Every Person Needs a Personal AI Firewall Before They Need a Personal AI Assistant

Artificial intelligence is no longer a tool. It is becoming the operating layer of work, public services, personal decisions, institutions and everyday life.

The first wave of AI use was simple. A person opened a chat window and asked a model for help. They pasted text, uploaded files, asked for analysis, drafted messages, translated content, wrote code and explored ideas. The experience was powerful because it was immediate. It was fragile because the user had to decide, every single time, what could be shared, with whom, under which identity, and with what consequences.

That model does not scale into society.

As AI becomes embedded in healthcare, law, finance, education, public administration, employment, family life and political communication, the central question is no longer only which model is best. The deeper question is this: what should stand between the human being and the artificial intelligence systems that increasingly mediate his or her relationship to the world?

My answer is simple.

Every person should have a Personal AI Firewall before they have a personal AI assistant.

This is not only a privacy idea. It is a technical, civic and institutional design principle.

A personal AI assistant without a firewall is a convenience layer. A Personal AI Firewall is a rights layer, a trust layer and — increasingly — a negotiation layer.

The Missing Layer Between People and Models

Most AI systems today are still built around the model. The user sends a prompt; the model responds. More advanced systems add memory, retrieval, tools, agents, evaluations, model routing and integrations. The basic relationship remains the same: the person is expected to expose intent, context and data directly into a system whose internal workings, data policies and risk boundaries he or she cannot fully inspect.

The next architecture must become human-centric.

A Personal AI Firewall would sit between the person and all AI systems. Its first task is protection. It would decide what may leave the person's protected space, in what form, to which model or institution, and under which conditions.

Sometimes a request can be sent to a cheap and fast model. Sometimes it requires a frontier model. Sometimes it must be anonymised before being sent anywhere. Sometimes it must remain local. Sometimes it should travel only through an encrypted, auditable channel to a trusted public-sector or organisational agent. Sometimes it should not be sent at all.

This is where model routing becomes much more than cost optimisation.

A conventional model router asks: which model is cheapest, fastest or most capable for this task?

A Personal AI Firewall asks: what is the risk, identity, privacy, authority, legal status, context requirement and trust boundary of this task?

That is a different category of question.

From Firewall to Player Agent

But protection is only the beginning.

The Personal AI Firewall should not be understood as a blocking mechanism alone. It is also the user's negotiating agent.

It does not only say: "Do not send this." It also says: "This task requires this depth of reasoning, this much context, this privacy boundary, this budget, this workflow, and this degree of human approval."

In that sense, it is less like a security guard at the door and more like the professional agent of an elite athlete.

The user is the player on the ice. The user wants to play, read the game, make decisions, pass, shoot and score. The player should not have to negotiate every background condition: who sharpens the skates, who studies the video, who handles the contract, who watches the medical risk, who manages travel, who speaks to the league, who decides when a specialist is needed.

A whole machinery exists so that the player can perform.

AI use should evolve in the same direction.

The human should not need to decide, every time, how many tokens to send, which model to choose, how much context to reserve for reasoning, whether the document contains sensitive data, whether a local model is enough, whether a frontier model is justified, whether the request should be split into stages, or whether an institutional agent should be contacted directly.

The human should be able to state the goal.

The Personal AI Firewall should prepare the conditions for success.

This layer is so new that it does not yet have a settled name. One playful working title — Personal Agent Agent, or PAA — names the recursion at its heart: the user's own agent, whose role is to represent the user before, around and through the rapidly multiplying agents of platforms, institutions and frontier models. In a more institutional register, the same idea has a more formal name: the citizen's cabinet — a small, private machinery that knows the principal's interests and acts in their name.

Context Is the New Permission

One of the most underappreciated aspects of AI literacy is the context window.

People are often told that a model has a million-token context window and that this equals a certain number of novels. The comparison is technically vivid but practically misleading.

A context window is not reading space. It is working space.

Into that same window go system instructions, application rules, conversation history, user prompts, uploaded documents, retrieved sources, tool outputs, intermediate results and the final answer. If a user fills the window with raw material, very little room remains for reasoning, synthesis, comparison, verification and response.

