TL;DR: Cloud migration has made data residency and sovereignty harder to reason about because physical storage location, legal jurisdiction, and access control no longer line up cleanly, according to IS Decisions. The governance problem is not just where data sits, but who can access the keys, the sessions, and the files once control leaves the perimeter.
At a glance
What this is: This is an analysis of how cloud adoption complicates data residency and sovereignty, and why access control and monitoring remain the practical enforcement layer.
Why it matters: It matters because IAM, PAM, and lifecycle teams have to govern access across on-prem, SaaS, and cloud storage without assuming location alone delivers control.
👉 Read IS Decisions's article on data sovereignty, residency, and cloud access control
Context
Data sovereignty and data residency are often treated as location problems, but in practice they are access and control problems. Once data moves into cloud and SaaS environments, the question is no longer only where it lives, but who can manage the encryption keys, authorize access, and observe activity after access is granted.
That shift matters for IAM and governance teams because on-premises systems, remote admins, business partners, and cloud services all extend the control boundary. The core challenge is maintaining the same identity, authentication, and monitoring discipline across environments that no longer share a single perimeter.
Key questions
Q: How should security teams govern data sovereignty across cloud and on-premises systems?
A: Govern data sovereignty by combining location, jurisdiction, key custody, and access control into one operating model. Cloud storage location alone does not prove sovereignty. Teams need MFA, contextual access, session oversight, and file monitoring so they can control who enters, what they can do, and how activity is observed after access is granted.
Q: Why does keeping data on-premises not solve identity governance risk?
A: On-premises storage can simplify residency, but it does not eliminate remote users, third-party administrators, or privileged access paths. Those identities still need lifecycle management, recertification, and session control. If the access model is weak, on-prem data can remain exposed even when the storage location is fully known.
Q: What do security teams get wrong about data sovereignty controls?
A: Teams often treat sovereignty as a legal or infrastructure question and ignore post-authentication behaviour. That misses the point, because the risky event is not only entry but copying, renaming, permission changes, or exfiltration after access has been granted. File activity monitoring is what turns sovereignty from a claim into a control.
Q: Who is accountable when sensitive data crosses cloud and on-prem boundaries?
A: Accountability should sit with the team that owns the access path, key custody, and monitoring controls, not just the storage platform owner. In practice, that means identity, security, and compliance teams need a shared governance model with clear ownership for residency, session control, and evidence retention across environments.
Technical breakdown
Data residency vs data sovereignty: why the distinction matters
Data residency describes where data is physically stored. Data sovereignty goes further and asks which laws apply and who can control access to the data, especially the encryption keys that protect it. In cloud environments those two questions often diverge, because a dataset may be stored in one region while being governed by another provider, jurisdiction, or contract model. That means compliance cannot rely on location alone. Organisations need to understand the full access path, including administrative control, key custody, and third-party reach.
Practical implication: map data location, legal jurisdiction, and key ownership together before treating a workload as sovereign.
Why on-premises does not eliminate identity risk
Keeping data on-premises can simplify residency, but it does not remove the identity problem. Internal users, remote workers, business partners, and support staff still need access, and every one of those access paths creates exposure if authentication, session control, or privilege boundaries are weak. On-prem environments also carry the burden of securing their own controls rather than inheriting cloud provider safeguards. The result is that sovereignty may improve, but operational risk can remain high if identity governance is immature.
Practical implication: treat on-prem access as a governance problem, not a security shortcut.
Session control and file monitoring are the real enforcement layer
The article separates two distinct controls: preventing inappropriate access and detecting risky activity after access is granted. Identity controls such as MFA, SSO, contextual access, and real-time session management limit who gets in and under what conditions. File monitoring then tracks reads, writes, copies, renames, permission changes, and anomalous behaviour after entry. That split is important because residency and sovereignty claims are weak if you cannot see or stop abnormal file activity once someone is authenticated. The practical architecture is identity first, then continuous activity oversight.
Practical implication: pair access controls with file-level monitoring so sovereignty is enforceable, not just asserted.
NHI Mgmt Group analysis
Data sovereignty is an access-control problem disguised as a location problem. The article correctly shows that residency alone does not establish control. What matters is who can manage keys, authorise sessions, and observe post-access behaviour, because that is where sovereignty is either real or merely contractual. For IAM and PAM teams, the practical conclusion is that control planes matter more than storage geography.
