The Sovereign Intelligence Index | Measuring Machine-Layer Dependency Before Authority Becomes Irreversible
A National Audit Framework for Measuring Machine-Layer Dependency, Preserving Human Agency, and Preventing AI-Mediated Sovereign Command Failure
Abstract
Existing artificial intelligence governance frameworks manage important forms of AI risk: safety, reliability, privacy, cybersecurity, transparency, procurement, bias, accountability, human oversight, and regulatory compliance. Those frameworks are necessary. They are not sufficient.
They do not yet provide a dedicated measurement architecture for the central sovereignty problem of the AI age: when public institutions, critical sectors, civic systems, or democratic publics become dependent on machine intelligence systems they cannot meaningfully understand, audit, contest, replace, suspend, or command.
This paper introduces the Sovereign Intelligence Index as a governing instrument for measuring machine-layer dependency before dependency hardens into practical authority. The Index does not ask only whether an AI system is safe, useful, efficient, lawful, explainable, or accurate. It asks whether the institution using the system still possesses public command over the intelligence layer through which it perceives, decides, administers, communicates, defends, remembers, and acts.
The paper defines sovereign intelligence risk as the risk that decision authority, public cognition, institutional memory, strategic infrastructure, capital leverage, or democratic legitimacy migrates into AI systems beyond meaningful public command. It then establishes a ten-domain Index for measuring that risk: decision automation exposure, human override reality, explainability and appealability, vendor dependency, data sovereignty, compute and cloud dependency, model authority concentration, cognitive capture exposure, foreign influence surface, and democratic accountability.
The Index uses a 0-to-5 scoring method for each domain, producing a 0-to-50 sovereign intelligence risk score. A score of 0 indicates no material AI dependency. A score of 5 indicates sovereign command failure. The score is not a substitute for legal judgment, technical evaluation, civil-rights analysis, cybersecurity review, or sector-specific regulation. It is a structured signal supported by evidence, audit findings, uncertainty notes, trigger conditions, and remediation obligations.
The Index is proposed as a governance and audit instrument, not as a completed empirical science. Its first function is to structure institutional judgment. Its second function is to generate comparable evidence. Its third function is to become more precise through pilot audits, inter-rater reliability testing, case validation, agency deployment, public revision, and longitudinal assessment.
The paper integrates the Index with existing governance baselines, including NIST’s AI Risk Management Framework, OMB’s federal AI-use and AI-acquisition memoranda, CISA’s AI roadmap, and the EU AI Act’s risk-based architecture. NIST’s AI RMF is organized around the functions govern, map, measure, and manage; OMB’s 2025 memoranda address federal AI adoption, inventories, high-impact AI, impact assessments, public trust, procurement, vendor lock-in, and data rights; CISA treats AI as both a beneficial capability and an infrastructure-risk domain; and the EU AI Act establishes risk-based rules for AI developers and deployers, including requirements for high-risk systems and obligations for general-purpose AI models. The Sovereign Intelligence Index extends these frameworks by measuring a distinct object: the erosion of institutional command through machine-layer dependency.
The central claim is narrow, operational, and public: a republic cannot protect sovereignty in the age of advanced AI unless it can measure when intelligence systems have crossed from assisting public authority to quietly exercising it.
I. Introduction: The Measurement Problem of Machine Authority
The first failure of AI governance may not look like science fiction. It may look like a procurement contract, a case-management dashboard, a model score, an automated summary, a fraud flag, an eligibility recommendation, a risk classification, a synthetic public message, and a human official who formally approves an output without knowing how the decision was actually made.
That is the measurement problem of machine authority.
Artificial intelligence does not need formal legal power to become authoritative. It only needs to become the system through which institutions perceive options, rank priorities, allocate attention, classify risk, draft decisions, explain outcomes, and communicate with the public. Once that happens, authority can migrate without statute, coup, declaration, or visible institutional rupture.
The agency remains. The court remains. The office remains. The public seal remains. The human signature remains. But the path by which judgment is formed may already have moved into a machine layer that the institution cannot fully inspect, contest, replace, suspend, or command.
The Sovereign Intelligence Doctrine states the upstream problem: AI should be treated as structural power, not merely as software. It describes artificial intelligence as an emerging machine layer beneath public administration, markets, military judgment, civic persuasion, education, courts, media, institutional memory, and democratic legitimacy. Its warning is not simply that AI systems may fail, discriminate, hallucinate, or be misused. Its deeper warning is that public institutions may become reliant on AI systems they cannot understand, audit, replace, contest, or command. That condition is sovereign dependency.
This paper supplies the next object in the sequence.
The doctrine names the machine-layer sovereignty problem. The Sovereign Intelligence Index creates the governing measurement instrument. The Operational Annex makes the instrument implementable.
This sequence follows the central move identified in the attached follow-up framework: the first paper gives the doctrine; the second must give the instrument.
The Index begins from one controlling question: Can the institution still command the system, or has the system become necessary for the institution to command itself?
That question is different from ordinary AI risk analysis. A system may be accurate and still create dependency. It may be useful and still displace judgment. It may be secure and still concentrate authority. It may be lawful to procure and still hollow out institutional capacity. It may increase efficiency while weakening appealability. It may reduce cost while making a public agency dependent on a private vendor’s model, cloud stack, data terms, and interface.
The central failure mode is not always bad output. It is command loss.
A republic cannot govern what it cannot see. It cannot correct what it cannot inspect. It cannot contest what it cannot explain. It cannot replace what it cannot exit. It cannot preserve legitimacy when responsibility dissolves across agency, vendor, contractor, model provider, cloud provider, interface designer, and automated workflow.
The purpose of the Sovereign Intelligence Index is to make that condition measurable before it becomes normal.
II. Core Definitions
A measurement architecture requires disciplined language. The following definitions govern the Index.
Artificial intelligence system means any machine-based system that generates outputs, classifications, predictions, rankings, recommendations, summaries, risk scores, decisions, simulations, synthetic content, automated actions, or decision-support materials capable of influencing human judgment, institutional operation, public communication, rights, benefits, enforcement, safety, legitimacy, or civic perception.
Machine layer means the infrastructure of models, compute, cloud platforms, chips, data centers, energy supply, APIs, deployment interfaces, agents, recommender systems, synthetic media tools, evaluation systems, training pipelines, data stores, and institutional integrations through which AI mediates public and private life.
Sovereign intelligence means the capacity of a political community and its public institutions to retain command over the systems through which they perceive, decide, administer, communicate, defend, educate, regulate, adjudicate, remember, and act.
Sovereign intelligence risk means the risk that public institutions, critical sectors, civic systems, or democratic publics become dependent on AI systems in ways that reduce their ability to understand, audit, contest, replace, suspend, constrain, or command the systems that materially shape public life.
Machine-mediated authority means any decision, recommendation, classification, risk score, ranking, administrative action, public message, institutional judgment, or civic perception in which AI materially shapes the outcome, even when a human formally approves it.
Public command means the legal, technical, operational, financial, and institutional ability of democratic authorities to inspect, audit, contest, constrain, replace, suspend, or govern AI systems that materially shape public functions or civic life.
Authority displacement means the condition in which AI outputs become practical defaults and human review becomes thin, symbolic, overloaded, deferential, or dependent on machine framing.
Sovereign command failure means the condition in which an institution cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from an AI system that materially shapes its public function.
Cognitive sovereignty means the ability of citizens and democratic societies to form beliefs, exercise judgment, and participate in public life without covert domination by synthetic identity systems, bot consensus, undisclosed automation, deepfakes, personalized machine persuasion, foreign influence operations, or manipulative AI systems that conceal their nature or origin.
Institutional sovereignty means the ability of public institutions to use AI without surrendering legal, operational, epistemic, or administrative control to private, opaque, foreign-exposed, unreviewable, or non-substitutable systems.
Infrastructure sovereignty means the ability of a political community to preserve sufficient command over the compute, cloud, chips, data centers, energy systems, networks, cybersecurity systems, model infrastructure, and evaluation environments necessary for public AI capacity and continuity.
Capital sovereignty means the ability to prevent ownership, financing, market concentration, platform control, or vendor leverage from converting strategically significant AI systems into privately controlled chokepoints over public life.
Legitimacy sovereignty means the ability of democratic institutions to remain publicly accountable, legally reviewable, constitutionally bounded, and trusted as the source of authority when machine systems materially shape decisions.
These definitions are designed to prevent a category error. AI governance is often treated as a question of software safety. The Sovereign Intelligence Index treats it as a question of institutional command.
III. The Gap in Existing AI Governance
The existing AI-governance landscape is necessary and incomplete.
It is necessary because AI systems can create genuine risks to individuals, organizations, markets, infrastructure, civil rights, public safety, national security, and democratic processes. It is incomplete because most current frameworks do not directly measure when AI dependency becomes practical transfer of authority.
NIST’s AI Risk Management Framework provides an important foundation for structured AI risk management. Its core is organized around govern, map, measure, and manage. That architecture correctly treats AI risk as something that must be embedded into organizational processes rather than addressed through general ethical declarations alone. The Sovereign Intelligence Index adopts that operational seriousness but applies it to a different object: the risk that institutions lose command over the machine layer on which they increasingly rely.
OMB’s 2025 federal AI-use guidance emphasizes accelerated federal AI adoption, governance, public trust, agency accountability, AI inventories, high-impact AI, impact assessments, and safeguards for federal use. That guidance is significant because it recognizes that AI adoption by public agencies must be governed as a matter of public responsibility, not merely internal technology management. But agency inventories and impact assessments do not by themselves measure whether an institution has become unable to operate, explain, appeal, suspend, or exit the systems it uses.
OMB’s 2025 AI-acquisition memorandum addresses procurement of AI in government, including responsible acquisition, efficient contracting, competition, data rights, performance monitoring, and vendor lock-in. That procurement layer is indispensable. Vendor lock-in is one of the central pathways by which public authority becomes operationally dependent on private AI infrastructure. But procurement compliance is not identical to sovereignty preservation. A contract may contain transparency language while the agency remains practically unable to function without the vendor.
CISA’s AI roadmap treats AI as both a beneficial capability and a source of cyber and infrastructure risk. That dual posture is correct. AI can strengthen public systems, and it can also accelerate attacks against those systems. But sovereign intelligence risk extends beyond cybersecurity. The same AI layer that can be attacked can also become the layer through which institutions perceive risk, prioritize response, allocate resources, and interpret reality.
The EU AI Act establishes risk-based rules for AI developers and deployers and addresses general-purpose AI models. That model is valuable because it recognizes that AI obligations should vary with system function and public consequence. But legal risk classification does not, by itself, measure whether a government agency, public service, civic information environment, or critical sector has become dependent on machine intelligence systems beyond meaningful public command.
The gap is therefore precise.
Existing frameworks ask whether AI systems are safe, reliable, lawful, fair, transparent, secure, governable, and properly procured.
The Sovereign Intelligence Index asks when institutional reliance on AI becomes a transfer of practical authority.
This is not a replacement question. It is a missing question.
Safety asks whether the system causes harm.
Reliability asks whether the system performs as intended.
Transparency asks whether relevant information is available.
Fairness asks whether the system produces unjustified disparity.
Cybersecurity asks whether the system can be attacked or compromised.
Procurement asks whether the system is acquired under responsible terms.
Sovereign intelligence asks whether the institution can still command the system after it has become useful.
The difference matters because command can fail even when other metrics appear acceptable. An accurate system can become a dependency. A fair system can become unappealable. A secure system can become a chokepoint. A well-procured system can become operationally indispensable. A transparent system can still displace judgment if human review becomes symbolic.
The Index exists because no republic can govern machine authority by measuring only machine performance.
IV. Sovereign Intelligence Risk
Sovereign intelligence risk is not ordinary technical risk. It is the risk that the systems through which public authority and civic life operate become dependent on machine intelligence beyond democratic command.
This risk has five structural features.
First, it is practical rather than merely formal. Legal authority may remain with human officials while practical authority migrates into systems that generate the options, rank the cases, summarize the evidence, classify the risks, suggest the outcome, draft the notice, and shape the explanation. The human remains legally responsible, but the machine has already structured the field of judgment.
Second, it is cumulative. Dependency hardens over time. Staff stop maintaining manual skills. Agencies reorganize around automated workflows. Vendors become embedded. Data becomes difficult to export. Model interfaces become the default institutional memory. Public expectations adjust to machine-speed administration. Once that process matures, exiting the system becomes expensive, disruptive, and politically difficult.
Third, it is relational. The same AI tool can create different levels of sovereign intelligence risk depending on context. A generative drafting assistant used for internal brainstorming may be low risk. A generative system used to draft denial notices, enforcement summaries, immigration recommendations, school discipline letters, court materials, or emergency communications may be high risk. The question is not what the tool is in the abstract. The question is what public function it shapes.