This matters because as context windows grow, the temptation will be to upload everything.

All emails. All documents. All health notes. All contracts. All strategy files. All personal memories. All public correspondence. All company material.

It will be convenient. And because it is convenient, people will do it.

The key question will no longer only be: does it fit into the model?

The question will be: should it be allowed onto the model's workbench at all?

This is context governance.

Data governance asks where data lives, who owns it and who may access it. Context governance asks what data is allowed onto the AI's working surface, in what form, for which task, under which identity, with which model, with how much reasoning budget, and with what audit trail.

Context is the new permission.

What the Personal AI Firewall Negotiates

Before a serious task begins, the Personal AI Firewall could negotiate with an external AI agent, an enterprise gateway or an institutional system.

It would communicate, explicitly or in the background: the user's goal; the sensitivity of the material; whether the user's identity is needed; which parts of the data must remain local; what can be anonymised or generalised; how much context should be sent; how much room must be reserved for reasoning and output; what depth of analysis the user expects; whether the task is a draft, decision support or a publishable result; whether a second model should review the output; and whether human approval is required before action.

This is agent-to-agent workflow negotiation.

It turns AI use from raw prompting into represented action.

For individuals, this means stronger protection and better results. For organisations, it means less wasted computation, fewer accidental data leaks, better routing, stronger compliance and more consistent quality.

This is why companies may care about the idea even before they approach it as a civic rights issue. A Personal AI Firewall is not only a privacy product. It is also an efficiency product, a quality product and a governance product.

Three Routes for AI Use

A Personal AI Firewall could classify AI interactions into at least three main routes.

The first route is anonymous or pseudonymous AI use. The user needs intelligence, but the model does not need to know who the user is. The firewall removes identifiers, generalises the context and forwards only the minimum necessary. The model receives the problem, not the person.

The second route is permissioned, context-rich AI use. Some tasks genuinely require personal context. A strategy memo, a tax question, a health-related process, a legal draft or a personal writing assistant may need to know more about the user. But the firewall decides what is shared, with which model, for what purpose, under what retention policy and with what audit trail.

The third route is trusted agent-to-agent communication. Some matters should never be sent to a general external model. They should move directly and securely between the citizen's agent and a trusted organisational agent — a tax authority, healthcare provider, municipality, pension institution, bank, court, school or other regulated actor.

This third route is especially important for the public sector.

The future of public AI cannot be a collection of generic chatbots resting on top of administrative websites. Public-sector AI needs access rights, logs, archival validity, data protection, explainability, accessibility, source attribution, decision boundaries and a clear separation between advice, preparation and formal administrative decision-making.

In other words, public AI needs infrastructure.

From Chatbots to an Agentic Society

The emerging discussion about an agentic society points in the right direction. The shift is not only from forms to conversational interfaces, although that is part of it. The deeper shift moves from isolated digital services toward a federated network of agents operating across organisational boundaries.

Public administration should not become one giant AI system. That would be both unrealistic and undesirable. Instead, it should become a governed network: agencies, municipalities, ministries and public bodies maintain their own agents, and these agents cooperate through shared rules, interfaces, identity layers, audit mechanisms and chains of responsibility.

This is where the Personal AI Firewall and the Nordic Trust Gateway belong together.

The Personal AI Firewall protects and represents the individual.

The Nordic Trust Gateway connects trusted agents, institutions, data spaces and models under democratic, legal and technical governance.

Together, they sketch a possible architecture for a society where AI is widely used but is not blindly surrendered to platforms.

Why This Is a Nordic Opportunity

The Nordic countries have a rare combination of assets: strong public institutions, high digital trust, advanced registers, relatively coherent public data systems, a tradition of legal accountability and citizens who already expect the state to function digitally.

This gives the Nordics an opportunity to build AI infrastructure differently.

The dominant American pattern is platform-first: capture the user, capture the workflow, capture the data, then optimise the experience. The European instinct is often regulation-first: define risk classes, compliance duties and institutional boundaries. Both are necessary; neither is sufficient on its own.

A Nordic model could be trust-first.

Not trust as a slogan. Trust as architecture.

