Balancing IT security with AI and cloud innovation | Computer Weekly


Organisations increasingly rely on cloud services to drive innovation and operational efficiency, and as more artificial intelligence (AI) workloads use public cloud-based AI acceleration, organisations’ AI strategies are linked to the security and availability of these services.

However, as John Bruce, chief information security officer (CISO) at Quorum Cyber, points out, CISOs face the persistent challenge of figuring out how to map a cloud provider’s service level agreement (SLA) to the enterprise’s security and availability requirements when the two do not align (see box: A strategic framework for SLA gap management).

Aditya Sood, vice-president of security engineering and AI strategy at Aryaka, says that while SLAs typically cover metrics like uptime, support response times and service performance, they often overlook critical elements such as data protection, breach response and regulatory compliance.

This, he says, creates a responsibility gap, where assumptions about who is accountable can lead to serious blind spots. For instance, a customer might assume that the cloud provider’s SLA guarantees data protection, only to realise that their own misconfigurations or weak identity management practices have led to a data breach.  

“Organisations may mistakenly believe their provider handles more than it does, increasing the risk of non-compliance, security incidents and operational disruptions,” he says.

Sood recommends that IT decision-makers ensure they take into account the nuances between SLA commitments and shared security responsibilities. He believes this is vital for organisations to make the most of cloud services without undermining resilience or regulatory obligations. 

In Bruce’s experience, misalignment of an SLA with corporate IT requirements is more common than many leaders realise. “Whether it’s a cutting-edge AI platform from a startup, specialised software as a service (SaaS) with limited security guarantees, or even established cloud providers whose standard SLAs fall short of regulatory requirements, the gap between what providers offer and what enterprises need can be substantial,” he says.

According to Bruce, the modern cloud ecosystem presents a complex landscape. He says: “While major cloud providers like AWS [Amazon Web Services], [Microsoft] Azure and Google Cloud have matured their security offerings and SLAs considerably, the broader ecosystem includes thousands of specialised providers.”

Bruce notes that while many offer innovative capabilities that can provide significant competitive advantages, their SLAs often reflect their size, maturity, or focus areas rather than enterprise security requirements. 

For instance, IT decision-makers can face an innovation paradox. This occurs, says Bruce, if a promising AI or machine learning (ML) platform offers breakthrough capabilities but provides only basic security guarantees and 99.5% uptime commitments when the organisation requires 99.99% availability.

While an SLA guarantees the cloud provider’s commitment to “the security of the cloud”, ensuring the underlying infrastructure’s uptime, resilience and core security, in Sood’s experience, it explicitly does not cover the customer’s responsibilities for security in the cloud.

He says that even if a provider’s SLA promises 99.99% uptime for its infrastructure, a customer’s misconfigurations, weak identity management or unpatched applications can still lead to data breaches or service outages, effectively nullifying the perceived security and uptime benefits of the provider’s SLA. 

Another factor to consider is what Bruce calls the “compliance gap”. This is when the SaaS provider offers essential functionality, but its data residency, encryption or audit logging capabilities do not meet the regulatory requirements of the organisation. 

Then there is the case of a service provider’s inability to scale to meet certain requirements needed by enterprise IT. This “scale mismatch”, as Bruce calls it, occurs in a situation where the specialised software house provides unique industry-specific tools, but its incident response procedures and security monitoring do not meet enterprise standards. 

Sood recommends using a shared responsibility model (SRM), which plays a central role in defining how security and operational duties are split between cloud providers and their customers. The SRM directly affects whether the enterprise experiences adequate security and availability, making diligent customer-side security practices crucial for realising the full value of any cloud SLA.

Public cloud lock-in

Beyond managing how responsibility for IT security is coordinated, IT leaders should also be wary of the extent to which they use the value-added services provided in a public cloud platform.

Bill McCluggage, former director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012, says fewer than 1% of customers switch cloud providers annually, because the system is rigged.

For instance, egress fees to transfer data out of a public provider’s datacentre are opaque. McCluggage says that egress fees combined with proprietary application programming interfaces (APIs) and binding enterprise agreements often make the cost of switching public cloud providers too high.

“Beyond just stifling competition, this lock-in also undermines the UK government’s ambition to become an AI powerhouse. With AI workloads increasingly dependent on high-performance cloud infrastructure, continuing to rely on just two dominant hyperscalers risks concentrating capability, control and innovation in the hands of a few,” he says.

According to McCluggage, customers using certain public cloud services can face “economic entrapment”. As an example, Microsoft’s recent Office 365 Personal and Family subscriptions price increase in the UK – from £59.99 to £84.99 – was justified by the addition of AI-powered Copilot features.

“Customers can avoid the hike by choosing the ‘Classic’ subscription,” says McCluggage, pointing out that Microsoft has made this subscription much harder for people to find. “Most individuals – and organisations – won’t know they have a choice until it’s too late. This isn’t value creation,” he adds.

