting, the game changes completely
Think of it this way: for years, companies built data policies around repositories — databases, servers, regional clouds. The logic was almost static. Data lives here, rules protect that space, and everyone is happy with compliance. But agentic AI broke that logic entirely.
A modern AI agent doesn’t just query a database and return a response. It navigates between systems, accesses APIs, feeds other processes, generates outputs that become inputs for other tools — all of this in fractions of a second, often without direct human intervention along the way. These systems move data across workflows, trigger chain reactions, and interact with multiple environments simultaneously. It’s a type of behavior that creates new exposure points that simple data residency and zero-copy architecture just can’t cover on their own.
This new AI behavior creates a type of vulnerability that traditional regulations are still trying to keep up with. When an automated workflow processes European customer data, for example, it needs to respect GDPR not just when that data enters the system — but at every stage of the journey, including the moments when AI is inferring, classifying, making decisions, or passing information along to another agent or system.
The data might well be stored within the correct borders, but if processing happens somewhere else, or if an AI agent chains actions that move that data through environments outside the original regulatory scope, compliance can be compromised anyway. This isn’t a hypothetical scenario — it’s a real one for any global company adopting intelligent automation at scale.
This is exactly why the concept of Sovereign AI is being reinterpreted by the industry. Data sovereignty is no longer just a matter of physical geography — it’s a matter of active governance throughout the entire execution. And the more autonomy AI agents gain to run complex workflows, the more that governance needs to be granular, traceable, and enforced in real time, not just audited after everything has already happened.
Receive the best innovation content in your email.
All the news, tips, trends, and resources you're looking for, delivered to your inbox.
By subscribing to the newsletter, you agree to receive communications from Método Viral. We are committed to always protecting and respecting your privacy.
What Mihir Shukla said about the new model
Mihir Shukla, CEO and chairman of the board at Automation Anywhere, summarized the shift pretty directly when presenting the concept. According to him, companies are no longer just asking where their data is stored — they want to know what happens to that data when agentic AI acts on it.
For Shukla, Sovereign AI is not a single architecture or a product category. It’s a spectrum of control. Organizations need to define how their data is processed, accessed, and governed based on their own regulatory and operational requirements, and work with partners who can apply that control consistently across data, infrastructure, and workflows.
That statement matters because it positions data sovereignty as something that can’t be solved with a one-size-fits-all solution. Every company has a different context — industry, jurisdiction, data sensitivity, level of automation already in place — and needs the flexibility to define where each control applies.
The Spectrum of Control and what it actually proposes
The Spectrum of Control model from Automation Anywhere starts from a pretty straightforward premise: not every company has the same level of risk or the same appetite for control — and because of that, data sovereignty in the AI era needs to be treated as a spectrum, not as a binary on-or-off switch.
According to the definition the company presented, the Spectrum of Control allows organizations to maintain control across five fundamental dimensions:
- Where data and metadata reside — the physical and logical location of information remains important, but now as part of a larger set of controls.
- How data is processed — including whether it is copied, moved, or processed at its source without unnecessary transfer.
- Who can access the data — with granular access controls that include the organization owning its own encryption keys.
- Where work happens and how actions are executed — ensuring that AI agents operate within the boundaries defined by the company.
- Which legal jurisdictions apply to data access — allowing the organization to define which legislation governs each specific operation.
At one end of the spectrum, you have organizations using shared public cloud infrastructure with less direct control over where and how models process information. At the other end, you have companies that require completely isolated environments, with models running on-premises, no data leaving the internal perimeter — and full traceability of every action an AI agent takes.
Between those two extremes, there’s a huge range of possible configurations, and that’s exactly where the Spectrum of Control becomes relevant. The goal isn’t to push every company toward the most restrictive model possible — that would be operationally and financially unviable for most. The goal is to give organizations the tools and clarity to understand where on the spectrum they currently sit, where they need to be according to their applicable regulations, and how to adjust automated workflows to respect those boundaries without grinding operations to a halt. 🎯
The APA platform and the technical capabilities behind the model
To make the Spectrum of Control work in practice, Automation Anywhere points to its Agentic Process Automation platform, known as APA, as one of the few solutions on the market capable of delivering this level of control without requiring data centralization or a single deployment model.
The technical capabilities behind this promise include:
- Flexible deployment models — supporting cloud, multi-cloud, and on-premises environments, letting the company choose the combination that makes sense for its regulatory and operational reality.
- Data controls and governance — allowing organizations to define where data is processed and how access is managed without relying on a centralized architecture.
- Composable architecture — integrating with data sources, AI models, and applications chosen by the customer without requiring lock-in to a single vendor.
- Action and workflow controls — governing how AI systems act on data across different processes and environments.
- Sovereignty controls — enabling organizations to define data location, model deployment, and applicable legal jurisdiction.
- Built-in security and governance — with policies, monitoring, and auditability to support compliance and responsible AI operations.
The most interesting point here is the idea that control doesn’t have to come with rigidity. Many data sovereignty approaches end up limiting organizational flexibility by requiring all data to be centralized in a single environment or all operations to run on a platform controlled by a single vendor. Automation Anywhere’s proposal goes in the opposite direction: keeping control distributed, matching the way companies actually operate day to day — with multiple systems, multiple clouds, and multiple jurisdictions.