That means identity, consent, data minimisation, auditability, reversibility, human responsibility, semantic interoperability, secure computation, local processing where needed and clear legal boundaries for autonomous action.

It also means accepting one hard truth: people will use AI for everything. They will use it for work, love, money, health, law, politics, parenting, grief, ambition, bureaucracy and conflict. The correct response is not to pretend this can be stopped. The correct response is to build the layer that makes it safer, more accountable and more human.

The Human Must Not Be the Weakest API

Without a Personal AI Firewall, the human becomes the weakest API in the system.

A person is asked to understand data protection, model training policies, prompt leakage, inference risk, identity exposure, legal privilege, health privacy, employer confidentiality, public-sector secrecy rules and geopolitical cloud dependencies — while simply trying to get help with a document.

That is absurd.

We do not ask ordinary users to manually inspect every network packet leaving their computer. We built firewalls, browsers, permission systems, authentication layers and security protocols. AI now needs the same civilisational treatment.

The user should not have to ask: "Is this safe to paste into a model?"

The user's AI firewall should help answer that question before the data ever leaves the device.

The Edge Agent

The technical core of this idea is the edge agent.

It may live on a phone, a laptop, a secure organisational environment or a dedicated physical device. In sensitive use cases, it may hold the user's secrets locally. It may maintain personal memory, preferences, permissions, credentials and private context. It may use local models for classification and redaction, external models for high-quality reasoning, and trusted institutional channels for regulated tasks.

The important point is not the device. The important point is the direction of control.

The user's agent must be closer to the user than the platform is.

Before any prompt, document, voice recording, image, health note, financial statement or official letter is sent to an outside AI system, the edge agent should ask: What is this? Who is asking? What does the task require? What can be removed? What must remain local? Which model is allowed? Which institution is trusted? What must be logged? Does a human need to approve this?

This is model routing upgraded into civic infrastructure.

The Public-Sector Version: Nordic Trust Gateway

For institutions, the corresponding layer is the Nordic Trust Gateway.

It would not be a single product in the narrow sense. It would be a reference architecture and eventually a market: shared components for identity, permissions, semantic interoperability, logging, model access, source-grounded answers, agent-to-agent communication, human approval, archival records and compliance with European regulation.

It would allow public-sector organisations to adopt AI without each one rebuilding the same risky architecture from scratch.

It would also allow citizens to engage with public services through their own agents — not by surrendering all context to a platform, but by granting specific, revocable and auditable permissions to trusted counterparties.

The long-term effect could be profound. Instead of citizens navigating dozens of fragmented services, forms and portals, their own agent could help them understand, prepare and act. Instead of authorities building isolated chatbots, institutional agents could work within a shared trust framework. Instead of AI becoming an uncontrolled shadow layer above society, it could become part of governed digital infrastructure.

The Political Meaning

This is not only a technology proposal. It is a theory of power.

AI assistants will become intimate. They will know our tasks, weaknesses, ambitions, fears, relationships, finances, medical concerns and bureaucratic struggles. If those assistants are primarily controlled by external platforms, then the most important interface in a person's life will not be governed by the person.

A Personal AI Firewall reverses that logic.

It says: before AI systems gain access to the person, the person is given a protective and negotiating layer against AI systems.

This layer can still use the best models in the world. It can benefit from frontier AI, open-source AI, local AI and public-sector AI. But it changes the terms of access.

The person is not raw material. The person is the principal — and the principal has a cabinet.

The Strategic Bet

The next decade of AI will not be won only by the largest model. It will also be won by the best trust layer.

The model will matter. So will the routing. So will permissions, context strategy, logs and legal boundaries. So will the human approval points. So will the ability to explain which source was used, under which authority and for what purpose.

For companies, this is a product opportunity. For governments, it is an infrastructure challenge. For citizens, it may become a new digital right.

The personal computer gave individuals computational power. The internet gave individuals access to information and networks. AI gives individuals access to reasoning, generation and agency.

But agency without protection is exposure.

That is why every person should have a Personal AI Firewall before they have a personal AI assistant.

And that is why the Nordic countries should not merely adopt AI. They should help define the trust architecture for an AI society.

Back to all essays, or get in touch.