In a world where data is the new currency, controlling where it resides and who has access to it has become a critical concern for governments and businesses alike. Today, we sit down with Dominic Jainy, an IT professional with deep expertise in AI, machine learning, and the complex digital frameworks that underpin our global economy. We’ll explore the rising tide of digital sovereignty, particularly in the Asia-Pacific region, and unpack what it truly means to have control in the cloud. Our conversation will touch upon the challenges of navigating varied international regulations, the hidden risks within AI supply chains, and the practical steps organizations can take to ensure their digital infrastructure is not just powerful, but also compliant and secure.
Organizations in the Asia-Pacific region are facing tighter expectations on data control. How does benchmarking against the 2025 EU framework help them, and what kind of common compliance gaps related to public sector work does a 20-minute assessment typically uncover? Please walk us through an example.
It’s a fantastic starting point because it provides a common language. The EU framework has become a de facto global reference, so when a business in Australia or Singapore benchmarks against it, they’re not just preparing for Europe; they’re aligning with a globally recognized standard that regulators and public sector buyers are increasingly citing. This really helps businesses that operate across borders. In a quick 20-minute assessment, we often see gaps that feel small but are absolute deal-breakers for government contracts. For instance, a company might believe its data is locally resident, but the assessment reveals that their cloud provider’s incident response team is based in another jurisdiction. This means foreign personnel could access sensitive data during a crisis, a clear violation of sovereign principles that would immediately disqualify them from a critical infrastructure project.
The assessment’s scoring model gives higher weight to supply chain security and operational autonomy. Why do regulators place so much emphasis on these two areas, and what are some concrete, practical steps a company can take to strengthen its capabilities and improve its score?
Regulators are laser-focused on these two areas because they represent the most significant systemic risks. Think about it: a compromise in your software supply chain can have a cascading effect, creating vulnerabilities you don’t even know exist. That’s why it’s weighted so heavily at 20%. Operational autonomy, at 15%, is about resilience. If a geopolitical event cuts off access to your primary cloud vendor’s international support, can you still run your essential services? To strengthen these areas, a company must move beyond just contractual assurances. For the supply chain, this means actively vetting the provenance of all software and diversifying suppliers to avoid concentration risk. For autonomy, it means ensuring your local teams are fully trained and have the administrative control to manage the infrastructure independently, without relying on support from external jurisdictions.
Many are discussing the “black box” problem in digital sovereignty, particularly regarding AI. How does this issue create hidden risks for AI models built on cloud infrastructure, and why is a sovereign cloud considered an essential foundation for developing Sovereign AI?
The “black box” problem is one of the most pressing issues we face. When you build an AI model on a non-sovereign cloud, you lose visibility and control over the very foundation it rests on. The cloud infrastructure itself—the data storage, the processing, the management layer—could be subject to foreign laws or a single vendor’s opaque policies. This means your AI, which you believe to be autonomous, is actually at risk. Its data could be accessed, or the model’s behavior could even be influenced, without your knowledge. A sovereign cloud is the essential foundation because it ensures the entire stack, from the hardware up to the AI application, is under your local control. You can’t have a truly Sovereign AI if its brain and nervous system are effectively housed in a black box you don’t control.
The self-assessment tool is designed to keep results within a user’s browser to address privacy concerns. How does this design choice help security teams, and how can the downloadable improvement plan serve as a practical roadmap for unifying governance across different business units or cloud providers?
This is a design choice that security teams absolutely love. The last thing they want is to create a new vulnerability while trying to assess existing ones. By keeping the diagnostic results confined to the user’s browser, we avoid creating a centralized honeypot of organizational weaknesses that could be compromised. No sensitive data about infrastructure or controls ever leaves the organization. The downloadable improvement plan then becomes a powerful, tangible asset. It’s not just a score; it’s a roadmap. For a large enterprise where one division uses AWS and another uses Azure, this document provides a unified set of objectives. It allows the CISO to go to both teams with a clear, data-driven plan and say, “Here are our gaps, and here are the concrete steps we need to take to align our governance, regardless of the underlying provider.”
Sovereignty requirements often appear in procurement rules rather than single laws, creating complexity for businesses. How can a structured assessment help translate these high-level expectations into auditable technical controls, especially where contractual commitments and operational reality might diverge?
This is where the rubber meets the road. A government tender might have a clause that just says “data must be managed by local personnel,” which sounds simple but is technically complex. A structured assessment forces an organization to answer very specific questions that translate that high-level rule into auditable controls. For example: Who has administrative privileges? Where are those administrators physically located? What are the procedures for after-hours support? I remember a case where a company had a contract stipulating full local control, but the assessment revealed that their data backups were being replicated to an offshore data center by default. The contractual commitment was there, but the operational reality was completely different. The assessment brought that divergence to light, allowing them to fix it before an audit did.
What is your forecast for Cloud Sovereignty?
My forecast is that Cloud Sovereignty will shift from being a niche compliance requirement for government contracts to a standard pillar of corporate risk management for all critical industries. We’re seeing this trend accelerate as more business functions are powered by AI, where the provenance of data and models is paramount. The conversation is moving beyond just data residency to encompass operational resilience, supply chain integrity, and technological self-determination. Organizations that build their cloud and AI strategies on a sovereign foundation now won’t just be compliant; they’ll be more resilient, more competitive, and ultimately more trusted by their customers and partners on the global stage. It’s becoming a fundamental aspect of digital trust.