Many APAC enterprises are today seeing regulatory disruption to their IT operations, and as AI moves from pilots into production, the issues of sovereignty, auditability, and operational control are today becoming urgent architecture-level decisions, not policy checkboxes.
At the same time with US–China tensions intensify and governments become more sensitive to who can access strategic datasets, what will an “acceptable” cloud and AI architecture for enterprises across APAC looks like?
To look at how regulation and external macro-economic developments are impacting enterprise infrastructure decisions across the region, as well as the urgency for CIOs and CISOs to act now, iTNews Asia speaks with Catherine Lian, General Manager and Technology Leader, IBM ASEAN.
iTNews Asia: How do you see the ASEAN or Asia Pacific region in comparison to the EU and US in their digital sovereignty awareness (and preparedness)?
Lian: Across regions, we see organisations at different stages of readiness on digital sovereignty - but the direction is unmistakable. Leaders are moving toward an understanding that sovereignty is ultimately about control, transparency, and flexibility across their digital and AI ecosystems.
Digital sovereignty needs also vary by sector. In digitally mature industries such as financial services, telecommunications - the conversation has shifted decisively toward architecture. Boards are asking pointed, operational questions: “Can we prove who can access our data and models?” “Are we overly dependent on one provider?” “How fast could we switch if we had to?” These are signs that sovereignty is becoming a strategic design principle and increasingly recognised as the enabler that allows organisations to scale AI with confidence while retaining authority over how it runs.
Across all markets, friction points are remarkably consistent: skills shortages, legacy infrastructure, fragmented data environments, uncertain ROI for AI adoption, and heightened security concerns. These challenges consistently slow AI adoption, and sometimes, the broader AI sovereignty roadmap.
What’s changing quickly is the mindset. Sovereignty is no longer framed as restrictive. It is being understood as the foundation for open, interoperable, hybrid architectures that preserve choice, prevent lock‑in, and which provides enterprises control over their digital futures.
iTNews Asia: Given the heterogenous and more complex IT landscape in Asia Pacific, what challenges do enterprises in this region face, firstly, in planning their digital infrastructure and secondly, in creating unified and interoperable systems that respect sovereignty?
Lian: IBM’s Sovereign Technology Capabilities whitepaper reveal that many enterprises are still constrained by siloed, legacy operating models that prevent a unified view of data. Six in 10 of Asia Pacific organisations are experiencing regulatory disruption to their IT operations. This regulatory fragmentation across nations adds ongoing compliance complexity.
Deploying AI across sensitive domains also introduces new questions around governance and accountability. Cyber threats remain intense across the region, requiring resilient hybrid architectures. At the same time, there continues to be a growing talent gap in AI, cybersecurity and compliance expertise.
This often means rethinking infrastructure as a unified hybrid platform, rather than isolated environments. Hybrid architectures that combine local data residency with global failover capabilities ensure that critical workloads can move across sovereign zones, on-prem environments and private clouds, mitigating risks.
iTNews Asia: With cloud computing now integral to most industries in the region, is sovereignty over the cloud infrastructure the largest concern and most difficult challenge for public sector institutions and industries which are highly regulated, e.g. finance, telcos and healthcare?
Lian:
Sovereignty over cloud infrastructure is absolutely a top-of-mind concern for public sector institutions and highly regulated industries. Sovereignty helps organisations establish a foundation of control and flexibility to switch providers, move workloads, govern AI transparently and verify who has access to what.
- Catherine Lian, General Manager and Technology Leader, IBM ASEAN.
A single data breach can erode decades of customer trust and tank shareholders’ confidence. The stakes are high, but so is the opportunity. In fact, Gartner predicts that sovereign cloud spending in regulated industries such as banking and healthcare will surge fivefold to US$66 billion in 2028.
Sovereignty must be intentional and engineered into every layer of the technology stack. Enterprises can accelerate innovation without compromising governance, security, or ethics by embedding open, responsible AI practices from the start: define clear guardrails, implement robust monitoring, invest in the right talent, and partner with trusted AI providers who ensure solutions are secure, auditable, and aligned with organisational and societal standards.
iTNews Asia: How should enterprises redesign their infrastructure decisions to remain adaptable as regulatory or operational requirements continue to evolve?
Lian: Enterprises need to move beyond a one-size-fits-all cloud approach to ensure they have demonstratable authority while meeting ambitious innovation roadmaps to better serve their customers or communities. An open hybrid infrastructure that integrates public, private, and sovereign cloud environments provides the necessary flexibility to meet diverse regulatory requirements while maintaining operational agility.
True transformation happens when organisations pair the openness of hybrid cloud with the power of AI. This combination helps them move beyond incremental upgrades and focus on building architecture designed for flexibility, security and continuous innovation where the client is in control.
Sensitive data can remain within specific geographic or sovereign boundaries to comply with data localisation laws while less critical workloads can leverage public clouds for scale, connectivity, and access to advanced AI and analytics capabilities.
In practice, organisations across the region are already adopting this model. For example, Telkom Indonesia collaborated with IBM to deploy sovereign AI solutions using IBM watsonx and watsonx.ai, empowering enterprises to deliver responsible, scalable AI across HR, legal, marketing, and other functions.
iTNews Asia: What does it mean to embed sovereignty into infrastructure architecture, beyond just data residency?
Lian: Digital sovereignty has to be designed deliberately into every layer of the technology stack. Open ecosystems, hybrid‑by‑design deployment models - whether cloud, on‑premises, edge or fully air‑gapped and integrated AI governance give organisations the control and flexibility they need to run their operations on their own terms.
iTNews Asia: How can we create risk management frameworks that are geared for auditability, as well as explainability to regulators?
Lian: We believe there are core pillars to build this:
- Client Control and Choice
Organisations maintain authority over their data, workload placement, and technology stack supported by open ecosystems that prevent vendor lock‑in and preserve the freedom to switch, scale, or adapt as needed. - Flexible Sovereignty Models
A range of software, infrastructure, and consulting options built on open standards to meet different regulatory requirements, industry needs, and data sensitivities while ensuring interoperability across environments. - Innovation with demonstratable authority
Architectural approaches that enable organisations to scale digital and AI innovation while maintaining choice, control, and compliance. Open, hybrid-by-design systems ensure that sovereignty supports innovation rather than restricting it.
For example, IBM’s Sovereign Core builds sovereignty directly into the architecture, ensuring customers retain control of data, keys, and compliance while avoiding lock‑in through open, portable components. The outcome is a transformation that is both technologically advanced and fully aligned with the organisation’s values, governance expectations, and performance goals.
iTNews Asia: As digital sovereignty extends into AI and projects move from pilots into production, where are CIOs and CISOs underestimating sovereignty risks? What advice can you give to organisations here? How can ASEAN organisations turn sovereignty requirements into competitive advantage rather than compliance cost?
Lian: AI as an opportunity, not just a risk. However, organisations need to embrace AI responsibly with a focus on protecting data while prioritising meaningful value-add not just experimentation.
Enterprises should bring AI to their data, not the other way around. Using hybrid cloud architectures, enterprises can run AI securely where data resides, ensuring compliance and operational control. Building smaller, domain-specific AI models allows organisations to fully leverage their proprietary data, creating unique insights and value. Open, transparent platforms and AI models prevent vendor lock-in and future-proof technology stacks against evolving regulations.
