Last week, an ex-colleague and a good friend, Iolaire McKinnon, showed me an open-source tool he had developed called Borderlint. Simple and a clever idea. It finds every place where the code calls an AI service and checks whether those services are allowed under the company’s data policy. If not allowed, the build fails, preventing the release of such code to production.
Iolaire is clearly ahead of the market here as I have not yet come across a commercial solution to AI data residency. Looking at his tool drew my attention to two adjacent stories in the news: Anthropic’s recent allegations against Alibaba, and the decision to limit access to Mythos to around 100 approved companies.
I see three connected problems at the heart of AI governance:
- AI data residency and sovereignty,
- AI theft, and
- AI export control.
Each carries residual risks that technology cannot fully eliminate. Let me start with the residency piece.
AI data residency and sovereignty
A developer at a bank in Singapore or Hong Kong adds three lines of Python to a customer service application. The code sends customer transaction summaries to an AI provider in Mainland China for natural-language processing. The same call also writes to a logging service, a prompt cache, and possibly a vector database storing customer context. Each one a separate residency decision. No procurement review. No data protection officer aware. No contract.
Residency versus sovereignty
Data residency means where the data physically sits. Singapore. Hong Kong. Sydney.
Data sovereignty means who has the legal right to demand it. The American government. The Chinese government. The Singapore government.
Here is an example I have seen catch most management teams by surprise.
A US cloud provider, say AWS or Microsoft, runs a data centre in Singapore. You put your Asian customer data there. The data is in Asia. That is residency.
But AWS and Microsoft are US-incorporated. The US CLOUD Act says American companies must produce data on a valid US court demand, regardless of where it physically sits. On such an order, the provider must hand your Asian data to US authorities. The data never physically moves. But it has effectively left Asia, because a foreign government now holds a copy. That is sovereignty.
For a regulated APAC bank, this turns a clean compliance answer into a messy one. A Singapore data centre owned by a US provider gives you residency in Singapore. Not sovereignty in Singapore.
The simplest test for any AI or cloud vendor: where is the company incorporated? The data centre tells you residency. The headquarters tells you sovereignty. Both matter. Most procurement teams check only one.
What Borderlint can address, and what the industry needs
Borderlint, as Iolaire has built it, can become the lean engine for data residency control. The engine reads code, finds AI service calls, checks them against policy, and fails the build when policy is violated. That core engine can and should stay open source, with proper attribution to Iolaire. That is what builds community trust and keeps the barrier to entry low.
But the engine is only half of the story. The other half is the configuration that drives it: which AI providers operate where, which cross-border arrangements apply, which jurisdictions are accepted for which data class. Iolaire has done impressive work here too, curating an east-west symmetric knowledge base covering around fifty AI providers, four vector databases, dozens of cloud region mappings, and the main cross-border transfer arrangements.
My view is that the configuration is where the commercial opportunity is. If it is externalised into a properly managed system, with a user interface, maker-and-checker approval, version history, and an audit trail, it becomes the secret sauce that turns a developer utility into an enterprise-grade control. The engine builds community trust. The governed configuration is what regulated organisations will pay for, because it captures the regulatory expertise specific to their jurisdiction, sector, and policy.
The bigger picture
“Residency and Sovereignty” is only one of the three connected problems I flagged at the start. The other two operate at different scales but share the same shape of residual risk.
AI theft
In June 2026, Anthropic alleged that Alibaba used roughly 25,000 fraudulent accounts to generate 28.8 million exchanges with Claude over six weeks. Anthropic called it the largest known attack of its kind. The purpose, according to its letter to two US Senators, was distillation: training a smaller AI model on a stronger one’s outputs to imitate its capabilities at a fraction of the cost.
Interestingly, Claude is formally blocked in China. Identity verification is required. Contracts prohibit this use. Yet industry commentary suggests an underground market has formed, offering Claude tokens at 70 to 90 percent below official prices, with resellers selling the harvested outputs as training data to Chinese AI labs. Alibaba has not commented. Whatever the courts find, the case shows that formal access controls may reduce the frequency of theft but cannot eliminate it.
