This was the year of AI agents. Chatbots that simply answered questions are now evolving into autonomous agents that can carry out tasks on a user’s behalf, so enterprises continue to invest in agentic platforms as transformation evolves. Software vendors are investing in it as fast as they can, too.

According to a National Research Group survey of more than 3,000 senior leaders, more than half of executives say their organization is already using AI agents. Of the companies that spend no less than half their AI budget on AI agents, 88% say they’re already seeing ROI on at least one use case, with top areas being customer service and experience, marketing, cybersecurity, and software development.

On the software provider side, Gartner predicts 40% of enterprise software applications in 2026 will include agentic AI, up from less than 5% today. And agentic AI could drive approximately 30% of enterprise application software revenue by 2035, surpassing $450 billion, up from 2% in 2025. In fact, business users might not have to interact directly with the business applications at all since AI agent ecosystems will carry out user instructions across multiple applications and business functions. At that point, a third of user experiences will shift from native applications to agentic front ends, Gartner predicts.

It’s already starting. Most enterprise applications will have embedded assistants, a precursor to agentic AI, by the end of this year, adds Gartner.

IDC has similar predictions. By 2028, 45% of IT product and service interactions will use agents as the primary interface, the firm says. That’ll change not just how companies work, but how CIOs work as well.

Agents as employees

At financial services provider OneDigital, chief product officer Vinay Gidwaney is already working with AI agents, almost as if they were people.

“We decided to call them AI coworkers, and we set up an AI staffing team co-owned between my technology team and our chief people officer and her HR team,” he says. “That team is responsible for hiring AI coworkers and bringing them into the organization.” You heard that right: “hiring.”

The first step is to sit down with the business leader and write a job description, which is fed to the AI agent, and then it becomes known as an intern.

“We have a lot of interns we’re testing at the company,” says Gidwaney. “If they pass, they get promoted to apprentices and we give them our best practices, guardrails, a personality, and human supervisors responsible for training them, auditing what they do, and writing improvement plans.”

The next promotion is to a full-time coworker, and it becomes available to be used by anyone at the company.

“Anyone at our company can go on the corporate intranet, read the skill sets, and get ice breakers if they don’t know how to start,” he says. “You can pick a coworker off the shelf and start chatting with them.”

For example, there’s Ben, a benefits expert who’s trained on everything having to do with employee benefits.

“We have our employee benefits consultants sitting with clients every day,” Gidwaney says. “Ben will take all the information and help the consultants strategize how to lower costs, and how to negotiate with carriers. He’s the consultants’ thought partner.”

There are similar AI coworkers working on retirement planning, and on property and casualty as well. These were built in-house because they’re core to the company’s business. But there are also external AI agents who can provide additional functionality in specialized yet less core areas, like legal or marketing content creation. In software development, OneDigital uses third-party AI agents as coding assistants.

When choosing whether to sign up for these agents, Gidwaney says he doesn’t think of it the way he thinks about licensing software, but more to hiring a human consultant or contractor. For example, will the agent be a good cultural fit?

But in some cases, it’s worse than hiring humans since a bad human hire who turns out to be toxic will only interact with a small number of other employees. But an AI agent might interact with thousands of them.

“You have to apply the same level of scrutiny as how you hire real humans,” he says.

A vendor who looks like a technology company might also, in effect, be a staffing firm. “They look and feel like humans, and you have to treat them like that,” he adds.

Another way that AI agents are similar to human consultants is when they leave the company, they take their expertise with them, including what they gained along the way. Data can be downloaded, Gidwaney says, but not necessarily the fine-tuning or other improvements the agent received. Realistically, there might not be any practical way to extract that from a third-party agent, and that could lead to AI vendor lock-in.

Edward Tull, VP of technology and operations at JBGoodwin Realtors, says he, too, sees AI agents as something akin to people. “I see it more as a teammate,” he says. “As we implement more across departments, I can see these teammates talking to each other. It becomes almost like a person.”

Today, JBGoodwin uses two main platforms for its AI agents. Zapier lets the company build its own and HubSpot has its own AaaS, and they’re already pre-built. “There are lead enrichment agents and workflow agents,” says Tull.

And the company is open to using more. “In accounting, if someone builds an agent to work with this particular type of accounting software, we might hire that agent,” he says. “Or a marketing coordinator that we could hire that’s built and ready to go and connected to systems we already use.”

With agents, his job is becoming less about technology and more about management, he adds. “It’s less day-to-day building and more governance, and trying to position the company to be competitive in the world of AI,” he says.

He’s not the only one thinking of AI agents as more akin to human workers than to software.

“With agents, because the technology is evolving so far, it’s almost like you’re hiring employees,” says Sheldon Monteiro, chief product officer at Publicis Sapient. “You have to determine whom to hire, how to train them, make sure all the business units are getting value out of them, and figure when to fire them. It’s a continuous process, and this is very different from the past, where I make a commitment to a platform and stick with it because the solution works for the business.”

This changes how the technology solutions are managed, he adds. What companies will need now is a CHRO, but for agentic employees.

Managing outcomes, not persons

Vituity is one of the largest national, privately-held medical groups, with 600 hospitals, 13,800 employees, and nearly 14 million patients. The company is building its own AI agents, but is also using off-the-shelf ones, as AaaS. And AI agents aren’t people, says CIO Amith Nair. “The agent has no feelings,” he says. “AGI isn’t here yet.”

Instead, it all comes down to outcomes, he says. “If you define an outcome for a task, that’s the outcome you’re holding that agent to.” And that part isn’t different to holding employees accountable to an outcome. “But you don’t need to manage the agent,” he adds. “They’re not people.”

Instead, the agent is orchestrated and you can plug and play them. “It needs to understand our business model and our business context, so you ground the agent to get the job done,” he says.

For mission-critical functions, especially ones related to sensitive healthcare data, Vituity is building its own agents inside a HIPAA-certified LLM environment using the Workato agent development platform and the Microsoft agentic platform.

For other functions, especially ones having to do with public data, Vituity uses off-the-shelf agents, such as ones from Salesforce and Snowflake. The company is also using Claude with GitHub Copilot for coding. Nair can already see that agentic systems will change the way enterprise software works.

“Most of the enterprise applications should get up to speed with MCP, the integration layer for standardization,” he says. “If they don’t get to it, it’s going to become a challenge for them to keep selling their product.”

A company needs to be able to access its own data via an MCP connector, he says. “AI needs data, and if they don’t give you an MCP, you just start moving it all to a data warehouse,” he adds.

Sharp learning curve

In addition to providing a way to store and organize your data, enterprise software vendors also offer logic and functionality, and AI will soon be able to handle that as well.

