FrameworkJune 18, 20268 min

The Levels of Sovereign Autonomy

A two-axis maturity model for organizations deploying AI that acts. Every enterprise can say how autonomous its systems are. Almost none can say how enforced that autonomy is — and that second axis is the one that determines the risk.

By Weynand Kuijpers — Co-founder & CTO, Skipr

The Levels of Sovereign Autonomy

A two-axis maturity model for organizations deploying AI that acts.

Every organization deploying AI agents today can answer the question "how autonomous are our systems?"

Almost none can answer the harder question: "how enforced is that autonomy?"

The industry has borrowed a useful frame from self-driving cars. SAE J3016 defined six levels of driving automation, and that scale worked because it classified operational risk, not intelligence — a Level 2 system and a Level 4 system might use similar models, but the consequences of failure, and the required supervision, differ completely. Several credible efforts now map AI agents onto the same ladder, from rule-based assistants to fully self-managing systems.

These models measure one axis. They describe what the agent is permitted to do. They say nothing about whether that permission is real.

The gap between documented and enforced

The Cloud Security Alliance stated the principle plainly in its 2026 guidance: autonomy boundaries must be technically enforced, not just policy-documented.

The distinction sounds procedural. It is everything.

A policy that says "agents may not approve payments above $10,000" exists in two very different organizations. In one, it is a paragraph in a governance document that an agent has no mechanism to read and no obligation to obey. In the other, it is a runtime control that evaluates every payment action before execution and blocks the ones that exceed the boundary — regardless of what the agent decided.

Both organizations will report identical policies to their auditors. Only one of them has a policy.

Autonomy without enforcement is not governed autonomy. It is autonomy with paperwork.

Two axes, not one

A maturity model for the autonomous era therefore needs two axes.

The first axis is autonomy — familiar from the SAE-derived frameworks:

  • A0 — Advisory. The system recommends. A human performs every action.
  • A1 — Assisted. The system acts on narrow, pre-approved tasks under continuous human supervision.
  • A2 — Conditional. The system acts independently within a defined operating envelope; humans handle exceptions and escalations.
  • A3 — High autonomy. The system manages workflows end-to-end, including many exceptions; humans set objectives and review outcomes.
  • A4 — Full autonomy. Systems of systems: agents delegating to agents, operating continuously, with humans governing at the level of policy and intent.

Most enterprise deployments today sit at A1–A2. The trajectory toward A3 and A4 is not in dispute — Gartner projects the average Fortune 500 enterprise will run more than 150,000 agents by 2028, up from fewer than fifteen in 2025. Nothing at that scale can be supervised action-by-action. Autonomy will rise because arithmetic demands it.

The second axis is enforcement sovereignty — how, and where, the boundaries on that autonomy actually exist:

  • S0 — Documented. Policies exist on paper. Compliance depends on the agent's design and the developer's diligence. Nothing prevents violation.
  • S1 — Platform-enforced. Boundaries are enforced by the vendor platform the agent runs on — real controls, but scoped to one estate, defined by the vendor's capabilities, and visible only within that platform.
  • S2 — Runtime-enforced. An independent control layer evaluates every action, from any agent on any platform, at the moment of execution. Policy is uniform across the estate. Violations are blocked, not discovered.
  • S3 — Sovereign-enforced. Runtime enforcement, with the control layer running entirely inside infrastructure the organization owns and operates. No external dependency, no foreign jurisdiction, no vendor whose outage or subpoena becomes your governance failure. Every action produces evidence the organization itself retains.

The regulatory frameworks the industry must answer to already assume the upper half of this axis. The EU AI Act's high-risk regime does not ask whether critical-infrastructure operators have AI policies; it demands risk management, logging, human oversight, and demonstrable control — obligations that carry penalties reaching three percent of global turnover, and that only technically enforced systems can demonstrably meet. NIST's AI Risk Management Framework organizes its govern-map-measure-manage cycle around controls that operate, not aspirations that sit in binders. ISO/IEC 42001 makes an auditable management system — evidence, not intention — the unit of certification.

Regulation, in other words, is a ratchet along the S-axis. Each new mandate converts another documented policy into a required control.

Reading the grid

Cross the two axes and every AI deployment in the world lands somewhere on a twenty-cell grid. Three regions matter.

The safe diagonal. Autonomy and enforcement rising together: A1/S1, A2/S2, A3/S3. Each increase in what systems may do is matched by an increase in how independently, uniformly, and provably that permission is bounded. Organizations on the diagonal can adopt autonomy as fast as they can enforce it — which, in practice, means faster than anyone else.

