VENDORiQ: Google Leans into Sovereign AI

Why it’s Important

With growing geopolitical instability and specific concerns over the potential overreach of the USA CLOUD Act (among others), organisations are increasingly concerned about not just data but all areas of digital sovereignty. 

Google’s decision to bring its flagship AI models (Gemini) and platform components (Vertex AI) onto GDC, its on-premises cloud, is a strategically significant, albeit early step. 

While hyperscale clouds offer powerful AI services, the processing and indexing often occur across global infrastructure, posing challenges for organisations facing strict data sovereignty mandates or heightened geopolitical uncertainty. This announcement directly addresses the growing demand for ‘sovereign AI’ – ensuring not just data but also the AI processing itself remains within designated geographical or organisational boundaries. This capability could unlock AI use cases previously untenable due to compliance or risk postures for sectors like government, finance, and healthcare.

Placing its AI capabilities into GDC strengthens Google’s position in the competitive hybrid cloud market, putting the firm into closer contention with established offerings like AWS Outposts and Microsoft Azure Arc, which have also been extending AI capabilities beyond the public cloud. 

Sovereign Cloud is not Just Running Cloud On-Prem

As Australia and the ASEAN markets weigh up the unstable geopolitical environment, they will need to appreciate that sovereign cloud is more than just local data centres.

Google’s strategic recognition of sovereignty as a critical requirement is particularly evident in European markets. GDC is a key part of Google Cloud Sovereign Solutions, which is a comprehensive portfolio designed to help organisations meet their diverse digital sovereignty requirements. This nuance is important. An ‘on-premises’ or ‘edge’ cloud infrastructure is not the same as a sovereign cloud. To be truly sovereign, the platform demands a wide range of capabilities that bring hardware and networking acquisition and management, life-cycle controls, encryption, and more, under the sole control of an organisation. 

To illustrate this, the sovereign capabilities of GDC include:

• Sovereign Controls by Partners: This includes initiatives like S3NS in France (a Thales company), where trusted local partners operate Google Cloud technologies with independent oversight and safeguards to meet stringent national requirements, such as SecNumCloud. Google is working on similar trusted partner offerings in other regions, such as Germany.
• Sovereign Controls and Regional Controls (within Google Cloud public regions): Regional controls enable the enforcement of data residency and personnel access restrictions. These are further enhanced by sovereign controls, which can include advanced encryption management through Cloud External Key Manager (EKM) with key access justifications. Governance enforcement features, such as assured workloads, allow the creation and maintenance of environments that adhere to these specific configurations and compliance regimes.
• Foundational Security and Control: Confidential computing provides hardware-based data encryption in use, offering an additional layer of data protection. Furthermore, principles of transparency, including tools like access transparency and access approval, remain core to visibility and control of critical sovereign cloud capabilities.

However, while impressive from a strategic standpoint, organisations must weigh the benefits against the inherent complexities and potential costs of managing sophisticated AI infrastructure on-premises, even via a platform like GDC. 

While Google (and other cloud vendors) strive to bring all their hyperscale features to edge cloud offerings, functional parity will likely lag. It is essential to consult with the cloud vendors or expert partners to determine which features of the offerings are available and which are not. Also, working directly with vendors like Google to understand their roadmap is essential.

However, achieving 100 per cent parity between sovereign cloud and public hyperscale cloud is unnecessary. When evaluating GDC or similar platforms for sovereign cloud efforts, it is more cost-effective and practical to develop precise requirements for the use cases that are likely to be needed and validate that the current features (or features on the roadmap) align.

Cloud’s success with Thales demonstrates it is possible and economically viable – even profitable – to create a sovereign cloud.

Who’s Impacted?

• CIO: Needs to evaluate how this offering aligns with the organisation’s overall cloud and AI strategy, particularly regarding hybrid deployments and potential vendor lock-in versus multi-cloud flexibility. Budget implications for GDC hardware and management are key considerations.
• Risk and Compliance Officer: Must assess if GDC’s on-premises AI capabilities genuinely meet specific regulatory and data sovereignty requirements (e.g., IRAP in Australia). Understanding the operational model and data flows within GDC is critical.
• Chief Technology Officer (CTO): Should consider the technical integration of GDC AI services with existing systems, the platform’s maturity, and how it fits into the long-term technology roadmap. Evaluating the capabilities against alternative solutions is vital.
• Cloud Architect Lead: Needs to understand the deployment, configuration, and operational requirements of running Gemini and Vertex AI on GDC or an alternative on-premises cloud architecture. Designing resilient and performant hybrid architectures incorporating these new services will be their focus.

Next Steps

Organisations considering this capability should:

• Clarify Sovereignty Needs: Define precisely what ‘sovereign AI’ means for your operation – is it data residency, processing location control, or operational control?
• Assess Operational Overhead: Evaluate the internal resources and expertise required to manage and maintain the GDC (or competitive) infrastructure stack for AI workloads.
• Validate Feature Parity: If using Gemini already, verify that the specific Gemini models and Vertex AI features available on GDC meet the requirements of intended use cases.
• Compare Alternatives: Analyse GDC’s AI capabilities against other on-premises or hybrid AI solutions, considering factors like cost, performance, ecosystem, and existing vendor relationships.
• Review Contractual Terms: Scrutinise licensing, support, and data processing agreements related to using Google AI services on GDC.