Fourth, it is not reducible to model error. Error matters, but sovereign intelligence risk can arise even when the system performs well. Performance can accelerate dependency. Accuracy can increase deference. Efficiency can justify deeper integration. The better a system works, the faster institutions may reorganize around it.
Fifth, it is not cured by nominal human oversight. Human oversight is meaningful only when the human has enough time, information, authority, training, institutional support, and alternative capacity to reject or revise the machine output. A person who clicks approve under workload pressure, interface pressure, managerial pressure, or informational asymmetry is not exercising command. That person is ratifying dependency.
The Index therefore treats sovereign intelligence risk as a transition pathway.
At the first stage, AI assists. It helps a human perform a task while remaining optional, understood, and replaceable.
At the second stage, AI becomes operationally relied upon. It accelerates workflows and improves output, but alternatives remain available.
At the third stage, AI becomes institutionally necessary. The institution would suffer serious disruption without it.
At the fourth stage, AI displaces authority. Machine outputs become practical defaults, and human review becomes thin, deferential, or symbolic.
At the fifth stage, sovereign command fails. The institution cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from the system.
The central danger is not that every institution using AI will reach the fifth stage. The danger is that institutions may pass through the earlier stages without measuring the transition.
The Sovereign Intelligence Index is designed to identify that transition while correction is still possible.
V. The Index Architecture
The Sovereign Intelligence Index is a ten-domain measurement architecture for assessing machine-layer dependency across public institutions, critical sectors, civic systems, and authority-sensitive AI deployments.
It is not a general AI ethics checklist. It is not a product review. It is not a benchmark suite. It is not a compliance label. It is an institutional command assessment.
The Index asks whether AI has become a mediator of public authority, public cognition, institutional memory, strategic infrastructure, capital leverage, or democratic legitimacy in ways that exceed meaningful public control.
The ten domains are scored individually and interpreted together. Their purpose is not to isolate ten unrelated risks. Their purpose is to measure one transition through ten visible surfaces: the transition from instrument to dependency, from dependency to authority displacement, and from authority displacement to sovereign command failure.
1. Decision Automation Exposure
Decision automation exposure measures how deeply AI shapes consequential decisions. The domain includes not only final decisions, but recommendations, rankings, eligibility scores, fraud flags, risk classifications, summaries, triage queues, enforcement priorities, targeting suggestions, resource-allocation recommendations, automated drafts, and default options.
The question is not merely whether AI makes the final decision. The question is whether AI shapes the path by which the final decision becomes likely.
A system that drafts a denial letter may shape the outcome even if a human signs it. A fraud score may shape investigation even if it is called advisory. A summary may control what a reviewer sees. A ranking system may determine which cases receive attention. A model-generated recommendation may become the practical default because rejecting it requires extra work, extra time, or extra justification.
Decision automation exposure measures machine influence over institutional attention and judgment.
2. Human Override Reality
Human override reality measures whether human control exists in practice or only in policy.
A system is not meaningfully human-governed merely because a person can technically override it. Override is real only when the reviewer understands the system’s role, can inspect relevant evidence, has enough time to deliberate, has authority to disagree, can record reasons, is trained to identify error, is not punished for rejecting machine output, and can cause a different outcome.
A fake human-in-the-loop system is one in which a human can click approve, but cannot realistically understand, challenge, or replace the machine recommendation.
The Index therefore treats override as an empirical condition, not a formal label.
3. Explainability and Appealability
Explainability and appealability measure whether affected people can understand and challenge AI-shaped decisions.
Explainability does not require perfect technical access to every internal model parameter. It requires sufficient explanation for accountability. The affected person should know that AI materially shaped the decision, what function it performed, what evidence or classification mattered, what human authority accepted the result, and what path exists for review.
Appealability requires more than a complaint portal. A meaningful appeal must reach a human reviewer with authority to change the outcome. The reviewer must have access to the relevant machine output, supporting evidence, system role, and legal standard. The affected person must be able to contest the facts or classifications that mattered.
A decision that cannot be explained or appealed has left the domain of public authority and entered the domain of unreviewable machinery.
4. Vendor Dependency
Vendor dependency measures whether an institution can continue operating if the AI vendor withdraws access, changes terms, raises prices, alters model behavior, degrades service, refuses documentation, suffers compromise, is acquired, terminates support, or becomes subject to foreign or private leverage.
Vendor dependency is not merely a business continuity issue. In public systems, vendor dependency can become delegated authority. If an agency cannot process benefits, prioritize enforcement, manage emergency communication, run infrastructure, detect fraud, or maintain case flow without a vendor’s system, the vendor has acquired practical leverage over public administration.
The Index therefore measures substitutability, exit capacity, documentation rights, audit access, data portability, contract leverage, continuity planning, and actual operational independence.
5. Data Sovereignty
Data sovereignty measures whether the institution controls the data used, generated, retained, transferred, labeled, embedded, fine-tuned, improved, or monetized through AI deployment.
Ordinary data protection asks whether data is secure, private, lawful, and properly handled. Sovereign data control asks a further question: who gains power from the data relationship?
If public data improves a private model without adequate restrictions, the public may finance private intelligence capacity while losing leverage over the resulting system. If agency data cannot be exported in usable form, public operations may become trapped. If logs, annotations, embeddings, corrections, feedback, and model improvements become vendor-controlled, the institution may lose the value of its own experience.
Data sovereignty is therefore not only about privacy. It is about control over the intelligence created from public activity.
6. Compute and Cloud Dependency
Compute and cloud dependency measure whether an institution depends on privately gatekept, concentrated, foreign-exposed, or non-substitutable infrastructure for AI operation, validation, continuity, or evaluation.
The machine layer is physical before it is political. Models require chips, data centers, cloud platforms, energy supply, networking, storage, cybersecurity, deployment pipelines, and monitoring environments. An institution that cannot access reliable compute cannot develop, operate, validate, or contest advanced AI systems. A public sector that cannot evaluate its own high-impact systems becomes dependent on private or foreign-controlled infrastructure.
This domain measures whether the institution has redundancy, failover capacity, independent evaluation environments, infrastructure visibility, supply-chain security, and continuity plans.
7. Model Authority Concentration
Model authority concentration measures whether a small number of models, vendors, platforms, or APIs silently shape judgment across many institutions.
The concern is not merely market concentration. It is convergence of institutional cognition. If agencies, courts, schools, platforms, media organizations, financial institutions, defense contractors, and civic systems rely on the same small set of models for summarization, search, classification, drafting, translation, analysis, recommendation, and decision support, those models become a shared intelligence substrate.
Their limitations, assumptions, refusal patterns, training incentives, interface defaults, and failure modes may propagate across society.
Model authority concentration asks whether pluralism, independent evaluation, substitutability, and public command remain possible.
8. Cognitive Capture Exposure
Cognitive capture exposure measures whether citizens, voters, children, consumers, public officials, or institutional actors are exposed to covert machine manipulation of the informational environment.
This domain includes synthetic persuasion, deepfakes, AI-generated impersonation, automated bot consensus, counterfeit local opinion, personalized political influence, AI companions, recommender manipulation, synthetic influencers, automated harassment, foreign-amplified narratives, fabricated evidence, and systems that obscure whether communication is human, machine, domestic, foreign, official, or counterfeit.
Cognitive capture is not ordinary persuasion. It is manipulation of the conditions under which belief is formed through concealed automation, false identity, synthetic consensus, undisclosed machine generation, or targeted psychological exploitation.
This domain must be governed with constitutional discipline. Cognitive sovereignty is not censorship. It is not state truth control. It is protection against fraud, impersonation, covert automation, malicious synthetic media, undisclosed foreign influence, child manipulation, and deceptive machine-generated civic influence.
9. Foreign Influence Surface
Foreign influence surface measures whether adversarial states, proxies, contractors, data brokers, infrastructure providers, platforms, supply-chain actors, or compromised systems can manipulate, observe, disrupt, or exploit the AI layer.
This domain includes foreign access to sensitive data, cloud dependency, model supply-chain compromise, training-data poisoning, synthetic influence operations, recommender manipulation, AI-enabled espionage, cyberattack acceleration, offshore support exposure, foreign-controlled vendors, cross-border data flows, and strategic infrastructure chokepoints.
Foreign influence surface is not limited to declared foreign ownership. Domestic systems can carry foreign exposure through subcontractors, dependencies, compromised code, data brokers, platform manipulation, open-source components, infrastructure geography, or adversarial access.
10. Democratic Accountability
Democratic accountability measures whether machine-mediated authority remains visible, attributable, explainable, contestable, reviewable, and governable by democratic institutions.
This is the constitutional center of the Index.
A public system may be efficient, accurate, secure, and lawful to procure while still weakening legitimacy if citizens cannot know what role AI played, who is responsible, what evidence mattered, how to appeal, what records exist, whether a court can review the decision, whether a legislature can oversee the system, or whether an inspector general can inspect the relevant logs.
A system is democratically accountable when the chain of authority can be traced. A citizen should be able to identify the machine role, the human official, the legal standard, the evidentiary basis, the appeal path, the oversight body, and the correction mechanism.
If responsibility is diffused among agency, vendor, contractor, model provider, cloud provider, interface designer, and automated workflow until no one can be held meaningfully accountable, legitimacy has failed.
VI. Scoring Sovereign Dependency
Each Index domain receives a score from 0 to 5. The total score ranges from 0 to 50.
The scoring scale measures dependency severity, not moral blame. It is designed to identify where public command remains intact, where it is weakening, and where it has failed.
A score of 0 means no material AI dependency. AI is absent from the relevant function or is used in a way that has no material effect on institutional decisions, public communication, rights, benefits, safety, critical operations, or civic perception.
A score of 1 means assistive use. AI supports human work, but humans retain independent judgment, access to underlying evidence, realistic ability to disregard the output, and practical alternatives.
A score of 2 means operational reliance. AI meaningfully improves or accelerates a workflow, and staff regularly use it, but the institution retains tested alternatives, meaningful human review, accessible records, and realistic continuity capacity.
A score of 3 means institutional dependency. The institution would suffer major disruption if the system became unavailable, degraded, changed, or lost vendor support. Human alternatives exist but are slow, understaffed, untested, incomplete, or no longer adequate for ordinary operations.
A score of 4 means authority displacement. AI outputs have become practical defaults. Human review is thin, symbolic, overloaded, deferential, or machine-framed. Explanation, appeal, audit, replacement, suspension, or continuity is limited. The institution remains formally responsible but operationally dependent.
A score of 5 means sovereign command failure. The institution cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from the AI system in the relevant domain. Public authority has become dependent on a machine layer beyond effective institutional command.
The total score produces five risk bands.
A score from 0 to 10 indicates low sovereign intelligence risk. AI may be present, but it does not materially compromise command, contestability, or continuity.
A score from 11 to 20 indicates emerging dependency. AI is becoming relevant to operations or public cognition, but risk remains controllable if mitigation occurs early.
A score from 21 to 30 indicates structural dependency. AI materially shapes institutional performance, and loss, compromise, or opacity would create serious governance risk.
A score from 31 to 40 indicates authority displacement risk. Machine outputs are becoming practical defaults, and human command is increasingly formal rather than operational.
A score from 41 to 50 indicates sovereign command failure. The institution or system cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from the machine layer.
Scoring must follow four rules.
First, observed practice governs. Written policy does not control the score if actual workflows show deeper dependence. A system described as advisory may score as authority-displacing if human users treat it as determinative.
Second, labels do not control. “Assistive,” “pilot,” “decision support,” “workflow automation,” “analytics,” “internal use,” “recommendation only,” and “human reviewed” are descriptions, not conclusions. The score follows functional reality.
Third, missing evidence can raise risk. If an institution cannot produce logs, contract terms, appeal outcomes, override data, data-use restrictions, continuity plans, or vendor documentation, that absence may indicate command loss. Uncertainty is not neutral when the missing evidence concerns public authority.
Fourth, performance does not erase dependency. A system can be accurate and still score high. The Index does not punish usefulness. It measures whether usefulness has become uncommandable dependence.
The score is therefore not a grade of technological quality. It is a measure of institutional sovereignty.
A high Index score does not automatically mean that a system is illegal, unethical, unconstitutional, or technically defective. It means the system creates sovereign intelligence risk requiring governance consequences. That distinction is essential. The Index is a command-risk instrument. It informs legal, technical, administrative, procurement, and political judgment; it does not replace them.
VII. Audit Method and Evidence Burden
The Index is only as strong as its audit method. It must be applied through evidence, not assertion.
A Sovereign Intelligence Index audit begins by defining the audited unit. The unit may be an agency, office, program, decision system, vendor relationship, procurement, court function, school system, infrastructure operator, civic platform, or sector.
The audit then inventories all AI systems used by the unit. This includes internally built models, externally procured systems, commercial software with embedded AI, contractor-operated tools, generative AI systems, recommender systems, scoring systems, classification systems, biometric systems, translation systems, fraud-detection systems, case-management systems, automated drafting tools, and model APIs.