The danger zone: high autonomy, low enforcement. A3/S0 or A4/S1 — agents managing end-to-end workflows, bounded by documentation or by one platform's partial view. This is where the industry's failure statistics will concentrate. Gartner already projects that over 40 percent of agentic AI projects will be cancelled by 2027; ungoverned autonomy is the canonical route there. An organization at A4/S0 has not deployed autonomous AI. It has deployed an incident report with a delay on it.

The under-used zone: low autonomy, high enforcement. A1/S3 — modest autonomy inside sovereign-grade enforcement. This looks over-engineered and is in fact the strongest starting position available, because the constraint on scaling autonomy is never the model. Models improve on their own. Enforcement infrastructure does not. The organization that builds S3 enforcement around A1 autonomy can walk up the A-axis at will. The organization that builds A3 autonomy on S0 enforcement must eventually stop, retrofit, and hope nothing happens in between.

That asymmetry is the model's central claim: the S-axis is the rate-limiting axis. Intelligence scales faster than governance. Enforcement is the buildable half of the gap.

Where the current stack tops out

It is worth being precise about why S3 is scarce.

The hyperscaler agent platforms deliver genuine S1 — strong enforcement, inside one tenant. The security incumbents extend inspection and threat control across more of the estate, but govern access and threats rather than decisions, and operate as services, not as customer-owned infrastructure. The SaaS governance and observability tools describe and report — S0 with better dashboards — because oversight delivered from someone else's cloud, with no enforcement path, documents rather than prevents.

S2 requires neutrality: a layer that no governed platform owns. S3 requires sovereignty on top of it: the layer running where the organization runs, owned by the organization it governs. Both properties are architectural. Neither can be added to a platform whose business model depends on the opposite.

Using the model

Three questions locate any organization on the grid in under an hour.

First: for each material agent deployment, what is the highest-consequence action it can take without a human in the loop? That is the A-level — assessed by consequence, not by vendor marketing.

Second: for that action, what would physically prevent a policy violation — a document, a platform setting, an independent runtime control, or a sovereign one? That is the S-level. If the honest answer is "the agent was designed not to," the answer is S0.

Third: is the S-level at or above the A-level? If not, the gap between them is the organization's unpriced risk — and, for anyone operating under the EU AI Act, Gulf critical-infrastructure mandates, or national localization law, its unpriced liability.

What this means

Maturity models earn their keep when they change decisions. This one implies three.

Build the enforcement axis first; the autonomy axis will take care of itself. Judge every governance product by the S-level it can actually deliver, not the A-level it demos. And treat the diagonal as strategy: the organizations that keep enforcement level with autonomy will absorb each new generation of AI capability as it arrives — while their competitors pause, retrofit, and explain.

Autonomy is coming on the industry's schedule. Sovereignty over it is built on yours.

FAQ

Frequently asked

What is an AI autonomy maturity model?
An AI autonomy maturity model classifies how independently an AI system acts — typically on a ladder from advisory (recommends only) to full autonomy (systems of agents operating continuously). Most are modeled on SAE J3016, the six-level framework for self-driving cars, because it classifies operational risk rather than intelligence.
What is the second axis in the Levels of Sovereign Autonomy model?
Enforcement sovereignty — how, and where, the boundaries on an AI system's autonomy are actually enforced. It runs from S0 (documented on paper only) through S1 (enforced by a single vendor platform) and S2 (enforced at runtime by an independent, cross-vendor control layer) to S3 (runtime enforcement inside infrastructure the organization owns and controls, producing its own evidence).
Why does enforcement matter more than autonomy level?
Because a policy that is documented but not technically enforced does not constrain anything — as the Cloud Security Alliance put it, autonomy boundaries must be technically enforced, not just policy-documented. Two organizations can report identical AI policies to auditors while only one can actually prevent a violation. Enforcement is also the rate-limiting axis: models improve on their own, but enforcement infrastructure has to be built.
How do regulations like the EU AI Act relate to this model?
Regulation acts as a ratchet along the enforcement axis. The EU AI Act's high-risk regime, NIST's AI Risk Management Framework, and ISO/IEC 42001 all require demonstrable, operating controls and audit-ready evidence — not documented intentions. Each new mandate effectively converts a paper policy into a required, enforced control, pushing organizations up the S-axis.
sovereign AIAI governanceAI agent autonomymaturity modelzero trustruntime enforcementEU AI ActNIST AI RMF
Related concepts

The vocabulary behind this piece

Related reading

Continue on this thread