In a world where data is the new currency, protecting its sovereignty has become a paramount concern for enterprises and governments alike. But what does sovereignty truly mean when applications are distributed across private data centers, public clouds, and the edge? We sat down with Maryanne Baines, a leading authority on enterprise cloud infrastructure, to dissect this evolution. With deep experience evaluating cloud providers and their technology stacks, Maryanne offers a unique perspective on how the rise of AI and complex regulations are forcing us to redefine sovereignty, moving the focus from physical borders to operational control.
This conversation explores the fundamental shift in how organizations approach data governance. We delve into how AI workloads are accelerating the move toward distributed infrastructure, challenging the old model of centralizing data. Maryanne explains the practical steps businesses can take to maintain sovereign control in a hybrid world, where security and compliance are no longer just about the perimeter but are embedded within each workload. Finally, we discuss how this new paradigm impacts business resilience and shapes the future of cloud platform choices.
The article highlights a shift in sovereignty from being about physical location to being about operational control. What specific customer challenges or AI use cases are driving this change, and can you walk us through an example of this new control-based model in practice?
It’s a fascinating and absolutely critical shift. For years, the conversation was simple: “Our data must not leave Germany,” for example. But that model is crumbling under the weight of modern IT. The biggest drivers are distributed applications and, especially, AI. Think about training a large language model. The datasets are enormous. The idea of moving petabytes of sensitive data from various sources into a single, central public cloud is not only incredibly expensive but also a security and compliance nightmare. Data gets copied, restored, and analyzed in so many places that the idea of a single “location” becomes almost meaningless. This is where the control-based model comes in. A perfect example is when a customer can now run management tools, which were previously only available as a service, directly inside their own environment. This means they can observe, manage, and secure their data and applications in a completely air-gapped facility, with no exposure to any outside entity, giving them true operational sovereignty regardless of where the workload itself is running.
Lee Caswell notes that AI is pushing for a more distributed world. Beyond general trends, what specific cost, risk, or compliance metrics are convincing organizations to run AI closer to data sources, rather than moving large datasets to a central cloud for processing?
The metrics are becoming brutally clear for CFOs and CISOs. First, there’s the direct cost of data egress and ingress. Moving massive datasets in and out of a central cloud incurs significant financial penalties that many organizations initially underestimate. It’s a recurring operational expense that can spiral out of control. Second, the risk metric is huge. Every time you move data, you expand its attack surface. You’re exposing it during transit and creating a new, potentially vulnerable copy in a different environment. Why introduce that risk if you don’t have to? Finally, compliance exposure is the metric that keeps legal teams up at night. Moving data can inadvertently violate GDPR, HIPAA, or other regional regulations if it crosses jurisdictional boundaries. So, organizations are realizing it’s far more efficient, secure, and compliant to bring the AI processing to the data, not the other way around. This distributed approach minimizes all three of those critical metrics.
The platform now allows management tools to run inside customer environments and licenses to move with workloads to public clouds. Can you detail the technical or operational steps a customer takes to maintain sovereign control in such a hybrid scenario, perhaps with an anecdote?
This is where the strategy becomes tangible. Let’s imagine a financial services company. They develop a new AI-powered fraud detection application in their private, on-premises data center for maximum security. Operationally, the first step is they deploy their entire management and orchestration plane within their own secure walls, not as a SaaS service. They have the only keys. Now, let’s say they need to scale a part of that application to handle a surge in transactions. They decide to burst that specific workload to a public cloud provider like AWS. Instead of being locked in, they can seamlessly move the license for that workload. As Lee Caswell put it, “you can move that licence at will.” This is a crucial step; it’s not just the license, but the encryption controls and security policies tied to it that move with the workload. This ensures that even though the application is running on rented servers in a public cloud, the control, the security posture, and the governance remain firmly in the hands of the customer.
As security moves closer to the workload, the article mentions extending policies to Kubernetes and supporting government-ready AI software. In practical terms, how does this approach differ from traditional perimeter security, and what new audit or identity integration capabilities does this unlock for organizations?
The difference is night and day. Traditional perimeter security is like a fortress wall. It’s strong, but once an attacker is inside, they can often move around freely. The modern approach of moving security closer to the workload is like assigning a dedicated bodyguard to every single person inside that fortress. We’re no longer just securing the network entry points; we are applying policy enforcement directly to the virtual machines, and even more granularly, to containerized workloads in Kubernetes. For an organization, this unlocks incredible new capabilities. Instead of a vague audit log saying “traffic from this IP was blocked,” you get a highly specific report showing “this specific container, part of this application, attempted an unauthorized action and was stopped.” This allows for much deeper identity integration and truly meaningful audit visibility, which is essential for regulated industries and government agencies using hardened, compliant AI software.
The article connects platform choice with resilience, noting customers are reassessing virtualization strategies. How do your new orchestrated recovery policies, which prioritize systems by risk, specifically address the operational consistency concerns that organizations currently face, and can you share an example of this in action?
Operational consistency during a disaster is a massive challenge. In the past, disaster recovery was often a blunt instrument where all applications were treated equally. This is incredibly inefficient. A critical, revenue-generating system has a much higher recovery priority than an internal development server. This is where orchestrated recovery policies change the game. Organizations can now define policies that prioritize the restoration of systems based on their actual business impact and regulatory risk. For instance, in a multi-site failure scenario, a bank could have a policy that dictates its online banking platform and transaction processing systems are restored first, with all their specific security settings preserved. Only after those are confirmed to be stable does the system begin restoring less critical internal HR applications. This gives them granular control over the entire process, ensuring that the most vital parts of the business are back online first, maintaining operational consistency where it matters most and avoiding a chaotic, all-at-once recovery effort.
What is your forecast for the evolution of sovereign cloud? As AI models become more federated and regulations tighten, what new challenges and platform capabilities do you see emerging over the next three to five years?
My forecast is that the concept of “sovereignty as control” will become the undisputed standard, and the technology will race to catch up. The primary challenge will be managing and proving this control across an even more fragmented and complex ecosystem. As AI models become more federated, running in different clouds and edge locations, we will need platform capabilities that can enforce a single, unified security and governance policy across all of them without ever needing to centralize the raw data. I foresee the emergence of advanced, automated audit systems that can provide cryptographic proof of where data was processed and by whom, satisfying even the strictest regulators. The winning platforms will be those that make this complex, distributed governance feel simple and unified, allowing organizations to innovate with AI confidently, knowing their sovereignty is intact and provable, no matter where their workloads run.