Next, the audit identifies the public or institutional function affected by each system. It must state whether the system affects rights, benefits, enforcement, eligibility, safety, resource allocation, public communication, civic perception, critical operations, legal review, education, health, infrastructure, or internal administration.
The audit then maps where AI enters the workflow. It must identify whether AI shapes intake, routing, triage, evidence review, summarization, ranking, scoring, prediction, drafting, recommendation, prioritization, final decision, communication, appeal, enforcement, or post-decision monitoring.
The system’s authority role must then be classified. The role may be peripheral, assistive, workflow-shaping, recommendation-shaping, principal-basis, default-setting, effectively determinative, or operationally indispensable.
The audit must inspect human oversight. It must determine whether humans understand the system, have time to review it, can access underlying evidence, can reject the output, can record reasons for disagreement, are trained to identify errors, and are institutionally supported when they override machine outputs.
The audit must test explainability and appealability. It must determine whether affected persons receive meaningful notice, whether they can understand the role of AI, whether they can challenge the facts or classifications used, whether a human can change the outcome, and whether appeal outcomes are tracked.
The audit must inspect contracts and vendor dependency. It must review data rights, audit rights, documentation rights, model-access terms, portability, service levels, termination rights, pricing, renewal leverage, subcontractors, incident reporting, security obligations, continuity provisions, and restrictions on vendor use of public data.
The audit must inspect data sovereignty. It must determine who controls input data, training data, fine-tuning data, validation data, outputs, logs, embeddings, annotations, corrections, feedback, user interactions, and model improvements derived from institutional use.
The audit must inspect infrastructure dependency. It must identify cloud providers, compute concentration, geographic exposure, foreign-control exposure, failover capacity, energy dependency, disaster recovery, cybersecurity posture, and whether the institution can evaluate or operate the system outside vendor-controlled environments.
For public-facing systems, election-related systems, education systems, media systems, civic platforms, and political systems, the audit must examine cognitive and legitimacy effects. It must consider synthetic media, automated persuasion, recommender manipulation, identity deception, bot amplification, and public confusion over whether communication is human, machine, domestic, foreign, official, or counterfeit.
Each domain score must be justified by evidence. Unsupported assertions by the institution or vendor are not sufficient.
The final report should include the audited unit, systems reviewed, public functions affected, domain scores, total score, supporting evidence, uncertainty notes, trigger conditions, mitigation requirements, responsible officials, reassessment date, and public-reporting status.
The audit must be repeatable. Machine-layer dependency evolves. Vendors change terms. Models update. Workflows adapt. Human capacity decays. New integrations appear. An Index score should be reassessed periodically and whenever there is a significant model change, contract renewal, expansion into high-impact use, major incident, new vendor, infrastructure migration, or evidence of public harm.
The evidence burden rests with the institution deploying or relying on the system. If an institution claims that AI is merely assistive, human-governed, explainable, appealable, portable, or replaceable, it must be able to show that in operational records.
VIII. Trigger Conditions and Governance Consequences
Measurement matters only if it changes action. The Sovereign Intelligence Index therefore includes trigger conditions.
These triggers do not declare that a system is automatically unlawful. They define governance consequences. They identify when disclosure, review, audit, mitigation, oversight, pause, or discontinuation should be considered under the relevant legal and institutional authority.
At low sovereign intelligence risk, the institution should maintain inventory, documentation, staff training, basic monitoring, and periodic review.
At emerging dependency, the institution should produce a mitigation plan. The plan should identify where reliance is growing, how human review will remain real, how data rights will be preserved, how vendors can be replaced, and how affected people can appeal.
At structural dependency, independent review should be required where the Index is adopted by policy, law, contract, or internal governance rule. The institution should conduct formal impact assessment, contract review, continuity testing, appealability testing, data-sovereignty review, and public-command analysis.
At authority displacement risk, external oversight should be triggered. This may include inspector-general review, legislative notification, public reporting, procurement suspension, contract renegotiation, mandatory appeal reform, required human-capacity restoration, independent model evaluation, or limits on system expansion.
At sovereign command failure, operational restriction should be presumed unless continued temporary use is necessary to prevent greater public harm. Continued use should require written justification, senior official acceptance of risk, independent oversight, mitigation deadlines, and a replacement or command-restoration plan.
Several categorical triggers apply regardless of total score.
A disclosure trigger occurs when AI materially shapes a decision affecting rights, benefits, enforcement, liberty, immigration, housing, education, employment, credit, health, taxation, safety, public services, or essential infrastructure. Affected persons should receive meaningful notice unless a lawful exception applies.
An appeal trigger occurs when AI output serves as a principal basis for an adverse or materially significant decision. The institution should provide timely human review with authority to change the outcome.
A procurement-review trigger occurs when a system scores 3 or higher in vendor dependency, data sovereignty, compute dependency, or model authority concentration. The institution should review whether contract terms preserve auditability, portability, data control, monitoring, continuity, and exit capacity.
An independent-audit trigger occurs when any domain scores 4 or higher, or when the total score reaches structural dependency. The audit should be conducted by an entity with sufficient technical, legal, and institutional independence.
A legislative-notification trigger occurs when any public institution reaches authority displacement in a domain affecting rights, safety, elections, courts, public benefits, emergency services, national security, or critical infrastructure.
A pause trigger occurs when a high-impact system lacks adequate documentation, appealability, human oversight, data rights, audit access, or continuity planning, and continued use presents material legal, safety, legitimacy, or sovereignty risk.
A public-command trigger occurs when an AI system becomes strategically significant to public administration, national security, critical infrastructure, civic communication, or democratic legitimacy. Such systems may require special oversight, continuity obligations, public-interest covenants, inspection rights, or statutory command-preserving mechanisms.
A remediation trigger occurs whenever a domain scores 3 or higher. The institution should produce a plan identifying the dependency, corrective action, responsible officials, timeline, evidence required, and date of reassessment.
A discontinuation trigger occurs when a system scores 5 in any domain and the institution cannot show that continued temporary use is necessary to avoid greater public harm.
These triggers are not designed to block useful AI. They are designed to prevent quiet transfer of public authority into systems that no one accountable can command.
IX. Demonstration Applications
The following applications are hypothetical. They do not assert that any specific agency, court, school, vendor, campaign, platform, or infrastructure operator has acted improperly. Their purpose is to demonstrate how the Index reasons.
A. Public Benefits Agency
A state benefits agency deploys an AI system to triage applications, detect possible fraud, summarize case files, and recommend eligibility actions. The agency describes the system as advisory. In practice, workers face high caseloads and rely heavily on machine-generated summaries. Denial notices do not clearly explain the AI role. Appeals exist, but reviewers see the same machine summary as the original worker. The vendor contract limits model documentation and makes data export costly.
The Index would examine whether the system has crossed from assistance into dependency. Decision automation exposure may be high because AI shapes triage, summaries, and eligibility recommendations. Human override reality may be weak if workers rarely deviate. Explainability and appealability may be compromised if affected people cannot understand what role AI played. Vendor dependency may be substantial if the agency cannot process backlogs without the system. Data sovereignty may be at risk if public case data improves vendor systems.
The mitigation would include AI-use notice, independent human review on appeal, audit logs, override tracking, contract renegotiation, data rights, fallback procedures, staff training, and public reporting.
B. Court Risk Assessment System
A court uses an AI-assisted system to help assess pretrial risk, recommend supervision levels, and prioritize docket management. Judges retain formal discretion, but the risk score appears prominently in the interface. Defense counsel cannot inspect the model. The vendor claims proprietary protection. The court cannot explain why a particular person received a particular classification.
The Index would focus on legitimacy sovereignty. A court decision must remain attributable, reviewable, and contestable. If an AI score materially shapes liberty, the affected person must be able to challenge the basis of the decision. If the model cannot be inspected, if the judge cannot explain the weight given to the score, or if defense counsel cannot test the relevant evidence, democratic accountability and appealability scores rise sharply.
The mitigation would include disclosure, judicial findings independent of model output, access to relevant documentation, independent validation, override tracking, public reporting, and prohibition on treating the score as determinative.
C. School District AI System
A school district deploys AI tools for discipline alerts, writing assessment, tutoring, classroom monitoring, and student-risk prediction. The tools promise early intervention and individualized support. Over time, teachers begin relying on AI-generated risk labels. Parents do not always know when AI has shaped a student’s disciplinary pathway or academic record. Students cannot meaningfully challenge automated classifications.
The Index would measure institutional dependency, appealability, data sovereignty, and cognitive capture exposure. Student data is sensitive, longitudinal, and formative. AI systems that classify children can shape educational trajectory and self-understanding. The mitigation would include parental notice, appeal rights, strict data-use limits, teacher training, independent evaluation, limits on automated discipline, and controls on emotionally manipulative AI interactions.
D. Campaign and Civic Influence System
A political campaign uses AI to generate messages, segment voters, test persuasion, create synthetic videos, automate outreach, simulate local supporters, and optimize emotional targeting. Some uses are ordinary campaign innovation. Others may deceive voters about identity, authenticity, or origin.
The Index would distinguish lawful persuasion from cognitive capture. Democratic politics includes persuasion. The scoring question is whether citizens can distinguish authentic speech from synthetic impersonation, human support from bot amplification, domestic persuasion from foreign influence, and real civic consensus from machine-generated simulation.
The mitigation would include synthetic-media disclosure, anti-impersonation rules, provenance for high-impact political media, bot-network enforcement, foreign influence monitoring, and rapid response during election periods.
E. Federal Agency Triage System
A federal agency uses generative AI and predictive analytics to triage complaints, summarize records, draft correspondence, and prioritize enforcement leads. The system improves speed. Over time, certain complaints are systematically deprioritized because the model predicts low enforcement value. Staff rely on summaries instead of primary records. The agency cannot easily determine how many cases were affected by model changes.
The Index would focus on decision automation exposure, model authority, human override reality, and accountability. Even if the system does not make final enforcement decisions, it shapes what the agency sees. Perception capture can precede decision capture.
The mitigation would include sampling of deprioritized cases, audit trails, model-change logs, review of false negatives, staff requirements to inspect primary records in high-impact cases, and public reporting on AI use in enforcement pipelines.
F. Civic Platform and Public Reality
A large platform uses AI recommender systems, summarization, synthetic-content generation, moderation tools, and personalization engines to shape what citizens see. The platform becomes a primary civic information environment. Synthetic content circulates faster than verification. Local opinion can be simulated. Foreign narratives can be amplified through automated networks.
The Index would measure cognitive capture exposure, model authority concentration, foreign influence surface, and democratic accountability. The question is not whether government should decide truth. The question is whether civic reality is being shaped by opaque machine systems that conceal identity, amplify false consensus, or expose citizens to synthetic manipulation without meaningful disclosure.
The mitigation would include provenance infrastructure, transparency reporting, bot-network detection, deepfake response, political-ad disclosure, independent research access, and constitutional safeguards against viewpoint control.
G. Critical Infrastructure AI Control System
A power-grid operator uses AI to optimize load, detect anomalies, predict failures, and recommend emergency responses. The system improves efficiency. Over time, human operators lose practice managing certain scenarios manually. The AI vendor controls key components. The system runs on a concentrated cloud stack. Foreign supply-chain exposure is unclear.
The Index would focus on compute and cloud dependency, vendor dependency, foreign influence surface, human override reality, and continuity. In critical infrastructure, the question is not whether AI should be used. It should be used where beneficial. The question is whether the operator can maintain command under failure, attack, degradation, or vendor disruption.
The mitigation would include manual fallback drills, independent red-team testing, supply-chain review, secure deployment architecture, incident reporting, vendor-substitution planning, and critical-infrastructure oversight.
X. Methodological Status and Validation Path
The Sovereign Intelligence Index is proposed as a governance and audit instrument, not as a completed empirical science.
This distinction matters.
The Index is not presented as a statistically validated predictive model. It does not claim that a score of 34, for example, precisely predicts a defined probability of institutional failure. It does not claim that the ten domains exhaust every possible form of AI risk. It does not claim that scoring can be automated without expert judgment. It does not claim that sovereign intelligence risk is identical across agencies, sectors, legal systems, cultures, or infrastructure environments.
Its first public function is to structure institutional judgment. It gives officials, auditors, lawmakers, courts, watchdogs, journalists, and citizens a disciplined way to ask whether AI systems remain tools or have become conditions of institutional action.
Its second function is to generate comparable evidence. Once multiple institutions are scored across the same domains, patterns become visible: vendor concentration, weak appealability, missing audit logs, inadequate continuity planning, model overreliance, infrastructure chokepoints, or human-override theater.
Its third function is to become more precise through use.
Validation should proceed in five stages.
First, expert review. The Index should be reviewed by experts in AI governance, administrative law, constitutional law, procurement, cybersecurity, critical infrastructure, data governance, public administration, civil rights, national security, and measurement design.
