The New Cybersecurity Requirements for a Control-First World

By Christophe Briguet - Director of product management - AI and Analytics at Stellar Cyber.

For over a decade, the default enterprise infrastructure strategy was simple: migrate as much as possible to the cloud. Today, however, this ‘cloud-first’ mandate is no longer adequate for modern security and business demands.

Today’s CISOs and CIOs are dealing with a complex threat landscape defined by accelerating AI adoption, geopolitical conflict, fragile supply chains, data sovereignty mandates, sophisticated identity-driven attacks, and intense cost scrutiny. 

In addition, for numerous organizations, the era of unbridled cloud expansion is colliding with harsh economic realities, as escalating outbound data transfer charges and cloud storage fees, fragmented provisioning, and vendor lock-in erode the cloud’s initial value proposition. Although the public cloud offers unparalleled velocity for startups, more mature, steady-state workloads often face unforeseen financial burdens. Cloud investment was originally supposed to deliver efficiency, but 69% of CFOs now believe that between 10% and 30% of cloud spending is wasted.

For today’s enterprise, the goal has shifted from being “cloud-first” to “control-first.”

The Control-First Placement Strategy

A control-first approach doesn’t mean abandoning the public cloud entirely. Instead, it demands a strategic, nuanced decision on where to place each workload to achieve the optimal balance of risk reduction, cost efficiency, performance, resilience, and governance. This may mean repatriating critical workloads to hybrid, private, edge, or on-premises environments.

Public cloud repatriation, the movement of workloads from public cloud environments back to private infrastructure or alternative hosting providers, has become one of the most discussed trends in enterprise IT. The real discussion now focuses on placement strategy. Where should AI workloads run for the best balance of performance, cost, governance, and resilience? This is why hybrid cloud has moved from being a transitional architecture to becoming the preferred operating model for AI-driven enterprises. 

New Security Requirements Drive Infrastructure Decisions

The World Economic Forum’s 2026 cybersecurity outlook points to accelerating AI, geopolitical fragmentation, cyber inequity, and cloud sovereignty as key disruptors, leading to faster, more sophisticated, and unevenly distributed attacks. PwC’s 2026 outlook further confirms that cyber operations are increasingly stealthy, persistent, and identity-centric, often tied to real-world geopolitical conflicts. This means attackers are bypassing the traditional perimeter and instead logging in, blending in, and moving laterally across complex hybrid environments.

Deloitte’s 2026 Tech Trends suggests that as AI moves from experimentation to production, many existing compute strategies are mismatched with the cost, latency, and scalability requirements of inference-heavy workloads. This necessity, not nostalgia, is fueling the return of on-premises and private infrastructure. For example, a 2026 Cloudian survey found that 91% of respondents would choose on-premises, private, or hybrid infrastructure over public cloud for sensitive AI workloads, driven by data sovereignty, unpredictable costs, and real-time performance needs. Even major players like Microsoft are adapting, with the April 2026 announcement of Azure Local scaling to thousands of servers within a sovereign environment, allowing organizations to maintain control over large, local workloads.

The message to every CISO and CIO is clear: the most strategic infrastructure vendors are now selling control, locality, resilience, and choice, not just “cloud-only” solutions.

The New Board-Level Security Imperatives

For the board, the focus is not on the infrastructure location—public cloud, private cloud, on-prem, or edge—but on operational continuity and security posture during a major incident.

The critical questions for security leadership now include:

  • Can critical systems remain operational during a regional outage, supply-chain disruption, or targeted cyberattack?
  • Is there verifiable proof of the location and access controls for sensitive data?
  • Can AI workloads be run without inadvertently exposing proprietary data to environments lacking full control?
  • Is it possible to detect identity abuse, lateral movement, and data theft across disparate cloud and on-prem systems?
  • Can costs be effectively managed as AI usage transitions from pilot projects to full production deployment?

Ultimately, winning organizations will be defined not by the “purest” cloud strategy, but by the most disciplined workload placement strategy.

The CISO’s Mandate: Visibility and Resilience

The shift toward hybrid and on-prem is fundamentally a trend in detection and resilience. With sensitive workloads distributed across private environments, security teams require full visibility across the entire stack: identities, endpoints, networks, cloud, SaaS, applications, and OT/IoT. Relying solely on public cloud telemetry, endpoint telemetry, or SIEM logs is insufficient.

This is where network detection and response (NDR) becomes a strategic requirement. When adversaries leverage valid credentials, disable agents, move laterally, stage data, and communicate with command-and-control infrastructure, the network often serves as the most independent and reliable source of truth. NDR provides security teams with essential visibility into behaviors that might be missed by identity or endpoint tools alone. In a control-first operational model, NDR is an indispensable signal layer for modern cyber defense.

The Control-First Imperative

The idealistic era of cloud-first dominance has passed. The global landscape has shifted, making a control-first strategy an absolute necessity due to several critical factors:

  • Computing economics have been fundamentally transformed by AI.
  • Data residency needs have been reshaped by geopolitical dynamics.
  • The traditional security perimeter has vanished in the face of identity-centric attacks.
  • The financial impact of downtime has been magnified by ransomware.
  • Stricter regulations have removed the margin for security uncertainty.
  • Corporate boards now demand more from their CISO and CIO leadership.

To meet the requirements of 2026, the cybersecurity directive is clear: establish a holistic infrastructure and security plan that optimizes workload placement, enforces protection across all environments, and maintains rigorous control at every level.

Defining the New Security Requirements

Modern enterprises require the agility and innovation speed of the public cloud alongside the control, locality, resilience, and cost predictability offered by private, edge, and on-premises infrastructure. The winning model is inherently hybrid.

Crucially, this creates a fundamental security requirement: the security platform must transcend infrastructure boundaries. If data, users, applications, and critical AI workloads span cloud, on-prem, edge, and hybrid environments, the detection, investigation, and response platform must do the same. Any other approach creates a security blind spot with every infrastructure decision.

The modern security platform must therefore support security operations across all environments—cloud, on-premises, private cloud, and hybrid—providing teams the necessary flexibility to protect workloads wherever risk, cost, compliance, and business requirements place them.

In a control-first world, infrastructure flexibility is not optional, and neither is security flexibility.

About the Author

Christophe Briguet is the director of product management – AI and Analytics at Stellar Cyber.

 

 
