Australian Sovereign AI — Shared Responsibility Model

Sovereign AI is an operating model, not a hosting claim.

Most "sovereign AI" claims fail when a CISO asks where the boundary actually sits. Cetus AI is intentional about being precise. This page makes the boundary explicit — for boards, CISOs, and procurement teams.

The Right Question
"The right question is not 'Is this sovereign?' The better question is: 'Which sovereignty boundary are we claiming, and what must the enterprise enforce to preserve it?'"

Cetus AI does not sell sovereignty as a slogan. We sell sovereignty as an operating model. Songlines gives enterprises the AI control layer they need to see, govern, and prove AI usage — with a shared responsibility model that makes the boundary defensible for CISOs and assessable for procurement teams.

Shared Responsibility Model

Where does the sovereignty boundary sit?

Sovereignty depends on four connected layers. Songlines governs the AI control layer. The enterprise governs the environment around it.

| Layer | What Cetus AI controls | What the customer controls |
| --- | --- | --- |
| 1. Platform Hosting | Hosting region, platform tenancy, telemetry ingestion, audit records, policy logs, and platform availability within the selected Songlines deployment model. | Deployment tier selection, assurance requirements, contractual terms, risk appetite, and whether managed SaaS, BYOC, or private deployment is required. |
| 2. Model Routing | Approved endpoint controls, routing rules, policy enforcement, audit trail, sovereignty flags, and visibility over model usage inside the Songlines boundary. | Azure OpenAI deployment, model provider contracts, approved model list, regional deployment choices, data processing terms, and classification rules for each workload. |
| 3. Identity & Access | Role-based access control inside Songlines, platform user roles, administrator permissions within the application, and activity logging. | Entra ID, Okta or equivalent identity provider, conditional access, MFA, privileged access management, offshore user rules, device trust, and administrator approval processes. |
| 4. Enterprise Ecosystem | Logs, controls, alerts, telemetry, and policy evidence generated inside the Songlines platform boundary. | Downstream SaaS platforms, API integrations, webhook destinations, SIEM configuration, data exports, retention policies, network controls, and enterprise data handling rules. |

This model applies to the Songlines Control managed SaaS tier. BYOC and Private deployment tiers extend the customer-controlled boundary to include the data plane and infrastructure.

Deployment Tiers

Choose the right sovereignty boundary

The right tier depends on which sovereignty boundary you are claiming and what the enterprise must enforce to preserve it.

Control / Gateway
Managed SaaS · Commercial enterprise

Establishes AI visibility, cost control, audit logging, and policy oversight within the Songlines-managed Australian boundary. Enterprise governs identity, endpoints, and downstream integrations. Suitable for commercial organisations with standard data classification requirements.

Platform hosted in Azure Australia East
Telemetry, audit logs, and policy records in-region
RBAC, API key lifecycle, and activity logging
Privacy Act 1988 and APS AI Policy aligned
Compliance evidence package available on request
Managed SaaS

Platform (BYOC)
Bring Your Own Cloud · Government & critical infrastructure

Data plane deployed into the customer's own Azure tenancy. All telemetry, audit logs, and policy records remain within the customer's environment. Supports IRAP assessment, PSPF, and PROTECTED classification requirements. Cetus AI provides the software; the customer controls the infrastructure.

Deployed into customer's Azure subscription
No Cetus AI access to customer data
Supports IRAP assessment and PSPF alignment
PROTECTED classification capable
Dedicated CSM and IRAP documentation package
IRAP-ready · BYOC

Private Deployment
Air-gapped / on-premises · Highly regulated / classified

Full platform deployed within the customer's own infrastructure with no Cetus AI-managed components in the data path. Designed for organisations requiring complete network isolation, air-gapped environments, or classified workloads. Custom SLAs and dedicated engineering support included.

Fully isolated from Cetus AI infrastructure
Air-gap and offline deployment capable
Custom SLAs and dedicated engineering support
Supports SECRET and above classification
Full source code escrow available
IRAP-ready · BYOC · Air-gap

Regulatory Alignment

Framework coverage by deployment tier

Songlines Control aligns with Australian and international AI governance frameworks. Coverage scope depends on deployment tier.

| Framework | Scope | Status |
| --- | --- | --- |
| Privacy Act 1988 (APPs) | Platform boundary | Aligned |
| APS AI Policy — Interim Guidance | Platform boundary | Aligned |
| ISM / IRAP | BYOC & Private tiers | Assessment-ready |
| PSPF — Protective Security Policy | BYOC & Private tiers | Supported |
| ISO/IEC 42001 — AI Management | Platform boundary | Aligned |
| ACSC Essential Eight | Platform boundary | Aligned |
| SOCI Act — Critical Infrastructure | BYOC & Private tiers | Supported |
| ISO/IEC 27001:2022 | Platform boundary | Aligned |

Technical Architecture Session

Bring your CISO, security architect, and procurement lead.

We run a 60-minute technical architecture session for enterprise and government prospects. We walk through the shared responsibility model for your specific deployment scenario, map your regulatory requirements to the right tier, and answer every question your security team has before you proceed.