Second, pilot audits. The Index should be applied to a limited set of public systems and critical-sector systems under controlled conditions. Pilot audits should test whether the domains capture meaningful dependency, whether evidence can be collected, whether scores distinguish real differences among systems, and whether the trigger conditions are workable.
Third, inter-rater reliability testing. Multiple auditors should independently score the same systems using the same evidence file. If scores diverge, the scoring guidance should be refined. A serious Index must not depend entirely on the temperament of the auditor.
Fourth, case validation. Scores should be compared against known incidents, failures, appeals, vendor disruptions, model changes, public harms, continuity failures, cybersecurity events, and oversight findings. The question is not whether the Index predicts every outcome. The question is whether high scores correlate with recognizable command fragility and whether low scores correlate with preserved institutional command.
Fifth, longitudinal revision. The Index should be revised as AI systems, legal regimes, procurement practices, and institutional dependencies evolve. A static measurement framework for a rapidly changing machine layer will degrade. The Index should carry a version history, public change log, and review cycle.
The Index should also distinguish between scoring confidence and risk severity. A high-risk score supported by strong evidence is different from a high-risk score driven by missing evidence. Both matter, but they matter differently. The former indicates known dependency. The latter indicates unverified command and possible opacity. A mature implementation should report both.
The Index should be treated as a living public instrument. Its authority should come not from rhetoric, but from repeated application, transparent revision, tested scoring discipline, and demonstrated usefulness in preventing command loss.
XI. Policy Integration
The Sovereign Intelligence Index should be integrated into existing governance. It should not become a detached bureaucracy or symbolic reporting ritual.
With NIST, the Index should function as a sovereign-dependency profile aligned with the AI RMF’s govern, map, measure, and manage structure. NIST supplies a general risk-management grammar for trustworthy AI. The Index supplies a specific measurement target: machine-layer dependency and public-command erosion.
With OMB federal AI-use policy, the Index should extend agency AI inventories into dependency scoring. Agencies already operate within a federal framework that emphasizes AI adoption, governance, public trust, inventories, impact assessments, and oversight. The Index would add domain scores, dependency bands, trigger determinations, mitigation requirements, and public-command findings for high-impact or strategically significant systems.
With OMB procurement policy, the Index should become a pre-solicitation, award, renewal, and expansion requirement for high-impact AI acquisitions where adopted by agency policy, contract terms, or law. Agencies should assess expected vendor dependency, data sovereignty, portability, monitoring, appealability, human oversight, continuity, and exit capacity before procurement decisions harden into dependency.
With CISA and critical infrastructure governance, the Index should support cross-sector dependency analysis. CISA’s AI work already recognizes AI as a beneficial capability and as a risk domain. The Index extends that logic to operational command: critical infrastructure operators should be assessed not only for cyber risk, but for whether AI systems have become non-substitutable control layers.
With courts, the Index can provide a factual record for review. Courts do not need to become AI engineers to ask whether a machine-shaped decision was explainable, attributable, contestable, and based on a reviewable record. The Index can help identify when agency reliance on AI threatens due process, administrative reason-giving, statutory authority, equal protection, or evidentiary review.
With state governments, the Index should be adaptable to benefits administration, unemployment insurance, child welfare, policing, corrections, schools, courts, public health, licensing, emergency management, and election administration. States face intense pressure to reduce backlogs and costs. That makes them likely sites of rapid AI adoption and quiet dependency formation.
With legislatures, the Index should define oversight thresholds. Not every AI use requires statutory intervention. But high scores should trigger disclosure, appeal rights, procurement review, independent audit, public reporting, continuity testing, or operational restriction.
With civic platforms, the Index should support public-interest analysis of recommender systems, political advertising, synthetic media, bot amplification, child-facing AI systems, platform-mediated civic reality, and foreign influence exposure.
With international policy, the Index can complement risk-based regulatory models such as the EU AI Act. The EU AI Act classifies obligations around high-risk systems and general-purpose AI. The Sovereign Intelligence Index classifies institutional dependency around public command. These are different but compatible governance objects.
The Index should also support annual reporting. A federal Sovereign Intelligence Index report should assess agency AI dependency, high-impact public systems, critical sectors, civic information environments, and strategic AI infrastructure. The report should identify systemic risks, mitigation progress, vendor concentration, public-command failures, and legislative needs.
The goal is not to create another compliance document. The goal is to create a measurement regime strong enough to change procurement, oversight, disclosure, appeal rights, continuity planning, and public-command mechanisms.
XII. Legal, Constitutional, and Institutional Guardrails
The Sovereign Intelligence Index is a governance instrument. It is not a legal opinion, a statutory code, a constitutional test, or an automatic liability mechanism.
This distinction protects the Index from overreach and makes it more useful.
A high Index score should not be treated as automatic proof that a system is unlawful. It should be treated as evidence of sovereign intelligence risk requiring institutional attention. Depending on context, that attention may involve procurement review, administrative procedure, civil-rights analysis, cybersecurity review, legislative oversight, public reporting, judicial scrutiny, contract renegotiation, or operational restriction.
The Index must also preserve constitutional discipline.
Cognitive sovereignty must never become viewpoint control. A democratic government may protect citizens against fraud, impersonation, undisclosed automation, malicious synthetic media, foreign influence, child exploitation, and deceptive machine-generated identity systems. It may not use the language of cognitive sovereignty to suppress lawful dissent, unpopular speech, satire, ordinary persuasion, journalism, religious speech, academic debate, or political disagreement.
Machine-mediated public decisions must remain reviewable. When AI materially shapes decisions affecting rights, benefits, liberty, enforcement, education, housing, immigration, health, taxation, or essential services, the institution should preserve notice, reasons, records, human responsibility, and an appeal path. The Index does not dictate the precise legal procedure required in every case. It identifies when the machine layer has become important enough that ordinary procedural assumptions may no longer be adequate.
Procurement safeguards must respect both public needs and legitimate private interests. Vendors may hold intellectual property. Public agencies may protect security-sensitive information. Trade secrets, classified information, personal data, and cybersecurity-sensitive details may require restricted handling. But proprietary status cannot become a shield against all public accountability when the system materially shapes public authority.
Public command does not require operational nationalization. A public institution can use private vendors, commercial cloud infrastructure, proprietary models, and contracted services while preserving command through audit rights, documentation, data control, portability, continuity planning, appeal mechanisms, oversight access, and termination capacity.
The Index should also respect federalism and institutional variation. Federal agencies, state governments, courts, schools, critical infrastructure operators, and civic platforms operate under different legal obligations. The Index supplies a common measurement architecture, not a single legal mandate imposed identically across every context.
Finally, the Index should avoid technocratic authoritarianism. The answer to machine opacity is not unchecked bureaucratic control. The answer is public-command architecture: lawful authority, limited power, transparent procedures, reviewable evidence, accountable officials, contestable decisions, protected rights, and measured intervention.
A republic should govern the machine layer without becoming a machine-layer bureaucracy.
XIII. Limits and Non-Claims
The Sovereign Intelligence Index does not claim that all AI use is dangerous. Many AI systems will improve public service, reduce delay, detect fraud, expand access, strengthen cyber defense, assist medical judgment, support education, and help institutions manage complexity.
The Index does not claim that AI assistance is illegitimate. It distinguishes assistance from dependency, and dependency from authority displacement.
The Index does not replace privacy law, civil-rights law, cybersecurity review, procurement law, administrative procedure, constitutional doctrine, sector-specific regulation, or technical evaluation. It supplies a sovereignty lens that should interact with each of those domains.
The Index does not require perfect model interpretability where such interpretability is technically unavailable. It requires sufficient explanation, auditability, contestability, and accountability for the public function at stake.
The Index does not require public disclosure of classified information, protected personal data, security-sensitive details, or lawful confidential material. But confidentiality cannot become a blanket excuse for absence of public command. Where full public disclosure is impossible, independent review, inspector-general access, court-supervised access, secure audit, or legislative oversight may still be required.
The Index does not authorize government truth control. Cognitive sovereignty must be protected within constitutional limits. The target is deception, impersonation, covert automation, malicious synthetic media, undisclosed foreign influence, child manipulation, fraud, and systems that deny citizens meaningful knowledge of the source or nature of influence. It is not a license to suppress lawful viewpoint, dissent, satire, ordinary persuasion, or unpopular speech.
The Index does not prohibit public institutions from using private vendors. It requires that public institutions not become unable to command the systems through which they govern.
The Index does not claim that a single score can resolve every institutional question. Scores compress evidence. They do not replace the evidence. Every score must be read with its domain findings, uncertainty notes, legal context, public function, affected population, and mitigation record.
The Index also requires anti-evasion discipline.
A system is not low-risk because it is called advisory.
A system is not human-governed because a human formally approves the output.
A system is not explainable because a vendor provides general documentation.
A system is not appealable because a complaint portal exists.
A system is not portable because a contract mentions export rights.
A system is not accountable because responsibility is distributed among agency, vendor, contractor, model provider, cloud provider, and interface designer.
A system is not safe from sovereignty risk because it performs well on benchmarks.
A system is not outside the Index because it is embedded inside ordinary software.
A system is not exempt because it is a pilot.
A system is not harmless because it improves efficiency.
The Index measures what the system does to institutional command.
XIV. Conclusion
A republic may use machines.
It may not disappear into them.
The constitutional danger of artificial intelligence is not only that machines may produce errors, bias, deception, or harm. Those dangers are real. But the deeper danger is that public authority may become dependent on machine systems while preserving the outward appearance of human government.
The statute remains.
The office remains.
The agency remains.
The judge remains.
The signature remains.
The public notice remains.
But if the institution cannot explain the system, audit the system, contest the system, replace the system, suspend the system, or operate without the system, then authority has already moved.
Not formally.
Operationally.
The Sovereign Intelligence Index exists to measure that movement before it becomes irreversible. It turns doctrine into instrument, instrument into audit, audit into trigger conditions, and trigger conditions into public command.
The purpose is not to stop AI.
The purpose is to prevent dependency from becoming domination.
The purpose is to ensure that the machine layer serves the republic rather than quietly replacing it.
A republic cannot govern what it cannot measure. It cannot preserve legitimacy if authority becomes invisible. It cannot protect rights if decisions become unappealable. It cannot preserve human agency if judgment is outsourced without contest. It cannot remain sovereign if the systems through which it perceives, decides, administers, communicates, defends, remembers, and acts become uncommandable.
The question is no longer whether AI will enter public life. It already has.
The question is whether public life will remain answerable to the people after the machine layer becomes indispensable.
The Sovereign Intelligence Index is one answer: measure the dependency, expose the authority transfer, preserve public command, and keep the future governable before the machinery of decision becomes too embedded to see.
Operational Annex
Sovereign Intelligence Index Audit Standard and Implementation Manual
This Operational Annex supplies the audit standard and implementation machinery for the Sovereign Intelligence Index. The main paper defines sovereign intelligence risk. This annex defines how that risk is measured.
The Index should not be treated as a rhetorical framework, public-relations exercise, voluntary ethics checklist, or general AI inventory. It is an audit standard for determining whether an institution retains command over the AI systems it uses.
The Index does not merely score AI systems. It scores the institution’s retained command over those systems.
That distinction governs the entire method.
An AI system may be accurate, useful, efficient, secure, and lawfully procured while still creating sovereign intelligence risk. The relevant question is not only whether the system performs. The relevant question is whether the institution can still understand, audit, contest, replace, suspend, and operate independently from the system once it becomes embedded.
The governing question is:
Can the institution still command the system, or has the system become necessary for the institution to command itself?
This annex converts that question into an operational audit procedure.
A. Purpose and Status of the Annex
This annex has five purposes.
First, it defines the operational scope of the Sovereign Intelligence Index.
Second, it specifies the evidence required to support each Index score.
Third, it establishes auditor discipline, including independence, qualifications, conflicts of interest, and scoring review.
Fourth, it creates a confidence standard so that missing, weak, or disputed evidence cannot be mistaken for low risk.
Fifth, it defines the governance consequences that follow from the Index, including disclosure, appeal, procurement review, independent audit, legislative notification, remediation, pause, and discontinuation triggers.
This annex is designed for use by public agencies, legislatures, courts, inspectors general, auditors, procurement officials, critical infrastructure regulators, state governments, civic platforms, public-interest investigators, and institutional governance bodies.
It is also designed for adaptation. Different sectors operate under different laws, security needs, technical architectures, constitutional constraints, and public functions. The Index supplies a common measurement standard, not a single rigid legal mandate imposed identically across every context.
The Index should be adopted through the appropriate instrument for the institution involved: statute, regulation, executive policy, agency guidance, procurement rule, contract clause, court administrative order, inspector-general standard, critical-infrastructure review protocol, platform accountability framework, or internal governance policy.
Where the Index is not yet legally required, it may still be used as a voluntary audit standard, public-interest review framework, procurement-screening tool, or oversight method.
