The migration of digital assets to the cloud has been underway for several decades, beginning with applications like email and customer relationship management. Next came the adoption of cloud-based test-and-development environments offered by providers like AWS, Azure, and Google Cloud Platform (GCP), and around 15 years ago, by customer-facing services (e.g., websites and e-commerce platforms).

Over the past decade, enterprise software as a service has expanded significantly to include core systems such as finance and procurement, as well as foundational elements like databases and data lakes. Software began being offered on a cloud-first and (increasingly) a cloud-only basis. The benefits of cloud-based digital systems are well established: reduced capital investment, lower maintenance requirements, increased flexibility, enhanced resilience, built-in redundancy, and strengthened security.

However, over the last five years, the “everything to the cloud” philosophy started to shift, driven initially by highly regulated domains with sensitive data — defense, critical infrastructure, and healthcare, for example. New data sovereignty rules, such as GDPR (General Data Protection Regulation) in Europe, began acting as a constraint. Low-latency applications, such as industrial control systems, are also less suitable for cloud migration.

This led to the first hybrid cloud solutions with critical systems on-premise and others remaining in the cloud (see ADL Viewpoint “Open Digital Architecture: The Next Frontier for Resilience” for an example architecture pattern). Cloud providers started offering tech solutions in customers’ own data centers (e.g., Azure Stack, AWS Outposts, and Google Distributed Cloud). As Majster notes, “Digital capabilities have become increasingly core to the intrinsic value of a business, but outsourcing the whole thing has become less and less attractive.”

Nevertheless, most large enterprise users, especially those not in highly regulated or sensitive sectors, are still cloud-dependent.

The first step in strengthening control of digital assets is assessing the tech stack (infrastructure, platforms, and applications/data) and deciding which workloads are most critical in terms of business continuity and competitive advantage — and where they reside.

Repatriating everything on-premise is virtually impossible. For example, in most organizations, it doesn’t make sense to replace basic cloud services like Teams, OneDrive, and Windows or enterprise system platforms like Salesforce. Identifying high-criticality workloads that must remain under direct control, low-criticality workloads that can reside in the public cloud, and those in between that may be suited to a hybrid approach is relatively straightforward.

Ideally, infrastructure should be brought into sovereign jurisdiction. A modular approach can be adopted for on-premise compute for critical workloads. Establishing hybrid architectures can ensure that critical systems are not fully dependent on one provider. Proprietary cloud-dependent services can be replaced with open source equivalents where justified.

Data is one of the biggest risk areas, and maintaining control of sensitive data within the enterprise is key. This may require updated data management policies and the implementation of advanced encryption systems. Just as important is a thorough review of the commercial and legal implications of reducing cloud reliance — including exit clauses and contractual limitations on what external providers have permission to do.

Organizations seeking a more comprehensive solution can set up a sovereign factory. This is a secure, enterprise-controlled environment for developing and operating digital assets outside the jurisdiction of foreign-based providers and US hyperscalers. However, if developed in-house, this type of solution tends to be expensive and time-consuming, and it usually requires several new skills. Most businesses following this route are large enterprises in sensitive sectors, such as defense, finance, and energy.

Some companies are partnering to share the burden of establishing a sovereign factory. “We see more and more initiatives by critical infrastructure companies like energy transmission operators, railway networks, and airports setting up a sovereign factory jointly for critical processes. Not only does this distribute costs and risks, but it also provides an excellent platform for data sharing and co-innovation,” says Majster.

However, providers such as OVHcloud, Orange/Capgemini Bleu, and Deutsche Telekom are now offering sovereign factory as a service — external third-party solutions that deliver strict sovereignty guarantees under local or national jurisdiction. Hybrid solutions are also emerging.

Of course, ensuring your digital assets remain under the sovereignty of your home country isn’t always a good thing. “In many nondemocratic countries, companies and private individuals are putting their data outside the country because they don’t trust the government,” explains Karim Taga, Managing Partner and Global Head of Functional Practices at ADL.

Once integrated and scaled, AI becomes embedded across the entire technology stack. It relies on underlying infrastructure, platforms, and data, and is increasingly integrated into applications, processes, and operations. AI also introduces a parallel substack — comprising the AI platform, AI-specific data, and the deployed models.

As a result, the risks inherent in each layer of the technology stack apply equally to AI, with additional risks stemming from dependencies on hyperscalers and external AI solution providers. Moreover, as AI — and particularly agentic AI — scales within the enterprise, it becomes increasingly critical to business continuity.

AI warrants particular attention in the context of digital sovereignty. In essence, enterprises must adopt the right operating architecture to suit the criticality of the AI workload: on-premise sovereign factories where data is highly sensitive, third-party sovereign platforms where local data residency and compliance are needed, and public AI platforms for generic and less sensitive data. (The recent ADL Blue Shift report “AI’s Hidden Dependencies” explores this in-depth.)

Building an on-premise AI sovereign factory may seem like a tall order for a midsized or smaller company. Fortunately, the task is getting easier. “Even if you’re a small company, the world has changed. For example, companies like Mistral are offering a full AI suite that operates on three GPUs,” says Taga. A tier of specialist GPU clouds, including CoreWeave, Lambda, Crusoe, Scaleway, and Nebius, has emerged, offering localized or sovereign compute options outside hyperscaler control.

Many companies today feel the need to develop and deploy as many AI use cases as possible. But experts caution that relying solely on widely available, off-the-shelf AI applications is unlikely to deliver sustained competitive advantage. Over time, these tools will become as ubiquitous — and as undifferentiating — as Excel or Windows.

Innovation-focused businesses are already looking at more bespoke and specialized small language AI models with proprietary datasets that better meet their needs. There is little doubt that if an AI model is designed to analyze molecular configurations for chemical development, it does not also need to generate dinner recipes. As Taga says, “Using AI as a foundational technology to create something unique and differentiating, or producing a new small language model to help your client or yourself, gives you competitive advantage.” Owning digital and AI capabilities creates intrinsic value for a business, and there are already good examples of in-house datasets and digital capabilities being deployed to generate new income streams.

Given the pace of technological advancement and today’s uncertain geopolitical climate, businesses should consider advancing their data and AI sovereignty position sooner rather than later.