Data sovereignty has become a top boardroom issue. Regulators demand it, customers expect it, and CIOs and chief technology officers are tasked with delivering it. The assumption is simple: if your data resides locally, under your jurisdiction, you control it.

However, as explored in episode 5 of Altron’s Local Logic podcast series — in which technology leaders discuss how South African organisations can harness AI, data and digital innovation to deliver meaningful customer value — this assumption may be flawed.

AI expert Steven Sidley and Bongani Andy Mabaso, CTO of Altron Group, discussed how this results in a paradox: the more organisations chase absolute data sovereignty, the more they discover how elusive true control really is.

The illusion of complete control

At the heart of the sovereignty debate is the belief that local data residency equals control. Sidley challenges that premise: “I’ve always considered the concept of data residency being in this day and age, utterly, utterly absurd.”

His argument is not that jurisdiction doesn’t matter, but that modern digital infrastructure makes the idea of purely local control almost impossible. Cloud systems are, by design, distributed and redundant.

As he explained: “Many of the big cloud providers have started building data sovereign, safe data centres. I don’t fully believe it, because all of those big hyperscalers have to have backup data centres. That’s their entire model. If Google or Amazon’s data centres in Africa go down under a flood or a bomb or anything else, they are backed up elsewhere in the world.”

The global architecture that makes hyperscale cloud resilient is the same architecture that complicates sovereignty. Resilience depends on geographic distribution. Distribution complicates jurisdiction.

Mabaso adds another layer of complexity: extraterritorial legal reach.

Extraterritorial reach

He highlights the implications of the US Cloud Act, which states that, if for whatever reason, law enforcement in the US decides that they want to investigate an organisation in South Africa, if they are provided with data services by any American companies, then the FBI or Interpol can actually compel that organisation to reveal your data sets.

Even if the data sits in a South African data centre, the corporate structure of the provider may expose it to foreign legal processes. When challenged, cloud providers acknowledge the possibility. “If you go and you challenge a cloud service provider on that, they’ll tell you, well, it’s true, but they’ll give you all sorts of reasons on why it’s very unlikely to happen, but it is a real risk that actually exists.”

The paradox becomes clear: you can localise infrastructure, but you cannot fully localise legal exposure in a globally interconnected system.

Security versus sovereignty: a false choice?

Another persistent confusion in the debate is the conflation of data security with data sovereignty.

Sidley invokes the original architect of AWS, Willem van Biljon, who argued that “people who think that residency is important, do not realise that if you go to Amazon to store your data, notwithstanding the fact that it lives in another country, your actual data at Amazon Web Services is the safest in the world because they have spent US$50-billion on perimeter control and encryption”.

From a pure cybersecurity perspective, hyperscalers may offer stronger protection than most on-premises environments. Few enterprises can match the billions invested in encryption, perimeter defence and monitoring.

Mabaso agreed but drew a clear distinction.

“Steven has raised an important point around cybersecurity and how secure your data is in whatever environment. And I think it would be difficult for anyone to argue that hyperscalers have not invested more than anybody else in making sure that security in that environment is as strong as it can possibly be. However, I think it’s a slightly different argument regarding laws.”

Security protects against breaches, while sovereignty addresses jurisdiction.

To listen to the podcast series, click here

Consider the entire landscape

Mabaso frames the decision more holistically. “I do think that you do have to consider the entire landscape end to end. Yes, there’s the technological risk, and how do you secure that? But there’s also the geopolitical risk and how do you make sure that you’ve got the right mix?”

Sovereignty is only one factor among several. “One is security, two is cost, because depending on the solution that you go with, it will have a very different cost profile. Three is the regulatory environment in which you operate in.”

The regulatory environment is particularly complex in South Africa. As TransUnion’s CEO Lee Naik explained in episode 2: “Popia (the Protection of Personal Information Act) is stronger than GDPR (General Data Protection Regulation). GDPR only protects consumer data. It does not protect corporate data. Popia protects consumer data and corporate data.”

Moreover, he said: “The South African law says if you’re going to use Popia, if you’re going to put the data somewhere else, it has to have a set of regulations that are at least as stringent as the local ones. And right there we’ve got a problem, because it’s telling you you can’t put your corporate data in Europe.”

Here, sovereignty is not simply a philosophical ideal. It creates practical constraints. Local law may restrict cross-border transfer, while global cloud economics incentivise it. Security and sovereignty are not interchangeable, and optimising for one does not automatically solve the other.

AI’s data sovereignty challenge

If cloud computing complicates sovereignty, AI fundamentally transforms it. Sidley described what he calls a “dirty little secret” of large language models.

“AI has brought a complicating wrinkle into this. One of the dirty little secrets of AI, which is unknown to most people, even those who use it, is that the data … you don’t find any data, you find a set of statistical relationships in a matrix,” he said.

Traditional data governance assumes identifiable datasets that can be located, deleted or transferred. LLMs don’t store data conventionally. They encode patterns.

This creates a new risk vector.

“If you are building an AI system which is going to use the vernacular language capability of the LLMs in order to be able to chat casually with a user, you are in danger in having all the data about that chat, all the data that’s provided as context, being sucked in as training and it becomes ungovernable once it’s pulled in as a training data set.”

He warned: “There is not only a danger, in my view, there is an absolute certainty of data leakage if one is using some of the frontier LLMs.”

Mabaso echoed the sentiment. “Corporations have gone all in on using these large public LLMs in production, or even proof of concept, for some of their workloads. But the problem with that is data leakage is almost always guaranteed.”

The solution, he argued, lies in proximity and control. “The best thing for corporates around AI adoption is how do I ensure that I can use a language model or any type of model that’s contextual, that’s smaller, that’s more efficient and generally runs as close as possible to where your data resides.”

AI makes sovereignty even harder to define. Once data is absorbed into model weights, it becomes statistically embedded rather than geographically located. It cannot simply be “brought home”.

Living with the paradox

The data sovereignty paradox is not about choosing between global cloud and local control. It is about recognising that complete sovereignty is an illusion in distributed digital ecosystems.

Jurisdiction, security, cost, resilience, compliance and AI governance all intersect. Sovereignty is no longer a binary state. It is a spectrum of risk management decisions.

The organisations that navigate this successfully will not chase absolute control. They will design for informed trade-offs: understanding that in a world of hyperscalers and AI, sovereignty is less about geography and more about governance.