Showing Posts From

Governance

AI didn't replace engineering. We just stopped talking about it.

AI didn't replace engineering. We just stopped talking about it.

Artificial Intelligence has become impossible to ignore. Open Gartner. AI. Read CIO.com. AI. Attend Microsoft Build, Google I/O or AWS Summit. AI. Scroll through LinkedIn for five minutes and you'll quickly get the impression that every meaningful conversation in technology now begins and ends with large language models, autonomous agents and AI-assisted development. I understand the excitement. AI is a remarkable technological breakthrough, and its impact will be difficult to overstate. But I've started wondering about something else. Not what we're talking about. What we've stopped talking about. The conversations that quietly disappeared A few years ago, our industry spent enormous amounts of time discussing operating models, governance, architecture, automation, platform engineering and cloud operating practices. Those conversations weren't glamorous. They rarely filled conference halls. They certainly didn't dominate social media. But they mattered. Because they determined whether technology actually worked once the keynote was over. Today those disciplines seem strangely absent from the conversation, as though AI somehow made them less relevant. It didn't. If anything, it made them significantly more important. Engineering never disappeared One of the more curious assumptions behind today's AI enthusiasm is that intelligence somehow compensates for engineering. That if an AI model can generate code, architecture becomes less important. That governance becomes something you can add later. That operational excellence is simply another problem AI will eventually solve. I'm not convinced. Software has never failed because people lacked ideas. It usually fails because complexity quietly grows beyond anyone's ability to understand or control it. AI doesn't remove that complexity. It introduces an entirely new category of it. Unlike traditional software, these systems are probabilistic. They don't always behave the same way twice. They require validation instead of assumption, observation instead of certainty. That doesn't reduce the need for engineering discipline. It raises the standard. Demonstrations have an unfair advantage One reason the current conversation feels so optimistic is that most of what we see are demonstrations. Someone builds an agent in twenty minutes. Another team generates an application from a prompt. A startup orchestrates half a dozen AI services into something that looks almost magical. And genuinely—it often is impressive. But demonstrations have an unfair advantage. They don't have to survive production. They don't have to operate for three years. They don't have to pass security reviews. They don't have to explain themselves during an audit. They don't wake someone up at three o'clock in the morning because an automated decision suddenly affected thousands of customers. Production has always been where technology stops being exciting and starts becoming accountable. That hasn't changed. Abstraction is a wonderful servant The cloud taught us an important lesson: Abstraction is incredibly powerful. We no longer think about physical servers before deploying an application. Kubernetes allows developers to focus on workloads instead of individual machines. Managed services remove enormous amounts of operational burden. Those are extraordinary achievements. But abstraction has always come with an implicit agreement. Someone still needs to understand what happens underneath. Every abstraction layer increases productivity for thousands of people while simultaneously reducing the number of people who understand the foundation beneath it. That trade-off is acceptable. Until the abstraction breaks. Then expertise suddenly becomes scarce. I wonder what we're teaching the next generation When I speak to younger engineers, I'm often impressed by how quickly they adopt new technologies. Many can build sophisticated cloud-native applications long before they have ever managed a physical server. Increasingly, many can also build AI-powered applications before they've fully understood distributed systems, identity, networking or storage. None of that is their fault. We teach what the industry rewards. And right now, the industry rewards speed of adoption far more visibly than depth of understanding. I sometimes wonder what happens twenty years from now. Not when AI becomes more capable. But when the people responsible for critical systems have never needed to understand the layers beneath the abstractions they inherited. The question that interests me most Perhaps this isn't really an article about Artificial Intelligence. Perhaps it's about attention. Technology has always moved in waves. Every few years we collectively decide what deserves our attention, and everything else quietly disappears into the background. Today, AI occupies almost all of that space. Meanwhile, architecture, governance, operational excellence and systems thinking continue doing what they have always done. Quietly determining whether ambitious ideas become reliable systems. Or expensive experiments. Final reflection I have no doubt that Artificial Intelligence will transform our industry. I also have no doubt that most organizations are underestimating what it takes to operationalize it responsibly. Because intelligence alone has never been enough. Not in software. Not in leadership. Not in engineering. Perhaps that is what concerns me most. We celebrate every new abstraction as progress, while paying remarkably little attention to the knowledge it slowly replaces. Every generation of technology asks us to understand a little less of what happens underneath. AI simply accelerates that trend. Maybe that is inevitable. But history has rarely been kind to civilizations that confuse convenience with understanding. The industry is celebrating intelligence while quietly abandoning wisdom. And history has never been particularly kind to civilizations that confused the two.

