
Your service management platform may be your biggest data sovereignty liability
The industry quietly abandoned on-premise, dressed cloud lock-in as progress, and penalised customers who pushed back. In 2026, organisations are paying the price and realising how few genuine options they have left.
Here is a question most IT leaders have not asked: do you know where your service management data physically resides? Not 'in the cloud' but which country, which data centre, which legal jurisdiction. And under whose government's right of access?
For most organisations running a modern ITSM or ESM platform, the honest answer is: not entirely. That uncertainty is not an accident. It is the result of a decade-long industry decision to move service management entirely onto shared, foreign-hosted cloud infrastructure, making it feel so inevitable that few people stopped to ask what was being surrendered.
True data sovereignty requires on-premise or private cloud deployment. The rest is rented space under someone else's rules.
The quiet removal of customer choice
Ten years ago, on-premise deployment was standard. You ran your service management platform in your own data centre, on your own hardware, behind your own firewall. Then vendors migrated to the cloud, and on-premise was quietly discontinued. Not announced and not debated. Just gone.
Today, most major service management vendors offer cloud only. Your data lives in their environment, subject to their policies, governed by whatever legal framework applies to their corporate structure. This is presented as progress. For organisations in government, healthcare, finance and legal, it is increasingly a compliance problem they cannot solve with a contractual workaround.
A local data centre operated by a foreign vendor does not equal data sovereignty. If the platform vendor's parent company is subject to foreign law, your data may still be accessible to foreign governments, exposed to trade disputes, or caught in jurisdictional shifts you have no control over. 'Hosted in-country' and 'under your control' are not the same thing.
The ESM problem nobody is talking about
Enterprise Service Management, extending service management beyond IT into HR, Finance, Facilities and Legal, has become mainstream. Organisations are consolidating employee onboarding, procurement approvals, compliance workflows and contract management onto single platforms alongside traditional IT operations.
This is the right direction. However, it dramatically raises the stakes for data sovereignty. When HR, Finance and Legal move onto your service management platform, the data involved is no longer just IT operational data. It is employee records, financial approvals, legal correspondence and sensitive procurement decisions, sitting on the same cloud infrastructure, under the same jurisdictional uncertainty.
When your whole organisation moves onto one service management platform, data sovereignty stops being an IT concern and becomes a board-level one.
The commercial penalty
Among the handful of vendors that still nominally offer on-premise, a pattern has emerged: it is available but priced punitively. Higher costs, reduced features, lower-tier support. The implicit message is clear: you can have data control, but you will pay extra for the inconvenience.
This is the wrong way around. Deployment choice is a governance decision that belongs to the organisation, reflecting its regulatory environment and duty of care. A service management vendor's job is to support that choice unconditionally, not to use pricing architecture to steer customers toward whatever model suits the vendor's unit economics.
Organisations with legitimate sovereignty requirements (NHS trusts, government agencies, financial services firms, and legal practices) should not be commercially penalised for exercising them. Outcomes are what matter: whether the platform delivers measurable improvements in service quality and operational efficiency. The infrastructure it runs on is the customer's decision to make.
Three questions worth asking now
The regulatory and geopolitical pressures driving this conversation (trade tensions, NIS2, DORA, Australia's Essential Eight, and post-Brexit data governance) are not easing. They are accelerating, and service management leaders should be asking three things:
Where does your service management data physically reside, and under which legal jurisdiction? Require a substantive answer from your vendor's legal or compliance team, not a marketing summary.
What happens if your vendor's jurisdiction changes, if trade policy disrupts their data-sharing agreements, or if they are acquired by a company subject to different legal obligations? Know what your contract actually says.
Can you move to on-premise or private cloud if your governance requirements change, and at what cost? If on-premise is unavailable or commercially prohibitive, that is material risk information for your procurement and board reporting.
Deployment models should be decided on governance grounds, not on the basis of what your vendor prefers or charges.
The service management market has, for the most part, made these questions difficult to ask by making cloud-only feel like the only sensible answer. It is not. The right answer depends on your organisation, your regulatory environment, and your responsibilities to the people whose data you hold. What organisations deserve, and what most vendors no longer offer, is genuine choice, at equal cost, measured entirely by outcomes.

Marval Global Locations:
United Kingdom, Australia, Netherlands, Sweden, South Africa, Canada and Lithuania
