Editor's Note
Niti Logic’s continued commitment to work with First Nations and Indigenous groups in the fight for Data Sovereignty is accelerating beyond our initial partnerships, and we are excited by the opportunity to assist more communities.
🗓️ Upcoming Deadlines: The compliance clock is no longer theoretical.
DUAA is now in effect!
The UK’s Data (Use and Access) Act 2025 has now moved from policy into implementation. Most data protection reforms came into force on 5 February 2026, with the organisational complaints-procedure requirement scheduled for 19 June 2026 and remaining ICO governance changes still to follow.
EU AI Act
The EU AI Act is also entering its operational phase. The Act entered into force on 1 August 2024, with major obligations becoming applicable from 2 August 2026, subject to phased exceptions.
AI Governance Has a Data Sovereignty Problem
Policies do not create accountability. Evidence does.
The AI governance conversation has, for several years now, been dominated by the same set of artefacts: policies, frameworks, responsible AI statements, ethics committees, data protection impact assessments, and consent documentation. These are not worthless. They represent a genuine and necessary effort by organisations, regulators, and standards bodies to establish shared expectations about how AI systems should behave.
But they share a structural problem.
They describe what organisations say they will do. They do not, and largely cannot, prove what AI systems actually did at the moment of action.
That gap is narrow enough to ignore in many contexts. In the context of Indigenous data sovereignty, it is not.
Data sovereignty is not data residency
When Indigenous governance frameworks assert data sovereignty, they are asserting something more precise and more demanding than control over where data is stored.
They are asserting that data is subject to the laws, governance structures, values, and authority of the Indigenous peoples from whom it is collected, regardless of where it physically resides and regardless of which vendor, platform, or jurisdiction holds it at any given moment.
Te Mana Raraunga, the Māori Data Sovereignty Network, frames this clearly: Māori data should be subject to Māori governance. The First Nations Principles of OCAP® (Ownership, Control, Access, and Possession) assert that communities must be able to control research that affects them. The CARE Principles for Indigenous Data Governance add that data governance must be exercised in the interest of those communities, not merely in compliance with a policy checklist.
What this means in practice is that sovereignty is not a filing cabinet. It is an ongoing, active claim about authority. Specifically: who has authority over this data, what uses are permitted, what uses are prohibited, under what conditions those permissions apply, and what consequences follow if they are violated.
That is the claim. The question is whether current AI governance infrastructure is capable of honouring it, or even of demonstrating that it has tried.
The execution gap
When an AI system acts, it does not pause to consult the consent documentation.
It classifies. It summarises. It infers. It recommends. It routes, ranks, discloses, and trains. It does all of this using data that may be culturally restricted, jurisdictionally constrained, contractually limited, or explicitly governed by Indigenous authority.
The governance artefacts (the policies, the DPIAs, the data sharing agreements) exist at a different layer. They are written before the model runs, often before the specific data combination is even known. They may accurately describe intent. They frequently cannot describe behaviour.
This is not a criticism of organisations acting in bad faith. It is a description of an architectural reality. Once data moves into models, copilots, agentic workflows, analytics pipelines, or automated decision systems, the connection between the governance document and the system's behaviour becomes indirect, assumed, and difficult to audit.
The result is what might be called the execution gap: the space between what an organisation agreed to do and what the system actually did at the moment of action. In most current deployments, this gap is poorly evidenced and often opaque even to the organisation operating the system.
The accountability principle is maturing
Regulators are beginning to formalise exactly this concern.
The accountability principle under GDPR requires that controllers not only comply with data protection principles but be able to demonstrate that compliance. The UK ICO makes the same distinction explicit: accountability is both a responsibility and a demonstrability obligation.
The UK's Data (Use and Access) Act 2025, which received Royal Assent in June 2025, continues to expand the framework within which AI and data systems will be expected to operate. The direction of travel across UK, EU, and international regulatory environments is consistent: saying you comply is insufficient. You must be able to show it.
For Indigenous data, this creates an important question that procurement bodies, regulators, auditors, and Indigenous governance authorities are all beginning to ask:
Can the organisation prove what the AI system did, what rule applied, what authority was recognised, and why the action was permitted or refused?
Most organisations today cannot answer that question cleanly. They can produce a policy. They can produce a DPIA. They can produce training records and access logs. What they frequently cannot produce is a sealed, execution-time record that demonstrates, with specificity:
At this moment, this system attempted this action, against this data class, under this authority rule, and the action was permitted or refused for this reason.
That is the accountability gap, and it is precisely where Indigenous governance frameworks are most exposed.
Why evidence changes the power relationship
Governance frameworks that depend entirely on organisational disclosure have a structural vulnerability: the organisation that may have caused harm controls the evidence of whether harm occurred.
That is not governance. That is dependency.
The practical consequence is this: without execution-time evidence, communities asserting data sovereignty must rely on an organisation's willingness to investigate itself, disclose fully, and apply its own remediation. Where there is goodwill, that may be sufficient. Where there is not, or where the organisation simply does not know what its AI systems did, the community has limited recourse, because there is nothing independent to point to.
Evidence changes that. Not in the sense that evidence alone creates remedy. But in the sense that evidence is the precondition for remedy.
A community cannot pursue a contractual claim if it cannot show which provision was violated and when. A regulator cannot assess proportionate penalty without a specific account of what occurred. A procurement body cannot exclude a vendor for non-compliance without documentation of the non-compliant act. A court cannot award compensation where the chain of causation is speculative.
Evidence does not guarantee recourse. But without evidence, recourse is often impossible.
Where OBEXGATE fits
OBEXGATE is designed to operate at the execution layer, the point where an AI system attempts to act.
It does not decide what Indigenous authority requires. It does not own or interpret cultural governance. It does not replace the legal, regulatory, or governance frameworks that communities and states define. Those decisions belong to the appropriate authorities: Indigenous governance bodies, legal counsel, regulators, and the communities themselves.
What OBEXGATE does is enforce the rules those authorities define, and create a cryptographically sealed record of what happened at the moment of execution.
The architecture works as follows. Before an AI system acts, OBEXGATE evaluates the proposed action against the applicable rule set, which can encode jurisdiction, data class, authority designation, permitted use conditions, and prohibited use conditions. If the action is permitted, it proceeds. If it is refused, it is blocked. In both cases, a tamper-evident record is created: what was attempted, what rule applied, what authority classification was in effect, what the system decided, and why.
That record is the evidence layer that current AI governance infrastructure largely lacks.
For organisations, it supports auditability, regulator engagement, procurement requirements, vendor accountability, and internal governance verification.
For Indigenous governance bodies, it supports oversight, dispute identification, contract enforcement, and, where a governance mechanism exists to receive it, the factual foundation for claims of misuse, remediation demands, or compensation assertions.
For regulators, it narrows the distance between a policy promise and a system's demonstrated behaviour.
This positioning is deliberate. OBEXGATE is not the authority. It is the enforcement and evidence layer beneath the authority. The rules are set by those with the right to set them. OBEXGATE ensures those rules are applied at execution and that the application is provable.
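The evaluate-then-record flow described in this section, as an added Python sketch: it is not OBEXGATE's code, and the rule set, the names, and the HMAC hash chain used for tamper evidence are assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed rule set: data class, authority and use names are hypothetical.
RULES = {"community-health-records": {
    "authority": "Example Nation Data Governance Board",
    "jurisdiction": "CA",
    "permitted": {"aggregate-reporting"},
    "prohibited": {"model-training", "third-party-disclosure"},
}}
GENESIS = "0" * 64  # "prev" value of the first record

def seal(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of a record body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Gate:
    def __init__(self, key: bytes, rules=RULES):
        self.key, self.rules, self.log = key, rules, []

    def evaluate(self, system, action, data_class, ts) -> bool:
        rule = self.rules.get(data_class)
        if rule is None:
            allowed, reason = False, "no rule for data class (default deny)"
        elif action in rule["prohibited"]:
            allowed, reason = False, "use prohibited by authority"
        elif action in rule["permitted"]:
            allowed, reason = True, "use permitted by authority"
        else:
            allowed, reason = False, "use not listed (default deny)"
        body = {
            "ts": ts, "system": system, "action": action, "data_class": data_class,
            "authority": rule["authority"] if rule else None,
            "jurisdiction": rule["jurisdiction"] if rule else None,
            "decision": "permit" if allowed else "refuse", "reason": reason,
            "prev": self.log[-1]["seal"] if self.log else GENESIS,
        }
        self.log.append({**body, "seal": seal(self.key, body)})
        return allowed

def verify(log: list, key: bytes) -> bool:
    """Recompute each seal and chain link; an edited, dropped or reordered record fails."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "seal"}
        if rec["prev"] != prev or not hmac.compare_digest(rec["seal"], seal(key, body)):
            return False
        prev = rec["seal"]
    return True
```

Because the seal key is symmetric, whoever holds it can re-seal an altered log, and a log truncated at the tail still verifies; checking by a party other than the operator needs asymmetric signatures or the latest seal lodged with that party.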
From governance promise to governance proof
The next phase of AI governance will not be determined by better policy language.
For data sovereignty specifically, the question that matters is not only whether an organisation had permission to possess data. It is whether the organisation can demonstrate that every consequential use of that data respected the correct authority at the moment the system acted.
A consent form can be separated from a workflow. A policy can be ignored by an agent. A responsible AI statement can sit in a PDF while a model continues to classify, infer, summarise, disclose, or recommend using data that was never properly governed at the point of use.
Runtime governance changes the evidentiary posture. It moves the record from the policy layer to the execution layer. It creates documentation of the attempted action, the applicable rule, the authority classification, the system decision, and the basis for that decision.
That evidence does not replace law. It does not replace Indigenous governance. It does not guarantee compensation or remedy. But it can make recourse possible in a way that policy-only governance cannot, and it can do so at a moment when the regulatory environment is increasingly demanding exactly this kind of demonstrability.
Data sovereignty cannot depend on whether an organisation remembers its commitments after the fact.
If AI systems are going to act on governed data, and they already are, then authority has to be enforceable before execution, and provable after it.
The infrastructure to do that exists. The question is whether organisations, procurement bodies, and governance frameworks will require it.
OBEXGATE is a runtime AI governance enforcement platform developed by Niti Logic. Information contained in this article is not legal or financial advice or a guarantee of outcome.
Need a Risk Assessment for Your Business?
Find out where your organisation may be exposed across AI governance, data sovereignty, auditability, and runtime accountability.
The question is no longer whether you have a policy.
It is whether you can prove what happened.
The OBEXGATE Risk Assessment helps organisations identify where their AI governance may be exposed across data sovereignty, regulatory accountability, auditability, contractual risk, and runtime enforcement.
It is designed to answer one practical question:
If something goes wrong, can you prove what happened?
Policies describe intent. OBEXGATE assesses whether your organisation can produce evidence.
In Case You Missed It…
Funding Roundup
Quantum Leap Technologies secured $45M Series B, led by Sequoia Capital, to advance quantum computing infrastructure for enterprise solutions.
EcoGrid AI raised $22M to develop machine learning algorithms for renewable energy grid optimization.
MindSync Neurtech closed a $15M seed round to expand its brain-computer interface research.
🏆 This week’s Obe Award
This week's Obe Award goes to a regional cooperative bank fined by the Data Protection Authority of Niedersachsen.
Fine: EUR 900,000
Authority: Data Protection Authority of Niedersachsen (LfD Niedersachsen)
GDPR issue: Insufficient legal basis for data processing
The core issue was not a rogue AI system or a headline data breach.
It was profiling.
The bank built profiles of customers for advertising purposes without a lawful basis for doing so. No dramatic technical failure. No external attack. An internal workflow that classified and scored customers, used that output to target them, and could not point to a legitimate legal ground under GDPR Article 6 for any of it.
That is the lesson.
Profiling does not require a sophisticated AI stack to create compliance risk. A segmentation model, a marketing automation rule, a scoring field in a CRM, a recommendation engine in a banking app — any of these can trigger Article 22 or Article 6 obligations the moment they are used to influence how an organisation treats a data subject.
How OBEXGATE could have helped
OBEXGATE is designed to surface this kind of risk before it becomes a fine.
Before a profiling workflow, scoring model, or AI-enabled personalisation process goes live, OBEXGATE helps teams ask:
What personal data is being used to build this profile or score?
What is the legal basis for the processing?
Does the intended use — targeting, advertising, prioritisation, exclusion — require explicit consent, a legitimate interests assessment, or something else?
Have data subjects been informed in a way that is accurate and complete?
Is the organisation able to demonstrate why the processing is lawful?
Does this workflow create risk under GDPR Article 6, Article 22, or related obligations in UK GDPR or the EU AI Act?
Profiling for commercial purposes is one of the most consistently enforced areas of GDPR across every European jurisdiction.
It is also one of the areas where AI and automation create risk fastest, because the same tools that make targeting more efficient also make legal basis failures harder to trace and harder to defend.
That is where OBEXGATE comes in.
Did You Know?
Storage as physical object
If you printed every piece of data created in a single day in 2024 (roughly 2.5 quintillion bytes) onto standard A4 paper, the stack would reach from Earth to the Sun and back approximately 130 times. We generate that every 24 hours and mostly use it to argue on social media.
Till next time,


