
Proof Not Promises: Why Vendor Trust is Critical For Enterprises to Navigate Data Residency and Geopolitical Complexity

2026/02/18 19:14

With data residency rules multiplying, geopolitical tensions shifting, and new security threats emerging faster than ever, enterprises face a growing list of compliance obligations and significant downside risk they need to successfully manage. Increasingly, this will require partnering with cloud vendors who can not only navigate multi-jurisdictional compliance complexity but can also objectively validate their security and governance capabilities – making “trust” a primary competitive differentiator for vendor selection. 

To get it right, shift left 

Maintaining data residency compliance was always a challenging undertaking, but technologies like AI raise the level of complexity significantly.  

AI needs to be grounded in curated data that resides in a specific location. However, if AI performs a task on that data – a quick analysis, perhaps, or a summarisation – is that output, which is a derivative of the original data, subject to the same data residency requirements? How should data that has been abstracted or changed in some way through an AI function be treated when it comes to data residency? 

Getting those nuances right requires a full understanding of the regulatory components and the financial and legal risks associated with breaching those regulatory requirements. The “work fast and break things” approach is not the way to go here.  

Vendors who “shift left” and incorporate regulatory, legal, privacy, and security concerns very early in the development process – rather than retroactively having to add functionality in – help ensure that the right level of information can be shared across regions and leveraged by technologies like AI without residency requirements being breached.  

For their part, enterprises will likewise benefit from “shifting left” and making sure that people who fully understand these compliance nuances are involved early in the vendor evaluation and selection process rather than being brought on at the last minute, right as a deal is about to be inked. 

Solving the “say-do” problem 

Even with stronger processes upstream, enterprises face a deeper challenge: determining whether vendors’ assurances reflect reality or simply sound good on paper. Enterprises want to know that any cloud vendors they’re contracting with are compliant with a veritable alphabet soup of security and compliance frameworks: from ISO and CSA STAR; FedRAMP, IRAP, and Cyber Essentials Plus; EU-US Data Privacy Framework; through to NIST AI Risk Management and the EU AI Act. 

This means that vendors need to be able to credibly attest to compliance – or, better yet, be evaluated by independent third parties that attest to their compliance. This helps address the “say-do” problem: a vendor might say they tick the box in X, Y, or Z area, but an independent validation verifies what they actually do.

Part of this effort involves vendors being able to provide highly detailed documentation around all relevant aspects of their platform, which could comprise anything from data governance and data residency to access management, AI, and encryption services.  

Broad, high-level overviews no longer cut it in these areas. Vendors should be prepared to provide deep, “next level” details – for instance, not just indicating that encryption is used for certain functions, but specifying what type of cryptographic modules are used. Alternatively, they should be able to indicate what steps the company takes around achieving separation of networks, or even provide in-depth details around token management – not just how they issue the digital tokens that applications use for authentication and authorisation, but how they store, protect, monitor, refresh, and revoke them.

To make sure nothing gets “lost in translation” around what is required from either a customer or regulatory standpoint versus what functionality and safeguards the product actually provides, it’s important to incorporate cross-functional teams at all stages of the product development and documentation process. Legal, privacy, security, development, and operations should all be involved and working hand in glove to make sure that there’s alignment between “say” and “do.” 

Eye to the future 

If vendors want to build trust in the eyes of enterprises, it’s not enough to show that they’re able to tackle today’s challenges – they also need to show that they’re keeping an eye on the horizon and tomorrow’s threats. 

For instance, while it might not be a risk right now, what are vendors doing to prepare themselves against the potential combination of AI malware and quantum computing capabilities – a supercharged threat that could break through cryptographic standards in a fraction of the time required today? 

Those customer questions are coming, which means that vendors need to be moving towards having a credible answer that can reassure customers that they’re already putting thought into how to future-proof against emergent threats. 

In the end, the vendors preparing for tomorrow’s threat landscape are the same ones proving they can be trusted today – and that distinction is becoming impossible to ignore. Vendors who can prove – not just claim – that they meet the highest bar across privacy, security, and residency will earn a seat at the enterprise table. Everyone else will discover that in today’s challenging security and data governance landscape, the absence of credible attestations is a dealbreaker. When trust is solid, decisions are faster, alignment is stronger, and results scale.  
