Pourquoi SIA
Standard
Le Standard Framework Stack de référence Blueprints
Certification
Programmes Développer sa pratique Vérifier un certificat
Insights Contact
Back to Insights
Methodology April 14, 2026

Six Phases. Six Months. Full Sovereignty.

## SIA Implementation Roadmap and Timeline Ask any organization why their sovereign AI project took 18 months and you get the same answer: they kept discovering requirements they didn't know about....

TSI
The Sovereign Institute Research & Analysis
7 min read
Six Phases. Six Months. Full Sovereignty.SIA Implementation Roadmap · 8–10 weeks1ASSESSMENT2 weeksAI usage auditData classification2ARCHITECTURE2 weeksRouter-Vault-RecorderDesign sign-off3DEPLOYMENT2 weeksHardware: $50K-$200KInfrastructure live4INTEGRATION2 weeksMigrate workflowsTop 10 use cases5HARDENING1 weekSecurity testingAudit documentation6EVOLUTIONOngoingModel upgradesPerformance reviewSIA Methodology: 8–10 weeks totalTraditional bespoke deployment: 12–18 monthsThe difference: binary exit criteria per phase eliminate discovery during implementationThe Sovereign Institute — thesovereigninstitute.org

Six Phases. Six Months. Full Sovereignty.

SIA Implementation Roadmap and Timeline

Ask any organization why their sovereign AI project took 18 months and you get the same answer: they kept discovering requirements they didn't know about. Phase 3 revealed that Phase 2 decisions needed revisiting. Workflow migration in Phase 4 exposed model output differences that broke downstream processes. Hardware arrived before the architecture was finalized. Each discovery became a cycle of rework.

The SIA methodology eliminates discovery during implementation by front-loading every architectural decision into Phase 2, before hardware is ordered or infrastructure is touched. Eight weeks later, the infrastructure is running. Six months after that, the organization has passed its first EU AI Act compliance review and is on its second model upgrade cycle. The 18-month timeline isn't a technology problem — it's a methodology problem.

Why Conventional Timelines Drift

Traditional IT infrastructure projects average 12 to 36 months, a figure Gartner has tracked consistently across enterprise deployments. The mechanism is well understood: requirements emerge during implementation, each requirement triggers rework, and rework compounds across every subsequent step.

Sovereign AI projects in the 2020-2022 period inherited this pattern. Organizations without a methodology made architectural decisions they thought were settled — model selection, data classification, infrastructure topology — and discovered those decisions had downstream implications they hadn't anticipated. A model chosen in week two became a point of contention in week ten when a better option was released. An architecture scoped for current AI usage was undersized when actual usage was audited and turned out to be triple the estimate. These aren't technology failures. They're sequencing failures.

Clear phases replace architectural uncertainty. Uncertainty is expensive — not just in time, but in organizational will to finish the project. The SIA methodology compresses the timeline by making decisions time-bounded rather than open-ended. Each phase has explicit exit criteria: binary conditions that must be met before the next phase begins. Phase 2 is complete when the Router-Vault-Recorder architecture has been reviewed and signed off against the seven SIA non-negotiables — not when the team feels sufficiently confident, but when conditions are verifiably met.

Phase by Phase

Phase 1 — Discovery and Data Audit (two weeks)

Phase 1 is officially a current-state audit. In practice, it's often the first candid conversation an organization has had about its actual AI footprint.

Shadow AI tools outnumber approved tools in most organizations. Data flows that IT believes exist rarely match the flows a proper audit documents. Phase 1 exit criteria: a complete inventory of AI tools in use (including unapproved), a data sensitivity classification framework covering the organization's key data types, and documented regulatory requirements by jurisdiction. Phase 1 exits when all three conditions are documented and signed off.

Phase 2 — Architecture Design (two weeks)

Phase 2 converts Phase 1 findings into specific architectural decisions: which Router configuration, which model endpoints, which data classification rules, which Vault structure. Every decision made here follows from the Phase 1 audit, eliminating the discovery cycles that extend conventional timelines.

Exit criterion for Phase 2: the full Router-Vault-Recorder-Firewall architecture is documented against the seven SIA non-negotiables — Data Residency, Model Sovereignty, Vendor Independence, Audit Completeness, Hybrid Intelligence, Governance by Design, and LLM Agnosticism — and formally signed off. Hardware procurement begins only after sign-off.

