Sovereign inference starts with a structural fact: data cannot leave the pod. Volt enforces zero ingress, zero egress, and zero inter-pod transfer. Your prompts and outputs are served in your customer's metro and stay there. Residency is a property of the architecture, not a clause in a contract.

Every workload carries a cryptographic identity. SPIRE issues short-lived SPIFFE SVIDs to each service, so calls between the gateway, scheduler, and inference runtime are authenticated by identity rather than by network location. No shared secrets, no long-lived credentials.

The network is closed by default. Cilium applies default-deny egress at L3/L4, so a pod can only reach the endpoints its policy names. There is no path off the box for data to take, even if a workload tried to open one.

On Volt Vault, hardware proves its own state. Measured-boot attestation verifies firmware, kernel, and runtime per node before a workload is scheduled. A node that fails attestation never receives a request.

The supply chain is verifiable end to end. Images are cosign-signed with SLSA L3 provenance, so every running container traces back to a known build. And audit is on by default: every request is bound to a tenant identity and written to an immutable log.