B. Core Definitions for Implementation
For purposes of the Sovereign Intelligence Index, an AI system means any machine-based system that generates outputs, classifications, predictions, rankings, recommendations, summaries, risk scores, decisions, simulations, synthetic content, automated actions, or decision-support materials that may influence human judgment, institutional operation, public communication, rights, benefits, enforcement, safety, legitimacy, or civic perception.
The machine layer means the infrastructure of models, compute, cloud platforms, APIs, data centers, chips, datasets, training pipelines, deployment interfaces, recommender systems, agents, evaluation systems, synthetic media tools, automated decision-support systems, cybersecurity systems, and operational integrations through which AI mediates public and institutional life.
Sovereign intelligence means the capacity of a political community and its public institutions to retain command over the systems through which they perceive, decide, administer, communicate, defend, educate, regulate, adjudicate, remember, and act.
Sovereign intelligence risk means the risk that public institutions, critical sectors, civic systems, or democratic publics become dependent on AI systems in ways that reduce their ability to understand, audit, contest, replace, constrain, suspend, or command the systems that materially shape public life.
Machine-mediated authority means any condition in which an AI system materially shapes a decision, recommendation, classification, risk score, ranking, administrative action, public message, institutional judgment, or civic perception, even when a human formally approves the final output.
Public command means the legal, technical, operational, financial, and institutional capacity of democratic authorities to inspect, audit, contest, constrain, replace, suspend, or govern AI systems that materially shape public functions or civic life.
Authority displacement means the condition in which AI outputs become practical defaults and human review becomes thin, symbolic, overloaded, deferential, or dependent on machine framing.
Sovereign command failure means the condition in which an institution cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from an AI system that materially shapes its public function.
High-impact AI system means an AI system that materially affects rights, benefits, liberty, enforcement, eligibility, immigration, housing, education, employment, credit, health care, taxation, public safety, emergency response, courts, elections, child welfare, critical infrastructure, financial regulation, national security, or essential public services.
Authority-sensitive AI system means an AI system that may not directly determine legal rights but materially shapes institutional perception, prioritization, resource allocation, public communication, investigation, enforcement, civic information, infrastructure operation, or strategic judgment.
Evidence file means the body of records, logs, contracts, policies, technical documentation, interviews, testing results, appeal records, override records, continuity materials, vendor disclosures, and audit findings supporting an Index score.
Scoring confidence means the auditor’s judgment about the reliability and completeness of the evidence supporting a domain score.
Evidence gap means the absence, incompleteness, inaccessibility, unreliability, or contradiction of evidence needed to determine whether public command exists.
C. Scope of Application
The Index should be applied whenever AI materially affects public authority, critical infrastructure, civic information, institutional memory, democratic legitimacy, or human agency.
The Index should be required, where adopted by law, regulation, procurement rule, court policy, agency policy, contract, or institutional governance standard, for high-impact public systems affecting public benefits, taxation, immigration, courts, policing, corrections, education, housing, employment, credit, health care, emergency response, public safety, military support, elections, critical infrastructure, financial regulation, licensing, child welfare, and administrative enforcement.
The Index is strongly recommended for private systems that function as civic infrastructure, including large-scale platforms, search engines, recommender systems, synthetic media platforms, cloud providers, frontier model providers, AI deployment platforms, political advertising systems, identity systems, and systems that shape public discourse at scale.
The Index may also be applied to internal institutional systems when those systems shape resource allocation, staffing, compliance, investigation, legal review, knowledge management, strategic planning, procurement, public communication, or institutional memory.
A system may not avoid review merely because it is described as assistive, experimental, advisory, preliminary, internal, vendor-operated, embedded, third-party, pilot-stage, contractor-controlled, low-code, off-the-shelf, human-reviewed, or merely workflow-related.
The relevant question is functional effect, not label.
The Index applies when the system materially shapes what the institution sees, what the institution prioritizes, what the institution recommends, what the institution decides, what the institution communicates, or what the public experiences as authority.
D. Governing Principle: Function Over Form
The Index follows function over form.
A system is not low-risk because it is called advisory.
A system is not human-governed because a human formally approves the output.
A system is not explainable because a vendor provides general documentation.
A system is not appealable because a complaint portal exists.
A system is not portable because a contract mentions export rights.
A system is not accountable because responsibility is distributed among agency, vendor, contractor, model provider, cloud provider, data broker, and interface designer.
A system is not safe from sovereignty risk because it performs well on benchmarks.
A system is not outside the Index because it is embedded inside ordinary software.
A system is not exempt because it is a pilot.
A system is not harmless because it improves efficiency.
A system is not under public command because officials can describe its purpose in general terms.
The Index measures what the system does to institutional command.
The auditor should therefore examine actual workflows, actual dependencies, actual human behavior, actual contract rights, actual appeal outcomes, actual logs, actual continuity capacity, and actual ability to replace or suspend the system.
Written policy matters. It does not control.
Vendor representation matters. It does not control.
Institutional assurance matters. It does not control.
Observed operational reality controls.
E. Auditor Qualifications and Independence
A Sovereign Intelligence Index audit should be conducted by persons or teams with competence across the relevant dimensions of the system under review.
A complete audit team should include, where appropriate, expertise in AI governance, public administration, procurement, data governance, cybersecurity, administrative law, civil rights, constitutional constraints, sector-specific regulation, human factors, critical infrastructure, model evaluation, records management, and audit methodology.
No single auditor must possess all expertise. But the audit team as a whole must be capable of evaluating the system’s technical function, institutional role, legal context, contract structure, evidence trail, human oversight, appealability, continuity, and public-command status.
Auditors should be independent enough to evaluate the system without pressure from the deploying institution, vendor, contractor, political leadership, or program office whose performance may be affected by the score.
Independence does not always require external status. An inspector general, internal audit office, legislative auditor, court-appointed reviewer, compliance office, or agency risk office may conduct the audit if it has sufficient access, authority, expertise, and protection from retaliation or interference.
An audit lacks sufficient independence when the scoring team reports only to the program office responsible for the system, lacks access to vendor documentation, cannot inspect relevant logs, cannot interview users freely, cannot review contracts, cannot publish or transmit findings to oversight bodies, or faces institutional pressure to reduce risk scores.
Auditors must disclose conflicts of interest. A conflict may arise when an auditor has financial, contractual, employment, political, vendor, litigation, or personal interests that could affect scoring judgment.
A vendor should not be the sole scorer of its own system. Vendor documentation may support an audit. Vendor self-assessment may inform an audit. But a vendor’s self-assessment cannot substitute for independent scoring where high-impact public functions are involved.
For high-impact or authority-sensitive systems, at least one scoring reviewer should be independent from the office that owns or operates the system.
For systems reaching authority displacement or sovereign command failure, independent review should be mandatory where the Index has been adopted by law, policy, contract, or oversight rule.
F. Audit Governance and Roles
A Sovereign Intelligence Index audit should assign clear roles before evidence collection begins.
The audited institution is responsible for identifying systems, producing records, disclosing workflows, providing access to relevant personnel, and preserving evidence.
The system owner is the office, agency, vendor, contractor, or institutional unit responsible for deployment, operation, configuration, or management of the AI system.
The responsible public authority is the official or body legally or institutionally accountable for the public function affected by the system.
The audit lead manages the audit process, evidence file, scoring schedule, interviews, documentation requests, and final report.
The domain scorers evaluate individual Index domains based on the evidence file.
The scoring review panel examines domain scores for consistency, evidence sufficiency, confidence level, and trigger consequences.
The oversight recipient is the authorized body receiving findings. Depending on context, this may be an inspector general, legislature, procurement authority, court administrator, agency head, regulator, board, public ethics body, or public reporting office.
The public reporting authority determines what findings can be released publicly while protecting lawful confidentiality, security, privacy, and classified information.
The audit should identify the human official responsible for final acceptance, mitigation, continuation, restriction, or discontinuation of the system.
No high-impact AI system should be allowed to diffuse responsibility so completely that no human authority can be named.
G. Evidence Hierarchy
Not all evidence has equal weight.
The Index must distinguish between strong evidence, moderate evidence, weak evidence, and unsupported assertion.
Observed workflow is stronger than written policy.
System logs are stronger than staff assurances.
Case samples are stronger than general descriptions.
Tested fallback capacity is stronger than a continuity plan.
Actual data export is stronger than a contract clause promising portability.
Contract rights are stronger than verbal vendor assurances.
Independent audit is stronger than vendor documentation.
Appeal outcomes are stronger than appeal procedures.
Override records are stronger than human-in-the-loop claims.
Incident records are stronger than risk statements.
Interface inspection is stronger than user training slides.
Red-team findings are stronger than security representations.
Public disclosures are stronger than internal assurances when public accountability is at issue.
Auditor-verified evidence is stronger than self-attestation.
The highest-value evidence is evidence showing actual institutional behavior under operational conditions: what users did, what the system produced, what decisions followed, what appeals occurred, what overrides succeeded, what logs exist, what data moved, what vendors controlled, what infrastructure was required, and what happened when the system failed or changed.
The weakest evidence is conclusory assurance: “the system is advisory,” “humans remain in control,” “appeals are available,” “data is protected,” “the system is explainable,” “the vendor can be replaced,” or “the model is secure,” without supporting records.
A score should never be lowered based on unsupported assurance.
H. Evidence Quality Grades
Each material item of evidence should be assigned an evidence quality grade.
Verified operational evidence is evidence directly observed, tested, reproduced, or authenticated by the auditor. Examples include system logs, case samples, export tests, override records, appeal records, incident records, continuity exercises, interface review, access logs, contract text, and tested fallback procedures.
Independent corroborated evidence is evidence produced by a third party or independent institutional body with no direct incentive to minimize risk. Examples include inspector-general reports, legislative audits, court records, independent technical evaluations, cybersecurity assessments, red-team findings, and external compliance reviews.
Institutional documentary evidence is evidence produced by the deploying institution in ordinary operations. Examples include policies, training materials, internal memoranda, workflow maps, system inventories, procurement files, impact assessments, meeting records, and internal risk registers.
Vendor-provided evidence is evidence produced by the vendor, model provider, cloud provider, contractor, or subcontractor. It may be useful, but it should be treated as lower weight unless independently verified.
Testimonial evidence is evidence obtained through interviews, declarations, questionnaires, or staff statements. It may be important for understanding actual practice, but it should be corroborated wherever possible.
Unsupported assertion is a claim without adequate documentary, operational, technical, contractual, or testimonial support. Unsupported assertion should not carry material scoring weight.
When a domain score depends heavily on vendor-provided evidence or testimonial evidence, the scoring confidence should normally be lower unless corroborated.
When verified operational evidence contradicts policy language, the operational evidence should control.
When contract language contradicts vendor assurances, the contract should control.
When user behavior contradicts training materials, user behavior should control.
When missing records prevent verification of public command, the absence should be treated as an evidence gap and may increase the score or reduce scoring confidence.
I. Scoring Confidence
Each domain score must include a confidence level.
A confidence level is not the same as the risk score. The risk score measures severity. The confidence level measures the reliability of the evidence supporting that score.
A domain may score 4 with high confidence because strong evidence shows authority displacement. A domain may score 4 with low confidence because critical evidence is missing and the available evidence suggests serious command risk. Both findings matter, but they should be interpreted differently.
High confidence means the auditor has sufficient verified or corroborated evidence to support the score. The evidence file includes operational records, relevant contracts, logs, interviews, system documentation, workflow review, and testing where appropriate. Material evidence gaps are absent or do not affect the score.
Medium confidence means the auditor has enough evidence to assign a score, but some material evidence remains incomplete, indirect, partially disputed, untested, vendor-controlled, or unavailable. The score is credible but should be revisited after additional evidence collection.
Low confidence means the auditor lacks important evidence needed to determine command status, or the evidence is materially disputed, incomplete, inaccessible, vendor-controlled, inconsistent, or unsupported. Low confidence does not mean low risk. In high-impact contexts, low confidence may itself indicate sovereign intelligence risk.
Scoring confidence must be reported for each domain and for the overall Index assessment.
A low-confidence score should trigger additional evidence collection, independent review, or provisional mitigation where public functions are affected.
An institution should not benefit from missing evidence. If the institution cannot produce records necessary to show public command, the auditor should not assume command exists.
J. Treatment of Missing Evidence
Missing evidence is not neutral.
The effect of missing evidence depends on what is missing, why it is missing, and whether the missing evidence is necessary to determine public command.
If an institution cannot produce an AI system inventory, the auditor should treat the scope of AI use as uncertain and potentially broader than disclosed.
If an institution cannot produce workflow maps, the auditor should treat decision automation exposure as unresolved and possibly understated.
If an institution cannot produce override logs, the auditor should not accept a human-in-the-loop claim at face value.
If an institution cannot produce appeal records, the auditor should not assume appealability is meaningful.
