The World Has Built a Vocabulary for AI Governance. It Has No Architecture for AI Democracy.
- Apr 11
A response to the CAIDP Index 2026, and the question every major framework has left unasked.
The Center for AI and Digital Policy released its 2026 Index this week. The findings are worth taking seriously. Forty-five countries now support the international AI Treaty. New AI laws passed in China, Japan, South Korea, Peru, and Vietnam. The UN established a scientific panel on AI with global participation. European countries are moving forward with the EU AI Act. The CAIDP's conclusion: global progress on AI governance is real, and it is continuing even as the United States retreats from the international stage.
They are right. The progress is real. And the framework used to measure it has a structural gap that no amount of progress can fill, because the gap is in what the framework asks.
The Best Tool We Have
The CAIDP Index is the most rigorous global instrument for measuring whether AI systems align with democratic values. It covers 80 countries, draws on over 1,000 researchers across 120 nations, and has been published annually since 2021. Its 12 metrics assess transparency, accountability, fairness, data protection, the right to contest automated decisions, independent oversight bodies, public participation in policy development, human rights alignment, and environmental impact, a dimension added in the 2025 edition.
This year's top performers are Canada, Japan, the Netherlands, Norway, Switzerland, and the United Kingdom. These are functioning democracies with strong rule of law, robust regulatory institutions, and serious commitments to individual rights. They are implementing or aligned with the EU AI Act, the most sophisticated risk-based AI regulation in the world. On every metric the CAIDP measures, they score well.
They would still fail a democratic governance test. And the CAIDP Index, as currently constructed, cannot detect that failure.
What the 12 Metrics Measure, and What They Don't
The CAIDP's metrics are individual-rights centred. They ask whether people are protected from harmful AI systems. Whether they can contest automated decisions. Whether governments are transparent about AI use. Whether data is handled lawfully. These are important questions. They are also, structurally, questions about protection rather than power.
There is a difference between protecting someone from a system and giving them a say in how it is built, owned, and governed. Every major framework in the global AI governance landscape, the CAIDP Index, the EU AI Act, the OECD Principles, the Council of Europe AI Treaty, the UNESCO Recommendation on AI Ethics, measures the first. None of them measure the second.
Specifically, not one asks:
Who owns the AI infrastructure: the compute, the data pipelines, the foundational models that these systems run on?
Do communities have decision-making authority over AI systems affecting their lives, or only the right to complain afterward?
What are the exit rights, meaning the practical ability of a government, community, or institution to migrate away from a vendor or platform if the terms change?
Is there accountability below the state level, to the people most directly affected, rather than to regulators acting on their behalf?
Can the governance framework survive the departure of the current government, the current vendor, or the current political moment?
These are not peripheral questions. They are the difference between AI governance and AI democracy. The first produces systems that are accountable to institutions. The second produces systems that are accountable to people.
The US Retreat Does Not Resolve This
The CAIDP 2026 report documents US withdrawal from global AI governance with appropriate concern. Washington opposed the UN scientific panel. A Presidential Executive Order undid commitments to safe and trustworthy AI. The US withdrew from UNESCO. The report is right to name this as a setback.
But the analysis requires one more step. The US model that is now being abandoned was also a consumer protection model, not a democratic governance model. The Blueprint for an AI Bill of Rights named affected people. It did not give them power. The executive commitments to safe AI addressed system behaviour. They did not address system ownership. Losing US engagement is a problem for global AI safety. The alternative being consolidated in its absence is EU-style individual rights regulation, more rigorous and more enforceable, and still silent on the same structural questions.
The choice being presented to the world is between two models of managed AI: one market-led and increasingly ungoverned, the other rights-based and increasingly institutionalised. Both leave unresolved who owns the foundational layer and whether communities have genuine agency over systems shaping their lives.
Replacing US leadership with European leadership is progress. Progress is also distinct from building AI democracy.
The Ontological Problem
There is a reason every framework shares this blind spot. They all begin from the same place: the liberal individual as the unit of moral analysis. Rights attach to persons. Harms are suffered by persons. Consent is given by persons. Accountability runs to persons, through institutions that represent them in aggregate.
This is not a neutral starting point. It is a specific philosophical tradition, and one that African philosophy has been challenging for decades. David M. Matsinhe, political sociologist and human rights strategist, writing on Ubuntu and AI Ethics, puts it precisely: "the Western AI ethicist asks how we protect the individual from the machine, while the Ubuntu philosopher asks what kind of community the machine makes possible". These are not the same question. And the gap between them, as Matsinhe writes, is where millions of people disappear.
Ubuntu, the relational ethics framework rooted in the proposition that a person is a person through other persons, begins somewhere else entirely. It asks what this system does to the web of relationships that makes personhood possible. It asks whether this technology strengthens or corrodes the communal bonds through which people understand themselves as human.
