Skip to content
Sovereign AI Defense · An Open Call · April 2026

“Sovereign AI without Sovereign Defense is just Sovereign Risk.”

Every country is building Sovereign AI.
None are building Sovereign AI Defense.
Until now.

Over the last 18 months, democracies have committed over USD 10Bto build Sovereign AI. None have prepared a defense layer for the autonomous agents they’re building.

This is not an oversight. It is a structural vulnerability. Today, that gap has its first open, operational, community-governed answer — MIT-licensed, 314 behavioral rules, already shipping in Cisco, Microsoft, NVIDIA, Meta, and IBM security stacks.

SHIPPING
314
rules in Cisco AI Defense
RECALL
97.1%
666 real-world jailbreaks
FALSE POSITIVE
0.20%
498 benign samples
GARAK COVERAGE
32/32
NVIDIA probe modules
01 · THE MOMENT

Why Sovereign AI became a national imperative

AI is no longer a tool. It is the core of next-era national competitiveness — whoever controls AI controls the future of economic, military, diplomatic, and cultural voice. Over the last 18 months, democratic allies have signed over USD 10B in Sovereign AI commitments:

India
Tata + Reliance · Hindi / Marathi LLMs
$ multi-billion
Japan
SoftBank + KDDI · Japanese LLMs · disaster resilience AI
$ multi-billion
United Kingdom
NVIDIA AI infrastructure commitment
£1B (≈ $1.3B)
France
Mistral AI + 18,000 Grace Blackwell
$ multi-billion
Saudi / UAE / Korea
2025 US-Saudi Investment Forum and others
$ multi-billion
Taiwan
Foxconn + TSMC + gov AI supercomputer · Constellation HQ
NT$ 40B+

The driver is sovereignty anxiety — no country wants its critical data and intelligence running in US clouds, nor wants to be shut off or censored by foreign platforms at critical moments.

“Every country needs to own the production of their own intelligence. The first thing I would do is codify the language, the data of your culture into your own large language model.”Jensen Huang · World Governments Summit · Dubai 2024
02 · THE FATAL GAP

Every country now owns its AI. None owns its AI Defense.

These countries have their own models and their own compute. But when those AI systems become agents — autonomous actors, tool users, MCP clients, transaction executors — no widely accepted agent security detection standard exists.

The current reality: sovereign AI customers source their security layer from US-private vendors running proprietary rule sets and black-box models. This reproduces exactly the dependency that Sovereign AI was created to escape. You can own your AI, but still have to rent the knowledge that defends it — that is incomplete sovereignty.

“Conventional cybersecurity approaches do not translate cleanly to autonomous agent deployments.”NIST CAISI · January 2026 · Official acknowledgment of the standards gap
CONCERNED
87%
but only 11% report being prepared · CSA 2026
DEPLOYMENTS
0
Sovereign AI deals include a defense layer
MYTHOS
83.1%
CyberGym reproduction · previous generation ≈ 0%
03 · THE PROPOSAL

ATR — the open standard that fills the missing layer

MIT License · 314 behavioral rules · protocol-agnostic · behavior-based. Derived from real attack corpora, classified to NVIDIA garak / OWASP Agentic / MITRE ATLAS taxonomies. Adoptable by any country, contributable by any organization. No geopolitical risk. No vendor lock-in.

ATR detects behavioral intent, not string signatures. Attackers who rephrase prompts, repackage payloads, or restructure attack chains cannot evade it, because the detection target is the causal structure of the attack. Each attack has to be redesigned — cost rises exponentially.