How to operationalize Sovereign AI in everyday work
Okay, the concept is interesting, but how does this translate into concrete actions? Automation Anywhere detailed a few practices companies can adopt to turn the Spectrum of Control into operational reality:
- Limit unnecessary data movement — process data where it lives instead of copying or centralizing it to feed AI processes. This reduces exposure points and simplifies regulatory compliance.
- Maintain control during execution — ensure that workflows and AI agents operate within well-defined boundaries without exposing data in environments outside the organization’s governance scope.
- Retain control of access and encryption keys — don’t rely solely on the cloud or platform provider to manage who has access to data and how it’s protected.
- Align deployments with regulatory requirements — use a combination of deployment models, including cloud, multi-cloud, and on-premises, based on the applicable jurisdiction and risk level of each operation.
- Ensure visibility and auditability — track data movement and system actions with clear audit trails and governance controls that allow you to demonstrate compliance at any time.
These practices aren’t revolutionary on their own, but what changes is the context. When AI was an analytical tool that received data, processed it, and returned a result, governance controls could be applied in a more static way. Now, with AI agents chaining actions autonomously, those controls need to be dynamic and embedded in the workflow architecture itself.
Regulations that keep growing
You can’t talk about Sovereign AI without talking about the regulatory environment shaping business decisions. The number of countries with some form of data control legislation has grown significantly in recent years, and the trend is accelerating — especially now that governments around the world are realizing that AI is no longer a technology of the future but a present reality already making decisions with real consequences for citizens, businesses, and critical infrastructure.
The European GDPR was the best-known milestone, but since then we’ve seen AI-specific regulations in the European Union with the AI Act, state-level privacy laws in the United States, data protection legislation in Latin America — including Brazil’s LGPD — and sector-specific frameworks for healthcare, finance, and defense. This regulatory fragmentation is one of the biggest challenges for global companies that need to standardize their AI operations across different regions.
The challenge for companies is that these regulations weren’t designed with autonomous AI agents executing complex end-to-end workflows in mind. Most legislation still assumes there’s a person or a well-defined system responsible for each decision made based on personal data. When an AI agent starts chaining decisions autonomously, identifying where accountability lies, which data was used at which moment, and which rule applies at each stage becomes an extremely difficult regulatory exercise.
This is exactly the gap that approaches like the Spectrum of Control are trying to fill from a technical and operational standpoint. By creating a framework that lets organizations define and enforce controls at every stage of execution, the proposal offers a bridge between what regulations require and what technology actually does in practice. 📋
What this means if you’re using automation today
If your company already uses some form of intelligent automation — whether traditional RPA or more modern AI agents — it’s worth revisiting how existing workflows handle sensitive data throughout execution. The question isn’t just whether data is stored in the right place, but whether you have visibility into what happens to it while automated processes are running.
This review can reveal exposure points that weren’t relevant when AI was just an analytical tool but become critical now that it acts autonomously and chains actions together. A workflow that used to be simple — query a database, apply a rule, generate a report — may have turned into a complex chain of actions involving multiple systems, multiple jurisdictions, and multiple AI agents operating in parallel.
Another important dimension is preparing for regulations that are still on the way. The global regulatory environment is constantly evolving, and companies that build their automation architectures with data control baked in from the start have a clear advantage over those that need to retrofit legacy systems to meet new requirements. This is especially true for regulated industries, but it also applies to any organization dealing with user data at scale — which, in practice, is pretty much everyone using AI in a serious way.
In practical terms, this means a healthcare company dealing with patient data will have very different needs than a retail company processing purchase preference data. Both use automation, both are subject to some type of regulation, but the levels of control required are completely different. The Spectrum of Control acknowledges this diversity and offers a framework for each organization to calibrate its sovereignty posture intelligently, without sacrificing the speed and efficiency that agentic AI delivers.
Sovereign AI as a native layer of automation
For legal, compliance, and IT teams, all of this represents a significant shift in how to think about governance. It’s no longer enough to have a map of where data is stored — you need visibility into how AI agents interact with that data during execution, which systems are accessed, what inferences are made, and how outputs are used.
That visibility needs to be built into the architecture of automated workflows themselves, turning data control into a native layer of automation rather than a retroactive audit that only discovers problems after they’ve already happened.
Automation Anywhere, which has been in the automation market for over 20 years, is clearly positioning its APA platform as the infrastructure capable of supporting this new vision of sovereignty. With support for flexible deployments, composable architecture without vendor lock-in, and governance controls integrated into the execution layer, the company is betting that the Spectrum of Control can become a reference point for how the market thinks about Sovereign AI going forward.
Sovereign AI is no longer a conversation limited to governments and large critical infrastructure corporations. It has reached the operational level — the day-to-day reality of anyone configuring workflows, defining access policies, and choosing where and how language models and AI agents will process information. And understanding this new landscape — where sovereignty means active control throughout the entire execution, not just storage location — is the first step toward building an automation strategy that is both powerful and responsible. 🚀
