The graph has to live where you control it.
The graph has to live where you control it.
Three hops in, the infrastructure argument is established. The graph captures context, permission, and provenance as native properties of every decision made on it. Human and AI contributions are bound to the same record. Replay makes that record traversable in any direction, at any point in the future, from any position in the chain.
The question that follows is the one every institution eventually asks. Where does this live? And who controls it?
That question sounds operational. It is not. It is the most consequential architectural decision a regulated institution makes when it commits to graph-native decision infrastructure. Because the answer determines whether the provenance chain the graph preserves is complete, or whether it has a gap in it. And a provenance chain with a gap is not a provenance chain. It is a document that looks like one.
The principle underneath the deployment
Before the deployment question can be answered, the principle underneath it has to be clear. The principle is not about hardware. It is not about whether servers sit in a room your facilities team manages or in a data centre someone else operates. It is about chain of custody.
The graph contains the reasoning behind every consequential decision your institution has made on it. The context that was in scope. The permission boundaries that were enforced. The model versions that ran. The human judgements that were applied. The complete record of how outcomes were produced, traversable backward from any point, permanent, attached, not reconstructable from memory because it was never dependent on memory.
That record has value precisely because it is complete. The moment it passes through an environment you do not fully control, the completeness of the chain becomes a claim rather than a fact. You are asserting that nothing was accessed, modified, or observed in transit or at rest. You cannot prove it. In a regulated environment, the difference between a claim and a provable fact is not a matter of degree. It is a matter of whether the record survives scrutiny.
This is why data sovereignty is not a preference Panamorphix accommodates for cautious clients. It is the foundation on which the infrastructure argument stands. The graph has to live where you control it because the alternative makes the provenance it contains unverifiable at the exact moment you need to rely on it.
Three sectors. The same requirement. Different reasons.
The institutions that understand this most clearly are the ones where the consequences of getting it wrong are most immediate. Not because they are more sophisticated. Because their operating environments make the stakes visible in ways that more forgiving industries can defer.
In reinsurance, the graph contains relationships that are commercially sensitive at a level that has no analogue in most industries. Cedant loss histories. Exposure accumulations. Pricing logic on treaties that involve counterparties who are also, in different contexts, competitors. The provenance chain connecting those relationships, the reasoning that informed how risk was assessed and priced, cannot sit in an environment shared with any other party. Not because of regulatory requirement, though that increasingly applies. Because the moment it does, the confidentiality obligations that underpin every counterparty relationship in the market are structurally compromised. The graph lives on your infrastructure because the alternative is incompatible with how the market operates.
In banking, the question is less about counterparty confidentiality and more about regulatory sovereignty. A tier-one institution operating under the jurisdiction of a national regulator cannot have its decision infrastructure — the record of how credit was extended, how risk was assessed, how model output was governed — sitting in an environment that is subject to a different legal jurisdiction. Data residency requirements under EU law, German banking supervision, UK prudential regulation, and an expanding set of national frameworks make the architectural question increasingly straightforward. The graph lives on your infrastructure, in your jurisdiction, because the regulatory environment is moving toward requiring it even for institutions that have not yet recognised the requirement.
In pharmaceutical development, the controlled environment is not a preference or a regulatory interpretation. It is an absolute condition. Late-stage trial data, safety signals, comparative efficacy analysis, regulatory submission reasoning — none of this can leave the controlled environment under any conditions without consequences that are immediate, material, and irreversible. The graph that captures the reasoning behind decisions made on that data has to live inside the same boundary. Not adjacent to it. Inside it. The provenance chain and the data it references have to be governed by the same controls, because a provenance chain that points to data it no longer has access to is not a provenance chain. It is a reference to a memory.
Three sectors. Three different expressions of the same requirement. The reasoning behind consequential decisions cannot be handed to an environment you do not fully control. The principle is identical. The regulatory, commercial, and operational reasons for it are specific to each environment in ways that matter when the requirement is being explained to a board, a regulator, or a counterparty.
Not every institution has a data centre
The on-premises case is clear. For the institutions that can run it, there is no architectural argument against it and a significant body of regulatory, commercial, and operational argument in favour.
Not every institution is in that position. Smaller syndicates. Mid-market banks. Specialist pharmaceutical companies operating at scale in research but not in infrastructure. These are institutions with the same data sovereignty requirement and a different set of operational constraints. They need the guarantee that the graph, the provenance chain, and the reasoning it contains are not accessible to any party other than themselves. They do not always have the internal infrastructure team to run what delivers it.
The answer is not to compromise the principle. The answer is to deliver the same guarantee through a different deployment model. Dedicated. Single-tenant. Jurisdiction-controlled. An environment that is yours in every sense that matters for data sovereignty, without the infrastructure overhead of running it on hardware your team manages directly.
What is never on the table is multi-tenant cloud residency. A graph that sits alongside other institutions' data in a shared environment, however well partitioned, does not meet the chain of custody requirement. The provenance it contains becomes a claim rather than a fact. The sovereignty argument collapses. And the institutions in regulated environments that have adopted this model fastest are the ones who will face the most significant retrofit burden as the regulatory environment catches up with the architecture decisions they made in a hurry.
The sovereignty argument does not change based on who manages the hardware. It changes based on who controls the environment. On-premises delivers control through ownership. A dedicated, jurisdiction-controlled deployment delivers control through isolation and contractual guarantee. Both are expressions of the same principle. Neither requires you to trust an environment you cannot fully account for with the most consequential record your institution produces.
What this means in practice
For institutions evaluating decision infrastructure, the deployment question is not where the servers are. It is whether the chain of custody of the record they are building can be demonstrated to be complete at the moment they are required to demonstrate it.
That moment will come. A disputed claim. A regulatory review. A model risk examination. A board inquiry into how a significant decision was informed by AI output. In each case the institution will be required to show not just what was decided but what was known, what ran, and what the human understood at the time. The provenance chain is the evidence. Its completeness is what makes it evidence rather than narrative.
An institution that has built its decision infrastructure on a graph it controls, in an environment it governs, with a provenance chain that has no gaps in its custody, walks into that moment with something most of its peers do not have. A record that proves what it claims.
The institutions that do not have that are not in a position to retrofit it when the moment arrives. Provenance captured after the fact is documentation. Provenance captured at the infrastructure level, in an environment the institution controls, from the moment the decision was made, is evidence. The difference between those two things is not recoverable once the moment has passed.
What comes next
Hop 4 is the sovereignty argument. Where the graph lives, why chain of custody is the foundation the provenance argument stands on, and how the same principle applies across institutions with different operational realities.
Hop 5 goes to the scale question. Individual decisions governed correctly are valuable. Decision populations — thousands of similar decisions made across time, markets, and model versions — are where the graph begins to produce something no other infrastructure can: a structured, traversable record of how an institution actually makes consequential decisions at scale, and what that reveals about where the reasoning is strong, where it is inconsistent, and where the infrastructure itself needs to improve.