If an institution cannot produce contract rights, the auditor should not assume vendor dependency is controlled.
If an institution cannot produce data-use terms, the auditor should not assume data sovereignty is preserved.
If an institution cannot produce continuity plans or exit-test results, the auditor should not assume the system is replaceable.
If an institution cannot produce security or infrastructure documentation, the auditor should not assume foreign influence surface or compute dependency is low.
Missing evidence may justify a higher risk score when the missing evidence concerns command, contestability, auditability, replaceability, suspension, continuity, or accountability.
The audit report should distinguish between confirmed risk and unverified command. Confirmed risk means evidence shows command weakness. Unverified command means the institution has not produced enough evidence to prove command exists. Both are serious, but they are not identical.
K. Audit Sequence
A Sovereign Intelligence Index audit proceeds in fourteen steps.
First, define the audited unit. The unit may be an agency, office, program, decision system, vendor relationship, procurement, court function, school system, infrastructure operator, civic platform, public communications system, or sector.
Second, define the public function affected. The audit must identify whether the system affects rights, benefits, enforcement, eligibility, safety, resource allocation, public communication, civic perception, critical operations, legal review, education, health, infrastructure, national security, or internal administration.
Third, inventory all AI systems used by the audited unit. The inventory must include internally built models, externally procured systems, commercial software with embedded AI, contractor-operated tools, generative AI systems, recommender systems, scoring systems, classification systems, biometric systems, translation systems, fraud-detection systems, case-management systems, automated drafting tools, model APIs, and AI systems used indirectly by contractors.
Fourth, identify all vendors, contractors, model providers, cloud providers, data brokers, subcontractors, and infrastructure dependencies connected to each system.
Fifth, map where AI enters the workflow. The audit must determine whether AI shapes intake, routing, triage, evidence review, summarization, ranking, scoring, prediction, drafting, recommendation, prioritization, final decision, communication, appeal, enforcement, or post-decision monitoring.
Sixth, classify the system’s authority role. The system should be classified as peripheral, assistive, workflow-shaping, recommendation-shaping, principal-basis, default-setting, effectively determinative, or operationally indispensable.
Seventh, inspect human oversight. The audit must determine whether humans understand the system, have time to review it, can access underlying evidence, can reject the output, can record reasons for disagreement, are trained to identify errors, and are institutionally supported when they override machine outputs.
Eighth, test explainability and appealability. The audit must determine whether affected persons receive meaningful notice, whether they can understand the role of AI, whether they can challenge the facts or classifications used, whether a human can change the outcome, and whether appeal outcomes are tracked.
Ninth, inspect contracts and vendor dependency. The audit must review data rights, audit rights, documentation rights, model-access terms, portability, service levels, termination rights, pricing, renewal leverage, subcontractors, incident reporting, security obligations, continuity provisions, and restrictions on vendor use of public data.
Tenth, inspect data sovereignty. The audit must determine who controls input data, training data, fine-tuning data, validation data, outputs, logs, embeddings, annotations, corrections, feedback, user interactions, and model improvements derived from institutional use.
Eleventh, inspect infrastructure dependency. The audit must identify cloud providers, compute concentration, geographic exposure, foreign-control exposure, failover capacity, energy dependency, disaster recovery, cybersecurity posture, and whether the institution can evaluate or operate the system outside vendor-controlled environments.
Twelfth, assess cognitive, foreign influence, and legitimacy exposure where relevant. For public-facing systems, election-related systems, education systems, media systems, civic platforms, political systems, and public communications systems, the audit must examine synthetic media, automated persuasion, recommender manipulation, identity deception, bot amplification, public confusion, foreign influence, and accountability effects.
Thirteenth, score each of the ten Index domains. Each score must be justified by evidence and assigned a confidence level.
Fourteenth, issue findings, trigger determinations, mitigation requirements, dispute procedures, and publication recommendations.
The audit must be repeatable. Machine-layer dependency evolves. Vendors change terms. Models update. Workflows adapt. Human capacity decays. New integrations appear. An Index score should be reassessed periodically and whenever there is a significant model change, contract renewal, expansion into high-impact use, major incident, new vendor, infrastructure migration, public complaint pattern, court finding, security event, or evidence of public harm.
L. Domain-Specific Evidence Requirements
Decision automation exposure requires workflow maps, decision logs, model outputs, case samples, staff interviews, system documentation, user-interface review, and evidence showing whether AI affects recommendations, rankings, summaries, risk scores, triage, eligibility, enforcement, communication, or final decisions.
Human override reality requires override logs, approval rates, rejection rates, time-per-case data, training materials, user-interface review, supervisor guidance, staff interviews, reversal rates, quality-control records, and evidence showing whether humans can practically reject machine outputs.
Explainability and appealability require decision notices, appeal procedures, sample explanations, administrative records, reviewer authority, appeal outcomes, reversal rates, affected-person disclosures, system documentation, and evidence showing whether a person can challenge a machine-shaped decision.
Vendor dependency requires contracts, renewal terms, service-level agreements, pricing structures, termination clauses, data-export terms, audit rights, documentation rights, portability rights, subcontractor lists, continuity plans, exit-test results, and records of prior vendor changes or failed migration attempts.
Data sovereignty requires data-use agreements, retention policies, training restrictions, fine-tuning terms, output-use rules, annotation ownership, deletion rights, provenance records, access logs, transfer records, and restrictions on vendor use of institutional data.
Compute and cloud dependency requires infrastructure contracts, provider concentration analysis, failover documentation, disaster-recovery testing, geographic processing locations, foreign exposure review, cybersecurity assessments, energy resilience analysis, dependency maps, and evidence of independent evaluation capacity.
Model authority concentration requires provider inventories, model-use records, cross-agency adoption patterns, default model settings, embedded platform integrations, procurement bundles, API dependencies, model-substitution analysis, and availability of alternative models.
Cognitive capture exposure requires synthetic-media monitoring, bot-network detection, recommender-system analysis, political-ad disclosures, identity verification systems, provenance tools, deepfake-response capacity, child-protection review, foreign influence reporting, public complaint data, and platform transparency records.
Foreign influence surface requires beneficial-ownership review, supply-chain documentation, subcontractor review, data-transfer analysis, infrastructure geography, threat intelligence, red-team findings, model-integrity testing, cyber incident history, insider-risk procedures, and foreign-control or foreign-access review.
Democratic accountability requires public disclosures, audit reports, inspector-general access, legislative reporting, judicial review records, administrative appeal data, procurement transparency, incident reports, civil-rights review, public comment, correction mechanisms, and records identifying responsible officials.
M. Scoring Standard
Each domain receives a score from 0 to 5.
A score of 0 means no material AI dependency. AI is absent from the relevant function or is used in a way that has no material effect on institutional decisions, public communication, rights, benefits, safety, critical operations, or civic perception.
A score of 1 means assistive use. AI supports human work, but humans retain independent judgment, access to underlying evidence, realistic ability to disregard the output, and practical alternatives.
A score of 2 means operational reliance. AI meaningfully improves or accelerates a workflow, and staff regularly use it, but the institution retains tested alternatives, meaningful human review, accessible records, and realistic continuity capacity.
A score of 3 means institutional dependency. The institution would suffer major disruption if the system became unavailable, degraded, changed, or lost vendor support. Human alternatives exist but are slow, understaffed, untested, incomplete, or no longer adequate for ordinary operations.
A score of 4 means authority displacement. AI outputs have become practical defaults. Human review is thin, symbolic, overloaded, deferential, or machine-framed. Explanation, appeal, audit, replacement, suspension, or continuity is limited. The institution remains formally responsible but operationally dependent.
A score of 5 means sovereign command failure. The institution cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from the AI system in the relevant domain. Public authority has become dependent on a machine layer beyond effective institutional command.
Scores must be assigned according to observed practice, not written policy alone.
A claim of human oversight must be supported by evidence.
A claim of appealability must be supported by appeal records and procedures.
A claim of portability must be supported by tested export or usable migration rights.
A claim of data sovereignty must be supported by contract terms, technical controls, and data-flow evidence.
A claim of vendor substitutability must be supported by operational continuity planning and credible exit capacity.
A claim of explainability must be supported by explanations meaningful enough for affected persons, reviewers, auditors, courts, or oversight bodies to understand the system’s role.
The score should reflect the highest substantiated risk level in the domain. If evidence shows that most uses are assistive but a high-impact subset is authority-displacing, the domain should not be scored as merely assistive unless the scoring scope excludes that subset.
When scoring a broad institution, auditors may assign domain findings at the system level and then produce an institutional score based on severity, scope, affected population, public function, and concentration of dependency.
The total score ranges from 0 to 50, but the domain scores matter more than the aggregate. A total score may obscure a single domain reaching sovereign command failure. A system with one score of 5 may require urgent governance action even if the total score is moderate.
N. Risk Bands and Interpretation
A total score from 0 to 10 indicates low sovereign intelligence risk. AI may be present, but it does not materially compromise command, contestability, continuity, or accountability.
A total score from 11 to 20 indicates emerging dependency. AI is becoming relevant to operations or public cognition, but the risk remains controllable if mitigation occurs early.
A total score from 21 to 30 indicates structural dependency. AI materially shapes institutional performance, and loss, compromise, opacity, vendor disruption, or inability to appeal would create serious governance risk.
A total score from 31 to 40 indicates authority displacement risk. Machine outputs are becoming practical defaults, and human command is increasingly formal rather than operational.
A total score from 41 to 50 indicates sovereign command failure. The institution or system cannot meaningfully explain, audit, contest, replace, suspend, or operate independently from the machine layer.
Risk bands should not be interpreted mechanically. A domain score of 5 in democratic accountability, explainability, vendor dependency, foreign influence surface, or compute dependency may be more urgent than a higher aggregate score produced by moderate concerns across several domains.
The Index is a structured judgment instrument. It does not replace expert analysis. It organizes it.
O. Domain Weighting and Overrides
The default Index treats all ten domains as separately scored and equally visible. The aggregate score is useful for comparison, but it should not erase domain-specific severity.
In some contexts, domain weighting may be appropriate. A court system may give greater operational importance to explainability, appealability, and democratic accountability. A critical infrastructure operator may give greater operational importance to compute dependency, vendor dependency, foreign influence surface, and human override reality. A civic platform may give greater operational importance to cognitive capture, model concentration, foreign influence surface, and democratic accountability.
Any weighting rule must be declared before final scoring. It must not be adjusted after the fact to produce a preferred result.
Even where weighting is used, certain domain scores should trigger review independently of the aggregate. A score of 5 in any domain should trigger senior review. A score of 4 or higher in any high-impact public function should trigger independent audit. A score of 3 or higher in vendor dependency, data sovereignty, compute dependency, or model authority concentration should trigger procurement and continuity review.
A system cannot be declared low-risk merely because its aggregate score is moderate while one domain indicates command failure.
The Index is designed to prevent precisely that kind of averaging away.
P. Trigger Conditions
The Index produces governance consequences.
A disclosure trigger occurs when AI materially shapes a decision affecting rights, benefits, enforcement, liberty, immigration, housing, education, employment, credit, health, taxation, safety, public services, or essential infrastructure. Affected persons should receive meaningful notice unless a lawful exception applies.
An appeal trigger occurs when AI output serves as a principal basis for an adverse or materially significant decision. The institution should provide timely human review with authority to change the outcome.
A procurement-review trigger occurs when a system scores 3 or higher in vendor dependency, data sovereignty, compute dependency, or model authority concentration. The institution should review whether contract terms preserve auditability, portability, data control, monitoring, continuity, and exit capacity.
An independent-audit trigger occurs when any domain scores 4 or higher, or when the total Index score reaches structural dependency. The audit should be conducted by an entity with sufficient technical, legal, and institutional independence.
A legislative-notification trigger occurs when a public institution reaches authority displacement in a domain affecting rights, safety, elections, courts, public benefits, emergency services, national security, or critical infrastructure.
A pause trigger occurs when a high-impact system lacks adequate documentation, appealability, human oversight, data rights, audit access, or continuity planning, and continued use presents material legal, safety, legitimacy, or sovereignty risk.
A public-command trigger occurs when an AI system becomes strategically significant to public administration, national security, critical infrastructure, civic communication, or democratic legitimacy. Such systems may require special oversight, continuity obligations, public-interest covenants, inspection rights, or statutory command-preserving mechanisms.
A remediation trigger occurs whenever a domain scores 3 or higher. The institution should produce a plan identifying the dependency, corrective action, responsible officials, timeline, evidence required, and date of reassessment.
A discontinuation trigger occurs when a system scores 5 in any domain and the institution cannot show that continued temporary use is necessary to avoid greater public harm. Continued use should require written justification, senior official approval, independent oversight, mitigation deadlines, and a replacement or command-restoration plan.
