IT Governance & Strategy

50% of Non-US CIOs Are Rethinking Vendor Relationships Over Geopolitics

When half of non-US CIOs anticipate vendor changes because of geopolitical factors, cloud procurement has become foreign policy by another name.

2026-05-14

McKinsey's 2026 State of AI report, published earlier this year, contains a finding I have been thinking about for weeks: 88 percent of organizations now use AI, and geopolitical concerns are actively shaping vendor decisions (https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai). That framing, "geopolitical concerns shaping vendor decisions," is new language in a report that has historically focused on adoption rates and productivity. The fact that McKinsey felt it necessary to include geopolitics as a driver of AI vendor selection tells me something about how quickly the landscape has shifted. And it tracks with what Gartner found when it surveyed technology leaders: 50 percent of non-US CIOs anticipate changes to vendor engagement based on regional and geopolitical factors (https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026). As an IS researcher who studies IT governance, I find that convergence from two separate research streams hard to ignore.

Half is a large number. This is not a fringe segment of highly regulated defense contractors. It is half of the people running technology organizations outside the United States, across industries and geographies, who are now treating the national origin of their cloud vendor as a material consideration. Five years ago, that category of analysis barely appeared in IT vendor evaluation frameworks. Today it is generating strategic discussions at the board level in organizations from Frankfurt to Seoul.

The structural reason for this shift is the legal asymmetry built into how the US regulates technology companies. AWS, Azure, and Google Cloud are all US corporations. They are all subject to the CLOUD Act of 2018, which allows US law enforcement and intelligence agencies to compel these providers to produce data held abroad if they have custody or control of it, regardless of where the data physically resides. A European hospital storing patient records on Azure's Frankfurt region servers is not fully insulated from a US federal court order directed at Microsoft, because Microsoft is a US entity with custody of the data. This legal architecture is not a secret. It is the reason the Court of Justice of the European Union invalidated the EU-US Privacy Shield in the Schrems II ruling of July 2020. The court found that US surveillance law made equivalent data protection for EU residents legally impossible under the existing transfer framework. Non-US CIOs in regulated industries have understood this tension for years. The Gartner survey suggests that understanding is now converting into anticipated procurement action.

The IS theory I find most useful for explaining this conversion is the resource-based view (Barney, 1991). When cloud infrastructure was understood as a commodity, vendor selection optimized on cost, capability, and integration. Geography was a latency variable, not a strategic one. The CLOUD Act, Schrems II, and the EU AI Act collectively transformed data sovereignty from a compliance footnote into a scarce and legally significant resource. Under RBV logic, once a resource becomes valuable and difficult to imitate, it drives strategic behavior. The CIO who can demonstrate that their organization's data is genuinely beyond the reach of foreign law enforcement, stored under verifiable sovereignty guarantees, holds something that a CIO running on a globally agnostic hyperscaler cannot offer. That resource scarcity is what is turning vendor selection into a geopolitical act.

Gartner's own framing of this in the 2026 CIO Agenda is "geo-strategically aligned sourcing," positioned as one of three major strategic shifts for technology leaders this year. The phrase "globally agnostic," which described the dominant cloud posture from roughly 2012 to 2022, is explicitly being retired in favor of assessments that treat the vendor's national origin, regulatory exposure, and political stability as first-order evaluation criteria. That is not a minor adjustment to the vendor scorecard. It is a different epistemology for making technology decisions.

What geo-strategic sourcing looks like in practice is more complicated than the survey language suggests. The European hyperscaler market is growing, but it is still significantly smaller in breadth and capability than AWS, Azure, and GCP. OVHcloud, Ionos, and national cloud providers in France, Germany, and Scandinavia offer EU-sovereign infrastructure and are certified under EU frameworks. The EU's GAIA-X initiative provides a governance framework for federated European cloud services. But none of these providers match the managed service breadth, global edge network, or developer tooling ecosystem that the US hyperscalers have built over fifteen years. A CIO who migrates workloads to a sovereign provider for regulatory reasons may be accepting real capability constraints that affect developer productivity and operational complexity. The trade-off is genuine, and the 50 percent figure in the Gartner survey reflects anticipated changes, not completed migrations.

The contract dimension of this rethink is underappreciated. Standard enterprise cloud contracts are adhesion agreements: the provider sets the terms, the customer accepts or goes elsewhere. For organizations worried about geopolitical exposure, the clauses that matter include data residency guarantees, law enforcement request policies, transparency reporting, and exit provisions that allow clean data retrieval if migration becomes necessary. Most large enterprises do negotiate these terms, but the negotiation starts from the provider's standard agreement, which is written under US, Irish, or Singaporean law depending on entity structure. A CIO doing geo-strategic sourcing needs legal counsel that understands both the organization's regulatory environment and the governing law of the cloud contract. Those two legal contexts often create friction that no single technology decision resolves cleanly.

The sociotechnical systems perspective (Trist and Bamforth, 1951) is relevant here in a way that often gets missed in vendor strategy discussions. Migrating cloud infrastructure is not just a technical act. It is an organizational change that affects developer workflows, operational processes, team skills, and vendor relationships built up over years. The social system around cloud infrastructure, the teams who maintain it, the institutional knowledge of how to operate it, the cultural assumptions about which platforms are reliable, does not migrate cleanly with the workloads. A CIO who shifts to a European sovereign provider for legitimate regulatory reasons may find that the technical migration is the easy part. The sociotechnical disruption to how the organization's engineers work and what they know is harder and slower.

What worries me as an IS researcher is the gap between strategic intent and governance reality. The 50 percent figure tells me that half of non-US CIOs intend to change vendor relationships. It does not tell me how those intentions translate into actual architecture decisions, contract renegotiations, or new procurement processes. Institutional theory would predict that coercive pressure from regulators will produce surface compliance, meaning visible changes to vendor language and procurement documentation, while deeper architecture dependencies on US hyperscalers persist because the switching cost is too high. That pattern, compliant on paper but dependent in practice, is exactly what Feldman and Pentland's (2003) routine dynamics framework calls the difference between the ostensive routine and the performative routine. The CIO announces geo-strategic alignment. The organization continues using S3 buckets for production data because no one has built an alternative pipeline yet.

The question this raises for my research on IT governance is whether we have adequate frameworks for studying how organizations navigate this kind of institutional pressure when the cost of genuine compliance is high and the verification of compliance is imperfect. Regulators can require data residency. Auditors can check contract terms. Neither can easily verify that every data flow in a complex cloud architecture actually respects the sovereignty boundary it claims to respect. That verification gap, between the policy and the architecture, is where my research interest sits. The 50 percent figure from Gartner is where the story starts. What happens inside organizations as they try to make it real is the question I want to follow.



About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