“All you need is a good workflow engine where you can develop new business processes on the fly, so it can orchestrate with other agents,” Nair says. “I don’t think we’re too far away, but we’re not there yet. Until then, SaaS vendors are still relevant. The question is, can they charge that much money anymore.”

The costs of SaaS will eventually have to come down to the cost of inference, storage, and other infrastructure, but they can’t survive the way they’re charging now he says. So SaaS vendors are building agents to augment or replace their current interfaces. But that approach itself has its limits. Say, for example, instead of using Salesforce’s agent, a company can use its own agents to interact with the Salesforce environment.

“It’s already happening,” Nair adds. “My SOC agent is pulling in all the log files from Salesforce. They’re not providing me anything other than the security layer they need to protect the data that exists there.”

AI agents are set to change the dynamic between enterprises and software vendors in other ways, too. One major difference between software and agents is software is well-defined, operates in a particular way, and changes slowly, says Jinsook Han, chief of strategy, corporate development, and global agentic AI at Genpact.

“But we expect when the agent comes in, it’s going to get smarter every day,” she says. “The world will change dramatically because agents are continuously changing. And the expectations from the enterprises are also being reshaped.”

Another difference is agents can more easily work with data and systems where they are. Take for example a sales agent meeting with customers, says Anand Rao, AI professor at Carnegie Mellon University. Each salesperson has a calendar where all their meetings are scheduled, and they have emails, messages, and meeting recordings. An agent can simply access those emails when needed.

“Why put them all into Salesforce?” Rao asks. “If the idea is to do and monitor the sale, it doesn’t have to go into Salesforce, and the agents can go grab it.”

When Rao was a consultant having a conversation with a client, he’d log it into Salesforce with a note, for instance, saying the client needs a white paper from the partner in charge of quantum.

With an agent taking notes during the meeting, it can immediately identify the action items and follow up to get the white paper.

“Right now we’re blindly automating the existing workflow,” Rao says. “But why do we need to do that? There’ll be a fundamental shift of how we see value chains and systems. We’ll get rid of all the intermediate steps. That’s the biggest worry for the SAPs, Salesforces, and Workdays of the world.”

Another aspect of the agentic economy is instead of a human employee talking to a vendor’s AI agent, a company agent can handle the conversation on the employee’s behalf. And if a company wants to switch vendors, the experience will be seamless for employees, since they never had to deal directly with the vendor anyway.

“I think that’s something that’ll happen,” says Ricardo Baeza-Yates, co-chair of the  US technology policy committee at the Association for Computing Machinery. “And it makes the market more competitive, and makes integrating things much easier.”

In the short term, however, it might make more sense for companies to use the vendors’ agents instead of creating their own.

“I recommend people don’t overbuild because everything is moving,” says Bret Greenstein, CAIO at West Monroe Partners, a management consulting firm. “If you build a highly complicated system, you’re going to be building yourself some tech debt. If an agent exists in your application and it’s localized to the data in that application, use it.”

But over time, an agent that’s independent of the application can be more effective, he says, and there’s a lot of lock-in that goes into applications. “It’s going to be easier every day to build the agent you want without having to buy a giant license. “The effort to get effective agents is dropping rapidly, and the justification for getting expensive agents from your enterprise software vendors is getting less,” he says.

The future of software

According to IDC, pure seat-based pricing will be obsolete by 2028, forcing 70% of vendors to figure out new business models.

With technology evolving as quickly as it is, JBGoodwin Realtors has already started to change its approach to buying tech, says Tull. It used to prefer long-term contracts, for example but that’s not the case anymore “You save more if you go longer, but I’ll ask for an option to re-sign with a cap,” he says.

That doesn’t mean SaaS will die overnight. Companies have made significant investments in their current technology infrastructure, says Patrycja Sobera, SVP of digital workplace solutions at Unisys.

“They’re not scrapping their strategies around cloud and SaaS,” she says. “They’re not saying, ‘Let’s abandon this and go straight to agentic.’ I’m not seeing that at all.”

Ultimately, people are slow to change, and institutions are even slower. Many organizations are still running legacy systems. For example, the FAA has just come out with a bold plan to update its systems by getting rid of floppy disks and upgrading from Windows 95. They expect this to take four years.

But the center of gravity will move toward agents and, as it does, so will funding, innovation, green-field deployments, and the economics of the software industry.

“There are so many organizations and leaders who need to cross the chasm,” says Sobera. “You’re going to have organizations at different levels of maturity, and some will be stuck in SaaS mentality, but feeling more in control while some of our progressive clients will embrace the move. We’re also seeing those clients outperform their peers in revenue, innovation, and satisfaction.”

---

HPE가 HP에서 분리돼 독립적인 여정을 시작한 지 10년이 지난 시점에, 최고경영자 안토니오 네리는 12월 3와 4일 바르셀로나에서 열린 HPE의 주요 연례 유럽 행사 무대에 올랐다. 네리는 이 자리에서 네트워크, 클라우드, 인공지능(AI)이라는 세 가지 기술 축을 중심으로 한 HPE의 로드맵을 공개했다.

네리는 HPE 디스커버 바르셀로나 2025 행사에 참석한 6,000여 명의 청중을 향해 “지난 10년 동안 우리가 함께 만들어낸 성과가 매우 자랑스럽다”라며 “앞으로 펼쳐질 변화는 더욱 기대된다”라고 말했다.

HPE가 제시한 세 축의 전략은 오늘날 기업이 직면한 핵심 IT 과제를 해결하기 위한 것이다. 네리에 따르면 기업들은 여전히 레거시 인프라 처리, 데이터 주권 확보, 지속적으로 증가하는 비용 관리, AI 확산으로 높아진 컴퓨팅 수요 등의 도전에 맞서고 있다.

특히 주니퍼네트웍스(Juniper Networks)를 지난해 7월 인수하며 크게 강화된 네트워크 기술은 이번 바르셀로나 행사에서 핵심 요소로 부각됐다.

주니퍼의 전 CEO이자 현재 HPE 네트워킹 사업 총괄을 맡고 있는 라미 라힘은 행사에 참석해 양사 통합의 첫 기술 성과를 소개했다. 양사의 네트워크 관리 플랫폼에 새로운 AI 기반 운영 기능을 통합하고, 공동 하드웨어를 처음으로 공개한 것이다.

라힘은 “지금처럼 네트워크의 중요성이 높아진 시기는 없었다”라고 말하면서, 이제 네트워크의 목표는 단순 연결이 아니라 ‘자율적 관리’라고 설명했다. 그는 네트워크가 스스로 구성·최적화·복구하는 방향으로 나아가야 한다고 강조하며, AI로 설계되고 AI를 위한 네트워크가 증가하는 기기 연결, 복잡해지는 환경, 고도화되는 보안 위협을 처리할 수 있다고 밝혔다.

