Vernon Yai has spent his career navigating the complex intersections of data protection, privacy governance, and emerging technological threats. As a recognized thought leader in risk management, he has watched the corporate world transition from the static safety of local servers to the dynamic, often unpredictable landscapes of the cloud. Today, he argues that the traditional cloud strategy—once a neat collection of PowerPoint slides detailing public and private architectures—has been fundamentally disrupted. In this discussion, we explore the dual impact of Artificial Intelligence and Quantum computing on how organizations must protect their most sensitive information. We delve into the concept of “decision infrastructure,” the shift from architectural questions to operational ones, and why the “harvest now, decrypt later” strategy of modern adversaries necessitates a complete rethink of data secrecy timelines.
This conversation focuses on how AI has transformed cloud strategy into an operational challenge, the hidden dangers of supplier dependency, and the long-term cryptographic risks posed by quantum advancements. We also examine the vital role of board-level accountability in moving past “amber” status reports toward actionable, evidence-based risk management.
AI workloads often create unpredictable spikes in demand and leave “risk pockets” in places that traditional cloud governance might overlook; how do you see this shifting the operational burden for leadership?
The arrival of AI didn’t just join the existing cloud strategy; it wandered through the house, opened every cupboard, and asked why the plumbing sounded so tired. For years, cloud strategy was a sensible debate about location and cost, but AI changed the pattern of how work behaves by creating demand that can spike, pause, and restart before anyone even agrees on who owns the meter. These “risk pockets” are particularly concerning because AI does more than store data—it chews it and leaves traces in prompts, logs, embeddings, and forgotten notebooks that people often fail to check. This shifts the operational burden from a simple billing question of “How much will we use?” to a leadership question of “Who is allowed to create demand, at what scale, and with whose approval?” It is a visceral change that requires leaders to get much closer to the actual data behavior rather than just looking at the architecture where that data sits.
You’ve observed that many firms actually have a “supplier dependency strategy” masquerading as a cloud strategy. How has the rise of AI revealed the cracks in this approach?
Many organizations were shocked to realize that what they thought was a resilient multi-cloud strategy was actually just a deep dependency on specific GPUs, model platforms, and managed services. AI has compressed the distance between a raw idea and public exposure so significantly that teams can connect and release new tools faster than a governance working group can even form; I’ve seen these working groups age in dog years just trying to keep up with the pace of change. When you rely so heavily on third-party APIs and specialist tools, your strategy is only as robust as the supplier’s roadmap, and many executives are soothing themselves with brochures that act like scented candles for the anxious. The real work is in moving past those glossy documents to demand evidence of how these suppliers are managing your risk, because a supplier dependency strategy wearing a cloud badge eventually leaves you vulnerable when the underlying technology shifts.
The “harvest now, decrypt later” threat suggests that some of our data today is already at risk from future quantum capabilities. How should a company begin to triage what needs protection right now?
We have to move away from the idea that all data is equal and instead classify it by its “secrecy life,” because some secrets age like fruit and rot quickly, while others sit like plutonium and remain dangerous for decades. If an attacker collects your encrypted trade secrets, legal records, or health data today, they are simply waiting for better quantum tools tomorrow to crack them open. This “harvest now, decrypt later” reality means that if your most sensitive long-lived data is scattered across cloud platforms, SaaS backups, and archives, your quantum exposure is already live. You can’t just dump this into a cryptography drawer and hope for a weekend patch; you need to conduct a deep discovery of where encryption hides in your APIs, identity systems, and even the old firmware that no one wants to touch. It is a daunting task that requires a map of assets and dependencies combined with a clear understanding of which data must remain secret for the next ten to twenty years.
Why do you believe that “decision infrastructure” is the silent failure point for organizations facing these dual technological shifts?
The most glamorous parts of technology get the applause, but the dull stuff—the decision infrastructure—is what prevents future regret. By decision infrastructure, I mean the actual system by which leaders frame risk, assign ownership, and record choices so they can be revisited when the facts change. I’ve sat in too many meetings where the cloud team sees architecture and the legal team sees liability, but the board only sees “amber,” which is often where hard decisions go to nap. This lack of clear ownership is a quiet weakness because awareness without accountability is just anxiety with better stationery. AI asks if your strategy can keep pace, while quantum asks if it can cope with time, and both will eventually punish any organization that allows its risks to get stuck because everyone was involved but nobody was truly responsible.
When we talk about moving toward a “quantum-aware” cloud strategy, what specific types of evidence should a board be demanding from their technical teams to avoid “theatre”?
A board needs to move past the foggy science projects and start asking for a proof trail that would survive a regulator’s questioning or a post-incident investigation. They should demand cryptographic visibility that identifies exactly which certificates, libraries, and protocols are protecting the services that matter most, because perfection can wait, but blindness cannot. It is also critical to press suppliers for hard evidence of their own quantum readiness rather than accepting vague promises of future updates. Treating every system as equal is how serious work becomes theatre; instead, the board should see a ranked migration plan based on where high business value and long-life data intersect with weak visibility. Building this evidence under pressure is a “sweaty” and expensive process, so the goal is to build that trail now, before the room gets too hot and the cheap decisions have already left the building.
How can a leadership team effectively bridge the gap between the speed of AI adoption and the long-term, slow-burn planning required for quantum readiness?
Bridging that gap requires a “review rhythm” that acknowledges that standards, suppliers, and threats are constantly evolving. You have to balance the high-speed demand of AI, where cost and data control are the primary operational hurdles, with the long-term cryptographic exposure that quantum introduces. This means changing how we report to the board; instead of presenting a stale roadmap that is just a risk register wearing a lab coat, we must report on specific decisions required, risks accepted, and supplier gaps. We must identify which choices must be made now because a migration might take years, and determine exactly what event would trigger faster action. If we don’t build that decision muscle early, we will find ourselves reacting to the clock, and the clock is exactly where the most dangerous risks like to hide.
What is your forecast for the future of cloud strategy as these technologies mature?
My forecast is that the “architecture” question—the debate over where a workload lives—will become entirely secondary to the “leadership” question of how a workload is governed over its entire lifecycle. We are moving toward an era where cloud strategy will be defined by the quality of an organization’s decision muscle and its ability to manage the secrecy life of its data across an increasingly complex web of suppliers. I expect we will see a massive shift toward cryptographic agility, where the ability to swap out encryption methods becomes as routine as a software update, though getting there will be painful for those with deep technical debt. Ultimately, the winners will be the organizations that stopped looking at cloud strategy as a static PowerPoint slide and started treating it as a dynamic exercise in risk appetite, financial discipline, and long-term data control. The clock is already ticking on the data we store today, and the future belongs to those who built their proof trails before they were forced to by a crisis.


