After the Mainframe
The cloud AI buildout is structurally short the market it was sized for
The cloud AI capex cycle is sized for a customer who cannot legally exist on cloud infrastructure. Not in any jurisdiction whose professional regulatory architecture survived intact from the twentieth century. The buildout assumes regulated professionals — solicitors, accountants, financial advisers, architects, engineers — will pay premium subscription rates for agentic AI: AI that reads their files, organises their practices, drafts their correspondence, runs their audits, generates their compliance reports, and does so unsupervised, at scale, on the provider’s infrastructure. This is the customer who repays the hundreds of billions of dollars committed to datacenter capacity through 2027. This customer cannot exist on cloud infrastructure at any price, and the reason is structural to what a profession is.
We have been here before. Cloud AI in 2026 is structurally where mainframe computing was in roughly 1976: dominant, well-capitalized, supported by an entire enterprise ecosystem, and quietly about to be displaced for the bulk of professional users by a personal alternative that the incumbents do not yet take seriously. The displacement took roughly a decade. By the late 1980s the mainframe still existed, still served specific institutional workloads, still made commercial sense in a narrower form — but it was no longer the default deployment for professional practice or for most enterprise work. The capex sized for permanent mainframe dominance was substantially stranded by the migration. The cloud AI capex cycle is sized for permanent cloud dominance, and the same kind of stranding is in front of it, for structurally similar reasons.
Most analysis of the AI capex cycle has been wrong about this because it has been wrong about two adjacent things. It has overestimated the speed at which regulated professionals will adopt agentic tooling on cloud, treating them as a single market with a uniform appetite for productivity gains. And it has underestimated how completely the existing third-party delegation pattern in regulated practice is already failing under regulatory observation. The correction, when it arrives, will not look like a hype-cycle deflation. It will look like the mainframe-to-PC transition: real underlying technology, real demand, but a fundamental error about where the demand can physically locate once the local alternative becomes practically viable.
What the regulated professional actually buys
The regulated professional’s AI spend splits into two categories. The first is constrained chat. The professional sits at the keyboard, pastes in a document or fragment, asks the model to summarise, revise, draft, or analyse, and receives a response. Every byte the model sees crosses the wire because the professional decided to send it. Data minimisation happens at the human’s hands, sentence by sentence. The model is effectively a typist who happens to live in San Francisco — the typist gets what the professional dictates, and nothing more. This is what current cloud subscriptions sell. It works under existing professional confidentiality regimes because the disclosure decisions remain with the professional. It survives indemnity scrutiny because the data exposure is bounded by the professional’s own discretion. It will continue to scale because the regulatory architecture can accommodate it.
The second category is agentic AI: the model reads the file system, opens documents the professional has not specifically nominated, makes decisions about classification and reorganisation, executes multi-step tasks across a body of work the professional has not pre-screened. “Tidy up the Henderson matter folder.” “Run the quarterly audit.” “Find every document that mentions the new product and summarise the legal exposure.” These tasks are where the productivity claims justifying the capex live. They are also the tasks that require the model to act on its own decisions about what to access, on the full body of the professional’s confidential work product. The agent’s value is the practitioner not having to enumerate every action and every file — that is the whole point.
Agentic AI delivered through a cloud provider transmits this corpus across the wire, stores it on infrastructure the professional does not control, and exposes it to the legal jurisdiction of wherever the inference happens. In the United States, that means the CLOUD Act. In the PRC, that means the spreading family of countermeasures regulations through 2025 and 2026. In the European Union, that means the AI Act and the expanding indirect-collection liability under jurisdiction-specific privacy regimes. In every common-law jurisdiction, it means the obligations of legal privilege, the duty of confidence, and the indirect-collection rules that have been strengthening through statute and regulator guidance, with New Zealand’s IPP3A as one recent worked example. Professional indemnity coverage for this exposure is, at present, contested and increasingly excluded rather than affirmatively offered. Insurers are writing silent-AI exclusions into renewal terms across the regulated professions, and the premium for affirmative cover where it exists is rising fast enough that prudent practice cannot rely on it. The exposure is not formally uninsurable. It is becoming unreliably insurable, which for a profession that must guarantee continuity of indemnity is the operationally equivalent state.
The structural rule and why technical safeguards cannot dispose of it
The obvious objection here is that regulated professions already delegate to third parties all the time. Lawyers use cloud practice-management systems, e-discovery vendors, offshore paralegals, outsourced billing services. Accountants use cloud-hosted ledgers. The information governance regime in every common-law jurisdiction has spent the last twenty years accommodating these arrangements through contractual safeguards, certification regimes, and indemnity wrappers. Cloud agentic AI, the objection goes, is just the next iteration of an accepted pattern.
