Published March 2026 — Sovaign team
Early 2025
We were not a team with a grand plan. We were people who used AI every day for serious work — research, documentation, compliance, strategy — and kept running into the same wall. The AI was genuinely impressive. But the moment the conversation ended, everything it had helped us build disappeared. The next session started from nothing (or from some cloud doc folder or AI agent folder). The intelligence was real. The memory was not.
That gap is where Sovaign was born.
In September 2025, we provisioned a server in Nuremberg and started building.
The problem nobody was quite solving
By late 2025, every major AI lab had made enormous progress on capability. GPT-5 could reason through complex documents. Claude 3.7's Extended Thinking showed a model working through hard problems step by step. Gemini 1.5 Pro offered a million-token context window — theoretically enough to hold an entire compliance framework in a single conversation.
But capability is not the same as memory. And memory is not the same as structured knowledge.
ChatGPT and Claude remembered facts you told them, in their own cloud. Useful for personal notes. Not useful for sensitive organisational compliance data that may be difficult or inadvisable to place in third-party cloud systems because of GDPR transfer restrictions, sovereignty concerns, sectoral obligations, and internal governance requirements. In June 2025, Microsoft's legal director admitted to the French Senate that no contract can override the US CLOUD Act. For European organisations, this was not a theoretical risk. It was an immediate blocker.
Google NotebookLM validated the idea that documents could become an AI knowledge base — but it stored flat files, not relationships. Ask it "which controls satisfy ISO 27001 obligation 6.1.2, and what evidence is still missing?" and it gives you a prose answer with nothing persistent behind it. NotebookLM persists notebooks, notes, and chat history, but not as a first-class relationship graph.
The second-brain tools — Obsidian, Notion, Mem.ai — had built large communities around personal knowledge management. But they organised content, not compliance structure. They stored what you wrote, not the reasoning chains that make compliance work auditable and defensible. Limitless, formerly Rewind, was acquired by Meta in December 2025, and the Rewind Mac app's capture functionality was discontinued later that month.
Everywhere we looked, the tools were either too powerful to trust with sensitive data, too general to understand compliance structure, or too amnesiac to build on.
What we decided to build
Sovaign's founding creed, written in late 2025, still fits on four lines:
Your graph. Your AI routing. Your evidence. Your rules.
That is not marketing copy. It is a description of an architecture.
Your graph means a knowledge graph — Neo4j — that holds your compliance framework as structured relationships, not as documents or notes. Obligations connect to controls. Controls connect to evidence. Evidence connects to inventory items. Gaps are tracked as first-class data. The graph persists across every conversation, every AI model, every session, and every personnel change.
Your AI routing means a gateway that normalises calls to OpenAI, Anthropic, Google, and local models running on your own hardware via Ollama. Every call is logged. Costs are tracked. When an AI response matters — when it should become a draft policy or a piece of compliance evidence — you can promote it into the graph permanently. Most AI traffic stays as traffic. Consequential outputs become knowledge.
Your evidence means the system tracks not just what your controls say, but what proves they work. Every evidence requirement is an explicit, queryable object in the graph with a status, a priority, a due date, and a link to the inventory item or document that satisfies it.
Your rules means the whole thing runs on your server, under your control, with your data never leaving your infrastructure. Not because cloud AI is bad, but because compliance data is sensitive and sovereignty is not optional for organisations that take governance seriously.
The second brain for compliance
There is a phrase that has gained traction in knowledge management circles: the "second brain." The idea is that an AI-augmented system should extend your memory and reasoning capacity the way a physical notebook once did — holding what you cannot hold in your head, making connections you would not make alone, and surfacing what matters when it matters.
Sovaign is a compliance second brain. But it differs from the personal knowledge management tools that phrase usually evokes in one structural way: it stores relationships, not just content.
Ask Obsidian or Notion "which controls lack verified evidence as of today?" and they search your notes for relevant text. Ask Sovaign the same question and it runs a precise graph query, returning structured results in milliseconds — because the compliance structure was designed to make that question directly answerable.
The knowledge graph is not a better search engine over documents. It is a model of how your compliance programme actually works: what you claim, what proves it, what is missing, and why. That is what makes it a second brain rather than a second filing cabinet.
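The "which controls lack verified evidence as of today?" question written as a graph query, as an added example rather than Sovaign's own code. The labels, relationship types, property names and sample data are assumptions built from the obligation, control, evidence and inventory structure described in this post. A control with no evidence requirement at all is reported as a gap instead of passing silently.

```cypher
// Constructed sample data. Labels, relationship types and property names
// are assumptions for illustration, not Sovaign's schema.
CREATE (o:Obligation {ref: 'ISO 27001 6.1.2'})
CREATE (c1:Control {id: 'CTL-01', name: 'Risk assessment procedure'})
CREATE (c2:Control {id: 'CTL-02', name: 'Risk register review'})
CREATE (c3:Control {id: 'CTL-03', name: 'Risk acceptance sign-off'})
CREATE (c1)-[:SATISFIES]->(o), (c2)-[:SATISFIES]->(o), (c3)-[:SATISFIES]->(o)
CREATE (r1:EvidenceRequirement {id: 'EVR-01', status: 'verified',
                                priority: 'high', due: date('2026-01-31')})
CREATE (r2:EvidenceRequirement {id: 'EVR-02', status: 'missing',
                                priority: 'high', due: date('2026-02-28')})
CREATE (c1)-[:REQUIRES]->(r1), (c2)-[:REQUIRES]->(r2)
CREATE (i:InventoryItem {id: 'DOC-17', name: 'Risk assessment report'})
CREATE (r1)-[:SATISFIED_BY]->(i);

// Controls that lack verified evidence, grouped under the obligation they serve.
MATCH (o:Obligation)<-[:SATISFIES]-(c:Control)
// OPTIONAL MATCH keeps controls that have no evidence requirement at all;
// collect() then yields an empty list for them.
OPTIONAL MATCH (c)-[:REQUIRES]->(r:EvidenceRequirement)
WITH o, c, collect(r) AS reqs
WITH o, c, reqs, [x IN reqs WHERE x.status <> 'verified'] AS pending
WHERE size(reqs) = 0 OR size(pending) > 0
RETURN o.ref AS obligation,
       c.id  AS control,
       CASE WHEN size(reqs) = 0
            THEN 'no evidence requirement defined'
            ELSE 'unverified evidence'
       END AS gap,
       [x IN pending | x.id] AS pending_requirements,
       // Requirements whose due date has already passed as of today.
       size([x IN pending WHERE x.due < date()]) AS overdue
ORDER BY overdue DESC, control;
```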
Six months of building
We started in September 2025 with ChatGPT and Google Gemini outputs being copy-pasted into a fresh server. We were figuring it out manually before the tooling existed to do it any other way.
In late 2025 we shifted to VS Code with Claude Code integration — Anthropic's agentic CLI tool that had launched in February 2025 and grown into a professional-grade system by the time we adopted it. That shift changed everything. Instead of prompting and copy-pasting, we could delegate multi-step work to an AI subprocess and review the results. The development pace accelerated.
By November 2025, the core stack was running: a knowledge graph service, an AI gateway, an MCP server, Node-RED for automation, and a Streamlit dashboard. By February 2026, we had migrated to a hub-and-spoke compliance reasoning architecture — the design decision that turned the graph from a storage system into a reasoning system. By March 2026, the stack had grown to thirteen containerised services, an autonomous task orchestration system, a React-based primary interface, and a zero-to-compliance onboarding wizard.
The number that matters most to us is not a line count or a service count. It is this: a compliance team can go from a ZIP file of documents to a populated, gap-analysed compliance graph in under thirty minutes and one overnight wait, without writing a single line of code.
What makes Sovaign different from GRC platforms
Governance, Risk, and Compliance (GRC) platforms accelerated rapidly in 2025. Tools like Vanta, Drata, and Scytale offered hundreds of cloud integrations, automated evidence collection from infrastructure APIs, and dashboards that show certification progress. They are genuinely useful, particularly for technology companies whose compliance posture lives largely in cloud infrastructure.
Sovaign is architecturally different in three ways.
It is a graph, not a checklist. Mainstream GRC platforms model compliance as a set of controls that need evidence attached. Sovaign models compliance as a network of obligations, reasoning chains, inventory items, evidence requirements, and gaps — each with a provenance, a status, and a history. You can ask questions about the structure, not just tick boxes on it.
It is self-hosted, not SaaS. Your compliance data does not leave your infrastructure. This is not a premium feature; it is the base architecture. For organisations under GDPR, ISO 27001, or the EU AI Act — particularly European enterprises conscious of US CLOUD Act exposure — this is the feature that makes Sovaign possible to use at all.
It uses local AI, not cloud-only AI. Sovaign's ingestion pipeline and enrichment engine run on Ollama models on your own hardware. The graph stores what the AI produces. When you ask compliance questions, the AI reasons over structured, persistent knowledge — not over raw documents re-ingested in every session.
Where we are now
As of March 2026, Sovaign has:
- A compliance knowledge graph (Neo4j) with hub-and-spoke reasoning architecture
- An AI gateway routing across OpenAI, Anthropic, Google, and local Ollama models
- A file ingestion pipeline with content-hash deduplication and two-phase AI processing
- An MCP server exposing 32 tools over SSE transport (on localhost, but protocol-portable by design)
- Autonomous task orchestration (SATO) for background compliance work
- A policy generator producing draft-ready documents from obligations or your organisation's context
- A zero-to-compliance ISMS Wizard with three default framework presets (ISO 27001:2022, ISO 42001:2023, ISO 9001:2015), plus flexible framework import for anything else
- A React dashboard with 15 purpose-built screens for compliance roles
- A demo organisation's compliance score of 91% against ISO 27001 §9 and §7.3, demonstrated inside the system we ship
Sovaign is running a research demo on a Hetzner VPS in Nuremberg, the same server that was provisioned in September 2025 to run the first experiments.
Why it matters now
The convergence happening in 2025–2026 — powerful local AI models, the MCP standard achieving rapid adoption, European sovereignty requirements sharpening into law, and compliance automation maturing from novelty to expectation — makes the timing of this project feel less accidental than it did at the start.
The compliance function is one of the areas where AI can deliver genuine, measurable value: not just by drafting faster, but by maintaining persistent, auditable, queryable knowledge about what an organisation has committed to, what proves it, and what is missing. That is a knowledge graph problem, not a document retrieval problem. And it is a problem that benefits from being solved inside your infrastructure, under your control, with models you can choose and swap.
That is what Sovaign is for.
Sovaign is a self-hosted AI and compliance knowledge platform. If you would like to learn more, contact us.