네리는 “라미와 내가 가진 공통의 목표는 네트워킹 분야에서 새로운 리더를 만드는 것”이라고 말했다. 그는 주니퍼 인수 후 5개월 만에 HPE가 이미 이전 경쟁사였던 주니퍼 기술과 2015년 인수한 아루바 솔루션을 결합한 커넥티비티 제품을 시장에 제공하고 있다고 설명했다. 이어 “앞으로는 양사가 각각 무엇을 하고 있는지조차 구분되지 않을 것”이라며, “기본적인 이중 설계를 이미 지원하고 있다는 사실은 두 조직이 얼마나 빠르게 하나로 융합되고 있으며, 동시에 HPE의 혁신 역량이 어떻게 활용되고 있는지를 잘 보여준다”라고 덧붙였다.

HPE의 주니퍼 인수, 복잡한 과정을 거치다

140억 달러(약 20조 원) 규모의 HPE의 주니퍼 인수는 단순한 거래가 아니라 매우 복잡하고 긴 여정이었다. 2024년 1월 인수 계획이 발표됐지만 최종 거래는 2025년 7월에 이르러서야 마무리됐다. 미국에서는 특히 논란도 적지 않았다. 미국 법무부(DOJ)가 이번 인수가 네트워크 장비 시장, 특히 무선랜(WLAN) 분야의 경쟁을 약화시킨다며 소송을 제기했기 때문이다.

이번 인수 승인 과정에서 겪은 난관과 여전히 남아 있는 미국 내 비판에 대해 파운드리 산하 언론사 컴퓨터월드의 질문을 받은 네리는 먼저 “미국을 제외한 국가에서는 통상적인 6개월 내 승인이 완료됐다”라고 설명했다. 2024년 여름에는 3개국만 승인이 남아 있었고, 그중 2개국은 다음 3개월 내 승인을 마쳤다는 것이다. 네리는 미국의 경우 “선거와 행정부 교체라는 변수가 있었고, 이후 절차가 다시 진행됐다”라고 덧붙였다.

네리는 이번 사례를 분석하면서 “미국 법무부는 캠퍼스와 지사 시장, 특히 무선 분야에서 경쟁사가 3곳에서 2곳으로 줄어들 것으로 판단했다”라고 말했다. 하지만 실제 시장은 그보다 훨씬 크다는 게 네리의 설명이다. 그는 “미국 시장만 보더라도 시스코, 주니퍼, HPE, 캄비움네트웍스(Cambium Networks), 유비쿼티(Ubiquity), 아리스타(Arista) 등 7~8개 업체가 경쟁하고 있다”라며 산업군별로 강점이 다르고 대기업 시장과 공공 부문에서도 경쟁 구도가 다르다고 언급했다. 이어 “여러분(기자들)이 보도하는 시장점유율만 봐도 시장 규모가 크고 매우 분산돼 있다는 사실을 확인할 수 있다”라고 말했다.

결국 미국 법무부와는 “상호에 도움이 되는 건설적인 과정을 거쳤다”라고 네리는 설명했다. 그는 “이번 인수 시장은 경쟁을 촉진하는 환경임을 입증했다”라며, 미국의 대형 M&A 최종 심사 단계에서도 고객이나 경쟁사로부터 어떠한 이의 제기도 받지 않았다고 강조했다.

AI와 클라우드에 집중되다

바르셀로나에서 네리는 최근 몇 달 동안 HPE가 클라우드와 AI 분야에서 이뤄낸 기술적 진전을 강조했다. 그는 AI를 “전형적인 하이브리드 워크로드”라고 규정하면서, 두 기술이 불가분하게 연결돼 있다고 설명했다.

네리는 사용량 기반 모델로 시작해 현재 전 세계 4만 6,000명 고객을 확보한 하이브리드 클라우드 플랫폼 그린레이크(GreenLake)를 소개하며, 여기에 자율 에이전트 기반 프레임워크 ‘그린레이크 인텔리전스(GreenLake Intelligence)’와 같은 AI 기능을 추가할 계획이라고 밝혔다. 이 기능은 지난 6월 HPE가 발표한 것으로, 하이브리드 클라우드 환경에서 IT 운영을 자동화하고 단순화하는 데 초점을 둔다. 네리는 “IT 운영 단순화의 미래가 이미 도착했다”라고 말했다.

네리는 또 HPE의 에어갭 기반 프라이빗 클라우드 전략이 EU처럼 규제가 강한 지역, 그리고 군과 같이 민감 데이터가 중요한 전략 분야에서 큰 의미가 있다고 강조했다.

네리는 바르셀로나에서 공개된 또 하나의 솔루션에도 주목했다. AMD의 ‘헬리오스(Helios)’ 랙 스케일 AI 아키텍처가 이더넷 네트워킹과 통합된 첫 사례다. 그는 이 솔루션이 주니퍼의 연결 하드웨어와 소프트웨어, 브로드컴 토마호크6 네트워킹 칩을 결합해 “수조 개 매개변수 모델의 학습 트래픽, 높은 추론 처리량, 초대형 모델을 지원할 수 있다”라고 설명했다. 이 구성은 HPE 서비스팀이 공급한다.

네리는 또한 슈퍼컴퓨팅 분야에서 HPE가 보유한 강력한 입지도 강조했다. 이는 2019년 슈퍼컴퓨터 전문 기업 크레이(Cray)를 인수하며 확보한 기반이 크게 작용했다. 그는 “HPE는 세계에서 가장 큰 슈퍼컴퓨터 6대를 구축한 기업이며 이 분야의 글로벌 선도 기업”이라고 말했다. 다만 “AI 수요가 그 어느 때보다 커졌지만 모든 기업이 이를 처리하기 위해 슈퍼컴퓨터가 필요한 것은 아니다”라며, 그러나 “모든 기업에는 안전한 AI 스택이 필요하다”라고 덧붙였다.

HPE는 이러한 요구에 대응하기 위해 엔비디아와 협력해 프라이빗 클라우드 환경에서 생성형 AI 애플리케이션 개발·배포를 가속화하는 통합 인프라 솔루션 ‘HPE 프라이빗 클라우드 AI’를 제공하고 있다. 네리는 이 솔루션이 “법적 데이터 요구사항을 충족하며”, 동시에 AI 혁신의 핵심 과제인 “시간, 비용, 위험”을 해결하는 데 초점을 맞춘다고 설명했다. 그는 여기에 더해 HPE가 최근 엔비디아와 AMD와 함께 AI 구축을 가속화하는 고성능 네트워킹 솔루션을 추가했다고 바르셀로나에서 밝혔다.