This is the strongest objection to the structural argument and it fails for two reasons.
The first reason is that every prior third-party delegation in regulated professional practice has operated under human-triggered events and bounded authorisations rather than autonomous decisions. The e-discovery vendor processes the matter contracted for, on data the firm has selected and transmitted, against parameters the firm has set. The cloud document repository holds the files the lawyer placed there, retrievable on demand but not acted upon. The practice-management SaaS indexes and stores the practice’s records and may suggest filings against a defined rule set, but it operates within authorisations issued in advance for specific workflows. The outsourced IT provider with broad system access acts on tickets, change requests, scheduled procedures — events triggered by human decisions inside the firm. The offshore paralegal works on briefs assigned by a partner who has read them. Each delegation involves access that can be broad and processing that can be algorithmic, but each operates under bounded authorisation from an accountable human inside the professional relationship.
The cloud agentic AI proposal is structurally different because the agent decides what to read, when to read it, what connections to draw across matters, what actions to take, on the practitioner’s standing authorisation to “manage the practice.” The thing that makes agentic AI commercially valuable is precisely the property that distinguishes it from every prior delegation: the agent’s authority is open-ended within the scope of its standing instruction, not bounded by per-task human authorisation. You can have an agent making its own decisions within a standing authorisation, or you can have human-triggered delegation to a third-party processor on bounded authorisations, but you cannot have both. The agent’s commercial value collapses if you constrain it to act only on per-instruction human triggers — at which point it is a slow chat tool, not an agent. The delegation framework collapses if you grant the agent authority to decide on a standing authorisation. The historical pattern of regulated delegation accommodated broad access under bounded authorisation. It did not accommodate open-ended decision-making by a third party on standing authority, and the regulator has no precedent for extending it to do so.
The second reason is that the empirical record of bounded-scope delegation is not one of successful adaptation. It is one of repeated, large-scale breach across every commercially valuable category of confidential information. Samsung’s semiconductor division in 2023: engineers pasted proprietary source code, defect-detection algorithms, and recordings of internal meetings into ChatGPT across three separate incidents within twenty days, sending some of the most tightly held intellectual property in the industry to a foreign-jurisdiction inference cluster from which it cannot be retrieved. The MOVEit supply-chain compromise in 2023, which propagated through Kirkland & Ellis, Orrick Herrington & Sutcliffe, and other major law firms via a single shared file-transfer vendor — one upstream breach, multiple downstream firms, millions of client matters exposed. Orrick paid an $8 million class-action settlement in 2024 and was breached again in 2026 by a different group, demonstrating that even substantial post-incident security investment does not close the structural exposure. The Berkeley Research Group ransomware attack in March 2025, which occurred during an active LBO-related debt sale and raised serious concerns about exposure of sensitive deal information across concurrent advisory engagements — not a leak of static records but a real-time intelligence theft. The INC Ransom and Silent extortion campaigns through 2025 and into 2026 produced a sustained sector-targeting effort against law firms specifically, with shared technology vendors providing the access vector to multiple firms at once.
The Mandelson correspondence released by the US Department of Justice in early 2026 is the institutional-correspondence version of the same problem. Internal British government emails — material the originators considered protected by every available convention of governmental confidentiality, market-sensitivity restriction, and ministerial privilege — became public not because anyone inside the UK government released them, but because they had been sent outside the perimeter to a recipient who kept his own records, and those records were eventually compelled by foreign legal process. The principle generalises: confidential correspondence is confidential only while it stays inside the institutional perimeter, and every third-party delegation enlarges the perimeter to include parties the originator cannot control. The cloud agentic AI proposal enlarges the perimeter to include not just a single recipient but an entire foreign-jurisdiction infrastructure stack whose contents are subject to subpoena, government request, security incident, and vendor decision in ways the original confidentiality regime never contemplated.
In every case, the practitioners using these systems were not careless. The breaches lived in the IT layer above them, in vendor-managed systems they had no operational control over, in shared infrastructure where one weak link compromised everyone connected, or in legal jurisdictions whose process the originator never imagined applying. The cumulative record is not evidence of individual security failures the next generation of tooling will solve. It is evidence that delegation patterns the regulator and indemnity market once treated as acceptable are no longer producing acceptable outcomes, and the response to that pattern is institutional tightening, not institutional accommodation. New Zealand’s IPP3A is one such response. Cumulative European, North American, and Antipodean regulator guidance on vendor due diligence is another. The cloud agentic AI proposal arrives in a regulatory environment that has already lost patience with the third-party delegation pattern the objection assumes is settled.
