Authentication can cross borders in residency models, but should it?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Modern SaaS is splitting residency by plane, keeping customer content and, increasingly, inference in-region while routing authentication and other control-plane functions globally, according to WorkOS’s analysis of OpenAI, Slack, and GitHub. The trade-off is now structural: identity teams must decide which cross-border flows are tolerable and which trigger sovereignty exceptions.

NHIMG editorial — based on content published by WorkOS: Why authentication doesn't need to stay local: the new data residency pattern

Questions worth separating out

Q: How should security teams evaluate SaaS residency claims when authentication crosses borders?

A: Security teams should separate storage claims from identity-path claims.

Q: Why do residency programmes often exempt authentication and control-plane functions?

A: They are usually exempted because they are low-volume, operationally central, and difficult to regionalise without duplicating identity infrastructure.

Q: What do teams get wrong about data residency in AI-enabled SaaS?

A: Many teams focus only on stored data and miss where inference happens.

Practitioner guidance

  • Inventory identity flows alongside data flows. Document where SSO, session handling, directory sync, and federation requests terminate for each SaaS application.
  • Classify residency exceptions by control-plane function. Separate authentication, telemetry, billing, and support operations into distinct exception categories.
  • Add compute locality to AI procurement reviews. For AI-enabled platforms, ask where inference occurs as well as where prompts are stored.

What's in the full article

WorkOS's full analysis covers the operational detail this post intentionally leaves for the source:

  • The vendor-by-vendor residency split across OpenAI, Slack, and GitHub, including what remains local and what does not.
  • The specific authentication and SSO routing patterns that create cross-border exceptions in enterprise SaaS.
  • The architectural trade-offs behind region-by-region duplication of identity infrastructure and control planes.
  • The deployment options that support customers who cannot accept any cross-border identity handling.

👉 Read WorkOS’s analysis of selective data residency and authentication routing →
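The practitioner guidance above (inventory identity flows alongside data flows, classify exceptions by control-plane function, and record where inference runs) can be turned into a repeatable offline check. The script below is an added example written for this thread; it is not code from the post, from NHIMG, or from WorkOS, and it does not describe any real vendor. It parses a constructed OIDC discovery document and SAML SP metadata to discover where authentication flows terminate, merges them with other control-plane and data-plane endpoints, and reports which flows leave the tenant's region, grouped by category. The `example-saas.com` hostnames, the hostname-to-region map, and the flow-to-category table are all assumptions; in practice the region data comes from vendor residency documentation, DNS analysis, or the contract annex.

```python
"""Offline inventory of where a SaaS app's identity and control-plane flows terminate.

All inputs are constructed samples for a hypothetical vendor. The hostname-to-region
map is a placeholder assumption, not something this script can discover on its own.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: OIDC discovery document for a tenant whose content is in
# the EU but whose authentication endpoints are served from a global pool.
OIDC_DISCOVERY = json.dumps({
    "issuer": "https://auth.example-saas.com",
    "authorization_endpoint": "https://auth.example-saas.com/authorize",
    "token_endpoint": "https://auth.example-saas.com/oauth/token",
    "jwks_uri": "https://auth.example-saas.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://eu.api.example-saas.com/userinfo",
})

# Constructed sample: SAML SP metadata for the same tenant.
SAML_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu.example-saas.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example-saas.com/saml/acs" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example-saas.com/saml/slo"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: remaining control-plane and data-plane endpoints.
OTHER_ENDPOINTS = {
    "scim_provisioning": "https://scim.example-saas.com/v2",
    "telemetry": "https://events.example-saas.com/v1/batch",
    "billing": "https://billing.example-saas.com/api",
    "content_api": "https://eu.api.example-saas.com/v1/files",
    "inference": "https://eu.inference.example-saas.com/v1/chat",
}

# Assumed hostname-to-region map (placeholder; source it from the vendor in practice).
HOST_REGIONS = {
    "auth.example-saas.com": "global",
    "sso.example-saas.com": "us-east",
    "scim.example-saas.com": "us-east",
    "events.example-saas.com": "global",
    "billing.example-saas.com": "us-east",
    "eu.api.example-saas.com": "eu-west",
    "eu.inference.example-saas.com": "eu-west",
}

# Flow-to-category table following the post's split of control-plane functions,
# plus the data-plane flows (content, inference) that residency promises cover.
CATEGORY = {
    "authorization_endpoint": "authentication", "token_endpoint": "authentication",
    "jwks_uri": "authentication", "userinfo_endpoint": "authentication",
    "saml_acs": "authentication", "saml_slo": "authentication",
    "scim_provisioning": "directory_sync", "telemetry": "telemetry",
    "billing": "billing", "content_api": "content", "inference": "inference",
}
SAML_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def extract_oidc_endpoints(discovery_json: str) -> dict:
    """Pull every *_endpoint URL and the jwks_uri out of an OIDC discovery document."""
    doc = json.loads(discovery_json)
    return {k: v for k, v in doc.items() if k.endswith("_endpoint") or k == "jwks_uri"}


def extract_saml_endpoints(metadata_xml: str) -> dict:
    """Pull the ACS and SLO locations out of SAML SP metadata."""
    root = ET.fromstring(metadata_xml)
    flows = {}
    acs = root.find(".//md:AssertionConsumerService", SAML_NS)
    slo = root.find(".//md:SingleLogoutService", SAML_NS)
    if acs is not None:
        flows["saml_acs"] = acs.get("Location")
    if slo is not None:
        flows["saml_slo"] = slo.get("Location")
    return flows


def region_of(url: str, host_regions: dict) -> str:
    """Region an endpoint terminates in; an unmapped host is 'unknown', which never passes."""
    return host_regions.get(urlparse(url).hostname, "unknown")


def build_residency_report(tenant_region: str, flows: dict, host_regions: dict) -> list:
    """One row per flow: category, terminating region, and whether it leaves tenant_region."""
    rows = []
    for name, url in flows.items():
        region = region_of(url, host_regions)
        rows.append({"flow": name, "category": CATEGORY.get(name, "unclassified"),
                     "region": region, "cross_border": region != tenant_region})
    return rows


def exceptions_by_category(report: list) -> dict:
    """Group cross-border flows by control-plane category for the exception register."""
    grouped = defaultdict(list)
    for row in report:
        if row["cross_border"]:
            grouped[row["category"]].append(row["flow"])
    return dict(grouped)


def inventory(tenant_region: str = "eu-west") -> dict:
    """Full pipeline over the constructed samples for one tenant region."""
    flows = {**extract_oidc_endpoints(OIDC_DISCOVERY),
             **extract_saml_endpoints(SAML_SP_METADATA), **OTHER_ENDPOINTS}
    return exceptions_by_category(build_residency_report(tenant_region, flows, HOST_REGIONS))


if __name__ == "__main__":
    for category, flow_names in sorted(inventory().items()):
        print(f"{category:16s} leaves eu-west via: {', '.join(flow_names)}")
```

Two design choices matter for a residency review. First, an endpoint whose host is not in the region map is reported as `unknown` and therefore counted as cross-border, so a missing mapping surfaces as an exception instead of silently passing. Second, the report keeps data-plane flows (content, inference) in the same table as authentication, directory sync, telemetry, and billing, so the output shows directly which of the vendor's "stays local" claims hold and which control-plane exceptions the organisation is being asked to accept.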

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Selective residency is really a control-plane exception model, not a full sovereignty model. Vendors are no longer promising that every byte stays local. They are promising that customer content stays in-region while identity, routing, and support functions may travel globally. That makes the real governance question whether the organisation accepts a split boundary or needs a stricter one. Practitioners should treat the exception as a formal design choice, not a vague implementation detail.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity exceptions are still being governed without end-to-end observability.

A question worth separating out:

Q: When is a split residency model not acceptable for identity governance?

A: It is not acceptable when the organisation cannot tolerate cross-border identity traffic, such as in some public-sector, defence, or tightly regulated financial contexts. In those cases, even a small authentication exception can undermine the residency commitment. The decision is less about technical elegance and more about whether the control-plane exception matches the risk posture.

👉 Read our full editorial: Selective data residency leaves authentication outside the region
