Senior Writer

CIOs weigh the new economics and risks of cloud lock-in

Feature
Dec 14, 2023 | 7 mins
Artificial Intelligence, Cloud Computing, IT Strategy

With AI tools rapidly emerging from major cloud vendors, CIOs’ cloud strategies face a new opportunity cost, one that puts new twists on old questions about the risks of cloud concentration.

As CIOs seek to achieve economies of scale in the cloud, a risk inherent in many of their strategies is taking on greater importance of late: consolidating on too few cloud vendors, if not just a single major one.

And while vendor lock-in has long been a key issue in the cloud, especially for organizations that have not established a credible threat of defection, the emerging AI tools market — and its accompanying arms race among the major cloud vendors — could leave CIOs at risk of the opportunity costs of AI lock-in as well.

The concentration of a handful of cloud vendors supporting enterprise infrastructure “is a significant emerging risk,” according to Gartner’s last two quarterly risk reports, which surveyed roughly 300 C-suite executives. Those executives say they worry about three key issues when depending on a particular vendor for multiple aspects of the business: a “wide incident blast radius,” vendor lock-in, and possible regulatory compliance failures.

The more applications and businesses that depend on a single cloud provider, the greater the potential for wide-scale impact of business continuity failures, Gartner’s surveys revealed. C-suite executives betting on a primary cloud provider are also worried about reducing their options in the long term.

For example, what if Google’s Gemini AI technology proves to be significantly better than Azure’s OpenAI Service, but a CIO has gone all in on Microsoft’s cloud? This is the kind of risk that may increasingly keep CIOs up at night in the year ahead.

Here is a look at how CIOs view the nature and nuances of cloud concentration risks — and what many are doing to mitigate them.

Caveat emptor in the cloud

Bob McGowan, CIO of Regeneron Pharmaceuticals, acknowledges the risk of cloud concentration is valid but he is more concerned about the readiness of SaaS partners.

“If we have core business functions running in the cloud, how well are they prepared for a failure?” McGowan asks about SaaS partners such as Salesforce, Veeva, Box, and Oracle Cloud.

“The focus on this is increasing and many of those providing cloud-based solutions as a service are coming under pressure to demonstrate how well they are managing our data and how well they are prepared for business continuity,” McGowan says.

Ciena CIO Craig Williams sees the three primary cloud vendors’ control over the leading AI platforms as a significant issue IT leaders face today.  

“If you’re talking about pure AI tools and using LLMs, yes, it’s tough to avoid vendor lock-in, at least now, because this is such a nascent space,” Williams says. “CIOs should proceed with caution, especially now.”

While McGowan and other CIOs emphasize that the risks of cloud concentration are not new, they acknowledge that IT leaders must have airtight strategies to avert fallout from a failure. “You have to look at it in the context of your business to select where it really matters and then frame out how to mitigate against potential risks,” McGowan says.

John Marcante, US CIO in residence at Deloitte and former global CIO at Vanguard, stresses the importance of selecting an architecture that does not rely on vendors’ most proprietary services.

“Many companies have multiple cloud providers and understand the nuances of developing in multiple cloud environments. This helps keep the providers competitive and helps enterprises understand what it will take to switch an application workload among cloud providers,” Marcante says.

Still, at times, tailoring one’s strategy to fit a single provider has its benefits, he says.

“Picking a cloud provider for a specific workload does make sense if we desire efficiency, speed, and simplicity, so the risk of concentration does exist and needs to be managed,” Marcante says. “Those benefits outweigh the complexity of trying to create an application that runs on multiple clouds versus a single cloud provider.”

In its most recent report released this fall, Gartner ranked cloud concentration fourth among the top five risks identified by hundreds of C-suite executives. Third-party viability, evolving sociopolitical expectations, and mass generative AI availability are cited as the top three emerging risks in Gartner’s survey.

Strategies for CIOs

Dave McCarthy, a cloud analyst at IDC, sees industry consolidation on the major hyperscalers introducing risks but emphasizes a simultaneous rise in market choice.

“It is true that hyperscale cloud providers have hit such a critical mass that they create their own gravitational pull,” he says. “Once you adopt their cloud platforms, it can be difficult and expensive to migrate out. [But] CIOs today have more choice in cloud providers than ever. It is no longer a decision between AWS and Azure. Google has been successfully executing a strategy to attract more enterprise customers. Even Oracle has made the transition from focusing on in-house technology to become a full-service cloud provider.”

CIOs may consider other approaches, McCarthy adds, such as selecting a single-tenant cloud solution offered by HPE or Dell, which bundle hardware and software in an as-a-service business model that gives CIOs more cloud options.  

“Another alternative includes colocation companies like Equinix, which has been offering bare-metal IaaS for several years and has now created a partnership with VMware to extend those services higher up the stack,” he says, adding that CIOs should not view a cloud provider “as a location but rather as an operating model that can be deployed in service provider data centers, on-premise, or at the edge.”

One top IT chief believes the risks are well-established and that CIOs should know how to counter with a variety of strategies to guard against failure.

“Don’t companies have the same issue for data centers on-premise? Lock-in has always been there for a long time,” says Eric Norman, head of infrastructure architecture and innovation at IHG Hotels and Resorts, in Alpharetta, Ga.

“Companies have a shared responsibility, and though the cloud/SaaS providers provide building blocks, companies must architect their solutions for high availability/business continuity in mind,” Norman says. “Having a hybrid strategy helps mitigate the risk to a company’s product portfolio.”

Another CIO of a large enterprise, who declined to be named, says IT chiefs should “find the balance between cloud diversification and getting maximum discounts and rebates when it comes to concentrating your spend.”

“Building or buying cloud-agnostic solutions is key,” this CIO says.

As for the AI question, this CIO’s approach mirrors that of many CIOs today.

“We are focusing first on leveraging AI and generative AI capabilities within existing SaaS tools and only then explore proprietary or open-source AI accelerators or models,” the CIO says. “We have found that who you do business with is largely use-case driven.”

And for CIOs looking to align use cases with the best AI tool for the job, that may mean engineering greater flexibility in their cloud strategies to ensure they can capitalize on the optimal offering as it arrives.