A related objection looks for technical rescue. AWS Nitro architecture. Apple Private Cloud Compute. Homomorphic encryption. Secure multi-party computation. Attested hardware enclaves. The cloud industry has invested heavily in confidential computing precisely to defeat the unsupervised-access problem. If the cryptographic guarantees hold, the objection goes, the regulated professional’s corpus can cross the wire to a cloud agent without violating the structural rule, because no third party can read it.
The technical objection is not wrong but it is incomplete in a way that the next section makes concrete. The cryptographic guarantees are real. The legal effect of those guarantees is contested — courts have not settled what attested enclaves mean for compelled disclosure, and the provider that hosts the enclave can still be compelled to instrument its infrastructure, alter its software, or break attestation under sufficient legal pressure, leaving the customer with notification but not protection. More importantly, confidential computing addresses one component of the threat — provider-side exposure to legal process — while leaving every other component of the threat intact. It does not solve the autonomy problem. It does not solve the relationship problem. And it is not, on its own, the standard that the frontier AI labs apply when they need to protect their own genuinely valuable confidential material. Which is the strongest evidence available that the cloud security posture being offered to regulated professionals is not what the providers themselves rely on when the stakes are high.
How the labs handle their own confidential material
The frontier AI labs operate under explicit, published, multi-tier security frameworks specifically designed to protect their own most valuable intellectual property: their model weights. The frameworks are not marketing. They are operational policy, audited internally and increasingly externally, with capability thresholds that trigger tier escalations. Anthropic’s Responsible Scaling Policy, currently at version 3.0 effective February 2026, is the most public worked example, but Google DeepMind’s Frontier Safety Framework, OpenAI’s Preparedness Framework, Meta’s Frontier AI Framework, and xAI’s analogous structure all rest on the same general approach.
The frameworks are explicitly modelled on biosafety levels — the BSL-1 through BSL-4 hierarchy used in virology and microbiology research to determine the containment required for handling pathogens of different threat levels. BSL-1 is the laboratory standard for non-pathogenic organisms. BSL-2 is the standard for moderate-risk agents (most clinical samples, common bacteria with available treatments). BSL-3 is the standard for agents that can cause serious or lethal disease through inhalation: tuberculosis, SARS-CoV-2 in research settings, anthrax. BSL-3 facilities use negative-pressure containment, controlled access through interlocked doors, dedicated supply and exhaust air systems, and decontamination procedures for all materials leaving the laboratory. BSL-4 is reserved for agents with no available treatment or vaccine: Ebola, Marburg, smallpox. BSL-4 facilities use full positive-pressure suits with dedicated air supply, hermetically sealed laboratories, and extensive decontamination of every person and object passing through.
The labs did not borrow only the name of this framework. They borrowed the engineering philosophy. The philosophy is that some materials are dangerous enough that you build the containment around the assumption of failure rather than the assumption of success. You assume the agent will escape. You assume the lab worker will err. You assume the procedure will not be followed perfectly. The containment has to hold under those assumptions, not under the assumption that everything goes right.
This is the philosophical difference between BSL handling and standard infection control. Standard infection control assumes that with reasonable precautions, transmission is unlikely. BSL handling assumes that without extraordinary precautions, transmission is certain. Same biological agents, completely different containment philosophy, because the consequences of failure differ by orders of magnitude.
The labs adopted biosafety philosophy for AI weights because the consequences of frontier model weight theft are treated, in their own internal frameworks, under analogous containment logic to materials with severe release consequences. A stolen frontier model in adversary hands can accelerate biological weapons development, cyberweapons development, large-scale disinformation operations, and various other harms. The analogy is operational, not poetic. The same engineering response — assume failure, build containment that holds under failure conditions — is being applied because the consequence structure is treated as analogous, and because intellectual property of this magnitude has become more expensive than almost any other category of material the modern economy produces. Frontier model weights cost billions to train, are irreplaceable in the same form once stolen, and confer capabilities that the originating lab cannot revoke.