This is not only a philosophical argument. Kristy Claassen, whose doctoral dissertation Being Human: Evaluating Artificial Intelligence Through the Lens of Ubuntu was defended at the University of Twente in April 2026, brings empirical weight to it. Through fieldwork with South African communities where Ubuntu is actively practiced, Claassen found that the values her participants prioritised diverged sharply from those dominating global AI ethics frameworks. Where international frameworks emphasise transparency, autonomy, and fairness, her participants emphasised dignity, care, and community well-being. Women in particular consistently foregrounded responsibility and collective welfare in ways that standard governance metrics do not capture. Her conclusion is direct: it is not enough to expand the list of values we consider when designing AI. We have to ask deeper questions. What do we mean by privacy? By responsibility? By dignity? These concepts do not have universal definitions. They are shaped by history, culture, and power.
The distinction between AI governance and AI democracy turns precisely on these questions. Governance produces systems accountable to institutions. Democracy produces systems accountable to people.
The African AI policy community has been building toward this. The Africa Declaration on Artificial Intelligence, signed by 54 member states in Kigali in April 2025, insists that AI design and deployment should reflect Africa's "strategic priorities, shared values, and diverse cultural contexts." The Nairobi Statement calls for decolonial co-creation. These are gestures toward a different ontology. The architecture to support them, community ownership, data trusts, participatory governance with real authority, is largely absent from the policy stack that is supposed to deliver them.
Africa makes the gap visible because the sovereignty argument is being made explicitly, which throws the missing democratic layer into sharp relief. But the gap is not African. It is universal.
The High Scorers Would Fail a Democratic Governance Test
Let's take the 2026 top performers and apply a different set of questions. For example, the Netherlands scores highly on CAIDP metrics. It has strong data protection enforcement, meaningful algorithmic transparency requirements, and an independent supervisory authority. Dutch citizens cannot, however, participate in decisions about the AI infrastructure their public services run on. There is no mechanism for community governance of the AI systems shaping access to housing, benefits, or employment. The foundational models used in Dutch public administration are built and owned by companies operating under US or other foreign jurisdictions. Exit rights, meaning the practical ability to migrate to alternatives if those companies change their terms, do not exist in any meaningful sense.
Canada ranks at the top of the CAIDP Index. It has serious AI governance discussions underway and meaningful civil society participation in policy processes. The AI systems deployed across Canadian public institutions, from immigration to social services, run on infrastructure Canada does not own and could not audit end to end without the cooperation of the vendors. Indigenous communities, who have been working for years to establish data sovereignty over information about their lands and peoples, have no enforceable rights under the current framework to govern how that data is used in AI systems.
South Korea passed a new AI law in 2026 and appears in the CAIDP rankings as one of the year's legislative successes. The law addresses risk categorisation and transparency. It does not address the question of who owns the AI stack or whether communities have power over systems affecting their lives.
The pattern is consistent: high-performing jurisdictions have built sophisticated frameworks for protecting individuals from AI. The question of who holds power over AI systems remains largely unaddressed.
Africa as the Sharpest Case
This pattern is most visible in the African context, which is why the African AI policy landscape deserves special attention as the place where the structural problem is most clearly named.
African policy documents assert sovereignty explicitly. The AU Continental AI Strategy calls for African-owned, people-centred AI. The Rabat Consensus calls for a sovereign AI path. The Africa Declaration insists that AI reflect Africa's strategic priorities. These documents are doing something the EU AI Act does not: naming the question of who controls the foundational layer. And yet even these documents, which go further than any equivalent in the Global North on sovereignty language, do not close the gap. The AfCFTA Digital Trade Protocol, the most binding digital governance instrument on the continent, prohibits source code disclosure as a condition of market access, limiting African governments' ability to audit foreign AI systems. The Malabo Convention, the only binding continental data protection instrument, has been ratified by 15 of 55 member states. The Continental AI Strategy has no open-weight model requirements, no technology transfer conditions, no exit rights.
The countries that score highest on any AI governance index in Africa, Rwanda, Kenya, South Africa, are building their AI futures on infrastructure they do not own, with governance frameworks that protect individuals without giving communities power. They would score well on the CAIDP metrics. They would fail the democratic governance test. That is not a criticism of their ambition. It is a description of the gap between the metrics we are using and the outcomes we say we want.
Community Ownership Is Not a New Idea
Before addressing what a democratic governance index would measure, it is worth being precise about what community ownership actually means in practice. The concept sounds radical. The models it draws on are not.
Data trusts are legal structures in which a trustee holds data rights on behalf of a defined community, with a fiduciary obligation to act in their interest. Communities do not own data individually. They govern collectively how it is used, licensed, and shared. Any organisation wanting to train AI on that data negotiates with the trust, not with thousands of individuals. The Ada Lovelace Institute and the Open Data Institute in the UK have piloted versions of this. Barcelona has used trust structures for urban data governance. The model is legally established, operationally tested, and requires no new technology, only political will to deploy it at scale.