A critical design principle at Phase 2: LLM Agnosticism. The architecture must accommodate model swaps without redeployment. Teams that optimize Phase 2 for a specific model weight find themselves needing a rebuild in Phase 6, when better models become available.

Phase 3 — Infrastructure Deployment (two to three weeks)

Phase 3 deploys the architecture on commodity hardware. A production-capable Level 1 sovereign AI configuration — sufficient for a 100-to-500 person organization — requires hardware in the $50,000 to $200,000 range at 2025 pricing. NVIDIA H100 clusters that cost $400,000 in 2023 were available at $150,000 to $200,000 by 2025 for comparable configurations. Cloud AI API costs for a 100-person technical team actively using AI tools run $120,000 to $400,000 annually. Phase 3 hardware pays for itself in year one on compute costs before any data sovereignty value is counted.

Exit criterion for Phase 3: a model serves inference requests from internal endpoints, the Router classifies test queries according to Phase 2 specifications, and the Recorder logs interactions. Not "mostly working." Fully functional.

Phase 4 — Integration and Workflow Migration (two weeks)

Phase 4 is where most sovereign AI projects without a methodology stall. Infrastructure deployed correctly in Phase 3 encounters workflows calibrated to cloud model behavior — specific output formats, particular reasoning patterns, response lengths that downstream systems expected. A local model produces technically correct outputs that break processes built for a different model's outputs.

SIA methodology addresses this by explicitly migrating the top ten highest-priority AI workflows, testing each for output compatibility, and adjusting prompt structures or downstream processing as needed. Exit criterion: migration completed — not attempted.

Phase 5 — Governance Hardening (two to three weeks)

Phase 5 converts deployed infrastructure into an auditable system. EU AI Act high-risk provisions took enforcement effect in 2025. General provisions apply from 2026, with penalties up to €35 million or 7% of global revenue. Article 26 of the EU AI Act — which makes the deploying organization responsible for compliance, not the model vendor — means the documentation Phase 5 produces is the audit package that answers regulator questions.

Documentation produced includes data flows, a model card for each deployed model, access control configurations, incident response procedures, and a compliance mapping against applicable regulations. Exit criterion: an external party could conduct a compliance review of the deployed system using Phase 5 documentation alone.

Phase 6 — Evolution (ongoing)

Open-weight models advance faster than any fixed deployment can track. An organization that deploys in Phase 3 and never upgrades finds its sovereign infrastructure lagging commercial cloud AI within 12 to 18 months. Phase 6 defines a quarterly assessment cadence — reviewing available models against current use cases, with LLM-agnostic architecture enabling swaps without infrastructure rework.

Phase 6 also closes the loop with Phase 1: quarterly security posture reviews, regulatory update monitoring, and use case expansion. Each completed phase built a capability — classification framework, architecture sign-off, deployed infrastructure, migrated workflows, compliance documentation — that Phase 6 maintains and extends.

The Cost of Waiting

Organizations that defer sovereign AI accumulate a compound exposure cost. Each quarter without sovereign infrastructure is a quarter of documented exposure under the CLOUD Act — a 2018 US law that lets federal agencies compel any American company to produce data held anywhere globally — and under EU AI Act enforcement timelines. The quarterly cost looks manageable in isolation.

TikTok paid €530 million to Ireland's Data Protection Commission in May 2025 for routing EU user data to servers outside Europe. That outcome began with a series of quarters in which the data transfers continued and the compliance review was deferred. The organizations that completed Phase 1 assessments in early 2025 are in Phase 6 evolution cycles today.

Eight Weeks to Infrastructure

The timeline question that stalls most sovereign AI projects isn't "how long will this take?" It's "what does done look like at each step?" One question produces estimates that drift. The second produces a project that completes when conditions are met.

Phase 1 exit: audit documented and classified.

Phase 2 exit: architecture signed off.

Phase 3 exit: infrastructure serving inference.

Phase 4 exit: workflows migrated and tested.

Phase 5 exit: compliance documentation produced.

Phase 6: quarterly cadence running.

Eight weeks from Phase 1 start to Phase 5 complete, for organizations that make decisions at each phase boundary without reopening prior phases. The organizations that start Phase 1 this quarter will be in their second model upgrade cycle before others finish evaluating the timeline.

The map was always available. The question is whether to use it.

← Previous Policies Don't Protect Data. Architecture Does. Next → The Most Secure AI Runs Where No Network Can Reach It

Full SIA methodology documentation and certification programs at thesovereigninstitute.org