By NHI Mgmt Group Editorial TeamPublished 2026-01-08Domain: Cyber SecuritySource: Appgate

TL;DR: APAC regulators are tightening controls on cross-border personal data transfers, and cloud-routed ZTNA can unintentionally move traffic through foreign points of presence even when users and resources are local, according to Appgate. The architectural issue is that sovereignty now depends on access-path control, auditability, and jurisdictional placement, not policy statements alone.


At a glance

What this is: Appgate argues that APAC data sovereignty rules turn ZTNA routing architecture into a compliance issue, especially when vendor-managed cloud paths can move traffic across borders.

Why it matters: IAM and security teams need to treat access-path design, session logging, and jurisdictional control as part of governance when identity-mediated access carries regulated data.

👉 Read Appgate's analysis of APAC data sovereignty and direct-routed ZTNA


Context

Data sovereignty means keeping personal and sensitive data within the legal and operational boundaries that a regulator expects. In APAC, the issue is no longer limited to storage and application placement, because access paths can also create cross-border exposure when traffic is brokered through infrastructure outside the country of origin.

That makes ZTNA a governance decision as much as an access-control decision. Where the article intersects with identity is in session governance, MFA, posture checks, and least-privilege access enforcement, all of which shape whether an authenticated user can reach regulated data without creating a hidden transfer problem.


Key questions

Q: How should organisations avoid hidden cross-border data transfers in ZTNA?

A: They should map the full access path, not just the application location. If a ZTNA service brokers sessions through foreign infrastructure, it can create a transfer issue even when the user and resource are local. The control objective is to keep routing, logging, and enforcement inside the jurisdiction required by the data classification.

Q: When does cloud-routed access become a sovereignty risk?

A: Cloud-routed access becomes a sovereignty risk when the jurisdiction of the brokered session matters to law, contract, or regulator expectations. That is common in APAC privacy regimes, where organisations may need to prove that data did not traverse infrastructure outside the approved boundary. If you cannot prove locality, you cannot rely on policy alone.

Q: What do security teams get wrong about encrypted traffic and sovereignty?

A: They assume encryption solves the problem, but sovereignty rules often care about who processed the connection and where the session was handled. Encrypted traffic can still move through an unapproved region, and the metadata alone may create compliance exposure. The issue is control of the path, not only confidentiality of the payload.

Q: Who is accountable when access routing breaks sovereignty obligations?

A: Accountability usually sits with the organisation that chose the architecture and approved the control design. Regulators will look for evidence that the business understood the transfer boundary, classified the workload correctly, and retained audit records. Vendor infrastructure may be part of the chain, but the compliance responsibility remains with the controller or operator.


Technical breakdown

Cloud-routed ZTNA versus direct-routed ZTNA

Cloud-routed ZTNA typically brokers sessions through vendor-operated points of presence before forwarding traffic to the target resource. That design can improve convenience, but it also introduces an additional jurisdictional hop and a second governance domain. Direct-routed ZTNA removes that intermediary and connects the user device to the resource through customer-controlled infrastructure. The practical difference is not only latency or network design, but where the access transaction is processed, logged, and governed.

Practical implication: Map every access path to its legal transfer boundary before approving ZTNA for regulated workloads.

Why session metadata matters for sovereignty and auditability

Even when payload traffic is encrypted, session metadata can reveal who accessed what, from where, and through which infrastructure the connection passed. In sovereignty-sensitive environments, regulators often care about more than content. They care about whether transfer, processing, and control were maintained within the required jurisdiction. Audit-ready ZTNA therefore has to preserve logs, policy decisions, and enforcement events in a customer-controlled environment, not only the session itself.

Practical implication: Keep session logs and policy records under customer governance so audits can prove locality and control.

Identity-centric access control at the network layer

The article’s key architectural point is that Zero Trust access control is not just about authenticating a user once. It also involves continuously evaluating device posture, policy, and least-privilege scope before and during access. That is where IAM and network architecture meet. If the access broker sits in foreign infrastructure, the identity decision and the data path can diverge from the regulatory boundary the organization is trying to maintain.

Practical implication: Align identity policy enforcement with in-region infrastructure so access decisions and data flows stay within the same jurisdiction.


NHI Mgmt Group analysis

Data sovereignty now reaches into access architecture, not just data storage. APAC privacy and transfer rules are forcing organisations to examine where sessions are brokered, not only where records are stored. When a ZTNA platform inserts vendor-managed infrastructure into the path, it can create a transfer event even if the application and user are both local. The governance conclusion is simple: jurisdictional control must extend to the access layer.

Cloud-routed ZTNA creates a hidden transfer boundary that many compliance programmes miss. The problem is not encryption, which remains necessary, but the additional jurisdictional hop introduced by remote PoPs. That hop can undermine the intent behind transfer-limitation and overseas-disclosure obligations because the organisation may no longer be able to prove that traffic stayed inside the expected boundary. Practitioners should treat routing topology as a compliance artifact, not a networking detail.

