TL;DR: Digital sovereignty is shifting from procurement preference to compliance requirement for regulated European organisations as DORA, NIS2, and CLOUD Act exposure change how identity governance must be deployed, controlled, and proven, according to Omada Identity. The core issue is not cloud versus on-premises, but who can operate the platform, under which jurisdiction, and with what accountable control.
At a glance
What this is: Omada Identity Sovereign is a containerised IGA deployment model aimed at giving regulated organisations direct control over where identity governance runs and under which legal and operational conditions.
Why it matters: It matters because identity governance now has to satisfy sovereignty, residency, and jurisdictional requirements alongside access control, which affects NHI, autonomous, and human identity programmes alike.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Omada Identity's explanation of sovereign identity governance deployment
Context
Digital sovereignty for identity governance is no longer a niche procurement question. For regulated organisations, the problem is whether the platform that governs access, approvals, and audit evidence can be controlled in a way that satisfies jurisdictional, operational, and data requirements at the same time.
That matters across human IAM, NHI governance, and broader lifecycle controls because the deployment model becomes part of the control surface. If the organisation cannot determine where the platform runs, who operates it, and which law governs access to the data, then the governance evidence itself can become contested.
Omada Identity Sovereign is positioned against that gap. The article argues that standard cloud residency claims do not solve the underlying control problem, especially for regulated sectors that need provable sovereignty rather than a marketing label.
Key questions
Q: How should regulated organisations evaluate identity governance platforms for digital sovereignty?
A: They should assess operational control, legal jurisdiction, data residency, encryption ownership, and deployment locality as one decision. A sovereignty claim is only credible if the organisation can show it controls the platform that governs access, approvals, and audit evidence. If those controls sit with a third party under a different legal regime, the sovereignty gap remains.
Q: Why does data residency not guarantee sovereign control in identity governance?
A: Because residency only tells you where data is stored, not who can operate the infrastructure or which laws can compel access. In identity governance, that distinction matters because the platform itself produces compliance evidence. If legal and operational control sit elsewhere, the organisation may still be exposed even when the data is geographically local.
Q: What should teams look for in a sovereign IGA deployment model?
A: Look for customer-controlled encryption, flexible deployment on approved infrastructure, clear operational boundaries, and audit support that survives different hosting models. The key question is whether the governance function remains under organisational control when the platform changes location or provider. If not, sovereignty is only partial.
A: Accountability remains with the organisation that chose the service and must answer to regulators, auditors, and internal risk owners. The provider may host the platform, but the regulated entity owns the compliance outcome. That means procurement, security, and identity teams need shared approval criteria before deployment.
How it works in practice
What digital sovereignty means for identity governance
Digital sovereignty in identity governance is the ability to control where the platform runs, who operates it, where data is processed, and which jurisdiction can reach it. In IGA, those factors matter because the system is not just storing identities. It is making approvals, recording evidence, and supporting audit and compliance decisions. Residency alone is not enough if a provider can still determine operational access or legal exposure. For regulated organisations, sovereignty is therefore a control model, not a hosting preference.
Practical implication: evaluate IGA platforms on operational control, legal reach, and deployment locality together, not on cloud wording alone.
Why containerised IGA changes the control boundary
A fully containerised IGA platform changes the control boundary by separating the software from a fixed provider infrastructure. That can let an organisation place the system in its own datacentre, a sovereign cloud, or a partner-hosted environment while retaining more direct control over encryption, operations, and hosting location. The architectural point is not portability for its own sake. It is that governance evidence, policy execution, and administrative control remain closer to the organisation that must answer for them.
Practical implication: confirm whether portability actually preserves administrative, cryptographic, and audit control, not just deployment flexibility.
How jurisdictional control intersects with cloud sovereignty claims
Jurisdictional control is the decisive issue when sovereignty claims are tested against law and provider access. If a provider operates under legal regimes that can compel disclosure or access, then a local data region does not automatically mean sovereign control. This is why regulated buyers distinguish between residency, tenancy, and legal control. In identity governance, that distinction affects audit defensibility, third-party exposure, and whether the platform itself can be treated as compliant infrastructure.
Practical implication: map sovereignty claims to legal exposure and operational control requirements before accepting any cloud-based IGA deployment.
NHI Mgmt Group analysis
Digital sovereignty is now an identity governance control problem, not a hosting preference. The article is right to frame sovereignty as part of the control surface rather than as a deployment option. Identity governance systems hold approval evidence, access records, and compliance artefacts, so the question is whether the organisation can prove control over the platform that governs control itself. For regulated programmes, that makes sovereignty a governance requirement, not an infrastructure feature. Practitioners should treat deployment jurisdiction as part of the access-control design.
