Canadian AI Sovereignty Series, with thanks to Laszlo Lakatos-Hayward

Responding to coverage of Canada’s AI for All strategy on LinkedIn, engineer and board advisor Laszlo Lakatos-Hayward raised a procurement question hiding inside a regulatory one. If Canada adopts substantial sections of the EU AI Act, including requirements around the reproducibility of decision-making, what happens to neural-network-based models in sovereign and government services? He followed it up with: Since Canada’s strategy selected a hybrid AI stack that includes EU entities, an equivalent to the EU AI Act in Canada is a matter of when and how, a journey the federal government will fairly certainly undertake.

The question points at a structural shift this series has been circling for fifteen papers. AI sovereignty has outgrown the question of where a model is hosted and who owns the company. The operative question is whether government-used AI can satisfy multiple sovereignty tests simultaneously. Canada now has to answer three at once: domestic legitimacy, EU-grade governability, and geopolitical substitutability.
Can the model be governed under Canadian public-sector expectations? Can it meet EU-style documentation, transparency, and high-risk system obligations? Can it serve as a credible alternative for states and regulated industries that have ruled out dependence on both the United States and China?

The triangle is already operating, through procurement and vendor cost structures years ahead of any Canadian statute, and Canada’s choice is to legislate the standard or inherit it.

The Domestic Leg: AI for All Builds a Procurement Pathway

Canada’s AI for All strategy, launched June 4, 2026, is explicitly an adoption and industrial-policy document. It targets $200 billion in additional economic growth and 250,000 AI-related jobs over five years, and aims to lift business AI adoption from roughly 12 percent to 60 percent by 2034. Its sovereignty pillar commits to 850 megawatts of sovereign compute capacity by 2030, $700 million in affordable sovereign compute for small and medium enterprises, a Trusted AI Certification program, and an expanded Canadian AI Safety Institute. Its alliance pillar counts twenty new economic and defence partnerships, eleven of them covering AI, including the Canada-Germany Sovereign Technology Alliance signed in February 2026.

Read as industrial policy, the design is procurement-backed. Government acts as anchor customer for domestic AI scale-ups while sovereign compute programs lower the cost of building on Canadian infrastructure. Canada’s sovereign AI strategy does not need to name Cohere for Cohere to become structurally central to it.

What the strategy conspicuously avoids is a risk-tier legislative architecture. The Artificial Intelligence and Data Act died with Bill C-27. AI for All promises modernized privacy law, transparency legislation, and deepfake protections, with the precise measures unspecified. The legislative layer of Canadian AI governance remains the thinnest part of the structure, which makes the other two legs of the triangle decisive.

The Carrier: Why Cohere Fits the Slot

Cohere’s positioning has always been institutional rather than consumer-facing: enterprise-grade models, regulated-sector deployment, private and secure implementation, sovereign-control messaging. The company signed a memorandum of understanding with Ottawa in August 2025 to explore AI deployment across government operations, signed a parallel MOU with the United Kingdom, partnered with Bell Canada to deliver its services through Canadian data centres, and integrated its North platform into SAP’s sovereign cloud environments.

The April 24, 2026 acquisition of Aleph Alpha converted that positioning into structure. The combined company, valued at a reported $20 billion, keeps the Cohere name, Canadian headquarters, majority Canadian control, and Canadian-held intellectual property, while gaining a German headquarters, the German government as an expected anchor customer, and Schwarz Group as lead investor in a $600 million Series E. The merged entity will deploy a sovereign offering on STACKIT, the cloud platform run by Schwarz Digits. Both governments endorsed the transaction. Canada’s AI minister called it a big moment for Canadian AI; the European Commission’s EuroStack initiative blessed it at the vice-presidential level.

Cohere trails the frontier labs on raw capability and name recognition, and its reported annual recurring revenue of roughly $240 million in 2025 is an order of magnitude below the leaders. The policy relevance lies elsewhere. Institutional fit, regulatory credibility, and now a transatlantic governance footprint make it the best-positioned sovereignty company in the Western alternative market, whatever its benchmark standing.