Platform cooperatives apply credit union logic to digital infrastructure. They are worker- or user-owned platforms, governed democratically, in which decisions about what a system optimises for, what data it collects, and how value is distributed are made by the people the platform serves. Stocksy in photography, Resonate in music streaming, and Up&Go in domestic services are functioning examples. The question for AI governance is whether the same ownership logic can be applied to foundational infrastructure, not just consumer-facing applications.
Public-interest AI foundations hold AI infrastructure in trust for the public, governed by multi-stakeholder boards with community representation. This is how public broadcasters and universities are structured. Masakhane, the African natural language processing research collective, already operates on something close to this model informally, building language models for African languages outside commercial dependency. The question is whether it receives the institutional structure and public financing to operate at the scale the moment requires.
Municipal and regional AI utilities treat AI infrastructure the way functioning states treat water or electricity: as a public utility, owned collectively, operated for public benefit, with democratic oversight of pricing and access. Estonia's X-Road digital infrastructure is the closest existing model: state-owned, interoperable, not extractive. The East African Community could, in principle, establish a shared AI compute utility owned collectively by member states, accessible to any public institution without dependence on foreign vendors. This is not a novel governance concept. It is standard public utility logic applied to a new infrastructure class.
Indigenous data sovereignty frameworks are the most developed community governance model already in operation. The CARE Principles (Collective Authority, Responsibility, and Ethics), developed by indigenous data sovereignty networks, give communities veto power over how their data enters AI training pipelines. Te Mana Raraunga in New Zealand and the Global Indigenous Data Alliance have built governance architecture that is legally recognised and operationally functional. These frameworks could be adapted far more broadly, including across African communities whose data is currently processed without meaningful consent or benefit-sharing.
None of these models require inventing new institutions from scratch. All of them have legal precedent. All of them have functioning examples at smaller scales. What they share is a governance architecture that places decision-making authority with affected communities rather than with states acting on their behalf or companies acting in their own interest.
What is blocking them is not feasibility. It is that current AI governance frameworks, including the metrics used by the CAIDP Index, do not require or reward them. A procurement framework that favoured cooperative ownership over extractive alternatives, a regulatory framework that recognised data trusts as legitimate governance structures, a development finance institution that treated community AI infrastructure as a public good worth funding: any of these would shift the incentive structure. None of them require a revolution. They require policy choices that the field has not yet made.
What a Democratic Governance Index Would Measure
If the CAIDP Index were supplemented with a democratic governance tier, and we think it should be, the additional questions would look something like this:
On ownership and infrastructure: What percentage of AI systems used in public services run on domestically owned or collectively governed infrastructure? Do governments have the technical capacity to operate critical AI systems independently of private vendors?
On community power: Do affected communities have decision-making authority over AI systems shaping their lives, or only advisory status? Are there governance mechanisms operating below the state level with real power?
On exit rights: Can governments, institutions, or communities migrate away from AI systems or vendors if terms change, without losing essential services? Are technology transfer requirements embedded in public procurement?
On accountability: Are there accountability mechanisms that run directly to affected communities, not only to regulators acting on their behalf? Are there community-level redress mechanisms with enforceable outcomes?
On data sovereignty: Do communities control how data about them is used in AI training and deployment? Are data trusts or equivalent mechanisms in place?
On durability: Would the governance framework survive a change of government, a vendor exit, or a geopolitical shift in the country controlling the foundational infrastructure?
None of these questions appear in the CAIDP Index. None appear in the EU AI Act. None appear in the OECD Principles. None appear in the Council of Europe AI Treaty. They appear, in partial and rhetorical form, in some of the African regional declarations. They do not yet appear anywhere as enforceable requirements with teeth.
What This Means for the Field
None of this is a dismissal of what the CAIDP Index has built. It is the most serious attempt the field has made to hold national AI policies to account against democratic values. The researchers, policymakers, and advocates who contribute to it are doing essential work. The 2026 findings, progress despite US retreat, new laws across Asia and Latin America, the consolidation of the EU AI Act, represent genuine achievements worth documenting and defending.
My argument is that the field needs a second instrument alongside this one. Not a replacement. A supplement that asks the questions the current framework cannot ask, because they are outside its ontological frame.
The CAIDP Index measures whether AI systems are safe, transparent, and fair to individuals. A democratic governance index would measure whether people have genuine power over the AI systems shaping their lives. The two are related but distinct. A country can score well on the first and fail the second. Most of the world's highest-scoring AI governance jurisdictions currently do exactly that.
The window to build the second instrument is open. AI is still in the phase where foundational choices about ownership, governance architecture, and democratic accountability are being made. Once those choices are locked in, once the infrastructure dependencies are built, the vendor relationships are embedded, the regulatory frameworks are set, reversing them will be as difficult as reversing the ownership structures of any previous utility.
The CAIDP Index tells us how far we have come. The democratic governance gap tells us how far we have yet to go. Both things are true. Only one of them is currently being measured.
Mission AI builds products that centre people and communities, and we have strong opinions about the infrastructure and governance frameworks that shape what those products can become. If you're working at the intersection of AI, sovereignty, and democratic accountability, we'd like to talk.



