TL;DR: Cloud migration has made data residency and sovereignty harder to reason about because physical storage location, legal jurisdiction, and access control no longer line up cleanly, according to IS Decisions. The governance problem is not just where data sits, but who can access the keys, the sessions, and the files once control leaves the perimeter.
NHIMG editorial — based on content published by IS Decisions: Understanding data residency, sovereignty, and on-prem security trade-offs
Questions worth separating out
Q: How should security teams govern data sovereignty across cloud and on-premises systems?
A: Govern data sovereignty by combining location, jurisdiction, key custody, and access control into one operating model.
Q: Why does keeping data on-premises not solve identity governance risk?
A: On-premises storage can simplify residency, but it does not eliminate remote users, third-party administrators, or privileged access paths.
Q: What do security teams get wrong about data sovereignty controls?
A: Teams often treat sovereignty as a legal or infrastructure question and ignore post-authentication behaviour.
Practitioner guidance
- Inventory key custody and control paths Document who manages the encryption keys, who can delegate access, and which jurisdictions may apply to each sensitive dataset.
- Extend IAM policy to third-party and remote access Apply MFA, contextual access, and session controls to employees, contractors, and partners using on-prem and SaaS resources.
- Add file-level monitoring to sovereignty-critical data Track reads, writes, renames, copies, and permission changes on files that matter for compliance or national jurisdiction concerns.
What's in the full article
IS Decisions's full article covers the operational detail this post intentionally leaves for the source:
- How UserLock applies MFA, SSO, contextual access, and session management in Active Directory environments
- How FileAudit tracks reads, writes, renames, copies, and permission changes across files and cloud storage
- Which alert conditions trigger immediate responses, including unusual time-of-day access and mass copying
- How the controls extend from on-prem systems into SaaS and major cloud platforms without losing visibility
👉 Read IS Decisions's article on data sovereignty, residency, and cloud access control →
Data sovereignty and residency: what IAM teams are missing?
Explore further
Data sovereignty is an access-control problem disguised as a location problem. The article correctly shows that residency alone does not establish control. What matters is who can manage keys, authorise sessions, and observe post-access behaviour, because that is where sovereignty is either real or merely contractual. For IAM and PAM teams, the practical conclusion is that control planes matter more than storage geography.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when sensitive data crosses cloud and on-prem boundaries?
A: Accountability should sit with the team that owns the access path, key custody, and monitoring controls, not just the storage platform owner. In practice, that means identity, security, and compliance teams need a shared governance model with clear ownership for residency, session control, and evidence retention across environments.
👉 Read our full editorial: Data sovereignty and residency are colliding with cloud access control