The Borrowed Shell: why your “sovereign” AI might be living in a rental

Picture any town hall. One of those that manages the census, social benefits, case files full of data that administrative jargon calls, with unsettling tenderness, citizen-sensitive. One day they decide to modernize and they buy an AI assistant. Not just any one: a safe, sovereign, home-soil assistant that promises the data “stays at home” and that “the AI doesn’t learn from us.” It ticks every box: ISO certification, GDPR, a flag on the website, support in the local language. The data protection officer breathes easy and signs. And here comes the red pill: every question that assistant answers travels, underneath, to a model owned by a US company. The shell has a national flag painted on the outside. The animal living inside was born in another ocean.

A couple of weeks ago I wrote here about the day they switched off Fable from Washington: a textbook case of dependency you knew you had and suffered all at once. Today I want to talk about something subtler and, in a way, more uncomfortable. Not the dependency you know you have, but the one that’s sold to you as independence. Sticker sovereignty.

The trick isn’t lying — it’s choosing your words carefully

Let’s use a real, public example. In the Netherlands there’s a platform called, with little subtlety, SafeGPT. It presents itself as “the safe AI platform for government”, and the pitch is elegant: instead of a civil servant pasting a citizen’s data into ChatGPT — with everything that entails — you give them a governed tool, with automatic anonymization, that doesn’t use your data to train public models, certified and audited. So far, flawless. It’s actually a good and necessary idea.

The nuance shows up when you read their own fine print. SafeGPT doesn’t train its own frontier model in a basement in The Hague. Underneath, it orchestrates models from the GPT family — OpenAI’s, a San Francisco company. They don’t fully hide it: their own documentation admits the chatbot runs “on different language models, like GPT-4o.” The sleight of hand is in the framing. What they sell you isn’t “we don’t use OpenAI.” What they sell you is “your data is protected.” And those are two very different sentences that most buyers hear as if they were one.

I want to be fair, because this matters and it isn’t a judgment of intent: SafeGPT isn’t necessarily deceiving anyone. What it offers — anonymization at the edge, a no-training commitment, European contracts — is a real mitigation and, for a great many use cases, more than enough. The problem isn’t what they do. The problem is the word they use to sell it. Because “sovereign,” in the dictionary that counts — the one lawyers and procurement tenders use — means something very specific: answering to no other authority. And a system whose inference happens on a US model answers, ultimately, to another authority. What SafeGPT sells isn’t infrastructure sovereignty. It’s compliance sovereignty. A layer of good practices and good contracts over an engine that still belongs to someone else.

And this is neither an isolated case nor a Dutch quirk. It’s a pattern. So much so that the industry already has a name for it: sovereignty-washing. European cloud providers themselves are demanding that Brussels make the definition of “sovereign” account for where a company is headquartered — precisely to stop anyone from pinning on the medal by painting a flag on the login screen. As one industry analyst put it with surgical brevity: a fine-tuned wrapper sitting on someone else’s frontier model is not sovereignty.

What a hermit crab knows about sovereignty

This is where biology — which, for me, always ends up explaining things better than any consultancy — comes to the rescue.

There are two ways to wear armor in nature. The first is the snail’s, or the sea urchin’s, or that of any creature that builds its own shell. That shell is an organ. It grows with the animal, it’s made of its own carbonate, irrigated by its own metabolism, and no one can take it off because, literally, it is the animal. It belongs to it down to the last atom.

The second way is the hermit crab’s. This fascinating creature is born soft, vulnerable, with a naked abdomen, and solves the problem cleverly: it finds an empty shell — usually from a dead sea snail — and moves in. From the outside, it’s indistinguishable from an armored animal. It walks around with its little house on its back, protects itself, intimidates rivals. It looks like a walking fortress. But that shell isn’t its own. It’s borrowed. And two things are true of every hermit crab in the world: that the armor it shows off was made by someone else, and that, when it grows or when a bigger one shows up, it will have to abandon that shell — or have it taken.

I think you can see where I’m going.

An AI you train and run on infrastructure you control is a snail: the intelligence is an organ of your own, grown at home, under your jurisdiction and your metabolism. A “sovereign” AI that’s really a wrapper over an OpenAI or Google model is a hermit crab: it walks around with a magnificent shell — one of the best in the ocean, undeniably — but the shell has another owner’s name engraved on the inside. And that owner can, on any given day, change the terms of the lease.

I like the metaphor because it isn’t a caricature. The hermit crab isn’t a fraud: it’s a legitimate, wildly successful evolutionary strategy — there are millions of them, and they’ve been at it for tens of millions of years. Living in a borrowed shell is perfectly reasonable… as long as no one reclaims the shell. The problem isn’t being a hermit crab. The problem is selling yourself as a snail.

The part nobody reads: the shell has someone else’s name on the deed

So why does it matter whose shell it is, if it works just as well? It matters for a very unpoetic reason called jurisdiction.

There’s a US law from 2018, the CLOUD Act, that compels any American company to hand its authorities the data it holds, even if that data is physically stored in another country. Read it again, because it’s the heart of everything: it doesn’t matter where the server is. It matters what country the company operating it belongs to. A data center in Frankfurt, run by a company headquartered in Redmond or San Francisco, is still within reach of a Washington judge. As it’s been put with legal elegance: jurisdiction follows the company, not the data center.

This isn’t a paranoid’s hypothesis. In June 2025, Microsoft France’s chief legal officer, asked under oath before the French Senate whether he could guarantee that European data would never be handed to US authorities, answered that he could not. Not even with the “EU Data Boundary” switched on. Not because Microsoft is evil, but because it’s bound by a law it cannot disobey. The honest answer from an honest lawyer was, in essence: the shell is excellent, but the deed is in another language and another judge signs it.

