When a clinical artificial intelligence (AI) system fails in a hospital, the issue isn’t uptime – it’s who gets hurt and how far the impact spreads. For Rayed Saad Altukhais, vice-president of digital transformation and CIO at Riyadh First Health Cluster, that question decides whether an AI system stays on sovereign infrastructure or moves to a hyperscaler.
“If patient outcomes, national health intelligence, or loss of control are at stake, sovereignty isn’t negotiable, even if it slows us down or costs more,” says Altukhais. That logic reflects a wider shift across enterprises in the Middle East and North Africa (MENA) region, where sovereignty isn’t about shutting out hyperscalers, but about drawing clear lines around risk, accountability and what cannot be reversed.
Across the Middle East, CIOs are walking a fine line. Governments are pushing for sovereign AI, even as most enterprises still depend on hyperscalers such as Amazon Web Services (AWS) and Microsoft Azure for speed and scale. The real challenge is no longer choosing one over the other, but using both without drifting into lock-in that makes exit slow and expensive.
According to PwC’s 2025 EMEA Cloud Business Survey, 82% of organisations are actively refining their cloud strategies in response to geopolitical and regulatory shifts, while 94% plan to expand or adjust their cloud architecture, driven increasingly by sovereignty alongside scale and flexibility.
Where CIOs draw the line
The practical dividing line is less about infrastructure and more about jurisdiction and operational control. Ashish Banerjee, senior principal analyst at Gartner, observes that MENA IT leaders are increasingly keeping regulated “cores” (identity systems, encryption keys, sensitive citizen data and audited decision-making) in sovereign or on-premise environments, while still using hyperscalers for “speed layers” such as development, testing, experimentation and non-sensitive analytics.
“The acceleration of sovereign cloud initiatives in the region reflects this hybrid reality rather than a hard split,” Banerjee notes. This aligns with Gartner’s broader prediction that by 2030, more than 75% of enterprises outside the US will have implemented a digital sovereignty strategy supported by sovereign cloud infrastructure.
For healthcare, the stakes are uniquely high. Altukhais draws a hard line around AI that touches real patients over time. “Anything trained on identifiable clinical data, decision support, risk prediction, population health, or models linked to national registries has to stay on sovereign infrastructure,” he says. “In healthcare, you can’t hide accountability behind a cloud SLA [service level agreement].”
However, hyperscalers still have a clear role. Altukhais relies on global cloud platforms for operational AI – things like scheduling, capacity planning, revenue cycle management and supply chain optimisation – and uses them as a sandbox for experimentation, from model prototyping to de-identified research. “Hyperscalers can accelerate ideas,” he says, “but they can’t own clinical truth.”
Banks are drawing similar boundaries. Jassim Al Awadhi, executive director and head of enterprise platforms at Emirates NBD, says institutions are careful about where responsibility sits. “Customer, transaction and risk data stay within sovereign or regulator-approved environments,” he explains. Hyperscalers still have a role, but regulated workloads are designed so sensitive data never leaves authorised jurisdictions.
The real distinction, says Al Awadhi, is between borrowing intelligence and owning it. Global foundation models may provide a starting point, but anything that shapes credit decisions, fraud detection, anti-money laundering or regulatory reporting is increasingly built, governed and maintained in-house across its entire lifecycle.
Similar patterns emerge beyond banking. Manish Ranjan, research director for software and cloud at IDC EMEA, says the same architectural split is now standard across energy and government, where sovereign cloud and sovereign AI are preferred for patient data, core financial systems, national security workloads and other assets that carry irreversible risk.
IDC’s regional cloud survey for the Middle East reflects this, showing that CIOs now prioritise AI-ready infrastructure, data sovereignty and governance as core decision factors when selecting cloud platforms for AI workloads, not just cost or scale.
Do partnerships really reduce lock-in?
To balance local control with global scale, hyperscalers are leaning into “sovereign-aligned” partnerships. Tie-ups such as AWS’s Sovereign Launchpad with e&, Oracle Alloy with Du, and Microsoft’s partnership with G42 give enterprises access to advanced AI capabilities while keeping data and oversight firmly within national borders.
Ranjan sees these models as a practical response to the real cost of AI. “Running AI, especially generative AI, is expensive, and the costs rise fast if everything is built on a private cloud,” he says. “To avoid heavy capex [capital expenditure], many organisations leverage hyperscaler IaaS [infrastructure as a service] for easy access to compute and storage while keeping sensitive data governed locally.”
But cost efficiency doesn’t automatically translate into strategic independence. Banerjee argues that such partnerships can reduce compliance and audit risk through local residency and controlled operations, “but they don’t reduce strategic dependence if enterprises continue to build heavily on proprietary PaaS [platform as a service] and AI services”.
The real cost appears at exit
For Riyadh First Health Cluster’s Altukhais, the real risk emerges once AI is embedded in daily operations. “When AI goes live, it becomes part of the workflow,” he says. “You’re no longer moving infrastructure; you’re reworking care pathways. The cost of hyperscaler dependence isn’t paid upfront. It’s paid when you try to leave.”
For banks, the most significant lock-in risks often stem from surrounding layers rather than the models themselves. Emirates NBD’s Al Awadhi identifies three forms of lock-in that determine exit feasibility: data and integration lock-in, where feature stores or vector databases become intertwined with proprietary systems; control-plane lock-in, where governance and monitoring workflows embed into a single supplier’s platform; and talent lock-in, where teams trained in one environment face execution risk when attempting migration.
“If teams are trained within a single environment or toolset, exit options are limited by execution risk rather than contractual obligations,” Al Awadhi explains. “Banks that maintain flexibility separate data from models, ensure governance is platform-agnostic, and train teams on architectural concepts rather than specific products.”
Looking ahead, Banerjee says the most “irreversible” decisions involve selecting a primary agent runtime or orchestration layer, committing to a heavily fine-tuned model family, and locking in identity and key custody patterns, as these choices embed governance and operations into the stack.
Ranjan notes that providers excelling across technical and regulatory dimensions will lead AI deals in the Gulf Cooperation Council’s (GCC) sovereign AI space.
Sovereignty is more than data residency
For Altukhais, sovereignty extends to the entire model lifecycle. “Who can retrain it, audit it, shut it down, or explain its behaviour? If we don’t fully control that lifecycle, especially for clinical AI, it doesn’t belong outside sovereign boundaries,” he says.
Under Saudi Vision 2030, this control is a strategic imperative. Many organisations fall into the trap of thinking they can “localise” their tech later, but once operations teams rely on AI, exiting becomes costly, Altukhais argues. Avoiding this “drift” towards total dependence requires more than just data scientists; it requires architects and leaders who can design AI to stay portable and controllable from day one.
For banking, Al Awadhi describes a similar strategy: “Governance is most effective when considered an essential banking competency rather than a vendor advantage.” This means separating the execution layer from the control layer, using hyperscale for computation and tools while retaining governance, approval and auditing internally. The organisations that design for this separation from day one, he argues, are the ones that retain genuine optionality as geopolitical or regulatory conditions shift.
The broader lesson across MENA is that sovereignty and hyperscaler dependence are parallel realities. As Banerjee puts it: “Geopatriation is already taking shape in the GCC as an architectural pattern rather than a mass hyperscaler exit.” Unlike Europe’s broad provider shifts, the GCC approach is investment-driven, focused on building domestic capacity to retain control over key AI systems.