This week, the European Commission gave unconditional approval to Google’s $32 billion acquisition of cloud security firm Wiz, clearing one of the last regulatory hurdles for what will be the largest cloud security deal in the company’s history. EU competition authorities concluded the transaction would not significantly impede competition in the cloud infrastructure or security markets and emphasized that “customers will continue to have credible alternatives and the ability to switch providers.”
On its surface, the approval strengthens Google’s position in a competitive cloud market. But for CIOs wrestling with AI exploration and enterprise risk, the real significance of the Wiz deal goes deeper. Security is no longer orbiting cloud platforms as a separate layer. Increasingly, it is being pulled into the core of how infrastructure, AI services and enterprise controls are designed and delivered.
If a hyperscaler owns more of the security function, at what point does the primary technology vendor also double as the primary security authority? And what does this mean for enterprise cloud security going forward?
AI’s pull toward integrated stacks
Over the past decade, enterprise security grew in part because the tools and platforms were modular: identity tools here, firewalls there, SIEMs here, threat analytics there. That model emphasized choice and separation. But as AI workloads proliferate, the complexity of stitching together disparate layers is becoming a strategic liability.
“The AI era is forcing a shift from generic ‘best-of-breed’ software to vertically integrated ‘agentic stacks,’” said Dan Lohrmann, field CISO for public sector at Presidio.
That push toward integrated platforms is seen by some experts as an inevitable response to the engineering realities of AI. Large language models, autonomous agents, and continuous pipelines of training and inference place rigorous demands on compute, identity, logging and monitoring.
Some of that demand shows up in vendor roadmaps, with cloud providers increasingly folding security and policy controls directly into their infrastructure offerings, rather than expecting enterprises to bolt them on.
“The AI era requires both [integration and separation], because many AI systems blur traditional boundaries,” explained Diana Kelley, CISO at Noma Security. Security must be built into how AI systems are constructed and run, she said, not treated as an afterthought once a model goes live.
The operational incentive is straightforward: Simplifying the stack can improve visibility across layers and speed up threat detection and response, goals that many enterprises have struggled to achieve since AI threats entered the picture. As the threat landscape continues to expand and evolve, IT teams will need an effective, accessible solution.
“Hyperscalers represent the easy button,” said Jo Peterson, CIO at Clarify360. Buying infrastructure, AI capabilities and security controls in one place can accelerate deployment, particularly for organizations without deep engineering teams.
With simplification comes risk concentration
But security simplification through integration is not without tradeoffs, including when it comes to how risk is distributed.
“It reduces risk … but it also reassigns and concentrates risk,” said cloud and AI strategist David Linthicum. That pattern can show up in subtle ways. When logging, policy enforcement, remediation and compute all operate within a single provider’s control plane, enterprises gain consistency while deepening their reliance on that environment.
Edward Liebig, CEO and CISO of Yoink Industries, summarized integration as increasing efficiency and dependency simultaneously. Having these layers operate in a unified environment can reduce configuration errors and improve correlation of data. At the same time, he warned, “We compress the separation between the environment that produces risk and the systems that monitor it.”
And in the AI era, that compression is intensified by shared foundational resources.
“If many teams share the same foundational model or agent infrastructure, one mistake or compromise can affect multiple business functions at once,” Kelley said. When you have common dependencies, a single flaw can cascade across business processes and dramatically scale the blast radius of a security issue.
Who defines ‘security’ for the enterprise?
Concentrated risk raises the stakes for the security authority — but who is that in this arrangement? As hyperscalers embed more native security controls, the boundary between vendor-defined configurations and enterprise-defined risk posture grows thinner. What happens when a cloud provider defines not just where workloads run, but how they must be secured?
“If a hyperscaler owns identity and increasingly owns posture management and security visibility, through an acquisition like Wiz, the provider moves from being a technology host to becoming the authority that defines what ‘secure’ means,” said Keith Townsend, founder of The Advisor Bench.
The distinction matters: It’s one thing for a provider to offer a suite of controls, but another for those controls to shape an enterprise’s risk posture simply because they are adopted by default. Default guardrails, integrated policy engines and native monitoring tools can quickly shape how organizations interpret compliance and risk management.
“That’s a meaningful shift,” Townsend said. “It collapses infrastructure provider, identity issuer and risk interpreter into the same entity.”
For Townsend, the strategic risk is less about lock-in to a vendor’s product and more about “lock-in to a vendor’s interpretation of risk and authority,” he said. This reality becomes more consequential when you consider that although cloud providers are concentrating risk, they do not assume ultimate accountability.
“Even if the provider operates the security stack and offers strong service-level commitments, we retain responsibility for regulatory compliance, operational continuity, financial exposure and reputational impact,” Liebig said. “An SLA provides performance assurance. It does not transfer enterprise risk.”
That responsibility cannot be outsourced merely by adopting a bundled platform. As Linthicum put it, “The enterprise owns risk … full stop.”
Kelley proposed a counterbalance strategy: architectural sovereignty. “Architectural sovereignty in a practical manner means an organization stays in control of its technology choices even when using large, integrated AI platforms,” she said.
Retaining that control is possible when leveraging integrated security features but requires visibility into how systems operate, clarity around policy enforcement and credible paths to adapt or migrate workloads if conditions change. The challenge for CIOs is not whether to use those tools, but how to ensure that enterprise governance remains distinct from vendor defaults.
A future calibrated by consequence
Current momentum in the market points toward tighter integration. “Enterprise security strategy is rapidly shifting toward a platform-driven model,” Peterson said. That shift is visible in product roadmaps, partnership announcements and acquisitions such as Google’s purchase of Wiz.
Yet it’s evident that integration does not eliminate the need for independent validation, exit planning and layered oversight. Liebig looks ahead to a more differentiated approach: “Five years from now, the most resilient enterprises will not be purely platform-driven or purely independent. They will be consequence-calibrated,” he said.
That calibration — choosing integration where it makes sense, preserving separation where needed and governing both with rigor — is the real leadership challenge for technology executives in the AI era. As AI systems grow more central to business operations, those decisions will shape not only architecture diagrams, but also the enterprise’s long-term resilience.

