As cloud adoption accelerates, organisations rely on Service Level Agreements (SLAs) to define expectations around availability, security, and performance for accessing and processing data and for service use. Yet SLAs often lag behind innovation. For CTOs and CISOs, this misalignment is a strategic risk: they need to work out how to innovate securely when infrastructure guarantees do not reflect the complexity or criticality of modern digital services.
Rather than viewing SLA gaps as blockers, technology leaders should treat them as indicators of where governance, architecture and measurement must evolve. By taking steps to align SLAs with business objectives and complementing them with Experience Level Agreements (XLAs), Key Risk Indicators (KRIs), and Objectives and Key Results (OKRs), organisations can take control and innovate efficiently.
Innovation is advancing faster than SLA maturity
Modern cloud architectures increasingly rely on container orchestration and serverless computing. Technologies like robotic process automation, generative AI, and edge computing are reshaping service delivery. Yet SLA provisions from major cloud providers (e.g. AWS, Azure, Google Cloud) typically offer 99.9% to 99.99% availability, while actual performance varies depending on configuration and dependencies.
To bridge this gap, organisations can use XLAs to measure service quality and user experience. OKRs should align with XLAs to track business goals, while SLAs and KRIs support delivery and risk management. This model then links technical output to business impact and enables leaders to assess whether innovation is translating into measurable outcomes.
Evolving governance to close SLA gaps and curb shadow IT
Public cloud spending is projected to reach $723 billion this year (Gartner). However, SLA limitations can drive unauthorised use, especially in fast-moving domains like generative AI (MIT). Recent incidents involving ChatGPT, xAI (Grok) and GitHub repositories accessed through Microsoft Copilot show how sensitive internal data, submitted by staff seeking efficiency, was indexed by public search engines and remained accessible even after the repositories were made private.
Restricting users to approved systems reduces cloud platform risk, but it does not eliminate shadow IT: staff may still bypass official channels and expose private data. Managing this requires policy, training, and awareness, supported by clear governance and technical controls.
That underlines the need for continuous oversight and for proactive governance and monitoring that move from static compliance to dynamic enablement. This requires aligning technical controls with business goals, educating teams on acceptable use, and embedding KRIs into decision-making. Taken together, these measures can help prevent shadow IT and maintain operational integrity.
Security and governance: Foundational enablers of cloud innovation
Cloud providers operate under shared responsibility models: the provider manages the security of the underlying infrastructure, while data, configuration, and access controls remain the customer's responsibility.
This reinforces the need for layered security across the stack: hypervisor, application, access, monitoring, and operations. Security as Code, zero-trust architectures, and cloud-native tools such as AWS Security Hub and Google Cloud Security Command Center enable organisations to enhance security. These are also critical for compliance with regulations like the Digital Operational Resilience Act (DORA) and the EU Artificial Intelligence Act.
Governance frameworks such as the NIST Risk Management Framework and COBIT can help link IT with strategy. When integrated with OKRs, XLAs, SLAs, and KRIs, these frameworks can enable a structured approach to managing innovation responsibly.
Architectural strategies to address SLA limitations
Hybrid and multi-cloud strategies increase flexibility, allowing businesses to compensate for SLA limits through design choices such as microsegmentation, restricted access, and dedicated tenancy. Self-hosting open-source tools like Apache Spark can reduce reliance on commercial providers, but requires the internal skills and governance to manage them. In addition, generative AI platforms may require hybrid configurations to meet data sovereignty requirements. Architectural decisions should therefore reflect business needs and risk tolerance, not an idealised pursuit of perfect security.
Strategic withdrawal when SLA gaps are too significant
In some cases, SLA limitations, especially around compliance or sovereignty, may require a shift to private cloud or self-hosted solutions. Offerings like AWS Outposts transfer some operational responsibility to the organisation, enabling greater control but requiring stronger governance and technical capability.
Leaders therefore need to recognise when strategic withdrawal from unmanageable risks preserves resilience and readiness. Continued monitoring of SLA exposure keeps the organisation agile and prepared to re-engage when conditions improve or the risks are mitigated.
Conclusion
SLA gaps are therefore not barriers to innovation but indicators of where leadership must act. CTOs and CISOs need to focus not just on meeting technical guarantees but ensuring cloud adoption supports measurable business outcomes.
They can do this by aligning OKRs with XLAs, and underpinning them with SLAs and KRIs, to build governance that is resilient and responsive. In highly regulated yet innovation-reliant economies, technology leaders must balance ambition with accountability. That can mean stepping back when risks are too great while, whether through hybrid cloud, compensating controls, or strategic vendor selection, remaining focused on enabling innovation securely and sustainably.
Ashley Barker, digital strategy and operations expert and Irfan Ahmed, cybersecurity expert, PA Consulting