Data centres
We know how to balance the management of physical, digital and compliance risks.
Built Environment & Infrastructure Risk Management
-
Search
Engineering secure and resilient data centres requires moving beyond the traditional focus on uptime and redundancy. While redundancy provides essential backup capacity, it does not guarantee sustained normal operation during a crisis.
Over the last decade, the data-centre landscape has transformed from self-contained, on-premises IT sites to globally distributed, cloud-connected, AI-driven infrastructure. Previously segregated systems, namely operational technology (OT) and building management systems (BMS), have converged.
This convergence enables greater efficiency and automation but also introduces new systemic risk pathways, compelling organisations to redefine their security strategy.
Resilience-led engineering, designing systems that will continue to function when assumptions fail, necessitates an understanding of how these interdependent subsystems behave collectively - not merely how each performs in isolation.
AI remains at the centre of the data-centre economy. But unlike conventional cloud computing, AI infrastructure introduces a new level of complexity. The shift to AI has created extreme concentration risk, where disproportionate financial, operational and strategic value, is consolidated within individual facilities.
Closely coupled systems mean that the failure of a single component can rapidly cascade into full service interruption, escalating consequence severity. A primary operational challenge therefore becomes isolation: the ability to contain a failing zone without compromising core system functions.
From this perspective, physical security controls are a core component of data-centre resilience. Effective design depends on a site’s ability to maintain effective security control even when individual components, layers or procedures fail. It assumes that barriers will be breached, systems will go offline, and people will make mistakes.
Truly resilient data centres are therefore engineered through:
Resilience-led engineering shifts the focus from the reactive question: “Did the perimeter hold?” to a fundamental one: “Will the security architecture continue to function as a system throughout the incident?”
In this environment, resilience is ultimately a measure of how intelligently risk is engineered into the ecosystem.
The global race to dominate the AI‑driven economy is fundamentally geopolitical. To avoid falling behind, governments and companies are moving to secure control over the infrastructure and supply chains that underpin AI compute.
Regulation has become a strategic lever to control access and investment. We see this in the form of:
Energy geopolitics, power availability, reliability and cost, further complicates this landscape. In practical terms, data-centre site selection has become more politicised, extending well beyond power and permitting considerations to include:
In this new economy, security considerations take precedence over regional preference. Organisations must navigate these geopolitical complexities when deciding where to host data, with enhanced due diligence mandated by an expanding web of regulatory requirements.
The specialised hardware and firmware ecosystems that AI-dependent data centres rely on create deep dependencies on a narrow vendor base and highly embedded technologies. Consequently, cyber compromise now carries implications that extend far beyond data exposure.
A breach of third-party BMS, access-control platforms or remote monitoring tools can directly disrupt cooling, power distribution, fire suppression and physical site access. In this context, cyber weaknesses in the supply chain translate into immediate physical resilience risk.
Detection gaps between IT and BMS networks can leave operators blind to attacks targeting heating, ventilation, air conditioning, power management and access systems – actions capable of opening secure doors, disabling alarms or destabilising power.
While hyperscalers increasingly design for this convergence by integrating cyber, OT and physical security, co-location and legacy assets often maintain siloed disciplines, creating larger attack surfaces. Attackers exploit cyber weaknesses to trigger physical disruption at scale.
AI‑driven data‑centre infrastructure expansion is increasingly constrained by power availability, natural‑resource limitations, climate pressures, geopolitical tension and rising social discontent.
Environmental and resource constraints are among the most immediate barriers. Climate change, extreme weather and chronic water scarcity pose direct operational risks to facilities requiring unprecedented levels of power and cooling. As a result, operators are compelled to redesign facilities around energy efficiency, liquid cooling, renewable power and modular architecture that can adapt to shifting resource availability.
These constraints are already reshaping development feasibility. In parts of Australia, for example, drought conditions mean that earmarked sites may simply be unable to secure the water volumes required for high-density AI workloads. Similarly, in Malaysia, even though authorities are relentlessly working to secure sufficient power and data sources for data centres, the rate of construction is now outpacing the capacity of the national grid, creating a risk that power infrastructure may fall behind project demand.
Physical and structural demands compound the sustainability challenge. AI-optimised data halls now host extremely heavy, GPU-dense racks, often exceeding 3,700 kilograms per rack in some high-performance deployments. A single 8-MW hall may require only a few dozen racks, but the cumulative structural load drives enormous concrete volumes for slabs and multi-storey floors. Cement production is itself a major source of carbon emissions, meaning that even before power and cooling are considered, the embodied carbon footprint of the AI data centre draws stricter regulatory scrutiny, often lengthening permitting timelines in jurisdictions with aggressive climate targets.
Reputational and societal risks are now inseparable from operations. As water, power and land become more politically sensitive, AI data centres are increasingly viewed not as neutral infrastructure but as contested assets. Communities that perceive themselves as bearing the environmental burden without receiving commensurate economic benefits are more likely to mobilise against new development, positioning data centres as strategic targets. These local tensions often escalate into national scrutiny, the case of xAI’s Memphis facility illustrates this.
Beyond engineering and cyber controls, operators and investors must account for the environmental, political and societal contexts in which data centres are being developed. A broader, resilience-led lens is imperative.
Enhanced due diligence is critical for informed investment in data centre assets. It involves comprehensive risk assessments to flag areas of concern for further investigation or remediation.
Firms engage Control Risks to conduct comprehensive due diligence and avoid stepping into acquisitions they do not fully understand.
Engaging security expertise during the master planning phase is fundamental to resilience and cost effectiveness. Retrofitting security design during or after construction leads to significant cost overruns and compromised outcomes.
A recent case illustrates the cost of late engagement:
In addition to late engagement, common mistakes that undermine resilient design include:
Early engagement prevents these pitfalls and ensures resilience is built in from day one.
Resilience is not solely a technical challenge - it is an engineering, cyber, regulatory, operational and strategic one, all unfolding simultaneously.
In an environment where these risks are deeply intertwined, independent assurance is critical to mitigate blind spots and groupthink. It provides the necessary challenge to test assumptions, validate security designs and interrogate operational decisions.
This is particularly important in regions scaling rapidly, where the freedom to innovate must be matched by the expertise to connect cyber, physical security, compliance and engineering disciplines early and deeply enough to keep pace with current realities and emerging risks.
Contact our global Data Centre Resilience team for integrated security and risk management services.
