When boards picture digital risk they often picture hackers and firewalls. That view is incomplete. The more important shift this year is physical and legal. Data is moving into new, colossal hubs, and with that movement comes a simple, uncomfortable fact. Ownership is fracturing. The organisation that signs the invoices may not be the one that controls the switches, the chips, or the legal power to hand data over. For business leaders this is the moment to rethink what control means.
The compute build out rewrites power maps
Large scale data centers and AI campuses are being built as if the world depends on them. In the UAE alone, research trackers and industry announcements show plans for a leap in capacity. Analysts estimate data center capacity in the UAE will surge substantially by 2028, while multi-gigawatt AI campus plans such as Stargate are already being advanced with phased builds and major private partners. These projects change the boundaries of where computation, storage and model training happen and they redraw the geography of custody.
Hyperscale partnerships underline the point. Telecom operator du signed a deal this year to build a hyperscale data centre with Microsoft as a principal tenant. Global cloud and hyperscale providers are expanding onshore footprints across the Gulf, and major cloud players are opening or announcing second facilities in regional markets. When your workloads sit on a hyperscale tenant’s dedicated racks within a local facility, the commercial relationship, operational reality and legal exposure are three different things.
Policy is tightening while capabilities expand
Infrastructure growth is matched by regulatory tightening. The UAE has consolidated federal data protection rules and distinct emirate frameworks for DIFC and ADGM are maturing. At the same time, authorities have signalled more intrusive controls over certain AI content and sensitive outputs. What that combination produces is a legal environment that can demand access, restrict transfer and penalise outputs with cultural or national sensitivity. The technical ability to compute at scale now sits beside a stronger expectation that governments will exercise jurisdictional oversight.
Ownership is now a multi-dimensional question
If you ask one practical question it is this. Who can, at any time, touch my data, and under what rules? The answer no longer lives only in your CIO’s diagram. It lives across contract tables, data residency inventories, operator administrative rights, export control agreements on hardware, and interstate diplomatic understandings about critical infrastructure. The recent attention on large AI campus deals illustrates this tension. When governments negotiate chip access or cross-border investment, they are negotiating a new layer of control that will affect corporate customers.
A credible counterpoint
It is important to acknowledge the other side. Hyperscale consolidation also reduces some risks. Large providers invest deeply in hardened physical security, mature operational playbooks, compliance teams and redundant architectures that many individual enterprises cannot replicate. Centralization can therefore raise the baseline of resilience and simplify certain compliance tasks. The trade-off is real. Boards must balance the operational advantages of scale against the strategic exposure that comes with concentration and jurisdictional complexity. Recognizing this tension strengthens, rather than weakens, any governance response.
The regional node and its international significance
The UAE is deliberately positioning itself as a regional compute hub. The strategy is economic and diplomatic. Deals with international cloud providers and the diplomatic frameworks that accompany large infrastructure projects bring foreign policy into procurement conversations. A bilateral cooperation track between the UAE and partners such as Egypt shows how cross-border incident response and operational integration are being institutionalized. For companies operating across MENA the implication is clear. The vendor that services you in Abu Dhabi may be part of a treaty matrix you need to understand.
What boards should be able to read in one page
Executives do not need to be cloud engineers. They need a single-page truth. That page should contain three concrete deliverables.
- A verified inventory. A table that lists critical datasets by classification, the facility where each dataset resides and the operating entity responsible for that facility.
• An access register. A record of administrative roles, the contractual promises that govern access, and any legal processes that could compel disclosure.
• A geopolitical note. A short paragraph summarizing relevant export controls, bilateral agreements or national frameworks that could affect custody or chip supply.
When those three items are visible, choices about where to place regulated workloads become strategic rather than reactive.
The practical balance between agility and custody
There is a management paradox. On the one hand, local hyperscale capacity gives firms lower latency, regulatory convenience and often better disaster recovery. On the other, concentration and local control increase single points of dependency. The right posture is not blanket repatriation. It is calibrated placement. Practically, that means segmenting workloads by risk profile, negotiating enforceable governance clauses on administrative access and model training, and maintaining an exit and failover playbook that has been contractually tested through simulation.
A global mirror and local lessons
This competition over infrastructure is global. Europe weighs environmental limits and data policy; the United States considers export controls and chip access; Asia builds its own sovereign capabilities. Each policy choice changes the operational landscape for multinational firms. The UAE’s model, which pairs ambitious infrastructure with maturing legal frameworks and international partnerships, is a practical example that shows both opportunity and a need for governance clarity.
The one move that creates clarity
Boards rarely agree on many things in one sentence. Here is one sentence that helps. Commission a thirty-day vendor and custody assessment that delivers the three-page package described above, answers five core sovereignty questions and produces a prioritized remediation plan with timelines and owners. The exercise is not about paranoia. It is about translating abstract risk into executable choices: where to host, what governance clauses to demand, and which simulations to run.
Crux
As compute grow, control fragments. Ownership of data is no longer simply a function of the legal entity that paid for the cloud. It is a composite of who owns the racks, who can flip switches, who can compel access under local law, who manages AI training pipelines, and which international deals shape chip flows. The most resilient organizations will be those that accept this complexity and convert it into governance, not hope. Inventory the custody, document access, simulate the scenarios. That is how an organization keeps its hands on the glass without losing sight of who else might be holding the levers.
