The hosting debate is not really about hosting.

In regulated organisations, cloud versus self-hosted is not the whole decision. The harder question is whether the organisation can support whatever model it chooses in a controlled, sustainable way.

A lot of AI discussion in regulated settings still gets framed as a technical choice: cloud or on-premises, vendor-managed or self-hosted, public model or private environment. Those distinctions matter, but they are not really the heart of it.

The more important question is whether the organisation can run the chosen model properly. That means in a way that is secure, supportable, governable, and realistic given the skills, systems, and constraints already in place.

There are good reasons why more private or tightly contained deployment models keep coming up. Data sensitivity matters. Assurance matters. Supplier dependence matters. So do auditability, resilience, and a fairly basic organisational concern about where systems run and who controls them. In regulated environments, that instinct is often sensible.

Self-hosting often moves the problem rather than solving it

Self-hosting is often described rather too neatly. It can sound as though it solves the governance problem, when in practice it usually shifts it somewhere else.

Running AI in a more private environment can bring extra demands around infrastructure, security, monitoring, access control, model management, support, procurement, and internal accountability. That is usually where the reality check begins.

Most organisations are not making these decisions with spare capacity lying around. They are making them while IT is stretched, information governance is cautious, operational teams are busy, and ownership is still split across several functions. So the deployment choice does not arrive on a clean sheet. It lands inside the operating model the organisation already has.

Self-hosting does not remove the governance problem. More often, it relocates it.

The middle ground is often more practical than it sounds

There is also a more practical middle ground that tends to get less attention than it should.

Many regulated organisations already have enterprise software agreements, established supplier relationships, and governance patterns that people broadly understand. In many cases, those agreements now need to be revisited properly as AI capability expands. They should not simply be assumed to cover everything by default.

For many UK organisations, the more realistic route may be to build further on an existing enterprise software or cloud agreement rather than create something more bespoke from scratch. The contracts are familiar, the internal trust model is better understood, and much of the surrounding technical estate is already there. That still needs proper scrutiny, but it can reduce some of the skills, support, and deployment burden that comes with standing up a separate environment independently.

The real shift is organisational, not just technical

That does not mean cloud removes the hard work. It does not.

Organisations still need to revisit agreements, test governance assumptions, define data boundaries, and be clear about what use is actually in scope. Existing trust helps, but it is not a substitute for review. The real questions remain much the same: who owns the use case, what data is allowed, what needs human checking, and what is actually approved in practice.

That is probably what will shape the next few years. Not a simple victory for cloud or on-premises, but a gradual adaptation of the operating model around AI: clearer ownership, better data foundations, more explicit governance, and a more workable mix of skills and responsibilities.

The real transition is not just technical deployment. It is organisational adaptation.