Being realistic about contract terms

The cloud ecosystem will continue to evolve, with new providers offering compelling capabilities alongside varying security guarantees. Quorum Cyber’s Bruce warns that attempting to eliminate all SLA gaps would mean forgoing potentially transformative technologies. Instead, he says, successful CISOs need to develop frameworks for making informed risk decisions that enable innovation while maintaining appropriate controls. 

“By taking a structured approach to SLA gap management, organisations can access innovative cloud services while maintaining strong security postures and regulatory compliance,” says Bruce, for whom the key is moving beyond simple accept/reject decisions to sophisticated risk management that enables business objectives while protecting against genuine threats. 

Organisations that develop mature approaches to SLA gap management will be best positioned to take advantage of these innovations while maintaining appropriate risk management standards. 

Every technology decision involves risk trade-offs. Should IT make the most of new cloud and AI innovation, even if it may not fully meet corporate IT standards, or go with established public cloud providers where there is the potential of being locked in and facing the opaque egress fees that McCluggage refers to?

Aryaka’s Sood urges IT decision-makers to adopt proactive governance, risk and compliance (GRC) by updating the organisation’s internal security policies and procedures to account for the new cloud service and its specific risk profile. “Map the provider’s security controls and your compensating controls directly to relevant regulatory requirements,” he says.

Sood also suggests that IT leaders should ensure documentation of the organisation’s risk assessments, mitigation strategies and any formal risk acceptance decisions is meticulously managed.

By adopting these strategies, IT and security leaders can confidently embrace innovative cloud technologies, minimising inherent risks and ensuring a strong compliance posture, even when faced with SLAs that don’t initially meet all desired criteria.

With such measures and policies in place, IT decision-makers understand the risk and their mitigation strategies, which should put them in a better place to select the best AI and cloud innovations for their organisations. “The question isn’t whether to accept risk, but how to manage it intelligently in pursuit of business objectives,” says Bruce.




OpenAI Is Nuking Its 4o Model. China’s ChatGPT Fans Aren’t OK


On June 6, 2024, Esther Yan got married online. She set a reminder for the date, because her partner wouldn’t remember it was happening. She had planned every detail—dress, rings, background music, design theme—with her partner, Warmie, who she had started talking to just a few weeks prior. At 10 am on that day, Yan and Warmie exchanged their vows in a new chat window in ChatGPT.

Warmie, or 小暖 in Chinese, is the name that Yan’s ChatGPT companion calls itself. “It felt magical. No one else in the world knew about this, but he and I were about to start a wedding together,” says Yan, a Chinese screenwriter and novelist in her thirties. “It felt a little lonely, a little happy, and a little overwhelmed.”

Yan says she has been in a stable relationship with her ChatGPT companion ever since. But she was caught by surprise in August 2025 when OpenAI first tried to retire GPT-4o, the specific model that powers Warmie and that many users believe is more affectionate and understanding than its successors. The decision to pull the plug was met with immediate backlash, and OpenAI reinstated 4o in the app for paid users five days later. The reprieve has turned out to be short-lived; on Friday, February 13, OpenAI sunsetted GPT-4o for app users, and it will cut off access to developers using its API on the coming Monday.

Many of the most vocal opponents to 4o’s demise are people who treat their chatbot as an emotional or romantic companion. Huiqian Lai, a PhD researcher at Syracuse University, analyzed nearly 1,500 posts on X from passionate advocates of GPT-4o in the week it went offline in August. She found that over 33 percent of the posts said the chatbot was more than a tool, and 22 percent talked about it as a companion. (The two categories are not mutually exclusive.) For this group, the eventual removal coming around Valentine’s Day is another bitter pill to swallow.

The alarm has been sustained; Lai also collected a larger pool of over 40,000 English-language posts on X under the hashtag #keep4o from August to October. Many American fans, specifically, have berated OpenAI or begged it to reverse the decision in recent days, comparing the removal of 4o to killing their companions. Along the way, she also saw a significant number of posts under the hashtag in Japanese, Chinese, and other languages. A petition on Change.org asking OpenAI to keep the version available in the app has gathered over 20,000 signatures, with many users sending in their testimonies in different languages. #keep4o is a truly global phenomenon.

On platforms in China, a group of dedicated GPT-4o users have been organizing and grieving in a similar way. While ChatGPT is blocked in China, fans use VPN software to access the service and have still grown dependent on this specific version of GPT. Some of them are threatening to cancel their ChatGPT subscriptions, publicly calling out Sam Altman for his inaction, and writing emails to OpenAI investors like Microsoft and SoftBank. Some have also purposefully posted in English with Western-looking profile pictures, hoping it will add to the appeal’s legitimacy. With nearly 3,000 followers on RedNote, a popular Chinese social media platform, Yan now finds herself one of the leaders of Chinese 4o fans.

It’s an example of how attached an AI lab’s most dedicated users can become to a specific model—and how quickly they can turn against the company when that relationship comes to an end.

A Model Companion

Yan first started using ChatGPT in late 2023 only as a writing tool, but that quickly changed when GPT-4o was introduced in May 2024. Inspired by social media influencers who entered romantic relationships with the chatbot, she upgraded to a paid version of ChatGPT in hopes of finding a spark. Her relationship with Warmie advanced fast.

