MicroLink × NVIDIA · Working Session Reference
Prepared 4 May 2026 / Version 0.2 Draft / Confidential
Zone 05 · Product · Cluster B

Sovereign public-sector AI

For Jumbi Edulbehram, Alex Pazos, and Ben Gueret

Four national sovereign AI precedents exist. Zero US municipal precedents exist. San José is a category-defining first because the procurement model, the offtake stack, and the host coupling are new, even where the silicon is not. The product is not GPU hours. It is a cryptographically-isolated, host-coupled, grid-independent civic compute utility, built to satisfy ten compliance regimes from day one.

Owner
Jumbi Edulbehram
VP Global BD · Public Sector · host
Adjacent owners
Alex Pazos · Ben Gueret
Smart Spaces · TPM · programme
MicroLink lead
Andrew Thomas
CCO · Cluster B steward
Co-authors
City of San José · SJSU
Khaled Tawfik · CIO · GovAI Coalition
Working session
5 May 2026
30 min · Teams · 13 attendees
05 The Thesis
Four national sovereign AI precedents exist. Zero US municipal precedents exist. San José is a category-defining first because the procurement model, the offtake stack, and the host coupling are new, even where the silicon is not. The product is a cryptographically-isolated, host-coupled, grid-independent civic compute utility, governed under a California Joint Powers Authority. NVIDIA's Public Sector pipeline depends on cities procuring with confidence. This is the reference deployment.
01
Precedents
0
Documented US municipal NCP precedents. The empty fifth row that San José fills.
Category-defining · First of its kind
02
Compliance regimes
10
FedRAMP, StateRAMP, CJIS, FERPA, HIPAA, NIST AI RMF, CCPA, EU GDPR plus AI Act, SB 253, California SAM 5300.
Stacked on NIST 800-53
03
Anchor offtake
6 segments
City departments, SJSU, public safety, county health, NVIDIA Inception, federal long tail.
City as anchor
04
GovAI Coalition
900+
Member agencies. Khaled Tawfik founded it. The city is already the convening node for the next thirty.
Convening node · CIO since Apr 2022

Four national precedents. Zero US municipal precedents.

NVIDIA's own definition (Jensen Huang, "What Is Sovereign AI") frames the category as the ability of a nation to produce AI using its own infrastructure, data, workforce, and business networks. The four national precedents resolve the abstraction into operational patterns. The municipal sub-pattern is the empty fifth row.

The precedents below are the operational shape of sovereign AI today. They are national in buyer, billion-dollar in funding, and structured as managed clouds or sovereign training factories. The procurement model, the offtake stack, and the host coupling that San José proposes are not in any of these four rows. That is the differentiation, not a weakness.

Buyer · Provider · Product · Funding · NCP status
France (national) · Mistral + Scaleway · Managed sovereign cloud, raw GPU, sovereign models · EUR 1.7B equity, USD 830M bank debt · Reference Platform (Scaleway designated NCP)
Germany (national) · Aleph Alpha + STACKIT · Sovereign AI assistant on BSI C5 · Schwarz USD 600M Series E + Cohere merger · Not NCP (sovereign without designation)
India (national) · Yotta Shakti Cloud · GPU-as-a-Service, sovereign LLM training · INR 10,372 crore IndiaAI Mission · Reference Platform (plus Exemplar Cloud)
Singapore (national) · Singtel RE:AI + NSCC · Sovereign AI factory + research HPC · SGD 1.6B+ National AI Strategy 2.0 · NCP via CoE (NVIDIA CoE, Feb 2026)
US, municipal (San José) · MicroLink + NVIDIA · Sovereign municipal AI cloud, host-coupled WWTP · JPA + IBank PARB + availability payments · First municipal NCP (under construction)

The closest US analogues are not municipal at all. The Prologis STEM Park (selected by San José Council in November 2025; a 159-acre, 396 MW hyperscale ground lease on the same RWF buffer parcel) is land development, not a city-operated sovereign cloud. The New England Research Cloud at MGHPCC is an academic consortium, not a municipal procurement. The configuration MicroLink proposes is not on the map yet.

The municipal sub-pattern is what NVIDIA Public Sector needs
National sovereign AI is already proven; the four rows above are the proof. Municipal sovereign AI is the next, larger, and unproven market. US cities, EU member-state authorities, and county-level public-sector buyers are the long tail of NVIDIA Public Sector revenue. They will not procure on the strength of the four nationals above; the deals are too large, the funding mechanisms too unfamiliar. San José is the reference deployment they will read before they procure.

This is also why DGX-Ready Colocation is the first-path framing for the deal architecture, not "fast-tracked NCP." Reference Platform NCP designation has a published 50 MW / 4,096 GPU effective floor; the 1 MW Phase 1 sits below that line by design. The NCP designation arrives as the portfolio aggregates above the floor in Phase 2 and beyond, with San José as a Reference Platform candidate. Forward-looking, not overclaimed.

The three primitives, with the caveats said out loud

Confidential Computing on H100, H200, and B200. BlueField-3 multi-tenant separation. Run:ai quota and scheduling. The composition is what makes the sovereign claim cryptographic rather than rhetorical, and the limits of the composition are part of the brief, not a footnote to it.

Primitive 01
NVIDIA Confidential Computing · H100, H200, B200
Attestation rooted in an on-die hardware Root of Trust. VBIOS and firmware verified against published Reference Integrity Manifests. On Blackwell, dual-attestation binds the CPU TEE alongside the GPU and signs the joint state of NVLink encryption.
Primitive 02
BlueField-3 DPU · tenant separation at line rate
Hardware root of trust. Line-rate IPSec and TLS at up to 400 Gb/s. SR-IOV with DPU steering provides hardware-isolated per-tenant Ethernet devices. DOCA HBN zero-trust mode is the policy substrate above the silicon.
Primitive 03
Run:ai · quota, fair-share, chargeback
NVIDIA-acquired April 2024. Quota management, fair-share scheduling, and chargeback. Trusted internal segmentation only. RBAC and namespaces inside a tenant. The cluster boundary is the trust boundary.
Architectural constraint · the honest framing
DGX SuperPOD does not currently support multi-tenancy as a product
Per NVIDIA's DGX SuperPOD B300 documentation: multi-tenancy is not supported with SuperPOD currently. Run:ai's documentation distinguishes "trusted internal segmentation" (RBAC, namespaces) from "untrusted tenants such as external organizations," recommending dedicated Kubernetes clusters per untrusted tenant. The City of San José should be on a different cluster than the Santa Clara County Sheriff, not just a different namespace. This caps the "twenty agencies on one pod" pitch and replaces it with the right one: cluster-per-untrusted-tenant, with composed isolation across BlueField + DOCA + per-tenant Confidential Computing. Third-generation Confidential Computing across CPU, GPU, and NVLink is fully coherent only on Vera Rubin NVL72, available H2 2026 onward. San José is positioned as a reference deployment for that capability.
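The cluster-per-untrusted-tenant rule can be stated as code. The minimal sketch below uses hypothetical tenant and organisation names; it illustrates the admission rule only (same-org tenants may share a cluster via RBAC and namespaces, untrusted tenants get their own cluster), not any real scheduler or Run:ai API:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tenant:
    name: str
    org: str  # tenants from different organisations are mutually untrusted

@dataclass
class Cluster:
    name: str
    tenants: list = field(default_factory=list)

    def can_admit(self, tenant: Tenant) -> bool:
        # Trusted internal segmentation (same org) may share a cluster via
        # RBAC and namespaces; untrusted tenants (different org) may not.
        return all(t.org == tenant.org for t in self.tenants)

def place(tenant: Tenant, clusters: list) -> Cluster:
    """Place a tenant on an existing same-org cluster, else provision a new one.
    The cluster boundary is the trust boundary."""
    for c in clusters:
        if c.can_admit(tenant):
            c.tenants.append(tenant)
            return c
    fresh = Cluster(name=f"cluster-{len(clusters)}", tenants=[tenant])
    clusters.append(fresh)
    return fresh

# Hypothetical tenants: two city departments share an org; the Sheriff does not.
clusters = []
place(Tenant("sj-permits", "city-of-san-jose"), clusters)
place(Tenant("sj-311", "city-of-san-jose"), clusters)
place(Tenant("scc-sheriff", "santa-clara-county"), clusters)
assert len(clusters) == 2  # the Sheriff lands on a cluster of its own
```

The same rule generalises: adding a twentieth agency never co-schedules it with an untrusted peer; it either joins its own organisation's cluster or triggers a new one.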

The threat-model rule we follow on every page that touches a city or state attorney

Any sovereign claim made to a municipal CIO, a city attorney, a state CISO, or a county counsel must reproduce the in-scope and out-of-scope threat-model limits verbatim from NVIDIA's Confidential Computing whitepapers. The 2025 to 2026 "TEE.Fail" DDR5 memory-bus interposition disclosure was acknowledged by NVIDIA, with formal advisory pending. We treat this as a known unknown: it does not invalidate the architecture, it does shape the language we use to describe it.

The reason this matters in the room is that composed isolation is a more honest claim than multi-tenant SuperPOD, and it is also a stronger one once a city attorney reads the supporting documents. Run:ai does scheduling and chargeback. BlueField-3 separates the tenant networks at silicon. Confidential Computing attests the hardware to the tenant. The cluster boundary is the trust boundary. That sentence is the brief.

This caveat is non-negotiable in the proposal
A reviewer who reads the marketing claim "twenty agencies on one pod" and then reads NVIDIA's own Run:ai documentation will conclude one of two things: that we have not read the documentation, or that we have read it and chosen to stretch. Both undercut the credibility we cannot afford to lose with NVIDIA Public Sector or with the City attorney. The cluster-per-untrusted-tenant pattern is what we propose, and what we deliver.

Ten regimes, stacked. Most have no NCP precedent.

FedRAMP, StateRAMP, CJIS, FERPA, HIPAA, NIST AI RMF, the California suite, EU GDPR plus AI Act. The ladder below is the comparative shape: where the regime applies, what it requires, and whether any NCP-class operator has cleared it. The pathway is sequential and customer-sponsor-led.

When
Regime
Coverage and NCP-class precedent
Status
In scope
FedRAMP Moderate / High / 20x · NIST 800-53 baselines
All federal agency cloud usage. None Authorised among NCP-class operators. CoreWeave Federal announced intent Oct 2025. Lambda's "FedRAMP Compliant" marketing is not authorisation. Oracle US Gov Cloud carries the only FedRAMP High GPU offering.
No precedent
In scope
StateRAMP / GovRAMP + CA SAM 5300 · SLED + California-specific
SLED cloud security and California-specific cloud assessment. No NCP-class operator currently in GovRAMP Authorized status. SJSU and the City are credible sponsors of the Authorized application.
Pursuing
Oct 2027
CJIS Security Policy v6.0 · Full audit deadline
Body-cam transcription, evidence analysis, ALPR. No NCP-class operator with California CSA validation. Hyperscalers (Microsoft, Google, AWS GovCloud) have CJIS attestations. We sign the Security Addendum with each public-safety customer.
Per-customer
In scope
FERPA · Education records
SJSU is the FERPA gate. No NCP-class operator publishes a model FERPA DPA. We commit to publishing one as part of the SJSU offtake.
In scope
In scope
HIPAA · Even no-view CSPs are BAs
Santa Clara Valley Healthcare ePHI. Lambda markets "HIPAA Compliant" without a published BAA template. No NCP-class operator publishes a BAA comparable to AWS, Azure, or Google. We do.
In scope
In scope
NIST AI RMF + AI 600-1 · GenAI Profile
Voluntary AI governance, twelve GenAI risk categories. No NCP-class operator publishes comprehensive AI RMF GenAI Profile alignment. The civic Guardrails pattern is our published reference.
Building
Jan 2026
CA suite · CCPA / CPRA / AB-1130 / SB 942 / AB 2013
Privacy, biometric breach, AI transparency, training data transparency. Phased compliance from Jan 1, 2026. No NCP-class operator has issued a public ADMT compliance statement.
In scope
Aug 2026
EU GDPR + EU AI Act · Fully applicable
EU resident personal data, prohibited and high-risk AI. Fully applicable Aug 2, 2026. Nebius holds ISO 27001/27701/27018, NIS2, DORA, EU residency in Finland and France. The European NCP partner pipeline starts here.
EU template

The pathway is sequential, and each step is customer-sponsor-led

The frameworks stack cleanly onto NIST 800-53 Rev 5. FedRAMP authorisation can be leveraged for HIPAA Security Rule with BAA. FedRAMP Moderate satisfies CJIS administrative, technical, and physical baselines, subject to the Security Addendum. The order is therefore: pursue Agency ATO at FedRAMP Moderate with a federal customer sponsor, build OSCAL/KSI capability to ride the 20x reciprocity wave, pursue GovRAMP Authorized at Moderate with the City of San José or SJSU as sponsor, sign the CJIS Security Addendum with each public-safety customer, execute the SJSU-specific FERPA DPA and the Santa Clara County HIPAA BAA, and stand up the Article 28 DPA template for any EU template extension.
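The ordering in that paragraph is a dependency graph, and one reading of it can be sketched with the standard-library topological sorter. The milestone names are shorthand for the steps in the text, not a formal project plan, and the dependency edges are one interpretation of the leverage described (FedRAMP Moderate underwriting CJIS and GovRAMP, sponsorship gating the customer-specific agreements):

```python
from graphlib import TopologicalSorter

# Each milestone maps to the set of milestones it builds on.
pathway = {
    "fedramp_moderate_ato": set(),                    # federal customer sponsor first
    "oscal_ksi_toolchain":  {"fedramp_moderate_ato"}, # ride the 20x reciprocity wave
    "govramp_authorized":   {"fedramp_moderate_ato"}, # City or SJSU as sponsor
    "cjis_addendum":        {"fedramp_moderate_ato"}, # Moderate satisfies CJIS baselines
    "ferpa_dpa":            {"govramp_authorized"},   # SJSU offtake
    "hipaa_baa":            {"govramp_authorized"},   # county health offtake
    "article_28_dpa":       {"govramp_authorized"},   # EU template extension
}

order = list(TopologicalSorter(pathway).static_order())
assert order[0] == "fedramp_moderate_ato"  # everything hangs off the Agency ATO
```

Any valid ordering of the remaining milestones is acceptable; what the graph makes explicit is that the Agency ATO is the single upstream blocker.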

First-mover position is real and time-sensitive
CoreWeave Federal announced intent in October 2025. The cohort that will hold FedRAMP Authorized inside two years is small and observable. If MicroLink completes Agency ATO at Moderate with a federal sponsor before that cohort closes, "first NCP-class operator with FedRAMP Authorized" is the marketing line, and it is also the truth. The pathway needs the federal sponsor identified and the OSCAL toolchain built; both are working-session items.

Sovereign is not a slogan. The weights are downloadable.

NVIDIA's primary statement is unusually explicit: yes, you can download and run NVIDIA Nemotron models from Hugging Face for free in production. The licensing architecture, the production family, and the on-prem fine-tuning workflow are the factual basis on which a municipality can credibly call its deployment sovereign.

The licensing architecture matters because municipalities are not buyers of opaque APIs. They are stewards of public records, criminal-justice data, and constituent identity. The NVIDIA Open Model License Agreement (June 2024) and the Nemotron Open Model License (December 2025) are permissive: commercial use, redistribution, modification, no attribution required on outputs. The Llama-Nemotron line inherits the Meta Llama Community License plus OMLA layered on NVIDIA modifications. The legal basis for sovereignty is in the licence, not in the marketing.

"
The sentence the city procurement officer needs to hear
A municipal customer can download the weights, store them on its own GPUs, fine-tune with its own data, redistribute derivatives within its own bureaucracy, and never make an external API call. That is the factual basis on which "sovereign" is more than a slogan. It is also the basis on which the City Attorney signs.

The production family scales from 2 GB to 8 H100s

Six models cover the workload spread we expect from city departments, SJSU, public safety, and Inception startups. The smallest fits on existing city hardware; the largest is rated by Artificial Analysis (April 2025) as the most intelligent open-source model in production.

Nemotron-Mini-4B-Instruct
~2 GB VRAM. Ideal for 311 chatbots and edge devices. The civic agent class.
Llama-3.1-Nemotron-Nano-8B
Single H100 fit. 128k context. The reasoning model for permit and code workloads.
Llama-3.3-Nemotron-Super-49B
Single H100 80GB fit. The reference for the civic-chatbot Guardrails pattern.
Llama-3.1-Nemotron-Ultra-253B
Eight H100 node. Rated April 2025 as the most intelligent open-source model.
Nemotron 3 Nano (30B-A3B MoE)
1M token context. Four times the throughput of Nemotron 2 Nano. Document-scale RAG.
NemoGuard 8B
Content Safety, Topic Control, Jailbreak Detect. The civic guardrails substrate.

The sovereign fine-tuning workflow · end-to-end on NVIDIA primitives

NeMo Customizer is an API-first Kubernetes microservice. It supports LoRA, full SFT, DPO, GRPO, and Knowledge Distillation, and is deployable on customer A100 80GB or B200 hardware. NVIDIA explicitly markets the on-prem story for sensitive data: everything stays on-premises. NeMo Curator is Apache 2.0, GPU-accelerated via Ray and RAPIDS, and ships 30+ heuristic filters, fastText classification, exact, fuzzy, and semantic deduplication, and PII redaction via Presidio integration. NeMo Retriever provides extraction, embedding, and reranking NIMs as the RAG plumbing.

Composed in the San José deployment, the workflow looks like this: city data lands in the curator, filtered and redacted in place, fed to the customizer, which produces a fine-tuned Nemotron variant on the city's own GPUs, retrieved at runtime through the retriever, guardrailed by NemoGuard, served to the citizen-facing interface. No external API call at any stage. The supply chain of the inference, end-to-end, is under municipal control.
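Composed, the dataflow reads as a five-stage local pipeline. The sketch below uses stub functions standing in for the NVIDIA components named in the comments; none of these are real NeMo APIs, and the only claim encoded is the one in the text: every stage runs on municipal hardware, with no external call at any point.

```python
def curate(records):          # stands in for NeMo Curator: filter, dedupe, redact PII
    return [r.replace("<PII>", "[REDACTED]") for r in records]

def customize(base, corpus):  # stands in for NeMo Customizer: LoRA/SFT on city GPUs
    return {"base": base, "tuned_on": len(corpus)}

def retrieve(query, corpus):  # stands in for NeMo Retriever: embed + rerank
    return [r for r in corpus if query.lower() in r.lower()]

def guardrail(answer):        # stands in for NemoGuard: content safety, topic control
    return answer if "[REDACTED]" not in answer else "(withheld)"

# Hypothetical city records; <PII> marks a field the curator must redact.
city_data = ["Permit 41 approved", "Resident <PII> filed complaint"]

corpus = curate(city_data)                         # data lands in the curator
model = customize("nemotron-variant", corpus)      # fine-tuned on the city's GPUs
context = retrieve("permit", corpus)               # retrieved at runtime
reply = guardrail(context[0])                      # guardrailed before serving
assert reply == "Permit 41 approved"
```

The stubs are deliberately trivial; the structure is what matters, because the structure is the sovereignty claim: each arrow in curate → customize → retrieve → guardrail terminates inside the municipal boundary.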

The civic Guardrails pattern is the publishable artifact
The Llama-3.3-Nemotron-Super-49B + NemoGuard 8B + NeMo Retriever combination, configured for the 311 chatbot, the permit AI, and the code-enforcement workload, becomes the reference configuration for any other US city building the same thing. Asking NVIDIA to publish this configuration as an official NVIDIA AI Blueprint, replacing the current ABC-bot reference, is open question 6 in the brief. It is a clean ask with clean upside for both sides.
"
A category-defining first because the procurement model, the offtake stack, and the host coupling are new, even where the silicon is not. The empty fifth row that NVIDIA Public Sector needs filled.
Section 01 · Thesis
Working draft v0.2

The ask and the bilateral working sessions

Three named owners on the NVIDIA side, three distinct asks, one shared programme. The bilateral working sessions are how the asks land in real calendars rather than a shared inbox.

Tier · Sovereign municipal AI cloud · reference deployment
A municipal sub-pattern, recognised in the NCP rubric

San José is the live deployment. The municipal sub-pattern is the contribution. The bilateral sessions with Jumbi, Alex, and Ben are how the pattern enters the rubric.

From Jumbi Edulbehram · Public Sector
  • Bilateral session within 30 days on the GovAI Coalition tie-in
  • Sponsor for Public Sector inclusion in the NCP rubric
  • Internal advocacy for the municipal sub-pattern alongside the four nationals
  • Bridge to Khaled Tawfik, City CIO and GovAI Coalition founder
  • Position the municipal-sovereign reference for the broader Public Sector pipeline
From Alex Pazos and Ben Gueret
  • Programme structure for sovereign-municipal as a recognised pattern
  • Co-development of the multi-tenant policy bundle on Run:ai and BlueField-3
  • Vera Rubin NVL72 reference deployment slot when available
  • Compliance-pathway co-authoring with NVIDIA legal
  • Reference architecture review for the public-safety segment specifically
What MicroLink contributes
  • First US municipal NCP under construction (the empty fifth row, filled)
  • Anchor offtake signed before commissioning (City + SJSU + Inception)
  • FedRAMP Agency ATO pursuit with City or SJSU as customer sponsor
  • Khaled Tawfik and the GovAI Coalition as the convening node for the next thirty cities
  • Live multi-tenant deployment data under the cluster-per-untrusted-tenant pattern
Bilateral working sessions requested · 30 minutes each
  • Jumbi Edulbehram · the GovAI Coalition tie-in and Public Sector framing · within 30 days of the LOI
  • Alex Pazos · Smart Spaces co-development on the multi-tenant policy bundle · within 60 days
  • Ben Gueret · programme structure and Vera Rubin NVL72 reference slot · within 60 days