Identity governance and network governance are converging in regulated APAC deployments. Session-level MFA, posture checks, and least-privilege policy are only half the story if the enforcement plane sits outside the region being protected. This is where the sovereignty conversation intersects with IAM: access control must be both identity-aware and jurisdiction-aware. Teams should evaluate whether their access layer can prove locality as well as authorization.

Auditability becomes the control that separates policy from evidence. Many programmes can state that data should remain local, but far fewer can demonstrate the path, enforcement point, and logging chain end to end. The named concept here is sovereignty-aware access path control: the ability to keep identity-mediated access, logs, and enforcement within the jurisdiction that policy requires. Without that, sovereignty claims are difficult to defend in audit or incident review.

Direct-routed ZTNA is best understood as a governance pattern, not a product feature. The architectural principle is that customer-controlled session handling reduces the chance of unintended foreign transfer and narrows the compliance surface. That does not remove the need for classification, consent, and regional legal review, but it does give practitioners a clearer control boundary. The practitioner takeaway is to treat routing design as part of the sovereignty model from the start.

What this signals

Sovereignty-sensitive programmes should now treat access routing as part of the control inventory, alongside MFA, device posture, and session logging. In practice, that means architecture review boards need to ask where the enforcement plane sits before they approve a ZTNA pattern for regulated data.

Sovereignty-aware access path control: a mature programme can prove not only that a user was authorised, but that the enforcement and session path remained inside the required jurisdiction. That is the difference between asserting compliance and demonstrating it during audit or regulatory review.


For practitioners

  • Inventory every ZTNA traffic path Document where each user-to-resource session is brokered, including any vendor-managed PoP or intermediary cloud region. Compare those paths against the jurisdictional requirements that apply to the data being accessed.
  • Classify regulated workloads by transfer sensitivity Separate applications that can tolerate global brokering from those that require local processing, local logging, or explicit transfer controls. Use that classification to decide whether direct-routed access is mandatory.
  • Retain session logs under customer control Store access decisions, session metadata, and policy enforcement events in infrastructure governed by the organisation rather than the access vendor. That evidence is often what proves compliance during review.
  • Test sovereignty claims with routing validation Run controlled access tests from local users to local resources and verify whether traffic ever exits the intended jurisdiction. Record the observed path, not the expected design, as part of control assurance.

Key takeaways

  • APAC sovereignty rules are turning network access architecture into a compliance control, not just a connectivity choice.
  • Cloud-routed ZTNA can create hidden transfer exposure when session brokering crosses jurisdictional boundaries.
  • Practitioners should prove locality, keep logs under customer control, and align identity enforcement with regional infrastructure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access permissions and session control are central to sovereignty-sensitive ZTNA design.
NIST SP 800-53 Rev 5AC-4Information flow enforcement maps directly to cross-border routing and transfer control.
NIST Zero Trust (SP 800-207)Zero Trust architecture is the core model being adapted for sovereignty constraints.
ISO/IEC 27001:2022A.5.15Access control governance supports policy decisions about region-bound session handling.
GDPRArt.32The article's transfer and control concerns mirror security of processing expectations.

Document access control requirements for regional routing and review them against sovereignty obligations.


Key terms

  • Data Sovereignty: Data sovereignty is the requirement that data be collected, processed, stored, or transferred in ways that comply with a specific jurisdiction's laws. In practice, it means organisations must know not just where data lives, but where it flows and who can control each step of that flow.
  • Cloud-Routed ZTNA: Cloud-routed ZTNA is a Zero Trust access model where sessions are brokered through vendor-managed infrastructure before reaching the destination resource. It can simplify operations, but it also adds an intermediary control plane that may create jurisdictional and audit concerns in regulated environments.
  • Direct-Routed ZTNA: Direct-routed ZTNA connects a user device directly to the authorised resource without sending the session through a vendor-operated point of presence. The design reduces intermediary handling and gives the customer more control over where access traffic, metadata, and enforcement are processed.
  • Sovereignty-aware Access Path Control: Sovereignty-aware access path control is the practice of governing not only who can connect, but where the connection is brokered, logged, and enforced. It is a useful concept in regulated regions because it turns locality into an explicit, testable security control rather than an assumption.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • How direct-routed ZTNA changes the access path for APAC workloads and why that matters for sovereignty controls.
  • Examples of country-specific transfer obligations in Singapore, Australia, Japan, South Korea, Indonesia, Vietnam, and the Philippines.
  • The customer-controlled deployment model for controllers and gateways, including jurisdictional placement choices.
  • Audit logging considerations for session establishment, access decisions, and traffic flows in regulated environments.

👉 Appgate's full article covers the APAC jurisdiction examples, routing risks, and deployment model in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity control, auditability, and lifecycle governance across modern access programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org