Apply that to our town hall from the start. They were sold “the data stays at home.” The technical reality, translated without marketing, is more like: “the data is anonymized, encrypted, and travels to a model living on infrastructure whose ultimate owner answers to a foreign court — and who has sworn he can’t promise otherwise.” It remains, I insist, a reasonable mitigation for writing up meeting minutes. It stops being one the day we’re talking about court files, sensitive medical records, or children’s data. There the difference between the snail and the hermit crab stops being a pretty metaphor and becomes a legal problem with a first and last name.

The honest counterpoint (because there is one, and it’s strong)

At this point I have to slow down, because it would be dishonest to paint this as “the good sovereigns versus the bad fakers.” It isn’t, and the other side deserves defending with equal energy.

The hermit crab wins for one crushing reason: the borrowed shell is better. US frontier models are, today, simply superior. More capable, faster, cheaper to run than almost any alternative you could stand up yourself. Building your own shell — training or deploying open-weight models on your own hardware, raising the data center, maintaining it — is expensive, slow, and for years will give you an animal a notch below. Anyone telling you strict sovereignty is free or painless is selling you another sticker, just the opposite color.

And for the vast majority of uses, the hermit crab’s mitigation is plenty. Anonymize before sending, forbid training, demand European contracts: that resolves 90% of the real risks for 90% of the cases. Demanding infrastructure sovereignty from a tool that drafts internal memos is like asking the person writing the grocery list to encrypt it to military grade. There’s a disproportion.

So the honest question is never “snail or hermit crab?”, because framed that way the hermit crab almost always wins. The honest question is: which shell are we talking about, and what do I need it for? For the bulk of administrative work, the borrowed shell is a sensible call. For that hard core where the law, the risk, or people’s dignity make non-transfer non-negotiable — justice, defense, sensitive healthcare — no sticker will do: there you need an organ of your own, whatever it costs. The mistake isn’t choosing the hermit crab. The mistake is not knowing you chose a hermit crab, because they sold it to you as a snail.

What real sovereignty would require

If you ever have to sign one of these contracts — or you just want to tell a snail from a well-disguised crab — these are the questions that peel off the sticker:

What model does the inference run on? If the answer is “GPT,” “Gemini,” or “Claude,” then however good the layer on top, you’re looking at a hermit crab. Truly sovereign means open-weight models you can run yourself — whichever family you choose — without asking anyone’s permission.

What country is the company operating the infrastructure from? Not where the server is: who owns the company. Because jurisdiction, as we’ve seen, follows the company. Truly sovereign means a provider incorporated and controlled in the EU, not a subsidiary of something whose ultimate boss answers to another court.

Is there an option for local, air-gapped deployment with no route to the internet? For the hard core, the only total guarantee is that the data never leaves the room. If they don’t offer you that option, they’re not offering sovereignty — they’re offering trust.

Do they name every subprocessor? A true sovereign tells you exactly whose hands each bit passes through. A hermit crab tends to leave that box conveniently blurry.

The good news is that this is ceasing to be a crusade of four idealists and becoming law. In June 2026 the European Commission introduced its Cloud and AI Development Act, which for the first time defines sovereignty levels with hard criteria — independence from third countries, European control, transparency across the whole supply chain. Initiatives like Gaia-X and EuroStack have been pushing in the same direction for years. Soon, “sovereign” will stop being a brochure adjective and become a label with verifiable requirements. The day that happens, a lot of hermit crabs are going to lose their stickers in the first rain.

The future I don’t want (and that’s already incubating)

Let’s swallow the red pill all the way and look at 2030.

Artificial intelligence is no longer a tool you use: it’s the administrative tissue of Europe. Every town hall, every hospital, every court has its “sovereign” assistant, with its flag in the corner and its certificate on the wall. Thousands of hermit crabs marching proudly across the continent. And nearly all of them — this is the unsettling part — live inside the same three or four shells, made on the same stretch of California coast.

One day — not out of malice, but out of someone else’s cold national-security logic, exactly as in the Fable case — the shells’ owner changes the terms. Or a directive lands on a Friday afternoon. It doesn’t even need to rip them off all at once: it’s enough to remind each hermit crab that the armor it wears was never its own. And Europe discovers, all at once, that its “sovereign” administration had spent years molting inside a rental shell. That the flag was painted on the outside of a house that belonged to someone else. That the sticker, in the rain, was never anything more than that: a sticker.

It isn’t an invasion. It’s something more humiliating: the discovery, far too late, that you never held the deed.

What I’m taking home

Three ideas, in case this is all you keep:

Sovereignty isn’t a label, it’s a chain of custody. It doesn’t matter how pretty the flag on the login is. What makes something yours isn’t what you call it, but who can take it from you. Always ask for the deed, not the façade.

Ask about the shell, not the animal. That an assistant answers beautifully tells you nothing about who it depends on. The snail and the hermit crab walk equally upright. The difference is underneath — in whether the armor grew with the body or was found empty on the beach.

For almost everything, the hermit crab is plenty. For what it isn’t, no sticker fixes it. The trap isn’t using a borrowed model — it’s a sensible choice nearly always. The trap is not knowing that’s what it is. Choose the hermit crab with your eyes open, and reserve the snail for what you can’t afford to lose if, on some Friday afternoon, it gets switched off from the outside.

The hermit crab, in nature, is an admirable survivor. But it survives precisely because it knows its shell is borrowed and stays alert, ready to swap it. The day a hermit crab truly believes the shell is its own, it stops paying attention. And that, exactly that, is the day a bigger one shows up.

Red pill swallowed.

Sources: