A Framework for Institutional AI Resilience

First post on the forum, so feedback on framing or norms is as welcome as feedback on the argument. I originally drafted this as a policy paper for institutional operators and am cross-posting because the systemic argument intersects with longstanding EA and LW concerns about governance, single points of failure, and infrastructure capture. I'm reasonably confident in the diagnostic framework and the contract analysis. The migration timeline is the part I'm least sure about: tooling for local orchestration is moving fast, and what's true today will not be true in eighteen months. I expect to be wrong about specific things and would rather find out now.


Executive Summary

Most institutions adopting artificial intelligence have no map of where their reasoning actually lives. They believe they have bought a product. What they have done is rent a faculty of judgment from a counterparty who reserves the unilateral right to change, throttle, or terminate that faculty under terms few of them have read.

This paper offers a diagnostic framework for executives, regulators, and technical leaders to evaluate that exposure. It rejects the inherited vocabulary of cloud security, which treats AI as one more workload to be hardened. AI is not a workload. It is cognitive infrastructure, and the system answering questions, drafting briefs, classifying claims, or steering decisions is now a load-bearing component of the institution itself.

The framework rests on three strict tiers of control. Genuine Control denotes unilateral technical and legal authority over hardware, weights, and data. Conditional Control denotes operational use bound by a revocable license, even when the model sits on your own hardware. Dependent Control denotes complete delegation of reasoning to an external counterparty, governed by SaaS terms, arbitration clauses, and the silent threat of model deprecation.

These tiers then map across the modern AI stack: compute, models, data, tooling. Most organizations score Dependent or Conditional across every layer they touch. No amount of cloud certification, SOC 2 audit, or procurement due diligence corrects this. The exposure is structural, not operational.

The paper closes with a migration pattern called the AI Strangler Fig. Borrowed from legacy software modernization, it offers a phased route back to institutional resilience: intercept all model calls behind an internal gateway, migrate workflows progressively to locally controlled models, and strangle the dependent API once parity is reached.


Part 1: The Hook and the Illusion

Boards have spent two decades being told that the question of digital sovereignty reduces to a binary: cloud or on-premise. Pick a hyperscaler, sign a Data Processing Addendum, run a SOC 2 audit, and the institution is judged secure. That framework, whatever its merits for storage and compute, does not apply to AI, and continuing to apply it produces a particular and dangerous illusion.

Call it the Illusion of Sovereignty. The institution believes its data is governed because the data sits in a region of its choosing. It believes its tools are governed because procurement signed an MSA. It believes its risk is bounded because legal reviewed the indemnity clauses. None of these instruments touch the actual surface of exposure, because in classical IT the substrate was the product. In AI, the model is the product, and the model is not yours.

A row in your database does not reason. A virtual machine does not exercise judgment. A SQL query returns the same answer today, tomorrow, and in eighteen months because the engine executing it is deterministic and stable. A large language model does none of this. It produces probabilistic outputs. Its behavior shifts silently when the vendor updates weights. Its ability to serve your workflow can be revoked by a Trust and Safety policy change drafted by people you will never meet. The substrate of the institution's thinking now sits inside a counterparty's deployment pipeline.

This is what we mean by delegated reasoning, and it is the actual surface of exposure. When a claims adjuster routes a denial through a hosted model, the institution has outsourced part of its judgment. When a compliance team uses a chat interface to summarize regulatory filings, the regulator's text is being interpreted by a system the institution cannot inspect. When a sovereign government drafts policy memos through an API, an external actor sits silently in the editorial chain.

The proper name for this is Shadow AI. Not the consumer-grade misuse problem that security vendors have rebranded under that label, where employees paste secrets into a chatbot. The deeper problem: the institution itself, through formal procurement and signed contracts, has made an external counterparty's reasoning engine a single point of failure for its own decisions. Every product roadmap, every vendor pricing decision, every model deprecation, every geopolitical shift that triggers a sanctions update, becomes a direct operational risk to the institution.

The model is the product. The product is your reasoning. Your reasoning is your institution. Treat the chain seriously, or do not treat it at all.

The remainder of this paper is written for leaders who have decided to treat it seriously. It provides a vocabulary, a diagnostic, and a migration pattern. It does not promise that the work will be easy, or that the cure will be painless. It promises only that the disease has a name, a structure, and a treatment.


Part 2: The Diagnostic Framework

I propose three tiers. They are deliberately strict. Most internal frameworks fail because they grade on a curve, allowing vendors and integrators to claim "control" through paperwork. I grade on the actual locus of authority: who can change the system without your consent, and who can revoke your access to it.

Tier 1: Genuine Control

Genuine Control exists when the institution holds unilateral technical and legal authority over the three irreducible inputs of an AI system: the hardware running inference, the data feeding training and retrieval, and the model weights themselves. The institution can modify the model, run it offline, change its alignment posture, retrain it on internal corpora, and continue using it indefinitely without the consent or continued cooperation of any third party.

This is rare. Genuine Control over a frontier-scale model is currently held by a handful of well-capitalized labs, a few sovereign actors, and almost no one else. At smaller scales, it is achievable: a fine-tuned open-weight model running on owned GPUs, trained on internally curated data, deployed behind the institution's own perimeter. Resilience here is structural. The system survives a vendor bankruptcy, a regulatory ban on a foreign provider, a unilateral price hike, or a policy change in San Francisco.

Genuine Control is the only tier under which the institution's reasoning cannot be revoked.

Tier 2: Conditional Control

Conditional Control exists when the institution operates a model on its own infrastructure but does so under terms set, monitored, and revocable by an external licensor. The hardware is yours. The weights sit on disks you own. The reasoning is still not yours.

The Meta Llama 3.3 Community License illustrates this tier with surgical clarity. Section 1.a frames the grant as a non-exclusive, worldwide, royalty-free, non-transferable license. Section 1.b then conditions that grant on a stack of obligations: licensees must display the Built with Llama attribution, prepend Llama to derivative model names, and adhere to an Acceptable Use Policy that Section 1.b.iv incorporates by reference and reserves Meta's right to revise. Section 2 caps the open grant at 700 million monthly active users; above that threshold, continued use requires a fresh license that Meta may grant or withhold at its sole discretion. Section 6 is unambiguous: any breach permits Meta to terminate the Agreement, and termination obliges the licensee to delete the materials. Section 5.c voids the license automatically on any patent litigation against Meta.

This is not open source in any meaningful sense. Widder, Whittaker, and West catalog the broader pattern in Open (For Business): corporate openness rhetoric is deployed to consolidate market power, while the licensor retains the right to redefine acceptable use, set commercial thresholds, and revoke the grant at discretion. Even the most maximally open weights produce, in their phrase, "barnacles on the hull of Big Tech", not a substitute for it. The compute layer remains rented from hyperscalers. The development frameworks remain governed by Meta and Google. The weights themselves arrive with a kill switch.

Conditional Control is operationally useful. It is strategically fragile. An open-weight model under a corporate community license is a hostage to its licensor's continued goodwill.

Tier 3: Dependent Control

Dependent Control is the dominant condition in industry today. The institution holds nothing. It accesses reasoning over an API, governed by a Master Services Agreement that the counterparty drafts and updates.

The OpenAI Services Agreement encodes Dependent Control with admirable clarity, and the contract deserves to be read literally. Section 2.3 reserves OpenAI's right to update the Services unilaterally; if an update materially reduces functionality, the customer's sole remedy is termination on thirty days' notice. Section 3.3(e) forbids the customer from using Output to develop competing AI models, foreclosing the most obvious migration path. Section 8.2 permits suspension on any breach of the Agreement or the separately maintained OpenAI Policies, and Section 16.13 reserves OpenAI's right to update those Policies unilaterally, with thirty days' notice for material changes and lighter notice for everything else. Section 11.2 grants either party a thirty-day cure period before termination. The operational reality is asymmetric: OpenAI controls the inference. The customer controls a billing relationship.

Disputes are routed to mandatory arbitration in San Francisco under California law, with class actions barred. The customer's total liability is uncapped for confidentiality breaches. OpenAI's total liability is capped at fees paid in the prior twelve months. None of this is unusual for a SaaS contract. All of it is catastrophic when the service in question is the institution's reasoning engine.

Every Dependent capability is a future revocation event waiting to be triggered. The only question is what triggers it.


Part 3: The Diagnostic Matrix

The three tiers become useful when applied to the physical layers of the modern AI stack. The reference architecture published by Andreessen Horowitz identifies the components most institutions actually deploy: data pipelines, embedding models, vector databases, orchestration frameworks (LangChain, LlamaIndex), proprietary and open LLM APIs, cloud providers, and operational tooling. Each layer has its own locus of control. An institution's true exposure is the weakest tier across all four critical axes.

I collapse the stack into four axes for diagnostic purposes: Compute, Models, Data, and Tooling. The matrix below shows the typical pattern observed across regulated industries today.

| Layer | Genuine | Conditional | Dependent | Typical Position |
| --- | --- | --- | --- | --- |
| Compute | Owned GPU clusters, sovereign DCs | Reserved capacity on hyperscaler with sovereign region | Spot inference billed per token | Dependent (rented from AWS, Azure, GCP, CoreWeave) |
| Models | Trained from scratch, weights owned | Open-weight under Llama-style community license | Hosted API from frontier labs (OpenAI, Anthropic, Google) | Dependent or Conditional |
| Data | Internal corpora, governed pipelines | Mixed internal plus licensed third-party | Sent to vendor for processing under DPA | Genuine to Conditional |
| Tooling | Self-built orchestration | LangChain, LlamaIndex on owned infra | Vendor-hosted orchestrator and vector DB | Conditional to Dependent |

Read the matrix carefully. An institution can hold Genuine Control over its data, in the narrow sense that the data was generated internally and stored in its own systems, while still operating under Dependent Control over its reasoning, because every prompt routes that data through an external API. The data sovereignty narrative collapses the moment the prompt leaves the perimeter. The vendor's logs, retention policies, and incident response procedures now define the actual data governance posture. Whatever the contract says, the operational reality is that the institution's most sensitive material is being shaped into prompts and shipped to a counterparty's GPUs, where it is processed by weights the institution cannot inspect.

The compute axis is where the un-governable upstream dependencies become visible. Even nominally open AI projects, as Widder et al. document, run on rented infrastructure provided by the same handful of hyperscalers that train the proprietary frontier models. A fine-tuned Llama instance hosted on AWS does not escape Dependent Control on compute. It merely splits the dependency across two counterparties instead of one.

The tooling axis is the most underestimated. Orchestration frameworks define how prompts are constructed, how retrieval works, and how outputs are validated. When LangChain or a hosted orchestrator sits between the institution and its model, the framework becomes a second locus of revocation. A breaking change in version 0.x.y, a license shift, a deprecation of a chain, ripples through every workflow built on top.

The diagnostic exercise for any board is straightforward. For each critical decision workflow (underwriting, claims adjudication, regulatory drafting, citizen-facing services), trace the call graph and assign a tier to every layer it touches. The lowest tier across the chain is the institution's actual control posture. The institution cannot rise above its weakest dependency.


Part 4: The AI Strangler Fig Migration

The diagnosis names the disease. The cure is structural and gradual. It is not procurement reform, not vendor diversification, not a "responsible AI" policy circulated by the General Counsel. The cure is migration, and the pattern is well known to anyone who has rebuilt a legacy mainframe.

Martin Fowler's Strangler Fig pattern was named after the rainforest vine that germinates in the canopy of a host tree, draws nutrients downward, sends roots to the ground, and over years replaces the host entirely. Fowler observed software teams doing the same thing to legacy systems: building new capabilities alongside the old, gradually moving behavior across, and strangling the legacy system one component at a time. The core insight is that wholesale replacement almost always fails, while gradual displacement almost always succeeds, because gradual displacement allows the institution to learn, validate, and capture value at every step.

Applied to AI, the pattern resolves into a three-stage migration I will name Intercept, Migrate, Strangle. It assumes the institution begins in the dominant industry posture: workflows wired directly to a Dependent API, with no internal locus of authority over the reasoning.

Stage 1: Intercept

Every model call inside the institution must first pass through an internal gateway. Not a security proxy. Not an API key vault. A full routing layer that owns the prompt, owns the response, logs the full trace, and decides which backend executes the inference.

This is the seam in Fowler's vocabulary, the architectural insertion point that makes everything downstream possible. Until the seam exists, the institution has no leverage. With the seam in place, every workflow becomes a routing decision rather than a hard-coded vendor relationship. The orchestration frameworks identified in the a16z reference (LangChain, LlamaIndex, internal Python wrappers) collapse into a single internal abstraction. Logging, validation, caching, and prompt observability now belong to the institution rather than to a vendor's dashboard.

The Intercept stage is the largest single piece of engineering work in the migration, and it is the only piece that is non-negotiable. An institution that cannot intercept its own model calls cannot govern its reasoning. No further stage is possible without it.

Stage 2: Migrate

With the gateway in place, the institution begins moving workflows across. The order matters and follows a clear logic: start with the workflows that are simplest, lowest-risk, and most repetitive. Classification tasks. Embedding generation. Routine summarization. Internal-only queries with no regulatory exposure.

Each migrated workflow gets routed by the gateway to a locally controlled model. In the early phase, this often means a fine-tuned open-weight model running on owned GPUs or on a sovereign cloud region with bare-metal contracts. The institution accepts that the local model is, at first, less capable than the frontier API. It accepts this because capability without control is the disease, not the cure. A workflow that runs on a slightly worse model under Genuine Control is structurally healthier than the same workflow running on a slightly better model under Dependent Control.

This is the capability tax of sovereignty, and it is real. The frontier API will, for some workflows, be measurably better than anything an institution can run on owned hardware: faster reasoning across longer contexts, better calibration on edge cases, lower cost per token at inference scale. The gap is not a marketing illusion. It is a function of capital concentration, and it will persist for as long as a handful of labs control the inputs Widder, Whittaker, and West catalog: compute, data, and the labor of frontier-scale alignment. The institution paying the capability tax is paying a premium for resilience, in the same way it pays for fire suppression in a server room it has never seen burn. Whether the premium is worth it depends on which workflows are genuinely load-bearing on the institution's reasoning, and which are convenience features that can tolerate degradation. The honest answer for most regulated decisions is that the convenience features can run on the API, and the load-bearing decisions cannot.

Migration is iterative. Each successful migration retires a slice of dependency, captures operational telemetry the institution previously could not see, and feeds back into the next migration. Capability gaps become visible and addressable: where the local model fails, the institution can fine-tune, augment retrieval, or invest in better base weights. This is sovereign capital allocation in its most practical form. Every dollar spent on local capability is a dollar that buys durable institutional resilience, rather than rented access to a counterparty's roadmap.

The gateway also enables a pattern Fowler called transitional architecture: workflows that are temporarily routed to both backends, with outputs compared, until confidence is established. The transitional layer is overhead. It is also the only honest way to validate that the migration has not silently degraded outcomes.

Stage 3: Strangle

When a sufficient share of the institution's reasoning runs locally, the dependent API can be deprecated. The gateway flips the routing. The vendor relationship is wound down to a vestigial channel for genuinely frontier-scale tasks, or terminated outright. The thirty-day cure period in the OpenAI Services Agreement, the discretionary grant in the Llama license, the unilateral update rights in both, become operationally irrelevant. The institution has acquired the right to walk away.

The Strangle stage is the moment delegated reasoning is reabsorbed into the institution. It is also the moment the institution discovers that the migration has produced a second, less obvious benefit: the gateway, the local models, the retrieval infrastructure, and the operational telemetry now constitute a real internal AI capability. The institution is no longer a customer of someone else's intelligence. It is an operator of its own.

This is the only durable end state. Every interim state is a hostage situation dressed in a procurement contract.


Closing Note

The argument of this paper is narrow, deliberate, and uncomfortable. Institutional resilience in the age of AI is a function of locus of control, and most institutions today hold none. The vocabulary of cloud governance, vendor management, and responsible AI ethics, however well-intentioned, does not name the problem. The problem has a name. The problem has a structure. The problem has a treatment.

The treatment is gradual, expensive, and unglamorous. It will not be sold by the firms that benefit from the current architecture. It will not be recommended by the consultancies that resell their licenses. It must be undertaken by the institution itself, with clear-eyed acceptance that the question is not whether to migrate, but how soon, and at what cost. The cost compounds with every workflow that becomes load-bearing on a Dependent API.

The Strangler Fig grows slowly. The host tree, eventually, is only an echo of its shape. The institution that begins now will, in five years, hold the substrate of its own reasoning. The institution that does not begin will, in five years, discover that the substrate of its reasoning was never its own to begin with.


I am an independent researcher and builder working on sovereign federated infrastructure and local-first AI networks. I write about the political economy of these systems and the architecture of long-term institutional resilience at The Civic Architect. If you are working on institutional governance, federated infrastructure, or local orchestration tooling, I'd love to connect in the comments or via DM.
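
An added sketch of the gateway described in Part 4, covering the Intercept seam, the dual-routed comparison from the Migrate stage, and the routing flip from the Strangle stage; it is not code from the original post. The two backend functions, the `claims_triage` workflow name, the thresholds, and the sample claims are constructed for illustration, and no network calls are made.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the two backends; no network calls are made.
def vendor_api(prompt: str) -> str:
    return "DENY" if "exclusion" in prompt else "APPROVE"

def local_model(prompt: str) -> str:
    return "DENY" if ("exclusion" in prompt or "lapsed" in prompt) else "APPROVE"

@dataclass
class Route:
    primary: str                   # backend whose answer the caller receives
    shadow: Optional[str] = None   # backend run for comparison only

@dataclass
class Gateway:
    backends: Dict[str, Callable[[str], str]]
    routes: Dict[str, Route]
    trace: List[dict] = field(default_factory=list)  # holds raw prompts: keep inside the perimeter

    def call(self, workflow: str, prompt: str) -> str:
        route = self.routes[workflow]  # KeyError for unregistered workflows: nothing bypasses the seam
        answer = self.backends[route.primary](prompt)
        record = {"workflow": workflow, "backend": route.primary,
                  "prompt": prompt, "answer": answer}
        if route.shadow is not None:
            shadow_answer = self.backends[route.shadow](prompt)
            record.update(shadow=route.shadow, shadow_answer=shadow_answer,
                          agree=(shadow_answer == answer))
        self.trace.append(record)
        return answer

    def parity(self, workflow: str) -> tuple:
        """Return (samples compared, fraction where shadow matched primary)."""
        compared = [r["agree"] for r in self.trace
                    if r["workflow"] == workflow and "agree" in r]
        return len(compared), (sum(compared) / len(compared) if compared else 0.0)

    def strangle(self, workflow: str, min_samples: int, min_agreement: float) -> bool:
        """Promote the shadow backend to primary only if the trace shows parity."""
        route = self.routes[workflow]
        samples, rate = self.parity(workflow)
        if route.shadow is None or samples < min_samples or rate < min_agreement:
            return False
        self.routes[workflow] = Route(primary=route.shadow)
        return True

SAMPLE_CLAIMS = [  # constructed inputs
    "claim 1: water damage, policy active",
    "claim 2: flood exclusion applies",
    "claim 3: policy lapsed in March",
    "claim 4: theft, policy active",
]

def demo() -> Gateway:
    gw = Gateway(backends={"vendor": vendor_api, "local": local_model},
                 routes={"claims_triage": Route(primary="vendor", shadow="local")})
    for claim in SAMPLE_CLAIMS:
        gw.call("claims_triage", claim)
    return gw

if __name__ == "__main__":
    gw = demo()
    print(gw.parity("claims_triage"))
    print(gw.strangle("claims_triage", min_samples=4, min_agreement=0.9))
```

A disagreement in the trace only shows that the two backends differ on that input; which answer is correct still has to be judged by the workflow's owner before the threshold is lowered or the local model is retrained.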