Digital sovereignty is not where your cloud runs

Digital sovereignty is not where your cloud runs

Organizations often talk about digital sovereignty as if it is a geographical problem. As if moving workloads from one region to another, or choosing a “European cloud”, somehow resolves it by default. That framing is comfortable. It is also misleading. Because digital sovereignty is not defined by where your cloud runs. It is defined by what you depend on, who controls those dependencies, and how quickly that control can shift without you noticing. And in most modern architectures, those answers are far less reassuring than organizations assume. The illusion of location-based control One of the most persistent misunderstandings in cloud strategy is the idea that data residency equals sovereignty. If data is stored in a specific country or region, the thinking goes, it must be under that jurisdiction’s control. Therefore, the organization is sovereign. But sovereignty is not a storage property. It is an operational condition. Modern cloud environments separate storage, compute, identity, observability, orchestration, and security into distributed services. Even if data is physically stored within a defined region, the control plane often is not. Identity providers, logging systems, container orchestration, key management services, and telemetry pipelines may all cross borders by design. And each of those layers introduces external dependency. So what looks like sovereignty at the infrastructure layer can still be deep dependency at the control layer. The real dependency map is not obvious Most organizations can tell you where their workloads run. Far fewer can explain:Who controls their identity system Where authentication and authorization decisions are evaluated Which external APIs are critical to deployment pipelines How secrets are managed and rotated What happens if a major cloud control plane becomes unavailableThese are not edge cases. They are core architectural facts. Yet they are often treated as implementation details rather than strategic dependencies. The result is a mismatch between perceived autonomy and actual control. A system may look sovereign on a slide deck while being tightly coupled to a small number of global providers in practice. Sovereignty is not binary Another common mistake is treating digital sovereignty as a yes-or-no state. Either you are sovereign, or you are not. Reality is more nuanced. Sovereignty exists on a spectrum of control across multiple dimensions:Data sovereignty: Where data is stored and under which legal regimes it falls Operational sovereignty: Who can change, deploy, or interrupt systems Technical sovereignty: How replaceable core components are Economic sovereignty: How easily costs can be influenced externally Vendor sovereignty: How dependent you are on specific providers or ecosystemsAn organization can be strong in one dimension and weak in another. For example, you might host data locally while remaining fully dependent on a single global identity provider. Or you might have multi-cloud infrastructure but still rely on one provider’s proprietary orchestration layer. Calling this “sovereign” or “not sovereign” misses the point entirely. The real question is: where are you constrained without realizing it? Cloud convenience is a design trade-off Cloud platforms are powerful because they reduce complexity. Managed services remove the need to operate infrastructure at scale. APIs abstract away operational burden. Integrated tooling accelerates delivery. But every abstraction is also a dependency. When you adopt a managed database, you gain operational simplicity. You also accept a specific backup model, a specific failover mechanism, and a specific pricing structure. When you adopt a managed identity provider, you gain security and standardization. You also accept that authentication is no longer fully under your control. These are not flaws. They are trade-offs. The problem arises when organizations treat these trade-offs as reversible defaults rather than strategic commitments. The hidden concentration of control Over time, cloud adoption tends to concentrate control rather than distribute it. Even in multi-cloud environments, the same patterns emerge: One provider becomes the primary identity source One ecosystem dominates observability One pipeline tool becomes the standard deployment mechanism One set of APIs defines infrastructure behavior This is not accidental. It is the natural outcome of efficiency seeking. But concentration introduces fragility. Not necessarily technical fragility in the form of outages, but strategic fragility: reduced negotiating power, limited exit options, and increasing difficulty to redesign systems without significant disruption. The more optimized a system becomes around a single ecosystem, the less sovereign it tends to be. The uncomfortable question: what can you actually replace? A practical way to evaluate sovereignty is not to ask where systems run, but what would happen if key components disappeared. Not hypothetically in a disaster scenario, but structurally:If your identity provider changes terms or access, how fast can you switch? If your primary cloud provider increases costs significantly, what breaks first? If a critical managed service is discontinued, do you have an exit path or just a migration project? If external connectivity is restricted, which parts of your architecture stop functioning immediately?These questions are uncomfortable because they expose design assumptions that are usually left unchallenged. Most organizations discover that their “sovereign” architecture contains far fewer independent components than expected. Sovereignty requires intentional friction True digital sovereignty is not achieved by avoiding cloud platforms. It is achieved by designing for optionality, even when it introduces friction. That can include:Avoiding unnecessary proprietary abstractions in core systems Designing data portability as a requirement, not a future task Separating identity from infrastructure providers Maintaining documented, tested exit strategies for critical services Ensuring that no single provider becomes a structural bottleneckNone of these decisions are purely technical. They are architectural governance choices. And they often conflict with short-term efficiency goals. Which is why they are frequently postponed. Leadership, not infrastructure, defines sovereignty At its core, digital sovereignty is not a cloud architecture problem. It is a leadership problem. Because the hardest part is not building systems that are portable or independent. The hardest part is deciding when dependency is acceptable and when it is not. Every organization will rely on external platforms. The question is not whether dependency exists, but whether it is understood, measured, and intentionally managed. Without that clarity, sovereignty becomes a narrative rather than a capability. Closing thought Digital sovereignty is not where your cloud runs. It is whether you could still operate if your assumptions about that cloud stopped being true. And in most modern architectures, that question is less theoretical than it seems.