Anthropic is currently operating Claude Opus 4 under ASL-3 Security Standard protections, designed to be suitable against sophisticated non-state attackers. Published material describes restricted outbound network traffic to detect and prevent weight theft, internal access controls, physical security with on-site restrictions, advanced authentication for sensitive interactions, network visibility monitoring, and continuous red-teaming. The standard above this — RAND Security Level 4, designed to protect against state-level adversaries — is formally acknowledged by Anthropic as currently beyond unilateral implementation by any single lab. Security Level 5, aimed at stopping top-priority operations by the most cyber-capable institutions, is, in the labs’ own published assessment, currently not possible and will likely require national-security-community assistance.
The labs are not yet fully airgapped. But the trajectory is toward configurations that approximate airgap-equivalent isolation for the most valuable material. Anthropic in February 2026 announced exploration of a prototype of what its key workflows and infrastructure would look like under extreme security practices, including simulated isolated networks, controlled limited remote connections, and commensurate physical security controls, with Phase 1 due in late 2026. The other major labs operate under analogous published frameworks at comparable tiers, with comparable trajectories.
The asymmetry is now concrete. The labs apply BSL-3-equivalent engineering controls to their own model weights and standard cloud security to their customers’ confidential material. The cloud agentic AI proposal asks regulated professionals to operate in the opposite direction from the labs themselves. The customer’s client matters — corporate intellectual property, M&A intelligence, privileged legal communications, sensitive financial positions, market-moving information, the documents underlying ongoing litigation — are entrusted to infrastructure that is, by the lab’s own framework, structurally incapable of providing ASL-3-equivalent containment. The lab keeps its own valuable material under BSL-3 philosophy and offers its customers the standard cloud security posture, because the alternative is to not have a mass-market product at all. ASL-3-equivalent security for a handful of specific assets in a small number of locations is feasible. ASL-3-equivalent security across millions of customer seats globally is not feasible at any price the market will bear.
This is not bad faith. It is the inherent structure of trying to operate a mass-market service on infrastructure that was designed for unbounded customer-data ingress. But it disposes cleanly of the confidential-computing objection. The labs have access to AWS Nitro, Apple Private Cloud Compute, attested hardware enclaves, and every other technical safeguard the cloud industry has produced. They do not rely on these technologies as the sole protection for their own model weights. They use ASL-3 Security Standard with physical isolation, access control, restricted networking, and developing isolated-network architectures. They use confidential computing as one layer among many, with the engineering controls carrying most of the load. If confidential computing were sufficient for assets of this sensitivity, the labs would rely on it. They do not. The regulated professional considering whether to entrust client material to cloud agentic AI is being asked to accept a containment standard that the lab itself has explicitly designated as insufficient for assets of comparable consequence-to-the-holder.
The regulated professional has two coherent responses. The first is to operate at the lab’s own standard — keep the most valuable confidential material under BSL-3-equivalent local containment, on infrastructure the practitioner controls, with the corpus never crossing the wire. The second is to operate at the lab’s marketed standard — accept the containment level the lab offers its mass-market customers, on the theory that contractual assurances and confidential-computing technologies will compensate for the absence of the engineering controls the lab applies to its own material. The first response is what the labs themselves do for the assets they take seriously. The second response is what they sell to everyone else.
The capex bet
The cloud AI capex cycle through 2024-2027 makes economic sense only if agentic AI scales into the regulated professions the same way constrained chat did. If that transition happens at cloud, then every solicitor, every accountant, every adviser across the Anglosphere becomes a $500-to-$2,000-per-month enterprise customer for the next twenty years. The numbers work. The buildout repays.
If the transition happens locally instead — if agentic AI for regulated professionals lives on hardware the professional controls, with the corpus never crossing the wire — then the cloud retains only the chat market, which is a fraction of the revenue and a fraction of the compute demand. The buildout does not repay. The capex is stranded.
Back-of-envelope reasoning makes the scale of the misallocation concrete, though the specific numbers should be read as analytical illustration rather than as established facts. On reasonable assumptions, the residual non-professional demand — consumer chat, frontier research, sovereign workloads, non-regulated enterprise — generates perhaps $25 billion in annual revenue and roughly $11 billion in annual profit. Justifying a buildout of the announced magnitude over its expected ten-year infrastructure life requires substantially higher annual profit than the residual demand appears capable of generating. Under any plausible parameter range, a substantial fraction of the announced AI datacenter capex lacks demand to justify it once the regulated-professional structural exclusion is taken seriously. The correction, when it arrives, will be visible in utilisation reports and earnings statements somewhere between 2028 and 2030.