본사업 기반 성장과 M&A 기반 확장

HPE가 지난해 9월 회계연도 3분기 실적 발표에서 제시한 전망에 따르면, 회사는 2025 회계연도(10월 31일 종료) 매출이 고정 환율 기준 14~16% 증가할 것으로 예상하고 있다. 2024 회계연도 매출은 301억 달러(약 44조 원)로, 2023년 대비 3.4% 증가했다.

네리의 리더십 아래 HPE는 총 35건의 인수를 진행했다. 네리는 바르셀로나 기자회견에서 이를 직접 상기시키며, 앞서 언급한 주니퍼네트웍스와 크레이 외에도 여러 주요 인수를 나열했다.

2020년에는 SD-WAN 기업 실버피크(Silver Peak)를, 2021년에는 데이터 보호 및 재해복구 기업 제르토(Zerto)를 인수했다. 2023년에는 보안 및 IT 운영 분야의 액시스시큐리티(Axis Security)와 옵스램프(OpsRamp)를 추가했으며, 2024년에는 하이브리드 클라우드 관리 기업 모르페우스데이터(Morpheus Data)를 인수했다.

네리는 “우리는 포트폴리오를 보완하고 목표 시장에서 규모를 확장할 수 있는 적절한 자산을 찾고 있다”라며 “이 자산은 매출과 수익 측면에서 타당해야 하며, 동시에 주주들에게 가치도 제공해야 한다”라고 말했다.
dl-ciokorea@foundryco.com

---

Banks have always been technology pioneers, yet many are now prisoners of their own legacy. Despite spending more on IT than any other major industry and funneling over $2.8 trillion into digital transformation since 2011, too many retail banks still can’t deliver the seamless digital experiences customers expect.

The loyalty crisis: Spending more, delivering less

My company, Baringa, recently surveyed 4,000 customers and 400 banking executives across the UK and US, revealing a widening disconnect between customer expectations and what banks can deliver.

More than one in three customers (35%) have switched banks in the past five years, most in search of better digital experiences, not better rates. And 68% of banking executives admit that their existing technology architecture actively hinders their ability to meet customer needs.

Mobile is now the dominant channel, with 45% of customers using it as their primary means of banking. Yet, it’s also the most requested area for improvement, with 44% wanting a better mobile experience. Customers want personalized, intuitive and secure interactions but instead, they encounter friction.

The result? Diminishing loyalty in an age when switching bank accounts is as simple as a few taps on a screen.

Legacy technology: The hidden barrier to progress

The problem isn’t a lack of investment. Yes, the cost is high, but effective treatment strategies are available to manage this condition. It’s the age and complexity of the systems beneath the surface that is the true problem. Our survey found that 63% of banks still rely on code written before the year 2000, while 67% say their entire technology stack would fail if the oldest systems stopped working. Even more worryingly, 77% report that only “one or two people” in their organization still have the skills to maintain this code and most are nearing retirement.

In other words, critical national infrastructure in banking runs on software designed before the internet age. This outdated technology creates three compounding problems:

• Operational fragility. Legacy code and unsupported platforms make outages and compliance failures more likely. One executive described systems still reliant on 8-inch floppy drives for critical updates, a vivid metaphor for how far behind the curve some institutions remain.
• Run-cost burden. According to Gartner, over 75% of IT budgets in many financial institutions are consumed by maintaining these old systems, starving innovation budgets and slowing transformation.
• Inhibited agility. Modernization programs overrun as banks struggle to deal with legacy architecture and data complexities. Indeed, 94% of large banking transformations exceed planned timelines, leaving customer improvements delayed and diluted.

The result is a vicious cycle. Every dollar spent patching and upgrading outdated systems is a dollar diverted from the modernization that could restore customer loyalty.

Breaking the cycle: A new technology blueprint

There is a path forward, but it demands decisive action. From our work across global banking and markets, we consistently see these issues and we believe these can be addressed over the long term with the following three strategies.

Refocus: Lead with purpose, not platforms

Banks need to start with truly understanding why (customer needs) and how their customers want to interact (experience) with their services, then define how they are going to differentiate. Technology alone will not win back loyalty. Sometimes, the greatest return comes from improving service, trust or personalization rather than layering on more tech.

Research from Forrester shows that banks leading in personalized digital experiences achieve up to 25% higher retention and a 20% uplift in cross-sell success. Conversely, institutions that rush infrastructure spend without redefining customer value risk building faster versions of the same old experience.

Replace or renovate: Build the modern digital spine

For many banks, the technological foundations are simply too old to adapt. If two-thirds of institutions say their operations would cease if legacy systems failed, the cost of inaction now exceeds the cost of replacement.

The answer lies in defining a technology strategy around a digital spine. A modular architecture that allows agility, integration and personalization at scale and is centered around three design principles:

• Build the core technology and data spine internally to retain strategic differentiation and control.
• Buy external solutions for commodity or repeatable processes that don’t define the customer experience.
• Integrate third-party and marketplace services for specialized or fast-evolving capabilities, enabling banks to scale quickly without adding new legacy dependencies.

This build-buy-integrate approach allows banks to modernize strategically and maintain control where it matters, while reducing cost and delivery risk elsewhere.

It’s also how challenger banks are winning. Monzo, for instance, built its business on this philosophy, focusing on customer differentiation through a lightweight, API-driven core. As its ex-CEO, TS Anil, recently noted, Monzo has become “a scaling, profitable digital bank with a world-class user experience that customers don’t just like, but love.”

The culture shift: Continuous transformation

Finally, transformation can no longer be treated as a one-off program. Modernization must become a continuous capability, not a project with an end date. For banks to break free of legacy constraints, the following considerations are essential:

• Transformation never ends. Change on this scale will be a multiyear, multidimensional journey. Change leaders should aim to secure a consistent stream of investment that allows the organization to build enduring capabilities. Every technology and data initiative should align with long-term strategic goals, creating compounding value across the organization.
• Full organizational shift. Transformation is everyone’s responsibility. While technology drives change, this transformation can’t be owned by IT alone. From boardroom to back office, everyone needs to be committed to making change happen. When transformation becomes embedded in organizational DNA rather than delegated to technical teams, banks can sustain the pace of change their customers demand.

The bottom line

Banks stand at a crossroads. 68% of executives acknowledge that legacy technology is holding them back. Every quarter spent maintaining outdated systems compounds risk, cost and customer attrition.

But those that act now and redefine their customer proposition, rebuild their digital spine and embed continuous change, will turn technology from a constraint into a competitive edge.

The future belongs to banks that leave legacy behind and build loyalty by design.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

SAP’s restructuring may have been good for its bottom line, but behind the scenes, it has backfired.

The company did what it promised, said Greyhound Research chief analyst Sanchit Vir Gogia: It wrapped up its restructuring plan, affecting 10,000 employees, by early 2025, kept headcount steady, and delivered strong financial results. But, he said, “Numbers only tell half the story. Inside the organization, something broke.”