04 · ECOSYSTEM

Already shipping across the major democratic security stacks

Cisco AI Defense
Shipping
PR #99 merged · Full 314-rule library shipping in skill-scanner (2026-04-22)
Microsoft
PR Merged
agent-governance-toolkit · 287-rule auto-sync
NVIDIA garak
Integrating
PR #1676 · v2.0.12 · 2 review rounds passed
Meta PurpleLlama
Open PR
20 regex patterns merged into DEFAULT_REGEX_PATTERNS
IBM
Open PR
mcp-context-forge · ATR plugin for IBM MCP runtime
OWASP
Under Review
LLM Top 10 official project PR · standards-track reference

43 days solo · 0 → 314 rules · 6 ecosystem integrations · 30+ PRs in flight · Apache 2.0 academic edition · DOI 10.5281/zenodo.19178002

05 · COMMUNITY-GOVERNED

An open standard, governed by its contributors

ATR is not a single lab’s or vendor’s deliverable. Every rule passes through a public, auditable pipeline: pull request → automated safety gate → community review → merge → npm publish. Governance rules are codified in GOVERNANCE.md; every rule carries provenance metadata; any contributor can challenge, correct, or extend the taxonomy.

If this proposal resonates with your organization, there are three levels of participation:

  • Contribute rules: translate AI agent attack samples you've observed into ATR YAML rule PRs
  • Contribute probes: define new attack classes so rule generation can be systematically mapped
  • Contribute validation: test FP/Recall against real attack corpora, surface detection gaps

Open governance is itself a structural requirement for Sovereign AI Defense — attacks are not defined by a single lab, and defense should not be defined by a single vendor.

06 · FIRST REFERENCE

Why Taiwan is positioned to be the first reference deployment

Taiwan will not own this standard. Taiwan will be the first to adopt it — like the first bank to deploy Linux, or the first government to adopt OpenSSL.

CONDITION 01
Densest real nation-state attack environment
2.63 million daily attacks in 2025 (NSB official, +113% vs 2023). Healthcare, telecom, semiconductor supply chain, and government systems are all confirmed targets.
CONDITION 02
Closest NVIDIA ecosystem
NVIDIA Taipei HQ "Constellation" — NT$40B+ investment, groundbreaking June 2026. Jensen Huang: "Without Taiwan, NVIDIA could not achieve what it has today."
CONDITION 03
Most mature open-governance culture
g0v, vTaiwan, Pol.is, Plurality — Taiwan is one of the few democracies with long-term proven experience running open standards × government collaboration in production.
CONDITION 04
Shortest decision chain
The distance from technical community to executive agencies is far shorter than in the EU or US. The same proposal that needs 18 months in D.C. can launch in 3 months in Taipei.
07 · OPEN CALL

Who we're looking for

ATR is MIT-licensed. This proposal has no exclusivity. If you believe the Sovereign AI era needs a corresponding open Defense standard, we invite the following groups to make contact:

  • Governments · public sector · national cybersecurity agenciesAny jurisdiction willing to adopt ATR as an AI agent security reference framework, or to provide anonymized attack samples for rule development.
  • Enterprise security teams · CISOsFinance, telecom, healthcare, critical infrastructure — teams that want to deploy ATR into their agent runtime before Mythos-class threats arrive.
  • Research institutions · academic labsGroups working on AI agent attacks, red-teaming, or threat intelligence who want to use ATR as a benchmark or contribute rules.
  • Open-source communities · standards bodiesOpenSSF, OWASP, MITRE, CSA, Linux Foundation, ROOST — any partner willing to help integrate ATR into the existing security standards ecosystem.
  • Security vendors · tool buildersTeams willing to integrate ATR rules into existing products (SIEM, SOC, agent runtime, MCP gateways).
  • Journalists · analysts · policy researchersIf you're reporting on or researching Sovereign AI, agent security, or global AI governance, this proposal is open to citation, scrutiny, and challenge.
SHARE

Help this gap become visible

The distribution of this manifesto directly shortens the timeline to adoption. A share is a vote that this layer should exist.

Share on XShare on LinkedInForward by Email
Adam Lin
Founder · PanGuard AI · ATR Initiator
[email protected]
MIT License · Open Standard · Day 43
agentthreatrule.org
v2.0.12 · 293 Rules · 1,597 Patterns