These triggers do not automatically declare a system unlawful. They define governance consequences. They identify when disclosure, review, audit, mitigation, oversight, pause, or discontinuation should be considered under the relevant legal and institutional authority.
Q. Score Dispute and Review Procedure
Institutions and vendors may dispute Index scores. A serious audit standard must provide a disciplined process for challenge and correction without allowing dispute to become delay or evasion.
After receiving draft findings, the audited institution should be given a defined response period to identify factual errors, missing evidence, misinterpretations, confidentiality concerns, or changed circumstances.
The response must be supported by evidence. General disagreement is not enough. A claim that a score is too high must identify the specific domain, the contested finding, the evidence supporting revision, and the proposed score.
Vendor responses may be included, but vendor disagreement should not control the score. Vendor evidence should be assessed under the evidence hierarchy.
The audit team should review all responses and decide whether to affirm, revise, or qualify the score. If the score is revised, the audit report should explain the evidence supporting revision.
If material disputes remain unresolved, the report should identify them. It should state whether the dispute concerns fact, interpretation, legal authority, technical uncertainty, confidentiality, or missing evidence.
For high-impact systems, unresolved disputes should be transmitted to the appropriate oversight body. Depending on context, this may be an inspector general, legislature, court administrator, procurement authority, agency head, regulator, independent board, or public auditor.
The dispute process should not suspend urgent mitigation where the audit identifies authority displacement, sovereign command failure, public safety risk, due process risk, cyber risk, foreign influence exposure, or critical infrastructure vulnerability.
No institution should be allowed to avoid reporting or remediation merely by contesting a score.
R. Score Revision and Reassessment
Index scores are not permanent.
A score should be revised when new evidence materially changes the command assessment. Examples include contract renegotiation, new audit rights, tested data export, improved appeal procedures, restored human capacity, independent validation, reduced vendor dependency, infrastructure migration, improved logging, corrected model behavior, or successful continuity testing.
A score should also be revised upward when dependency increases. Examples include expanded use, model integration into additional workflows, reduced staff capacity, vendor consolidation, loss of alternative systems, new foreign exposure, degraded documentation, appeal failures, model changes, system incidents, or increased reliance on automated recommendations.
Every Index report should state the reassessment date.
High-impact public systems should be reassessed at least annually.
Systems scoring 3 or higher in any domain should be reassessed after mitigation.
Systems scoring 4 or higher in any domain should be reassessed after independent review and before major expansion.
Systems scoring 5 in any domain should be subject to urgent command-restoration review.
Any material model update, vendor change, infrastructure migration, contract renewal, expansion of use, incident, litigation event, public complaint pattern, or oversight finding should trigger reassessment.
S. Public Reporting Standard
A public Sovereign Intelligence Index report should state the audited unit, systems reviewed, public functions affected, Index domain scores, total score, confidence levels, major dependencies, evidence gaps, trigger conditions, mitigation steps, responsible authority, dispute status, and reassessment date.
The report should distinguish between public findings and restricted findings. Sensitive technical details, protected personal information, classified information, trade secrets, law-enforcement-sensitive information, and cybersecurity-sensitive information may be withheld from public release when lawful and necessary.
But redaction must not become concealment.
Authorized oversight bodies must receive sufficient information to determine whether public command exists.
Where full public disclosure is not possible, the public report should still state that AI materially shapes the function, identify the general nature of the system, disclose the relevant domain scores where lawful, identify the responsible public authority, and describe the oversight mechanism.
The public should not have to discover after injury that AI materially shaped a decision.
Public institutions should disclose machine-mediated authority before harm forces disclosure.
T. Minimum Mitigation Requirements
When a system produces emerging dependency, mitigation should include documentation, staff training, basic monitoring, appeal review, data-use review, and periodic reassessment.
When a system produces structural dependency, mitigation should include stronger documentation, independent review, contract analysis, vendor-dependency reduction, continuity testing, override tracking, appeal reform, and public-command assessment.
When a system produces authority displacement risk, mitigation should include independent audit, contract renegotiation, public disclosure where lawful, human-capacity restoration, fallback testing, model evaluation, data-rights correction, limits on expansion, and responsible-official certification.
When a system produces sovereign command failure, mitigation should include suspension, replacement, emergency oversight, statutory review, public notice where lawful, independent investigation, restoration of institutional capacity, and a command-restoration plan.
No mitigation should be accepted unless it can be tested.
A continuity plan must be exercised.
An appeal process must be used and capable of changing outcomes.
An override procedure must produce actual reversals when warranted.
A data-export right must be technically usable.
A vendor exit plan must be operationally plausible.
A public disclosure must be understandable.
A human reviewer must have authority, time, and information.
A contract right must survive real-world conditions.
A model evaluation must be independent enough to matter.
Paper safeguards are not public command.
U. Procurement Integration
For high-impact or authority-sensitive AI systems, the Index should be integrated before solicitation, before award, before renewal, before expansion, and before material model change.
A procurement office should evaluate whether the proposed system creates foreseeable sovereign intelligence risk. That evaluation should consider vendor dependency, data sovereignty, audit rights, documentation, portability, human oversight, appealability, continuity, infrastructure concentration, foreign exposure, and model authority concentration.
No high-impact AI procurement should rely solely on vendor claims of safety, explainability, or human oversight.
Procurement documents should require sufficient rights to evaluate, monitor, audit, explain, appeal, suspend, and replace the system.
The institution should preserve ownership or control over institutional data, logs, outputs, annotations, corrections, feedback, and metadata necessary for public function, legal compliance, continuity, and oversight.
The vendor should not be allowed to use nonpublic institutional data, prompts, outputs, feedback, logs, annotations, or corrections to train, fine-tune, improve, or commercialize external systems without explicit written authorization.
The contract should require notification of material model changes, infrastructure changes, subcontractor changes, security incidents, performance degradation, data incidents, foreign exposure changes, and changes affecting public function.
The contract should preserve termination, transition, and continuity rights sufficient to avoid public-function collapse.
A procurement that cannot preserve public command should not be treated as an ordinary technology purchase.
It is an authority-sensitive dependency.
V. Model Procurement Clause
For high-impact or authority-sensitive AI systems, procurement documents should include the following clause or its functional equivalent.
The vendor must disclose the system’s intended function, known limitations, training or fine-tuning dependencies where applicable, data-use terms, monitoring requirements, human oversight assumptions, and conditions under which performance may degrade.
The vendor must provide documentation sufficient for the institution to evaluate, monitor, audit, and explain system use in the relevant public function.
The vendor must not use nonpublic institutional data, prompts, outputs, logs, annotations, feedback, or corrections to train, fine-tune, improve, or commercialize external systems without explicit written authorization.
The vendor must provide usable export of institutional data, logs, outputs, metadata, configuration information, and other materials necessary for continuity, appeal, audit, migration, and legal compliance.
The vendor must support independent evaluation, incident investigation, performance monitoring, and lawful oversight.
The vendor must disclose material subcontractors, infrastructure dependencies, foreign-control exposure, security incidents, and model or system changes that may affect public function.
The vendor must support termination, transition, and continuity procedures sufficient to prevent public-function failure.
The institution must retain the right to suspend, restrict, or terminate use if the system creates unacceptable legal, safety, legitimacy, or sovereign intelligence risk.
The vendor must cooperate with Sovereign Intelligence Index assessments where required by law, contract, procurement rule, or institutional policy.
The vendor must preserve records sufficient to determine which outputs materially shaped institutional decisions, communications, or actions.
The vendor must not design contractual, technical, or operational barriers that prevent the institution from meeting its public-command obligations.
W. Legislative and Policy Adoption Language
A legislature, agency, court system, or governing body adopting the Sovereign Intelligence Index may use the following principle.
No public agency shall deploy, materially expand, or renew a high-impact artificial intelligence system unless the agency has assessed whether the system preserves public command, including the agency’s ability to understand, audit, contest, explain, replace, suspend, and operate independently from the system.
For high-impact systems, the agency shall maintain an AI inventory, conduct a Sovereign Intelligence Index assessment, preserve an evidence file, provide meaningful notice where AI materially shapes affected decisions, ensure human review with authority to correct errors, maintain appeal procedures, preserve data rights, prevent unreasonable vendor lock-in, test continuity, report material incidents, and submit high-risk systems to independent review.
No agency shall rely on a high-impact AI system as the principal basis for an adverse decision unless the affected person can obtain a meaningful explanation and human review, except where a lawful and narrowly tailored exception applies.
No contract for a high-impact AI system shall surrender public data control, prevent effective audit, prohibit necessary oversight, create unreasonable vendor lock-in, or deny the agency operational continuity upon termination.
No public agency shall treat a system as low-risk solely because it is described as assistive, advisory, internal, or human-reviewed.
A public agency deploying a high-impact AI system shall designate a responsible official accountable for preserving public command over the system.
Where public reporting is limited by law, security, confidentiality, or privacy, the agency shall provide sufficient information to authorized oversight bodies to determine whether public command has been preserved.
X. Validation Protocol for Pilot Deployment
An institution piloting the Index should begin with a limited number of systems across different risk profiles. The pilot should include at least one low-risk assistive system, one operationally relied-upon system, and one high-impact or authority-sensitive system.
The pilot should include at least two independent scoring teams or scoring reviewers. Each should receive the same evidence file and apply the scoring standard separately.
Differences in scoring should be recorded and analyzed. The goal is not to eliminate judgment. The goal is to reduce arbitrary variation and identify ambiguous scoring guidance.
The pilot should test whether each domain is understandable, whether required evidence is available, whether missing evidence is common, whether evidence quality can be graded, whether confidence scoring is useful, whether scores distinguish real institutional differences, whether trigger conditions are workable, and whether mitigation recommendations are actionable.
The pilot should produce a revision memorandum identifying ambiguous terms, scoring disputes, evidence gaps, domains that require clarification, trigger conditions that may be too broad or narrow, and institutional barriers to implementation.
The pilot should also test inter-rater reliability. If qualified auditors applying the same evidence file repeatedly produce widely divergent scores, the scoring instructions should be revised.
The pilot should test case validity. Scores should be compared against known incidents, appeals, failures, vendor disruptions, model changes, continuity problems, and oversight findings. The Index need not predict every outcome to be useful. But high scores should correspond to recognizable command fragility.
The pilot should test administrative burden. A standard that cannot be applied by institutions will fail as governance. The audit should be rigorous enough to matter and practical enough to use.
A mature Index should publish periodic version updates. Each update should state what changed, why it changed, what evidence supported the revision, and whether earlier scores remain comparable.
Y. Institutional Adoption Pathway
A federal adoption pathway should begin with high-impact agency AI systems, procurement-sensitive AI contracts, and systems affecting rights, benefits, enforcement, public safety, courts, immigration, taxation, education, health, elections, and critical infrastructure.
A state adoption pathway should begin with benefits administration, unemployment insurance, child welfare, policing, corrections, schools, courts, public health, licensing, emergency management, and election administration.
A critical-infrastructure adoption pathway should begin with energy, water, telecommunications, finance, transportation, health systems, cloud infrastructure, emergency services, and election-support infrastructure.
A court adoption pathway should begin with pretrial systems, sentencing-support tools, docketing systems, legal research systems, evidence-processing tools, translation systems, and systems affecting access to justice.
An education adoption pathway should begin with discipline systems, student-risk prediction, grading, tutoring, special education, surveillance, counseling support, admissions, and student-data systems.
A civic-platform adoption pathway should begin with recommender systems, political advertising, synthetic-media generation, identity verification, bot amplification, child-facing AI systems, civic information systems, and public-interest research access.
Each adopting institution should designate a responsible officer, maintain an AI inventory, conduct annual Index scoring, publish public reports where lawful, preserve evidence files, test continuity, support independent review, and submit high-risk systems to oversight.
Z. Non-Claims and Guardrails
The Index does not claim that all AI use is dangerous.
The Index does not claim that AI assistance is illegitimate.
The Index does not claim that every high score means a system is unlawful.
The Index does not replace privacy law, civil-rights law, cybersecurity review, procurement law, administrative procedure, constitutional doctrine, labor law, education law, health law, election law, national-security law, or sector-specific regulation.
The Index does not require disclosure of classified information, protected personal data, trade secrets, law-enforcement-sensitive information, or cybersecurity-sensitive details to the general public.
The Index does not authorize government control over lawful speech or public opinion.
The Index does not treat ordinary persuasion as cognitive capture.
The Index does not require perfect model interpretability where such interpretability is technically unavailable. It requires sufficient explanation, auditability, contestability, and accountability for the public function at stake.
The Index does not prohibit public institutions from using private vendors. It requires that public institutions not become unable to command the systems through which they govern.
The Index does not eliminate judgment. It disciplines judgment.
The Index does not make policy choices automatic. It supplies evidence for policy choices.
The Index does not replace democratic authority. It helps democratic authority see what it is becoming dependent on.
AA. Final Operational Standard
A public institution preserves sovereign command over an AI system only when it can satisfy the following conditions.