Data is not neutral. It changes your organization.

Data is not neutral. It changes your organization.

Most discussions about data start from a familiar assumption: more data is better. Better insights. Better decisions. Better products. Better personalization. It sounds rational, almost self-evident. And in many cases, it is also true. But it misses something fundamental. Data is not a passive resource you collect and occasionally analyze. Data actively reshapes the organization that collects it. Every dataset introduces dependencies. Every tracking mechanism introduces obligations. Every retention policy introduces long-term complexity. And every attempt to “just store it for later” quietly expands the system you are responsible for operating. Over time, data stops being something you use. It becomes something you maintain. The illusion of harmless collection Data collection often begins small. A tracking event here. A user attribute there. A logging mechanism added “just in case.” A consent banner implemented to stay compliant. Individually, none of these decisions feel significant. They are easy to justify, easy to implement, and easy to ignore once they are in place. But data does not remain isolated. It spreads through systems. Once collected, data tends to move:From frontend to backend From application to analytics platform From analytics platform to data warehouse From warehouse to dashboards, models, exports, and external integrationsWhat starts as a simple event becomes a chain of systems that depend on its continued existence. And at that point, removing the data is no longer a technical decision. It is an organizational disruption. Data creates responsibility before it creates value A common misconception is that data becomes “valuable” once it is analyzed. In reality, data becomes expensive the moment it is stored. Not only in infrastructure costs, but in responsibility:Who is allowed to access it? How long may it be retained? Under which legal basis is it processed? How is it secured across environments? How is it deleted when requested?These questions do not appear after value creation. They appear immediately after collection. And they do not scale linearly. The more data you collect, the more governance surface area you create. The more systems you connect, the more failure modes you introduce. The more teams rely on it, the harder it becomes to change anything. At some point, organizations are no longer asking “what can we learn from this data?” They are asking “what breaks if we stop collecting it?” That is a very different question. The feedback loop no one budgets for Data does not just describe reality. It influences it. Once organizations start measuring behavior, they begin to optimize for what is measurable. This creates a feedback loop:You define metrics based on available data Teams optimize toward those metrics Behavior shifts to improve measured outcomes New edge cases emerge More data is collected to explain those edge cases The system becomes more complex and more self-referentialOver time, the metric becomes the target. The target becomes the system. And the system becomes increasingly dependent on its own instrumentation. What started as observation becomes control. And what started as control becomes constraint. Privacy is not a layer. It is a constraint on design Privacy is often treated as something you “add” to a system after the fact. A policy. A banner. A compliance checklist. A legal review step before launch. But privacy is not a layer that sits on top of architecture. It is a set of constraints that should shape architecture from the beginning. Because once data exists, privacy is no longer abstract. It becomes operational:You must track where data flows You must know where it is stored You must control who can