That’s evidenced by a recent internal survey, which revealed that many staff no longer trust company leaders or their strategy.

Trust in SAP’s executive board has fallen by six percentage points since April, to a mere 59%, Chief People Officer Gina Vargiu-Breuer wrote in an internal email seen by Bloomberg. In April 2021, that number was more than 80%, said Bloomberg, citing a local media report.

Confidence in SAP’s execution of its strategy has now dropped to 70%, from 77% in April of this year.

No time to learn

“That number drops even further in Germany, where only 38% say they fully trust leadership,” Gogia said. “And it’s not just a sentiment dip. Over 38,000 employees voiced specific concerns. The pattern is clear: confusion around new performance goals, not enough support to implement AI, unstable team dynamics, and barely any breathing room to learn.”

This isn’t resistance to change: “People get the vision,” he said. “The problem is executional load. You cannot drive large-scale transformation, especially AI-first initiatives, without building systems that carry your people with you.”

As part of SAP’s plan to transform into a skills-led company by 2028, 80% of employees were to be assigned to modernized job profiles by the middle of this year, SAP chief people officer Gina Vargiu-Breuer told financial analysts attending a company event in May. This was intended to “unleash AI-personalized growth opportunities” based on an “externally benchmarked global skills taxonomy” of 1,500 future-ready skills, she said. The company devotes 15% of working time to continuous personal development, she said.

In the recent email seen by Bloomberg, however, she admitted: “The feedback shows that not every step [in the transformation] has landed how it should.”

Unfiltered Pulse

In an email statement to CIO, SAP said that the Unfiltered Pulse survey that highlighted the issues “was designed to gather nuanced feedback from employees, focusing on both strengths and areas for improvement. Employees, for instance, have stated that helpful feedback as well as learning and development opportunities are supporting their growth. Results related to team culture are also positive worldwide.”

SAP said 84% of its more than 100,000 employees responded to the most recent of the surveys, conducted every six months, and while there were some positives this time, “the findings also clearly indicate that employee engagement and trust in the board require attention. Following increases in sentiment in the previous iteration, there has been a decrease in the recent Pulse survey. We greatly value this feedback and are taking targeted action in response. We are therefore implementing specific measures to address the input from our employees and to drive meaningful change.”

SAP has not revealed details of these measures.

However, Info-Tech Research Group senior advisory analyst Yaz Palanichamy said, “SAP employees feel a sense of disillusionment as a result of the efforts undertaken in supporting this restructuring program.”

While SAP had framed the initiative as a strategic pivot towards embracing scalable cloud and AI growth, he said, the sheer number of roles affected, and the way that number ballooned well beyond the original target of 8,000, has left many of SAP’s employees concerned about their jobs and about senior leadership.

They worry about organizational stability and clarity, and about whether there is adequate support for their reskilling, he said: “If the cultural and operational gaps concerning morale, talent retention, and organizational role alignment are not proactively addressed, this could severely hinder SAP’s growth ambitions [in cloud and AI].”

SAP is not alone

SAP isn’t the only company that has faced these issues, Gogia pointed out. “Look beyond SAP, and the same symptoms show up elsewhere. Salesforce saw trust scores crater after its 2023 layoffs. Oracle’s morale took a hit when staff felt shut out of decisions. But SAP’s case stands out because performance at the top was solid, yet employee confidence eroded underneath. That divergence is dangerous. When momentum at the surface isn’t backed by alignment at the core, cracks appear in delivery, consistency breaks down, and partners feel the wobble. Execution doesn’t fail all at once. It frays. Quietly. Progressively.”

SAP isn’t ignoring the issues, he noted. It has begun to take action, appointing leaders, communicating priorities, and revisiting how teams are measured.

“That’s good,” he said. “But the real fix will come not from announcements but from behavioral evidence. Trust comes back when people stop guessing what’s next, when systems stabilize, when leaders stay visible, when workloads balance out.”

이번 신제품은 삼성전자가 첫 폴더블 스마트폰 출시 이후 축적해 온 하드웨어 설계와 제조 기술을 바탕으로 완성한 차세대 제품으로, 화면을 두 번에 걸쳐 접고 펼치는 구조를 통해 스마트폰과 태블릿 사이의 경계를 한층 더 유연하게 했다.

‘갤럭시 Z 트라이폴드’는 완전히 펼치면 10인치급 대화면으로 전환돼 문서 작업, 멀티태스킹, 콘텐츠 감상 등 태블릿 수준의 활용이 가능하고, 접었을 때는 바형 스마트폰 크기로 줄어 휴대성을 확보한다. 접었을 때 12.9mm, 펼쳤을 때 가장 얇은 쪽의 두께가 3.9mm로 역대 갤럭시 Z 폴드 시리즈 중 가장 슬림한 디자인을 갖췄다.

제품 설계는 ‘인폴딩’ 기반의 3단 접힘 구조를 채택했으며, 접히는 과정에서 이상 징후가 감지될 경우 알림과 진동으로 사용자에게 안내하는 자동 알람 기능도 탑재했다. 배터리는 폴더블 시리즈 중 최대 수준인 5,600mAh 용량을 담았고, 3개의 패널 각각에 셀을 고르게 배치하는 방식으로 전력 공급의 균형을 맞췄다. 초고속 충전 지원으로 대화면 사용 환경에서도 충전 편의성을 유지했다.

성능과 사용성 역시 대화면 폴더블에 맞춰 강화됐다. ‘갤럭시용 스냅드래곤 8 엘리트’ 모바일 프로세서를 탑재해 고해상도 멀티태스킹과 AI 기능 구동에 필요한 처리 능력을 확보했으며, 2억 화소 광각 카메라를 적용해 폴더블에서도 고품질 촬영 경험을 제공한다.

또한 사용자는 멀티 윈도우 기능을 통해 최대 3개의 앱을 나란히 실행할 수 있다. 가령 웹 콘텐츠를 보면서 요약·번역 결과를 함께 확인하거나 건강 데이터를 한눈에 정리해 보는 등 다양한 앱을 대화면에 최적화된 방식으로 활용할 수 있다. 또한 화면으로 보고 있는 정보나 카메라 영상을 AI와 실시간으로 공유해 질문하고 답변을 받는 멀티모달 AI 경험도 지원한다.

특히 이번 제품은 스마트폰 최초로 태블릿 버전의 삼성 덱스를 지원해, 외부 모니터 없이도 데스크톱에 가까운 작업 환경을 구현한다. 여러 개의 가상 작업 공간을 오가며 각 공간에 여러 앱을 동시에 배치할 수 있어, 이동 중에도 PC 수준의 멀티태스킹을 구현한다.