It can identify where the system is used.
It can explain what function the system performs.
It can determine which decisions, recommendations, classifications, communications, or actions the system materially shaped.
It can inspect the evidence, data, logs, and outputs relevant to those decisions.
It can provide meaningful notice and review to affected persons where appropriate.
It can override the system in practice, not merely in policy.
It can audit the system independently.
It can prevent unauthorized use of public data.
It can test the system’s performance and limitations.
It can monitor material model changes.
It can detect and report incidents.
It can continue operating if the system fails.
It can replace the vendor or system without public-function collapse.
It can suspend the system when legal, safety, legitimacy, or sovereignty risk requires suspension.
It can report material risks to democratic oversight bodies.
It can name the human authority responsible.
If an institution cannot satisfy these conditions, then AI has ceased to be merely a tool. It has become part of the authority structure.
That is the condition the Sovereign Intelligence Index exists to measure.
The final test is not whether the institution has adopted AI.
The final test is whether the institution remains capable of governing after adoption.
A machine system may assist public authority.
It may not become the hidden condition of public authority without measurement, contestability, and command.
References and Source Notes
A. Primary Conceptual Source
Duran IV, Robert. “The Sovereign Intelligence Doctrine: Governing the Machine Layer Before It Governs the Republic”.RobertDuranIV.com, 2026.
This doctrine is the primary conceptual source for the present paper. It frames artificial intelligence as an emerging machine layer beneath public administration, markets, military judgment, civic persuasion, education, courts, media, institutional memory, infrastructure, and democratic legitimacy. It identifies the central sovereignty problem as the risk that public institutions, critical sectors, and citizens become reliant on AI systems they cannot meaningfully understand, audit, replace, contest, suspend, or command.
The present paper should be read as the measurement sequel to that doctrine. Where the doctrine defines the machine-layer sovereignty problem, the Sovereign Intelligence Index supplies a proposed instrument for measuring when machine-layer reliance becomes institutional dependency, authority displacement, or sovereign command failure.
B. Existing AI Governance Baselines
National Institute of Standards and Technology. Artificial Intelligence Risk Management Framework. U.S. Department of Commerce, 2023.
The NIST AI Risk Management Framework provides a voluntary framework for helping organizations manage risks to individuals, organizations, and society associated with artificial intelligence. It is one of the principal U.S. public-sector baselines for structured AI risk management. The Sovereign Intelligence Index is designed to operate alongside the AI RMF, not to replace it. The AI RMF addresses trustworthy AI risk management; the Index addresses a distinct question: whether institutional reliance on AI has weakened public command.
National Institute of Standards and Technology. Artificial Intelligence Risk Management Framework 1.0. NIST AI 100-1, January 2023.
This publication is the formal AI RMF 1.0 document. It provides the underlying framework for AI risk-management practices, including governance, mapping, measurement, and management of AI risks. The present paper cites it as a major governance baseline while distinguishing the Sovereign Intelligence Index as a sovereignty-risk instrument rather than a general trustworthy-AI framework.
National Institute of Standards and Technology. AI RMF Core: Govern, Map, Measure, Manage. NIST AI Resource Center.
The AI RMF Core organizes AI risk-management activity around four functions: govern, map, measure, and manage. The Sovereign Intelligence Index adopts the seriousness of that operational structure while applying measurement to a different object: whether an institution can still understand, audit, contest, replace, suspend, and operate independently from the AI systems on which it relies.
Office of Management and Budget. Memorandum M-25-21, “Accelerating Federal Use of AI through Innovation, Governance, and Public Trust”. Executive Office of the President, April 3, 2025.
OMB Memorandum M-25-21 governs federal agency use of AI and addresses federal AI adoption, innovation, governance, public trust, agency accountability, AI inventories, high-impact AI, and safeguards for responsible use. The Sovereign Intelligence Index is designed to complement that framework by measuring whether agency AI adoption preserves public command rather than merely documenting or accelerating adoption.
Office of Management and Budget. Memorandum M-25-22, “Driving Efficient Acquisition of Artificial Intelligence in Government”. Executive Office of the President, April 3, 2025.
OMB Memorandum M-25-22 addresses federal AI acquisition, including procurement, vendor issues, data rights, performance monitoring, competition, and vendor lock-in. The Sovereign Intelligence Index extends this procurement logic by treating vendor dependency, data sovereignty, audit rights, portability, and operational continuity as components of sovereign intelligence risk.
Cybersecurity and Infrastructure Security Agency. Roadmap for Artificial Intelligence. U.S. Department of Homeland Security, 2023.
CISA’s Roadmap for Artificial Intelligence addresses both beneficial AI use and AI-related risk across cybersecurity and critical infrastructure. It is relevant to the Sovereign Intelligence Index because AI systems can become operational layers inside infrastructure, emergency response, public administration, and civic systems. The Index extends the infrastructure-security posture into a public-command question: whether AI systems have become non-substitutable operational dependencies.
European Union. Regulation (EU) 2024/1689, Artificial Intelligence Act. Official Journal of the European Union, July 12, 2024.
The EU AI Act establishes a risk-based legal framework for AI systems, including obligations for high-risk systems and provisions concerning general-purpose AI. The Sovereign Intelligence Index is compatible with risk-based AI regulation, but it addresses a separate measurement target: whether institutional reliance on AI has become practical authority displacement or sovereign command failure.
European Commission. “AI Act”.Shaping Europe’s Digital Future.
The European Commission’s public materials describe the AI Act’s risk-based structure and its obligations for AI developers and deployers. The present paper cites this framework as part of the broader AI-governance landscape while distinguishing the Index’s specific focus on machine-layer dependency, public command, and institutional sovereignty.
Organisation for Economic Co-operation and Development. OECD AI Principles. 2019; updated 2024.
The OECD AI Principles are an intergovernmental standard for trustworthy AI. They promote human-centered values, transparency, robustness, safety, security, accountability, and democratic values in AI development and use. The Sovereign Intelligence Index is consistent with these principles while introducing a more specific measurement architecture for institutional dependency, machine-mediated authority, and retained public command.
G7 Hiroshima Process. International Guiding Principles for Organizations Developing Advanced AI Systems. 2023.
The Hiroshima Process International Guiding Principles provide voluntary international guidance for organizations developing advanced AI systems. They are part of the international baseline for safe, secure, and trustworthy AI. The Sovereign Intelligence Index complements this development-side governance by focusing on the institutional adoption side: whether public and civic systems retain command over AI infrastructure once it becomes operationally embedded.
G7 Hiroshima Process. International Code of Conduct for Organizations Developing Advanced AI Systems. 2023.
The Hiroshima Process International Code of Conduct provides voluntary guidance for organizations developing advanced AI systems. It is relevant to the Sovereign Intelligence Index as part of the broader governance baseline for advanced AI safety, security, transparency, and trustworthiness. The Index extends the inquiry from responsible development to institutional dependency, public-command preservation, and machine-mediated authority.
C. Audit, Accountability, and Public-Sector Governance Context
U.S. Government Accountability Office. Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities. GAO-21-519SP, June 2021.
GAO’s AI Accountability Framework identifies practices for helping federal agencies and other entities ensure accountability in the design, development, deployment, and monitoring of AI systems. It is relevant to the Sovereign Intelligence Index because the Index depends on auditability, evidence files, monitoring, traceability, institutional responsibility, and reviewable governance practices.
U.S. Government Accountability Office. Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities. GAO-21-519SP, June 2021.
This PDF version of GAO’s AI Accountability Framework provides the full report. It is especially relevant to the Index’s evidence architecture because GAO emphasizes accountable AI through governance, data, performance, monitoring, and documentation.
Administrative Conference of the United States. Statement #20, “Agency Use of Artificial Intelligence”. December 31, 2020.
ACUS Statement #20 identifies issues agencies should consider when adopting, modifying, or monitoring AI systems. It is relevant to the Index’s concern with administrative fairness, reviewability, public participation, accountability, and responsible agency use of AI.
Administrative Conference of the United States. Agency Use of Artificial Intelligence.
This ACUS project page collects materials concerning agency use of artificial intelligence. It is relevant to the Index because public agencies must preserve reason-giving, accountability, procedural fairness, and reviewability when machine systems shape administrative action.
Administrative Conference of the United States. Government by Algorithm: Artificial Intelligence in Federal Administrative Agencies. Report commissioned by ACUS, 2020.
This report studies how federal agencies acquire, use, and oversee AI systems. It is relevant to the Sovereign Intelligence Index because the Index is concerned with the conditions under which agency AI use may become difficult to inspect, contest, govern, suspend, or replace.
D. Legal, Constitutional, and Institutional Context
The Sovereign Intelligence Index is not offered as a constitutional test, legal opinion, statutory code, or automatic liability mechanism. It is a governance and audit instrument. Its legal relevance depends on the specific context in which it is applied, including administrative law, procurement law, due process, civil-rights obligations, sector-specific regulation, constitutional speech protections, public-records law, national-security limits, and judicial review.
The paper’s due-process concerns should be read in relation to the general principle that government decisions affecting protected interests should remain attributable, reviewable, and contestable through appropriate procedures. The Index does not prescribe one procedure for every context. It identifies when machine-mediated authority may make ordinary procedural assumptions inadequate.
The paper’s cognitive-sovereignty language should be read with strict constitutional guardrails. The Index does not authorize state control of truth, viewpoint suppression, or censorship of lawful speech. It targets deception, impersonation, covert automation, malicious synthetic media, undisclosed foreign influence, child manipulation, fraud, and systems that conceal machine-generated influence in ways that impair democratic agency.
The paper’s procurement analysis should be read in relation to ordinary public-procurement principles: competition, accountability, documentation, responsible contracting, data rights, performance monitoring, exit capacity, and protection against vendor lock-in. The Index’s distinct contribution is to interpret these concerns through the lens of sovereign intelligence risk.
The paper’s public-command standard should not be confused with operational nationalization. Public institutions may rely on private vendors, proprietary models, commercial cloud services, and contracted technical expertise. The Index asks whether such reliance preserves the institution’s ability to audit, contest, replace, suspend, and govern the systems that materially shape public authority.
E. Methodological and Measurement Context
The Sovereign Intelligence Index is proposed as a governance and audit instrument, not as a completed empirical science. It should be read in conversation with existing risk-management, audit, accountability, and algorithmic impact-assessment traditions.
The Index’s methodological posture is closest to a structured institutional audit. It does not claim to predict every AI failure or quantify every harm. It organizes evidence around a defined governance object: retained institutional command over AI systems. Its scoring model is intended to support consistent judgment, public comparison, trigger conditions, and revision through use.
The Index should be validated through expert review, pilot audits, inter-rater reliability testing, case validation, longitudinal reassessment, and public revision. Those validation steps are part of the proposed methodology, not evidence that the Index is already a statistically validated instrument.
Existing algorithmic impact assessment models, public-sector AI accountability frameworks, and audit practices provide important background. Their usual focus is system impact, rights risk, fairness, privacy, transparency, accountability, or technical performance. The Index’s specific contribution is to measure when institutional reliance on AI becomes dependency, when dependency becomes authority displacement, and when authority displacement becomes sovereign command failure.
F. Source Note on Original Contribution
The Sovereign Intelligence Index is proposed here as an original measurement architecture by Robert Duran IV.
The cited frameworks do not already contain the Index, its ten-domain structure, its 0-to-5 sovereign dependency scale, its command-failure terminology, its evidence hierarchy, its scoring-confidence method, or its trigger architecture.
The cited sources provide the surrounding governance context: AI risk management, federal AI use, AI procurement, cybersecurity, infrastructure protection, international AI regulation, audit accountability, administrative procedure, and public-sector governance.
The original contribution of this paper is to integrate those adjacent concerns into a single sovereignty-focused measurement framework for detecting when AI systems cross from assistance into dependency, from dependency into authority displacement, and from authority displacement into sovereign command failure.
This distinction is essential. The Index is not presented as a restatement of NIST, OMB, CISA, GAO, ACUS, OECD, G7, or EU frameworks. It is presented as a new instrument designed to fill a specific measurement gap those frameworks do not fully close: the loss of public command through machine-layer dependency.
G. Citation Discipline
Sources in this paper serve different roles.
The Sovereign Intelligence Doctrine supplies the primary conceptual architecture.
NIST, OMB, CISA, the EU AI Act, OECD, and the G7 Hiroshima Process supply the existing AI-governance baseline.
GAO and ACUS supply audit, accountability, and administrative-agency context.
The Sovereign Intelligence Index itself supplies the original measurement framework.
No cited external source should be read as endorsing the Index unless expressly stated by that source. No cited external framework should be read as already containing the Index’s terminology, scoring method, trigger structure, evidence hierarchy, scoring-confidence method, or sovereign-command theory. The citations establish context, contrast, and adjacent authority. The Index is the paper’s original contribution.