AI export control
At about the same time, the US government and Anthropic limited access to Mythos, Anthropic’s most advanced frontier model, to around 100 approved companies. The intent is to keep Mythos out of the hands of adversaries, particularly the Chinese government. The controls look comprehensive: allow-lists, nationality screening, contractual restrictions, behavioural monitoring.
But here is the question. If 100 companies have access, and those companies together employ tens of thousands of people across many countries, including Chinese nationals working lawfully in Singapore, London, or Sydney, what does “blocked from the Chinese government” actually mean in practice? Controls reduce probability. They do not eliminate capability transfer.
Why all three problems matter together
If an adversary has frontier AI capability, the kind Anthropic is trying to protect, they can generate convincing fake content at scale, accelerate research, automate cyber operations, and produce influence content tailored to individuals.
If an adversary has bulk personal data, the kind residency rules are designed to protect, they can profile populations, identify intelligence targets, conduct social engineering at scale, and map the decision-making of foreign companies and governments.
The combination of frontier AI plus large-scale personal data is the formula for targeted intelligence at scale. The capability tells you what to do with the data. The data tells you who to target.
The emerging and stubborn residual risks
None of these problems can be solved by technology alone.
- People inside the system who shouldn’t, but do. The Alibaba case allegedly involved tens of thousands of accounts harvesting Claude’s outputs. On the bank side, it looks like a developer pasting customer records into a personal ChatGPT account. Identity controls reduce the frequency. They cannot eliminate it.
- Outputs that teach a competitor. The Alibaba allegations include claims that harvested reasoning traces are sold to Chinese labs as training data. The pattern: query a frontier model at scale, save the answers, train a smaller model on them. This is distillation. Each query looks normal. The aggregate does not.
- The longer the chain, the less you see. Resellers buy access from approved customers and sell it on. AI vendors subcontract to other providers, who subcontract again. The further down the chain, the harder it is to know where data actually goes.
- Contracts only work where courts work. A contract between a US AI provider and a US customer is meaningful. A contract with a customer in a country whose courts will not enforce US judgements is mostly paper.
- Detection takes time, and time is the gap. The Alibaba allegations describe weeks of activity before it was caught. That is not a detection failure. It is the structural nature of the problem. The person moving the asset has the advantage. The defender has to find a signal in normal traffic.
What managers and practitioners can do
- Write down what you cannot fully control. Be transparent in the board paper about residual risks. Transparency is itself a control posture.
- Map where your data actually goes. Not just the model API, but across every surface where data crosses borders: the retrieval layer, logging backend, prompt cache, feedback pipeline, vendor support telemetry.
- Ask questions of every AI vendor: where does the data sit, and who can legally demand it? Residency and sovereignty are different. Both answers should be addressed by procurement teams.
- Layer the controls. Static analysis prior to deployment. Runtime monitoring in production. Data loss prevention at the network edge. Vendor contracts. Staff training. Each layer builds on the layer beneath. As noted earlier for tools such as Borderlint, the regulatory configuration that drives them should live in a governed system that the privacy function must own, not inside engineering code.
- Treat evidence production as the deliverable. When Anthropic’s controls were allegedly defeated, it had logs detailed enough to file a complaint with two US Senators. Your privacy office should be able to do the same: evidence of what your controls observed, with attribution, version history, and reviewer signatures, available on demand.
Closing
When something goes wrong, what evidence do you have that you were doing the right things, in good faith, with the best tools available? Anthropic can answer that question. Can you?
Sources
• Borderlint, open-source AI data residency static analyser by Iolaire McKinnon.
• Anthropic accuses Alibaba of using fake accounts to extract Claude AI capabilities Reuters reporting, 24 June 2026, based on Anthropic’s letter to Senators Tim Scott and Elizabeth Warren dated 10 June 2026. Covered by InfoWorld:
• US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Public Law 115-141, Division V, March 2018. US Department of Justice resource page.
About the Author
Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. After three decades at the intersection of technology, risk, and regulation, he now helps organisations cut through complexity and make better security decisions.
CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.
Disclaimer: All views expressed here are entirely mine.