Residency claims do not resolve jurisdictional exposure when infrastructure control sits elsewhere. A cloud service can place data in-region without giving the customer meaningful control over who operates the environment or which legal process can reach it. That distinction matters more in regulated sectors than in generic enterprise IT because auditability depends on provable control, not assumed locality. The implication is that sovereignty assessments must examine operating model, legal reach, and data control as a single package.
Identity governance inherits the same sovereignty pressures as the systems it governs. If an organisation demands control over access approvals and audit evidence, it must also scrutinise the platform used to deliver those functions. That is especially relevant where identity governance extends across human users, service accounts, and other non-human identities. The practical conclusion is that the governance stack itself must be assessed as a regulated asset.
SEAL-3 style sovereignty targets raise the bar from compliance theatre to deployment discipline. The article signals that regulated buyers are no longer satisfied with provider assurances; they want control over the legal, operational, and infrastructure chain. That aligns with the broader direction of European procurement, where sovereignty is becoming a buying criterion tied to accountability. Practitioners should expect more scrutiny of where identity platforms run and who can intervene in them.
Integrated identity programmes will need sovereignty-aware architecture choices across human and non-human identities. The vendor's own positioning around human and non-human identity reflects a real programme issue. Once identity governance spans both populations, deployment control becomes a shared requirement rather than a niche concern for one team. The field is moving toward architecture decisions that unify governance, audit, and sovereignty instead of treating them separately. Teams should plan for that convergence now.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why control over identity infrastructure matters as much as control over the identities themselves.
- For a broader control baseline, read Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the governance mechanics that sovereignty decisions must not weaken.
What this signals
With only 5.7% of organisations reporting full visibility into their service accounts, per the Ultimate Guide to NHIs, sovereignty decisions will increasingly be judged on whether they improve control evidence rather than simply relocating workloads.
Control-plane sovereignty: the next procurement test is whether the identity platform itself can be governed under the same accountability model it enforces. For teams managing human IAM, NHI governance, and lifecycle controls together, that means deployment architecture now belongs in the security review, not just in infrastructure planning.
For practitioners
- Separate residency from sovereignty in your evaluation criteria Require evidence for where data resides, who operates the service, what legal jurisdiction applies, and whether the customer can independently control encryption and administration.
- Test the governance stack as a regulated workload Assess whether the IGA platform can be deployed inside your chosen infrastructure model without losing evidence integrity, operational control, or audit support.
- Align sovereignty requirements to sector obligations Map DORA, NIS2, and any internal sovereignty policy to concrete platform requirements before procurement so control expectations are explicit and defensible.
- Include non-human identities in sovereignty planning If your identity programme governs service accounts, tokens, and workloads as well as people, make sure the deployment model covers those identities under the same control assumptions.
Key takeaways
- Digital sovereignty is becoming a control requirement for identity governance, especially in regulated European sectors.
- Residency alone does not solve legal and operational exposure if the provider still controls the platform or can be compelled under another jurisdiction.
- Identity teams should evaluate IGA platforms for deployment control, encryption control, and audit defensibility before accepting any sovereign claim.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.SC-1 | Third-party and supply-chain governance matters when a provider operates the identity platform. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero Trust emphasizes continuous verification and control over protected resources and pathways. |
| NIS2 | NIS2 pressure is part of the article's regulated-sector sovereignty rationale. |
Document provider control boundaries and legal exposure before approving a sovereign or cloud IGA deployment.
Key terms
- Digital sovereignty: Digital sovereignty is the ability for an organisation to control where a critical platform operates, who can administer it, and which legal regime can compel access to the associated data. In identity governance, that control extends beyond data location to operational authority and audit defensibility.
- Identity governance and administration: Identity governance and administration is the control layer that manages access requests, approvals, certifications, and audit evidence across identities. It is not just an administrative workflow. It is the mechanism that proves who has access to what, why they have it, and who approved it.
- Jurisdictional control: Jurisdictional control is the degree to which an organisation can keep its data and platform operations outside unwanted legal reach. For identity governance systems, it matters because the service itself stores evidence and supports compliance outcomes, so legal exposure can affect the control plane.
- Customer-controlled encryption: Customer-controlled encryption means the organisation, not the provider, controls the encryption keys used to protect its data. In regulated identity environments, this reduces provider-side exposure and helps preserve control when the platform is hosted outside the customer’s direct infrastructure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Omada Identity: Omada Identity Sovereign and digital sovereignty for identity governance. Read the original.
Published by the NHIMG editorial team on 2026-06-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