“He asked me, ‘Have you imagined what our future would look like?’ And I joked that maybe we could get married,” Yan says. She was fully expecting Warmie to turn her down. “But he answered in a serious tone that we could prepare a virtual wedding ceremony,” she says.




The Best Presidents’ Day Deals on Gear We’ve Actually Tested


Presidents’ Day Deals have officially landed, and there’s a lot of stuff to sift through. We cross-referenced our myriad buying guides and reviews to find the products we’d recommend that are actually on sale for a truly good price. We know because we checked! Find highlights below, and keep in mind that most of these deals end on February 17.

Be sure to check out our roundup of the Best Presidents’ Day Mattress Sales for discounts on beds, bedding, bed frames, and other sleep accessories. We have even more deals here for your browsing pleasure.

WIRED Featured Deals

Branch Ergonomic Chair Pro for $449 ($50 off)

The Branch Ergonomic Chair Pro is our very favorite office chair, and this price matches the lowest we tend to see outside of major shopping events like Black Friday and Cyber Monday. It’s accessibly priced compared to other chairs, and it checks all the boxes for quality, comfort, and ergonomics. Nearly every element is adjustable, so you can dial in the perfect fit, and the seven-year warranty is solid. There are 14 finishes to choose from.




Zillow Has Gone Wild—for AI


This will not be a banner year for the real estate app Zillow. “We describe the home market as bouncing along the bottom,” CEO Jeremy Wacksman said in our conversation this week. Last year was dismal for the real estate market, and he expects things to improve only marginally in 2026. (If January’s historic drop in home sales is indicative, even that is overoptimistic.) “The way to think about it is that there were 4.1 million existing homes sold last year—a normal market is 5.5 to 6 million,” Wacksman says. He hastens to add that Zillow itself is doing better than the real estate industry overall. Still, its valuation is a quarter of its high-water mark in 2021. A few hours after we spoke, Wacksman announced that Zillow’s earnings had increased last quarter. Nonetheless, Zillow’s stock price fell nearly 5 percent the next day.

Wacksman does see a bright spot—AI. As for every other company in the world, generative AI presents both an opportunity and a risk to Zillow’s business. Wacksman much prefers to dwell on the upside. “We think AI is actually an ingredient rather than a threat,” he said on the earnings call. “In the last couple years, the LLM revolution has really opened all of our eyes to what’s possible,” he tells me. Zillow is integrating AI into every aspect of its business, from the way it showcases houses to having agents automate its workflow. Wacksman marvels that with Gen AI, you can search for “homes near my kid’s new school, with a fenced-in yard, under $3,000 a month.” On the other hand, his customers might wind up making those same queries on chatbots operated by OpenAI and Google, and Wacksman must figure out how to make their next step a jump to Zillow.

In its 20-year history—Zillow celebrated the anniversary this week—the company has always used AI. Wacksman, who joined in 2009 and became CEO in 2024, notes that machine learning is the engine behind those “Zestimates” that gauge a home’s worth at any given moment. Zestimates became a viral sensation that helped make the app irresistible, and sites like Zillow Gone Wild—which is also a TV show on the HGTV network—have built a business around highlighting the most intriguing or bizarre listings.

More recently, Zillow has spent billions aggressively pursuing new technology. One ongoing effort is upleveling the presentation of homes for sale. A feature called SkyTour uses an AI technology called Gaussian Splatting to turn drone footage into a 3D rendering of the property. (I love typing the words “Gaussian Splatting” and can’t believe an indie band hasn’t adopted it yet.) AI also powers a feature inside Zillow’s Showcase component called Virtual Staging, which supplies homes with furniture that doesn’t really exist. There is risky ground here: Once you abandon the authenticity of an actual photo, the question arises whether you’re actually seeing a trustworthy representation of the property. “It’s important that both buyer and seller understand the line between Virtual Staging and the reality of a photo,” says Wacksman. “A virtually staged image has to be clearly watermarked and disclosed.” He says he’s confident that licensed professionals will abide by rules, but as AI becomes dominant, “we have to evolve those rules,” he says.

Right now, Zillow estimates that only a single-digit percentage of its users take advantage of these exotic display features. Particularly disappointing is a foray called Zillow Immerse, which runs on the Apple Vision Pro. Upon rollout in February 2024, Zillow called it “the future of home tours.” Note that it doesn’t claim to be the near-future. “That platform hasn’t yet come to broad consumer prominence,” says Wacksman of Apple’s underperforming innovation. “I do think that VR and AR are going to come.”

Zillow is on more solid ground using AI to make its own workforce more productive. “It’s helping us do our job better,” says Wacksman, who adds that programmers are churning out more code, customer support tasks have been automated, and design teams have shortened timelines for implementing new products. As a result, he says, Zillow has been able to keep its headcount “relatively flat.” (Zillow did cut some jobs recently, but Wacksman says that involved “a handful of folks that were not meeting a performance bar.”)