The Regulatory Leg: Brussels Rules on a Revised Clock

The EU AI Act supplies the compliance reference point, and any Canadian harmonization argument now has to absorb a major timing revision. On May 7, 2026, EU negotiators reached provisional agreement on the Digital Omnibus on AI, deferring high-risk obligations for standalone Annex III systems from August 2, 2026 to December 2, 2027, and for AI embedded in regulated products to August 2028. Watermarking obligations slip to December 2026. General-purpose AI obligations under Articles 51 through 55, in force since August 2025, are untouched. The stated rationale is operational: the technical standards from CEN-CENELEC that would give the high-risk requirements concrete meaning are unfinished.

Two consequences matter for Canada. First, adoption-by-reference now means importing a standard the EU itself has not yet operationalized. A Canadian government that copied Annex III obligations tomorrow would be enforcing requirements whose measurement instruments do not exist. Second, critics note that because the Act is non-retroactive, systems deployed before the deadlines may sit permanently outside its oversight, which means the deferral window is also a deployment window. Whatever is installed in European and Canadian governments between now and December 2027 will shape what the rules end up tolerating.

The Act’s architecture remains intact: risk classification, banned practices, transparency duties, documentation, human oversight, and special obligations for systems that decide hiring, benefits, essential services, and access to justice. The Commission’s own framing of the problem is that people often cannot determine why an AI system produced a given decision. That concern travels well beyond Europe, and it lands precisely on the systems governments most want to automate.

Procurement Does the Work of Law

Canada does not need to copy the EU AI Act for EU rules to shape Canadian government AI. The vendor channel does it first. Cohere’s German government relationships, its STACKIT commitment, and its EU enterprise base mean the company must build North to EU AI Act standards as a commercial necessity. Compliance engineering of that kind is expensive to fork: audit logging, documentation pipelines, oversight tooling, and versioning controls get built once and shipped everywhere. Whatever Cohere builds for Heilbronn, it ships to Ottawa. Call this the procurement Brussels effect: EU obligations arriving inside Canadian deployments through a domestically headquartered vendor’s cost structure, years ahead of Canadian legislation, with no Canadian fingerprints on the standard.

Legal analysis of AI for All points the same direction from the domestic side. Public-sector deployment and procurement are likely to generate governance requirements before formal legislative mandates arrive. In AI sovereignty, procurement can become regulation by other means.

The distributional effects are uneven and worth stating plainly. For Cohere, EU-aligned compliance converts from cost into commercial moat. For US hyperscaler offerings, every requirement around data residency, audit access, and jurisdictional control adds friction, compounding the CLOUD Act exposure this series documented earlier: the test is US incorporation or US parent operational access, and server location does not cure it. For Canadian public servants, model selection becomes a governance choice wearing the costume of a technology choice.

The Live Experiment: North Inside ISED

This is no longer hypothetical. In April 2026, Innovation, Science and Economic Development Canada began deploying North to as many as 1,400 public servants for search, summarization, drafting, decision support, and task automation. The minister’s office described it as a real-world, at-scale deployment of Canadian AI inside the federal government. Cohere’s public-sector lead called it the company’s first major expansion of secure AI infrastructure into civilian government operations.

Decision support is the phrase to watch, because Canada already has rules for it. The Treasury Board Directive on Automated Decision-Making has governed federal automated decision systems since 2019, requiring algorithmic impact assessments, tiered safeguards, transparency notices, and human intervention provisions scaled to impact level. The Directive is the closest thing Canada has to an Annex III analogue, and it is a procurement-layer instrument with no statute behind it. The ISED deployment is therefore a live test of the series’ procurement-strategy-policy gap: a country with no AI law, running EU-grade questions through a Treasury Board directive, on a platform whose compliance architecture is being built for German government customers.