삼성전자는 ‘갤럭시 Z 트라이폴드’를 국내에 먼저 출시한 뒤 주요 해외 시장으로 순차 확대할 계획이다. 국내는 12일부터 삼성닷컴과 주요 오프라인 매장에서 판매하며, 출시 전 체험 공간을 운영해 제품 경험 기회를 제공한다. 제품은 단일 색상과 16GB 메모리, 512GB 스토리지 구성으로 출시되고, 구매 고객을 대상으로 AI 서비스 구독권, 콘텐츠 구독 혜택, 보호필름 서비스, 수리비 할인 등 폴더블 프리미엄 프로그램을 함께 제공할 예정이다.

노태문 삼성전자 대표이사 사장은 “갤럭시 Z 트라이폴드’는 새로운 폼팩터 분야에서 쌓아온 삼성전자의 리더십을 바탕으로 생산성과 휴대성의 균형을 실현한 제품이며 업무∙창의성∙연결성 등 모바일 전반의 경험을 한층 확장할 것”이라고 설명했다.
dl-ciokorea@foundryco.com

HSBC ha anunciado una alianza estratégica con la startup francesa Mistral AI para mejorar y acelerar el uso de la inteligencia artificial generativa en todo el banco.

Con ello pretende mejorar los procesos empresariales, ahorrar tiempo a los empleados y ayudar a prestar un mejor servicio a millones de clientes en todo el mundo, gracias al acceso a los modelos comerciales de Mistral AI, incluidos los desarrollos futuros.

En virtud del acuerdo, los equipos de la entidad bancaria colaborarán con los de IA aplicada, ciencia e ingeniería de Mistral en el desarrollo de soluciones de IA generativa en toda su organización.

Georges Elhedery, director general del grupo bancario, ha reconocido en un comunicado que “trabajar con Mistral es un emocionante paso adelante en la estrategia tecnológica de HSBC, que nos permite mejorar aún más las capacidades de IA en todo el banco”.

En su opinión, esta asociación “dotará a nuestros compañeros de herramientas que les ayudarán a innovar, simplificar las tareas diarias y liberar tiempo para atender a nuestros clientes”.

De hecho, desde el HSBC han identificado una valiosa oportunidad para utilizar la experiencia de Mistral en IA para mejorar sus herramientas internas, lo que incluye una plataforma basada en IA para ayudar en tareas de productividad, tales como la creación de tareas empresariales que den respuesta a diversas necesidades del banco, como permitir a los equipos de atención al cliente ofrecer comunicaciones personalizadas con rapidez, permitir a los equipos de marketing lanzar campañas hiperpersonalizadas y ayudar a los equipos de compras a identificar riesgos y oportunidades de ahorro; mejora del análisis financiero de decisiones complejas y con gran cantidad de documentación relacionadas con préstamos o financiación a clientes; servicios de razonamiento y traducción multilingües para ayudar a traducir y validar información en varios idiomas para informar las interacciones con los clientes; y ciclos de innovación de desarrollo más rápidos que permiten a los equipos crear prototipos, validar y lanzar nuevos procesos o funciones con mayor rapidez.

Según se puede leer en el comunicado, “las áreas de interés futuras incluirán innovaciones orientadas al cliente, como mejoras en los procesos de crédito y préstamo, la mejora de la incorporación de clientes y los controles contra el fraude y el blanqueo de capitales”.

Por eso, Arthur Mensch, cofundador y director ejecutivo de Mistral AI, ha dejado claro en el mencionado comunicado que “nuestras soluciones de IA de vanguardia, altamente personalizables y de nivel empresarial, reinventarán los flujos de trabajo y los servicios de HSBC, al tiempo que garantizarán la plena propiedad de los datos”.

Compliance is no longer the brake on digital transformation. It is the steering system that determines how fast and how far innovation can go. In sectors such as healthcare, insurance, manufacturing, and banking, regulation defines how fast and how far innovation can progress. When compliance becomes an architectural principle rather than a procedural constraint, it transforms from a cost center to a competitive edge.

But in the past decade, leading enterprise transformation across these industries, I’ve learned that compliance isn’t the enemy of innovation. It’s the foundation of digital confidence. When handled strategically, compliance can evolve from a passive checklist into an active driver of resilience, trust and growth.

The enterprises that thrive in today’s regulated world share a common trait: they design their technology, data and culture to make compliance an enabler, not a barrier.

The compliance paradox

Across regulated industries, the paradox is striking. Regulations grow more complex each year, yet the demand for agility and innovation grows just as fast.

• In healthcare, HIPAA, FDA and CMS guidelines shape how patient data flows and how AI models can be used in clinical or administrative decisions.
• In insurance, frameworks such as NAIC, SOC 2 and emerging state-level data protection acts determine how claims, underwriting and member engagement systems are designed.
• In manufacturing, ISO standards and environmental disclosures require traceability across the entire production lifecycle.
• And in banking, AML, KYC, Basel III and now AI-model-risk rules require transparency at every level of algorithmic decision-making.

Each industry has its own acronym soup of regulation, but the underlying challenge is the same: enterprises must prove what they know, how they know it and how responsibly they use it. For CIOs, this means leading ecosystems that are innovative, interoperable and fully auditable simultaneously.

From burden to differentiator

In one large healthcare transformation I led, the audit process for claims and provider data reconciliation took more than a month and consumed hundreds of manual hours. By embedding audit trails directly into workflow engines and metadata layers, we reduced preparation time by 70% and achieved complete transparency for regulators and internal reviewers.

This experience reinforced a key lesson: compliance should be built into the architecture, not appended after deployment.

I’ve seen similar results in other sectors.

• In insurance, predictive underwriting models were facing long delays due to regulatory explainability reviews. We built an AI governance layer that automatically tracked model lineage, dataset evolution and decision thresholds. The review cycle was shortened from six weeks to two and the same system later became the benchmark for model transparency across the enterprise.
• In manufacturing, a digital twin initiative used IoT data to monitor production quality. Initially designed for efficiency, it later became the foundation for audit-ready traceability; every material change, machine calibration and test record became part of a verifiable digital thread.
• And in banking, I’ve seen model-risk governance evolve from compliance paperwork into real-time dashboards. These systems can generate “trust reports” visualizing every variable used by credit or fraud models and making them defensible before regulators even ask.

These examples prove a point: compliance, when operationalized, becomes a differentiator. It transforms oversight into foresight.

Why the mindset must shift

Technology rarely fails because of a lack of innovation. It fails when organizations lack the governance maturity to scale innovation responsibly.

Too often, compliance is viewed as a bottleneck. It’s a scalability accelerator when embedded early.

According to Gartner, organizations with mature data-governance practices are three times more likely to achieve measurable business outcomes from AI programs. McKinsey’s analysis shows that AI deployments in regulated sectors with built-in compliance design achieve 20–30% faster adoption and reduce audit findings by half.

