Final Authority in AI Governance: Frontier-Provider Sovereignty and Action-Centered Deployer Governance
arXiv:2607.13040v1 Announce Type: cross Abstract: This paper examines where final authority should sit once capable AI systems are embedded in organizational workflows. It compares two governance models. The first, frontier-provider sovereignty, assigns privileged authority to the provider of the most capable models and is reflected in contemporary arguments for frontier-model testing, release gating, transparency duties, and compute-related controls. The second, action-centered deployer sovereignty, places final authority over high-impact actions with the organization that authorizes the action, embeds it in a business process, and bears the downstream legal, operational, and commercial consequences. The paper combines comparative reading of public governance frameworks with implementation-informed analysis of runtime heterogeneity and enterprise control requirements. It compares EU AI Act guidance, the NIST AI Risk Management Framework, Singapore's Model AI Governance Framework for Agentic AI, recent Japanese AI policy instruments, and Canada's voluntary code and managerial guidance. Across these materials, the paper finds stronger support for distributed operational accountability than for unilateral frontier-provider control. It further argues that rapid enterprise adoption, declining provider transparency, and widening control gaps increase the value of a portable governance layer centered on governed action rather than on provider-native session objects. The conclusion is layered rather than absolutist: strong upstream authority remains justified for frontier capability gating, but final authority over concrete enterprise action is better located with the deployer and consequence-bearer.