The open questions are answerable and should be answered. Which impact assessment tier, if any, was applied to the North deployment? What logging, audit, and reversibility requirements attach to its decision-support functions? Is the output of an agentic workspace advisory or determinative in the workflows where it operates? The answers will reveal whether Canada’s existing governance instruments reach the systems actually being installed, or whether deployment is outrunning the Directive the way agreements expire faster than collective-bargaining protections are negotiated.

The Third Stack Market

The geopolitical leg completes the triangle. American models will keep winning wherever performance dominates and politics permits. For public administration, defence-adjacent systems, health, finance, benefits, immigration, justice, and identity infrastructure, dependence on either US or Chinese stacks raises sovereignty objections that benchmarks cannot answer. That creates a third-stack market: democratic, enterprise-grade, auditable, sovereign-capable AI for buyers who need an alternative.

The shortlist for that market currently has two names. Mistral is the European candidate: a January 2026 framework agreement with France’s Ministry of the Armed Forces running entirely on French infrastructure under AMIAD oversight, a May 2026 partnership bringing sovereign AI tooling into EDF’s nuclear operations, an $830 million debt raise to build its own compute near Paris, and an AI for Citizens initiative aimed at public institutions. Cohere is the Canadian candidate, now with a German government anchor and EuroStack endorsement. The two differ in posture, with Mistral’s open-weight lineage against Cohere’s enterprise deployment depth, and they will increasingly meet in the same tenders.

The sovereign AI market is not a race to replace the American labs everywhere. It is a race to become acceptable where the American and Chinese options are politically, legally, or institutionally difficult to use. Acceptability is a compliance property, which is why the EU AI Act’s real jurisdiction in 2026 runs through two companies’ compliance budgets more than through any adequacy mechanism.

One Layer Down: What the Ecosystem Inherits

For startups selling into government and regulated sectors, the compliance inheritance functions as subsidized infrastructure. Annex III-grade logging, documentation, and oversight tooling arrive as platform features rather than engineering projects, and tender eligibility improves wherever hyperscaler stacks accumulate CLOUD Act exposure. The $700 million SME sovereign compute fund and the Trusted AI Certification program push the same direction. Ottawa is, in effect, paying startups to make the sovereign choice.

The EU AI Act assigns deployers their own obligations, and a startup that fine-tunes or substantially modifies a model for a high-risk use case can become a provider in its own right; the December 2027 deferral is runway rather than exemption. And strictest-common-denominator engineering carries a price that flows through platform fees to every customer, including consumer-facing startups whose buyers need none of it and whose competitors build on cheaper, more capable US APIs.

The deeper exposure is concentration. A startup tier betting its roadmap on a single vendor is betting on a vendor whose own roadmap now answers to two governments and a German retail conglomerate’s cloud division. If commercial pressure ever pushes Cohere toward a forked product line, an EU-compliant build and a lighter one, the startup tier is the layer most likely to receive the lighter build. Sovereignty for the state can mean dependency for the ecosystem underneath it. The dependency trap this series has mapped at the national layer operates recursively, one layer down.

Reproducible Governance Sets the Bar

Taken literally, a reproducibility-of-decision requirement is unachievable for current transformer architectures at the level of the individual output. Sampling variance, model updates, retrieval nondeterminism, and the basic opacity of learned representations mean that bitwise reproduction of a given decision is the wrong test, and any rule written that way will either be written down in practice or hollowed by carve-outs. This is also where the predictability framing matters: under Evans’ Law, the longer a model reasons, the greater the likelihood a response will be incorrect, until incorrectness becomes more likely than correctness. Extended-reasoning systems in consequential government workflows make the predictability of coherence collapse a procurement specification, and a reproducibility mandate is, in cost terms, a verification mandate whose asymmetry lands on the deploying institution.