The shift begins when leaders see compliance not as external policing but as internal assurance. A well-designed governance framework turns regulation into predictability. Predictability, in turn, builds trust, and trust is what enables adoption at scale.

In one cross-industry transformation roundtable I facilitated, a manufacturing CIO said something that stayed with me: “Compliance doesn’t slow us down. It prevents us from having to stop.” That insight captures the new reality. In regulated industries, digital maturity is measured not by how quickly you deploy AI, but by how confidently you can defend and explain it.

Governance as a growth engine

When governance and compliance converge, they unlock a feedback loop of trust. Consider a payer-provider network that unified its claims, care and compliance data into a single “truth layer.” Not only did this integration reduce audit exceptions by 45%, but it also improved member-satisfaction scores because interactions became transparent and consistent.

• In manufacturing, integrated governance platforms now allow plant managers to monitor non-conformance trends and compliance risks in real time. Instead of waiting for a quarterly audit, teams can act within hours, preventing both downtime and regulatory penalties.
• In banking, machine-learning models for AML detection can now explain why a transaction was flagged, not just that it was. This explainability builds regulator confidence, which in turn accelerates approval for new AI-based risk tools.

The pattern is consistent: when compliance data feeds into operational decision-making, it creates a growth multiplier. Transparency isn’t just a legal requirement; it’s a market advantage. When governance and compliance share data pipelines instead of separate dashboards, they move from passive monitoring to active performance management, transforming risk control into business acceleration.

The CIO’s leadership imperative

No transformation from compliance to confidence happens without leadership alignment. The CIO sits at the intersection of technology, policy and culture and therefore carries the greatest influence over whether compliance is reactive or proactive.

Here are four imperatives every CIO in a regulated enterprise should champion:

1. Treat governance as architecture, not administration

Governance is not documentation. Its design. CIOs must ensure that auditability, traceability and explainability are engineered into systems from day one.

For example, instead of creating external audit logs, modern architectures can use blockchain-based or immutable metadata records to self-document every change. In my experience, systems built this way reduce compliance reporting time by 40–50% while improving internal confidence in data quality.

2. Unite data, risk and compliance under a single operating model

Many enterprises still treat compliance as a department instead of a discipline. The CIO must align data governance, risk management and IT controls into one cohesive framework.

Cross-functional governance councils that include compliance officers, business heads and data owners help make compliance a shared accountability not an afterthought.

3. Humanize compliance through transparency

Technology maturity alone is not enough. The workforce must trust the system. When employees understand how AI or analytics systems make decisions, they become more confident using them.

In one insurance contact center, we trained representatives on how the AI recommendation engine worked. Within two months, adoption rose 37% and call-resolution accuracy improved significantly. Transparency builds human alignment.

4. Champion ethical AI as the next compliance frontier

AI ethics is no longer philosophical; it’s operational. The CIO must ensure algorithms are tested for fairness, bias and explainability before deployment. Tools like Google’s What-If Tool and IBM’s AI Fairness 360 provide practical methods for continuous assurance.

As regulatory frameworks like the EU AI Act and US Algorithmic Accountability Act evolve, ethical compliance will define enterprise reputation. CIOs who prepare early will not just pass audits they’ll earn stakeholder trust.

Measuring Progress: CIOs should define success not only by audit completion rates but by trust readiness metrics, for example, governance-maturity scores, audit-cycle speed or AI-model explainability indexes. These indicators convert compliance from a legal requirement into a performance KPI, signaling to boards and regulators that trust is being operationalized.

Ultimately, the modern CIO’s role extends far beyond systems integration. It’s about trust integration connecting people, policy and platforms under a single banner of accountability.

From compliance to confidence

Confidence is not the absence of regulation; it’s mastery of it. A confident enterprise doesn’t fear audits because its systems are inherently explainable. It doesn’t delay innovation because its teams understand how to govern data responsibly. It doesn’t treat compliance as a paperwork exercise; it sees it as a performance framework. Consider what “confidence” looks like across industries:

• In healthcare, it’s the ability to trace every AI-supported clinical recommendation back to source data.
• In insurance, it’s the assurance that pricing or claim decisions can be justified algorithmically.
• In manufacturing, it’s having a digital thread that ties every product to its quality, safety and sustainability metrics.
• In banking, it’s demonstrating that customer risk models are explainable, unbiased and resilient under regulatory scrutiny.

Confidence grows when leadership builds systems that are transparent by design, not by request.

 This shift is gaining policy traction worldwide. The EU AI Act requires enterprises to maintain verifiable documentation on AI systems’ training data, bias tests and human oversight. Similarly, the proposed U.S. Algorithmic Accountability Act pushes organizations to conduct regular impact assessments. Together, these frameworks formalize what leading CIOs already practice: governance as a continuous, auditable process rather than a reactive audit cycle.

According to Deloitte’s 2025 outlook, 70% of CEOs in regulated industries now see “digital trust” as a direct growth lever. Companies that combine compliance automation with clear governance frameworks experience 20% higher stakeholder trust ratings and outperform peers on market reputation. In practical terms, moving from compliance to confidence means:

• Embedding trust checkpoints into product development life cycles.
• Establishing AI assurance frameworks that test every model for fairness, accuracy and auditability.
• Building explainable data architectures where every decision is traceable.
• Creating a culture of shared accountability between compliance, data and product teams.

The result is not just regulatory alignment, it’s operational resilience and reputational strength.

The future of regulated transformation

As AI reshapes every sector, regulation will continue to evolve faster than technology stacks. Enterprises that succeed will be those that internalize compliance as part of their DNA.

In healthcare, this means using AI responsibly to support clinical and administrative workflows. In insurance, it means linking predictive analytics to transparent customer journeys. In manufacturing, it means aligning IoT and sustainability reporting under one trusted data fabric. In banking, it means moving from algorithmic opacity to algorithmic accountability. The future will belong to organizations that govern as they innovate.

CIOs are at the epicenter of this shift. CIOs are now the custodians of digital trust, responsible not only for running systems but for ensuring that every line of code and every algorithm earns confidence from regulators, customers and employees. The real competitive edge in a regulated world isn’t speed or scale. It’s trust engineered through transparency and sustained by governance-driven leadership.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

Data residency is no longer enough. As governments lose faith that storing data within their borders, but on someone else’s servers, provides real sovereignty, regulators are demanding something more fundamental: control over the encryption keys for their data.

Privatim, a collective of Swiss local government data protection officers, last week called on their employers to avoid the use of international software-as-a-service solutions for sensitive government data unless the agencies themselves implement end-to-end encryption. The resolution specifically cited Microsoft 365 as an example of the kinds of platforms that fall short.

“Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data,” said the Swiss data protection officers’ resolution. “The use of SaaS applications therefore entails a significant loss of control.”