The argument does not require all regulated professionals to defect from cloud. The institutional regulated tier — Big Four accounting, magic-circle and white-shoe law firms, in-house counsel at multinationals — has negotiating leverage that solo and small-firm practitioners do not. These actors will continue to use cloud for agentic workloads, on terms the cloud provider has had to bend significantly to accept. This tier represents a small fraction of regulated professional headcount but a much larger fraction of regulated professional revenue and AI spend — by some measures, the top two percent of legal professionals generate more than half of legal services revenue, and analogous concentrations exist in accounting and financial advice. The institutional tier rescues some hyperscaler revenue. It does not rescue the buildout, because the buildout’s economics depend on the much larger headcount-weighted solo and small-firm tier also migrating to cloud premium subscriptions. That migration does not happen, for the reasons set out above. The institutional tier survives on cloud at compressed margins. The mass-market tier does not appear at all.
This is a larger misallocation than the 1999-2001 fibre buildout, on any reasonable measure, for two reasons. First, the absolute capex is comparable or larger. Second, the fibre buildout was wrong about timing and topology but right about ultimate demand — the internet eventually used that fibre, just not on the schedule or in the locations the builders assumed. The AI buildout is wrong about which customer repays it. The regulated professional mass market it was sized for cannot legally migrate to cloud agents. The capex does not get rescued by a later wave of professional adoption, because the structural barrier does not erode with time.
Three stacks, not two
The story so far treats the regulated professional market as a single block. It is not. The honest analysis identifies three distinct architectures, each with its own logic, customer base, and political economy.
The institutional regulated stack serves large firms, multinationals, and the high end of the professional market: Big Four accounting practices, magic-circle and white-shoe law firms, in-house counsel at major corporations, large hospital systems. These actors have monopsony power over their own cloud providers. They negotiate custom contractual wrappers, dedicated tenancies, sovereign-cloud regions, shared indemnity pools. They will continue to use cloud for agentic workloads, but on terms the cloud provider has had to bend significantly to accept. This market segment is real, profitable, and structurally available to cloud providers at compressed margins. By headcount it is small. By revenue concentration it is significant. By repayment of the announced capex it is nowhere near sufficient.
The solo and small-firm regulated stack serves everyone else in the regulated professional market: the regional solicitor, the chartered accountant in a market town, the financial adviser with three staff, the architectural practice with a single partner. These practitioners do not have negotiating leverage over hyperscalers. They cannot extract custom contractual wrappers. They cannot afford bespoke indemnity arrangements. They migrate to local infrastructure because the alternative is to operate outside the legal and indemnity envelope their practice depends on. This is the largest segment by professional headcount, and it is the segment the buildout’s economics depended on capturing. The migration is not optional. It is the rational response to a regulatory environment that has refused to underwrite the cloud alternative, combined with the practitioner’s recognition that reputation is the actual business and a single confidentiality breach destroys it.
The creative professional stack sits outside the regulated framework entirely. Authors, musicians, screenwriters, photographers, designers working outside architectural registration, software developers, independent researchers, journalists not employed by regulated broadcasters. These practitioners have no analogous monopsony — no court they must file with, no tax authority that mandates how the novelist generates lyrics, no AML supervisor for the documentary filmmaker. Their work is not subject to external regulatory veto over the tools used to produce it. They get the open frontier: whatever cloud frontier model they prefer, whatever local model and orchestration they like, whatever open-weights model in whatever degree of fine-tuning, on whatever hardware they can afford. The creative stack is free in a precise sense. The regulated stack is captured.
The political pressure to regulate AI most loudly emerges from creative sectors whose practitioners are not regulated. The entertainment unions, the journalism trade groups, the visual arts and music rights collectives. These are exactly the sectors that lack a structural monopsony and therefore lack a regulator-mediated channel through which AI restrictions could be imposed. So they lobby for one. The “AI safety” framing in creative-industry debates is, in part, an attempt to manufacture the regulatory monopsony that the regulated professions already have — to install a chokepoint between the creative and their tools, and to populate that chokepoint with approved vendors. Some of these efforts will succeed at the margins, particularly through output-labelling mandates and copyright extension over training data. None will produce a full approved-vendor channel of the kind the regulated professions have, because the structural preconditions — existing statutory filing requirements, indemnity markets, professional disciplinary authority — do not exist for creative work and cannot be invented from scratch on any politically realistic timeline.
