Custos.za

About  //  the practice

Sovereign AI architecture for SA regulated industries.

Custos helps South African medical schemes, banks, and insurers deploy production AI on sovereign infrastructure, with POPIA compliance built into the architecture rather than bolted on afterwards.

South African enterprises in regulated industries are under pressure to adopt AI, and most are doing it on infrastructure that routes personal data through foreign jurisdictions. That creates real obligations under POPIA, the Banks Act and SARB directives, and the insurance regime, most of which surface only when a regulator or a legal team starts asking where the data actually goes.

What Custos does

Custos designs the architecture that keeps regulated AI sovereign and defensible. The work spans a POPIA AI readiness assessment, a documented reference architecture for a priority use case, and the build and integration of a production system, on owned hardware, sovereign cloud such as Cassava AI Factory, or a hybrid of the two.

How Custos works

The starting point is always the data flow: the specific places personal information moves when a model runs, from storage to embeddings to prompt history to inference state. That map is what makes a sovereign architecture possible to design and possible to defend.

The context

Cassava AI Factory gave South Africa credible sovereign GPU compute at scale in October 2025. The question for a regulated enterprise has shifted from whether sovereign AI is possible to what its deployment path should be. Custos exists to answer that question, in architecture a CIO can take to legal, risk, and the regulator.

If you are responsible for AI, data, or risk at a SA medical aid, bank, or insurer, and "where does our AI data actually live?" does not yet have a clean answer, that is the conversation worth having.


Operating principles

Compliance by construction

AI governance is usually a policy document. Custos treats it as an architecture decision: the controls live in the data flow, so the system is defensible by design rather than by paperwork.

Sovereignty over residency

Where data sits is not the same as who can compel access to it. Custos designs for jurisdictional control, not just a local data-centre region.

Specialist, not auditor

The work leads with what good architecture looks like for regulated AI, grounded in the SA regulatory frame: POPIA, SARB Directive 3, SAM.