access it You must be able to delete it reliably You must prove all of the aboveThis is not paperwork. It is system design. And systems that were not designed with these constraints in mind tend to accumulate “privacy debt”: workarounds, exceptions, undocumented pipelines, and fragile deletion mechanisms that only work under ideal conditions. The hidden cost of “just in case” data One of the most expensive phrases in data strategy is: “we might need it later.” It is rarely challenged because it feels prudent. Safe. Responsible. But in practice, “just in case” data is rarely used proportionally to its cost. Instead, it accumulates indefinitely:Old events no longer tied to active product decisions Historical logs kept beyond operational relevance User attributes that outlive their original purpose Datasets retained “because storage is cheap”Storage may be cheap. Understanding it is not. Every additional dataset increases:Complexity of access control Risk surface for breaches Cost of compliance audits Difficulty of migration or redesign Cognitive load for engineers and analystsEventually, organizations discover they are no longer collecting data because it is useful. They are collecting it because no one is confident enough to remove it. Data concentration creates architectural inertia As data systems mature, they tend to centralize. Data lakes, warehouses, and unified analytics platforms are built to reduce fragmentation. And they succeed at doing so. But they also create a new form of dependency: architectural inertia. Once multiple teams depend on a centralized dataset, changes to that dataset become politically and technically expensive. Even small schema changes require coordination. Even simple deletions require impact analysis. Over time, the data platform becomes a stabilizing force that resists change. Not because it is designed that way, but because everything depends on it. And when everything depends on it, nothing can easily evolve. The real question is not “can we collect this?” Most organizations still evaluate data decisions in terms of permission:Can we collect this? Is this allowed? Do users consent? Are we compliant?These are necessary questions. But they are not sufficient. The more important question is structural: What does this decision force us to maintain in five years? Because every data point is a long-term commitment to:Infrastructure Governance Security Legal interpretation Organizational knowledgeAnd those commitments rarely decrease over time. They accumulate. Data maturity is not about scale. It is about restraint. A mature data organization is not one that collects everything. It is one that understands the lifecycle of what it collects. That means:Knowing when data stops being useful Designing systems that allow safe removal Avoiding unnecessary granularity in the first place Treating retention as a cost, not a default Being explicit about what is not collectedThis is often counterintuitive. Because maturity is usually associated with capability expansion. But in data systems, maturity often shows up as disciplined limitation. Not everything that can be measured should be measured. And not everything that is measured should be kept. Closing thought Data is often described as an asset. But that description is incomplete. Data is also a commitment. A dependency. A governance responsibility. And, increasingly, a structural constraint on how an organization can evolve. The organizations that treat data as neutral will continue to accumulate complexity they do not fully understand. The ones that recognize its impact on architecture and control will design differently from the start. Not by collecting less for the sake of it. But by understanding that every data decision is also a decision about the shape of the organization itself.