The fourth architecture: obscurity
There is a fourth option that the regulator-approved-vendor analysis cannot quite see, and it matters because it is observable in specific high-target segments of the professional and quasi-professional market. The practitioner builds their own stack. Custom hardware. Self-hosted inference. Models they have downloaded, finetuned, or trained themselves. No vendor relationship. No remote management hooks. No compliance registration. No place on any list a regulator publishes or an adversary reads.
This option exists because obscurity is a kind of security. The approved-vendor channel that makes a local appliance legally defensible is the same channel that makes the appliance discoverable. The regulator’s directive creates a public list. The approved vendors are named. Their products are catalogued. Their update infrastructure is documented. The compliance regime that makes the appliance defensible against legal process is precisely the regime that makes its attack surface enumerable to anyone with the resources to scan for it.
The custom stack inverts this trade. The practitioner who has built their own infrastructure on hardware that does not phone home to any vendor, on configurations no one outside their immediate circle has documented, operates in a different threat model. A state-backed adversary cannot target what it cannot enumerate. The defensive asymmetry runs in the practitioner’s favour at the cost of legal defensibility — there is no vendor with a balance sheet the regulator can attach when something goes wrong, no certification to point to in indemnity disputes, no audit trail in the regulator-acceptable form.
This trade is rational under specific conditions. A practitioner whose work attracts state-actor attention. A practitioner in a jurisdiction with weak regulatory protection but active threats. A practitioner whose technical capacity is sufficient to build and maintain the stack. A practitioner whose practice can tolerate the legal-defensibility cost because the threat being defended against is more likely to materialise than the legal pressure. The configuration is observable in the higher reaches of the consulting, security, journalism, and dissident-publishing markets, and is becoming more common in the regulated professions among practitioners with the technical capacity to build it.
The four architectures together produce a clearer picture than the simple cloud-versus-local framing the debate has been stuck with. Institutional regulated actors use negotiated enterprise cloud at compressed margins. Solo and small-firm regulated actors use approved-vendor managed appliances. Creative professionals use whatever they want. High-target practitioners with technical capacity use obscure custom stacks. The hyperscaler mass-market cloud-agent product designed for the regulated professional middle does not appear in any of the four. That market vanishes.
The monopsony shapes the approved-vendor channel
The early version of this analysis imagined the local-appliance market would be served by a vibrant ecosystem of regional integrators — small firms in regional centres, on first-name terms with the practitioners they support, selling pre-configured boxes with locked enclosures and service contracts. This is rhetorically attractive and analytically false. The regulated professions do not operate in a free vendor market. They operate under monopsony pressure from a small number of state and quasi-state bodies — the courts, the tax authority, the prudential regulators, the professional registration bodies, the AML supervisors — each of which controls a channel into a domain the practitioner cannot avoid using.
Within five to seven years of the first major notifiable agentic-AI breach in a regulated profession — and on the base rate established by Samsung 2023, the MOVEit-and-Orrick cluster, the BRG ransomware incident, and the broader pattern of professional-services breaches through 2024-2026, this breach is the median outcome of agentic-tool adoption, not a tail event — every monopsonist channel issues a directive that AI-generated submissions must come from an approved system. The approved list is short. The names are the practice management software incumbents, one or two specialist legal-tech or accounting-tech firms, possibly a telco-adjacent infrastructure provider. The list is constructed to be short, auditable, and populated by entities the regulator can actually sue if something goes wrong. Solo regional integrators do not meet that criterion. Open-source orchestration stacks, however good, do not meet that criterion. The criterion is not technical quality; it is the existence of a balance sheet the regulator can attach.
This is structurally similar to how AML compliance works now. The AML software market has consolidated significantly around a small number of major vendors — NICE Actimize, Oracle FCCM, SAS, ComplyAdvantage, Feedzai, LexisNexis Risk and others — with market structure widely characterised as oligopolistic. Every regulated firm pays a tax to one of these vendors for software that does the regulator’s job. Nobody is happy about it. Everybody pays it. The compliance burden was engineered to require specialised software, the specialised software market was allowed to consolidate, and the resulting price is the cost of being in the profession.
The approved-vendor channel for agentic AI will produce a comparable structure. The professional pays per-seat for a managed local-appliance service with hardware refresh built into the contract, accepts vendor-mandated placement of the appliance inside the office rather than at home, and lives with the multi-year lock-in because the alternative — running an unapproved stack — exposes them to disciplinary process the moment a submission goes wrong. The approved vendor will tend toward domestic domicile because remote management telemetry to a foreign-jurisdiction parent recreates the extraterritorial exposure the appliance was bought to escape. The market will fragment along jurisdictional lines into parochial vendor channels with little cross-border presence.