On-premises does not remove the need for NHI-style governance. Third parties, remote administrators, scripts, and service connections still touch sensitive systems even when the data never leaves the corporate boundary. That means service access, permissions, and activity monitoring still need lifecycle discipline, especially where business partners or support functions retain persistent access. The conclusion is that sovereignty and NHI governance converge at the same control points.
Identity security must be evaluated after authentication, not just before it. MFA and SSO answer who can enter, but they do not prove that the resulting activity is acceptable. File-level telemetry, session oversight, and permission-change monitoring are what turn residency claims into enforceable governance. Practitioners should treat visibility after access as part of the sovereignty control model, not as an optional add-on.
Cloud and on-prem programmes fail when they assume one perimeter can govern both worlds. The article’s central tension is that modern environments combine local systems, SaaS, and cloud storage, each with different trust boundaries and control owners. That breaks perimeter-era thinking and pushes identity governance toward continuous verification and activity monitoring across all locations. The practical implication is that governance models must follow access paths, not network borders.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- For the adjacent governance lens, read Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for how access review and offboarding discipline extends across machine identities.
What this signals
Data sovereignty programmes will keep failing if they are scoped as storage-location exercises rather than access-path governance. The practical shift for security teams is to unify residency, jurisdiction, key management, and monitoring into one evidence chain that survives audit.
Control-plane sovereignty: the useful operating model is not where the bytes sit, but who can change the keys, approve the session, and alter the files. That is the boundary practitioners should build around.
The wider identity signal is that one in five organisations already grant AI systems dramatically more access than human employees, according to the 2026 Infrastructure Identity Survey. As access becomes more distributed, sovereignty controls will increasingly depend on identity governance that can follow the session, not just the system.
For practitioners
- Inventory key custody and control paths Document who manages the encryption keys, who can delegate access, and which jurisdictions may apply to each sensitive dataset. This makes sovereignty assessments concrete rather than rhetorical and highlights where shared responsibility ends.
- Extend IAM policy to third-party and remote access Apply MFA, contextual access, and session controls to employees, contractors, and partners using on-prem and SaaS resources. The control objective is consistent enforcement, not separate exceptions for each access population.
- Add file-level monitoring to sovereignty-critical data Track reads, writes, renames, copies, and permission changes on files that matter for compliance or national jurisdiction concerns. Alert on unusual timing, volume, or source device so that misuse is visible after authentication.
- Review persistence in partner and admin access Look for accounts that retain standing access after business need changes, especially in remote management and support scenarios. Offboarding and recertification should cover the full access chain, not just employee identities.
Key takeaways
- Data sovereignty fails as a concept if teams only track where data is stored and ignore who controls the keys, sessions, and file activity.
- On-premises storage can narrow residency exposure, but it still leaves identity, partner access, and administrative privilege as live governance risks.
- Practitioners should align IAM, monitoring, and offboarding controls so residency claims are backed by evidence across the full access path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed across cloud, SaaS, and on-prem paths. |
| NIST Zero Trust (SP 800-207) | Continuous verification fits the post-authentication visibility gap described here. | |
| NIST CSF 2.0 | DE.CM-1 | File activity monitoring is central to detecting misuse after access is granted. |
Map sovereignty-critical access to PR.AC-4 and review entitlements across every environment.
Key terms
- Data Residency: The physical location where data is stored and processed. Residency matters because local law, contractual obligations, and operational constraints can change depending on where the data sits, even when the business treats the dataset as globally available.
- Data Sovereignty: The degree of legal and operational control an organisation has over its data. It depends on where the data is, who controls the encryption keys, who can authorise access, and which jurisdiction can compel disclosure or handling.
- Contextual Access Control: An access model that evaluates conditions such as user location, device state, time, and risk before granting entry. In governance terms, it helps ensure that access decisions reflect more than identity alone and can be adapted to sensitive or regulated environments.
- File Activity Monitoring: The practice of observing reads, writes, copies, renames, permission changes, and other file events after access has been granted. It is essential where post-authentication behaviour matters as much as authentication itself, especially in regulated or sovereignty-sensitive systems.
What's in the full article
IS Decisions's full article covers the operational detail this post intentionally leaves for the source:
- How UserLock applies MFA, SSO, contextual access, and session management in Active Directory environments
- How FileAudit tracks reads, writes, renames, copies, and permission changes across files and cloud storage
- Which alert conditions trigger immediate responses, including unusual time-of-day access and mass copying
- How the controls extend from on-prem systems into SaaS and major cloud platforms without losing visibility
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org