Consequential systems can, however, meet a standard of reproducible governance, and this is the standard the EU framework is converging toward and the one Canada should write. A government deploying AI in a decision pathway must be able to reconstruct enough of that pathway to answer a fixed set of questions. Who supplied the model, and which version was used? What data and retrieval sources fed the output? What prompt, policy layer, or system instruction shaped it? Was the output advisory or determinative? Who reviewed it? What was logged? How does a citizen challenge the result?

None of those questions requires deterministic models. Every one of them requires governance architecture: versioning, logging, provenance, human authority, and contestability. The policy restriction that follows is precise. Neural networks remain usable in government; opaque, weakly documented, non-contestable deployment of them in consequential systems becomes very hard. That is the defensible form of the original claim, and it describes pressure on deployment architecture rather than a ban on a model class. It also describes, requirement by requirement, the product Cohere is now commercially obligated to build for its German customers.

Sovereignty Runs Deeper Than the Vendor Flag

A Canadian-headquartered model provider does not by itself create sovereign AI. Sovereignty is a property of the whole stack: compute, cloud, data governance, model weights and access terms, inference logs, procurement language, audit rights, fallback systems, human decision authority, and version control. A government can buy Canadian and still lose the loop. This series has called that the box-versus-loop distinction, and the Cohere case gives it a sharp new instance: Canada controls the box, with ownership, headquarters, and IP residency all secured in the merger terms, while the compliance loop that defines what the product can and must do runs through Brussels, Berlin, and a directive in Ottawa that predates the technology it now governs.

Sovereignty is the ability to inspect, constrain, replace, and contest the system when it matters. Everything else is a logo on the vendor contract.

The Strongest Case Against the Triangle

The first argument against says the triangle collapses back to two poles. The EU has just delayed its own high-risk regime; the United States is running a deregulatory campaign through executive order, a litigation task force aimed at state AI laws, and a March 2026 framework asking Congress for broad preemption; and capability gravity is relentless. On this view, the real choice in 2028 remains a US stack with paper safeguards or underpowered alternatives, and the middle-power regime is a press-release layer sitting on US-designed silicon and EU regulation it did not write. Middle powers consume the triangle; they do not constitute a pole of it.

The second says vendor-transmitted compliance is fragile. The procurement Brussels effect assumes a single product line, and nothing technically forces one. If EU requirements prove commercially heavy, Cohere can fork, and the Canadian build gets lighter.

Both objections have force, and both run into the same structural facts. The February declaration, the EuroStack endorsement, the German anchor-customer relationship, and a valuation premium built entirely on the sovereignty story make forking politically expensive in a way ordinary product decisions are not. Meanwhile the ISED deployment and the Treasury Board Directive create a Canadian compliance floor already converging on EU documentation norms from below. The triangle holds because all three poles now sit inside one vendor’s board calculus, and because the deferral that weakened the EU’s tempo did nothing to its architecture, which is the part that travels.

What Follows

For Canada, the choice this paper opened with is now concrete. AI for All’s unspecified legislation is the window. If it closes without a risk architecture, the standard governing Canadian government AI will be assembled from Cohere’s product roadmap, the Treasury Board Directive’s quiet expansion, and CEN-CENELEC working groups in which Canada holds observer status at best. Legislate the standard or inherit it.

For the series, triangulated sovereignty extends the four-trigger dependency model with a fifth observation: dependency can be regulatory as well as infrastructural, and regulatory dependency is harder to see because it ships inside a domestically headquartered vendor.

For everyone watching the AI Act’s deferral and concluding the compliance era has slipped, the conclusion runs backwards. The deferral window is a deployment window, and what gets installed in governments before December 2027 will set the de facto standard the formal rules eventually ratify. The next phase of AI sovereignty will belong to the jurisdiction that makes adoption, auditability, and autonomy reinforce each other. Canada has the vendor, the deployment, and the directive. The statute is the missing leg, and the clock is running in Heilbronn and Ottawa at the same time.

Jen Evans is Principal of Pattern Pulse AI and co-founder of Tech Reset Canada.