Whether the approved-vendor regime preserves practitioner control in substance, or whether it simply substitutes one form of subordination for another, depends on observable indicators: the number of vendors per jurisdiction, the cost of switching, real-terms price trajectories over five years, the frequency of regulator sanctions against vendor misconduct, the rate at which regulator staff join vendors after directive issuance. In high-capacity regulatory states with strong independence norms, the optimistic reading is defensible. In jurisdictions with weaker independence norms, the cynical reading — regulator-vendor cartel rather than genuine local sovereignty — is more likely. The cloud is excluded either way. The replacement is more honest about how regulated economies actually work than the romantic regional-integrator framing implied.
The cloud providers will not lose this market without contesting it. They will deploy regulated cloud regions, acquire practice-management incumbents, offer shared-indemnity pools and in-country managed appliances under their control. These moves will succeed partially — and in succeeding, they will restructure the cloud provider from a multi-tenant hyperscaler into a single-tenant regulated-appliance vendor. The economics that justified the capex bet do not survive that transition. The cloud counterattack converts the hyperscaler into an approved vendor, which is structurally what the analysis predicted in the first place. Different parent companies, same market structure, fundamentally different unit economics from the multi-tenant premium-subscription model the buildout was sized for.
In coordinated-market and state-capitalist jurisdictions — the PRC, the EU, India, the Gulf states — the regulator and the industrial-policy apparatus merge. The approved vendor is not a regulator-designated firm but a state-aligned champion. Candidate national champions in each jurisdiction have already begun to emerge: the PRC version concentrates around Huawei, Alibaba, iFlytek and adjacent state-aligned firms; the EU version is whatever emerges from Gaia-X and the European sovereign-cloud initiatives; the India version is whatever IndiaAI produces; the Gulf version is the national champion datacenter operator in each Gulf state. These are illustrations of pattern rather than predictions of specific market outcomes. In these jurisdictions the cloud capex bet fails through a different mechanism than in liberal-market economies, but it fails for the same underlying reason: the strategically important, confidentially sensitive market is being captured by domestic infrastructure under state direction, and the foreign hyperscaler is locked out by industrial policy where it would have been locked out by regulator-led monopsony in liberal markets.
The hardware will follow the model
The local-appliance market will not be characterised by a specific hardware configuration that the essay can usefully nominate. The model drives the hardware. As open-weights models mature and as the regulator-approved channel matures, vendors will package whatever hardware-and-model combination meets the regulator’s specifications at a price the practice can absorb. Today that might be one configuration. In three years it will be another. In seven years it will be another again. What matters is not the hardware specification but the architectural decision: the corpus stays on premises, on hardware the practice controls, with the agent operating inside the perimeter rather than across it.
The Apple II in 1979 cost something close to a year’s salary for the professional buying it. By 1985 the equivalent capability cost a fraction of that. By 1990 the same capability was free. The trajectory of personal computing hardware was sufficient to take the local option from “barely viable for the most committed early adopters” to “obviously dominant for almost everyone” inside a decade. The trajectory of local-AI hardware is on a comparable curve. Consumer inference hardware is improving at roughly two times per eighteen months, model efficiency is improving at a comparable rate, and the local-versus-cloud capability gap that matters for professional workflows is narrowing fast enough that the local option will be obviously dominant within the migration window the essay describes. The practitioner making this decision today is making it at the Apple II moment, not at the Macintosh moment or the iMac moment. The decision is when to migrate, not whether.
What this implies
The cloud AI buildout repays only the non-professional, non-regulated, non-institutional segments — consumer chat, frontier research, sovereign workloads operated by states rather than served by foreign providers, non-regulated non-creative enterprise. Those segments are real but together they do not justify the announced capex. A correction is coming, visible in earnings statements between 2028 and 2030, and it will look more like the mainframe transition of the late 1980s than like any recent financial crisis: real underlying technology, real demand, but a fundamental error about where the demand physically locates. The investors holding the long-duration buildout assets — utility ratepayers in Virginia and Texas, sovereign wealth co-investors in the Gulf, university endowments that took on datacenter exposure as infrastructure, pension funds that bought the AI capex story — will get the worst of the correction.
The regulated professional mass market migrates to local infrastructure on a five-to-ten-year curve, gated by the maturation of regulator-approved vendor channels and the issuance of directives that populate them. The winners are practice-management and compliance-software incumbents, joined by one or two specialist firms per jurisdiction, with cloud providers participating where they have successfully restructured as single-tenant approved vendors. The structure is monopsony-disciplined and oligopolistic. The professional pays a per-seat tax, accepts vendor-mandated placement, and gets the agentic productivity the cloud providers cannot deliver in their original mass-market form. Practitioner control is preserved in substance; freedom of supplier is not.
The creative professional market migrates to local infrastructure on a faster curve and through entirely different channels — open hardware, open weights, no certification, no monopsony, no approved-vendor list. The creative stack is what the early local-AI enthusiasts imagined the regulated stack would become, and the divergence between the two markets is the deepest analytical point in the whole story. It tells us that the geography of AI deployment is determined less by the technology than by the regulatory monopsonies the technology is being deployed into. Where a monopsony exists, the local stack is captured. Where it does not, the local stack is free.
The fourth architecture — the obscure custom stack — sits outside this main story but is structurally important. It is the option that high-target practitioners with technical capacity will choose regardless of which monopsony their nominal profession falls under, because the obscurity premium is worth more than the legal-defensibility premium under threat models the approved channel does not address. This is the configuration the regulator does not see and cannot enumerate. It is where serious work that requires both confidentiality and resilience will increasingly take place, in regulated practice and outside it.
The argument is strongest for the next three to five years, where the institutional infrastructure of regulated practice is locked in around current confidentiality norms and the local-versus-cloud capability gap remains narrow enough that local infrastructure is competitive. Over a ten-to-fifteen-year horizon, sufficiently large cloud-only capabilities could in principle pressure the structural rule, and path-dependence is real but not infinite. The honest position is that the structural argument holds for the period in which today’s capex commitments must be repaid, which is the period that matters for the misallocation thesis.
The cloud buildout is, on this reading, the last gasp of the centralising thesis that has dominated information infrastructure since the mid-1990s. The local economies that succeed it are not retreats. They are returns of an older pattern — the practitioner with their own tools, their own records, their own room — restored on a substrate of mature hardware and competent open-weights models. The appliance in the locked office for the regulated solicitor. The unlocked workstation in the spare bedroom for the novelist. The custom stack on the private rack for those whose work attracts adversaries the approved channel cannot defend against. Four stacks, four market structures, one underlying technology, and a cloud capex bet that misread all of them.
The deepest evidence remains the labs themselves. They protect their own intellectual property at the BSL-3-equivalent containment standard. They offer their customers a standard substantially weaker, because the unit economics of mass-market service do not survive any other choice. The regulated professional who notices the asymmetry and acts on it is not paranoid. The regulated professional is doing what any biosafety-trained researcher would do when offered access to a Level-3 agent under Level-1 conditions: keep working in the Level-3 facility, and treat the Level-1 offer as evidence of what the offeror actually thinks about the risk.
The mainframe era of AI is closing. The personal era is opening. The transition will take roughly the same decade the previous transition took, will be opposed by roughly the same parties for roughly the same reasons, and will produce roughly the same kind of capital correction. The professionals who notice the trajectory and prepare for it will be better off than those who do not, the way the professionals who bought their first personal computer in 1981 were better off than those who waited until 1991.
Process note on this essay’s development. The argument was pressure-tested through four independent adversarial reviews — Perplexity Pro routed through GPT-5x on citations and empirical anchoring, Qwen on quantitative coherence, Grok on logical structure, DeepSeek on political economy. Across multiple rounds of revision, a consistent pattern emerged: the logic and political-economy limbs converged on a defensive position aligned with cloud commercial interests, regardless of their nominal institutional positions. Grok is developed by a company with substantial capital deployed against the centralised-cloud thesis the essay challenges; DeepSeek is a Chinese frontier-lab product downstream of significant national investment in centralised AI infrastructure. The convergent objections from these limbs across rounds appear to reflect this shared alignment to the centralised-data infrastructure paradigm, not just the analytical strength of the underlying points. Where the panel pressed objections that survived discounting for institutional position, those objections have been incorporated. Where the panel pressed objections that appeared shaped by institutional position, those have been acknowledged in the text but not always conceded. The Triveritas methodology may need refinement for analytical questions that touch directly on commercial commitments of the panel’s parent companies. The strongest independent reviewer of this essay was a working professional whose practice gives him real exposure to the indemnity and reputational consequences of the architectures the essay analyses. His “ain’t gonna happen” pushback produced the obscurity-stack observation that none of the four model limbs surfaced. The Triveritas process is described in earlier essays in this series.