Security analysts say this loss of control undermines the very concept of data sovereignty. “When a cloud provider has any ability to decrypt customer data, either through legal process or internal mechanisms, the data is no longer truly sovereign,” said Sanchit Vir Gogia, chief analyst at Greyhound Research.

The Swiss position isn’t isolated, Gogia said. Across Europe, Germany, France, Denmark and the European Commission have each issued warnings or taken action, pointing to a loss of faith in the neutrality of foreign-owned hyperscalers, he said. “Switzerland distinguished itself by stating explicitly what others have implied: that the US CLOUD Act and foreign surveillance risk renders cloud solutions lacking end-to-end encryption unsuitable for high-sensitivity public sector use, according to the resolution.”

Encryption, location, location

Privatim’s resolution identified risks that geographic data residency cannot address. Globally operating companies offer insufficient transparency for authorities to verify compliance with contractual obligations, the group said. This opacity extends to technical implementations, change management, and monitoring of employees and subcontractors who can form long chains of external service providers.

Data stored in one jurisdiction can still be accessed by foreign governments under extraterritorial laws like the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, said Ashish Banerjee, senior principal analyst at Gartner. Software providers can also unilaterally amend contract terms periodically, further reducing customer control, he said.

“Several clients in the Middle East and Europe have raised concerns that, regardless of where their data is stored, it could still be accessed by cloud providers — most of which are US-based,” Banerjee said.

Prabhjyot Kaur, senior analyst at Everest Group, said the Swiss stance accelerates a broader regulatory pivot toward technical sovereignty controls. “While the Swiss position is more stringent than most, it is not an isolated outlier,” she said. “It accelerates a broader regulatory pivot toward technical sovereignty controls, even in markets that still rely on contractual or procedural safeguards today.”

Given these limitations, Privatim called for stricter rules on cloud use at all levels of government: “The use of international SaaS solutions for particularly sensitive personal data or data subject to legal confidentiality obligations by public bodies is only possible if the data is encrypted by the responsible body itself and the cloud provider has no access to the key.”

This represents a departure from current practices, where many government bodies rely on cloud providers’ native encryption features. Services like Microsoft 365 offer encryption at rest and in transit, but Microsoft retains the ability to decrypt that data for operational purposes, compliance requirements, or legal requests.

More security, less insight

Customer-controlled end-to-end encryption comes with significant trade-offs, analysts said.

“When the provider has zero visibility into plaintext, governments would face reduced search and indexing capabilities, limited collaboration features, and restrictions on automated threat detection and data loss prevention tooling,” said Kaur. “AI-driven productivity enhancements like copilots also rely on provider-side processing, which becomes impossible under strict end-to-end encryption.”

Beyond functionality losses, agencies would face significant infrastructure and cost challenges. They would need to operate their own key management systems, introducing governance overhead and staffing needs. Encryption and decryption at scale can impact system performance, as they require additional hardware resources and increase latency, Banerjee said.

“This might require additional hardware resources, increased latency in user interactions, and a more expensive overall solution,” he said.

These constraints mean most governments will likely adopt a tiered approach rather than blanket encryption, said Gogia. “Highly confidential content, including classified documents, legal investigations, and state security dossiers, can be wrapped in true end-to-end encryption and segregated into specialized tenants or sovereign environments,” he said. Broader government operations, including administrative records and citizen services, will continue to use mainstream cloud platforms with controlled encryption and enhanced auditability.

A shift in cloud computing power

If the Swiss approach gains momentum internationally, hyperscalers will need to strengthen technical sovereignty controls rather than relying primarily on contractual or regional assurances, Kaur said. “The required adaptations are already visible, particularly from Microsoft, which has begun rolling out more stringent models around customer-controlled encryption and jurisdictional access restrictions.”

The shift challenges fundamental assumptions in how cloud providers have approached government customers, according to Gogia. “This invalidates large portions of the existing government cloud playbooks that depend on data center residency, regional support, and contractual segmentation as the primary guarantees,” he said. “Client-side encryption, confidential computing, and external key management are no longer optional capabilities but baseline requirements for public sector contracts in high-compliance markets.”

The market dynamics could shift significantly as a result. Banerjee said this could create a two-tier structure: global cloud services for commercial customers less concerned about sovereignty, and premium sovereign clouds for governments demanding full control. “Non-US cloud providers and local vendors — such as emerging players in Europe — could gain market share by delivering sovereign solutions that meet strict encryption requirements,” he said.

Privatim’s recommendations apply specifically to Swiss public bodies and serve as guidance rather than binding policy. But the debate signals that data location alone may no longer satisfy regulators’ sovereignty concerns in an era where geopolitical rivalries are increasingly playing out through technology policy.

이커머스 업체 쿠팡이 29일 발표한 입장문에 따르면, 회사는 11월 18일 약 4,500개 계정의 개인정보 무단 노출을 확인하고 경찰청, 한국인터넷진흥원, 개인정보보호위원회에 신고했다. 이후 조사 과정에서 피해 규모가 약 3,370만 개 계정으로 확대된 것으로 확인됐다.

유출된 정보는 이름, 이메일 주소, 배송지 주소록(입력 이름, 전화번호, 주소), 일부 주문정보다. 쿠팡 측은 결제 정보, 신용카드 번호, 로그인 정보는 포함되지 않았다고 밝혔다. 2025년 6월 24일부터 해외 서버를 통해 무단 접근이 이루어진 것으로 추정하고 있다. 또한 침해 원인에 대해 현재 관련 당국과 협력하여 조사를 진행 중라고 언급했다.

과학기술정보통신부, 서울경찰청 등 관계 기관은 11월 19일 침해사고 신고와 11월 20일 개인정보 유출 신고를 접수한 뒤 현장 조사를 실시했다. 조사 결과, 공격자가 쿠팡 서버의 인증 취약점을 악용해 정상적인 로그인 절차를 거치지 않고 고객 정보를 유출한 것으로 확인됐다.

정부는 11월 30일부터 민관합동조사단을 가동하고 있으며, 개인정보보호위원회는 쿠팡이 개인정보 보호 관련 안전조치 의무(접근통제, 접근권한 관리, 암호화 등)를 위반했는지 조사 중이다. ‘한국의 아마존’으로 불릴 만큼 많은 사용자가 이용하는 서비스인 만큼 11월 29일에는 바로 2차 피해 방지를 위한 대국민 보안 공지를 진행하기도 했다. 또한 11월 30일부터 3개월간 인터넷상 개인정보 유출 및 불법 유통 점검 강화 기간으로 운영한다.

한편 국회 과학기술정보방송통신위원회 최민희 위원장은 30일 보도자료를 통해 이번 사고의 구체적인 원인을 분석한 결과를 공개했다. 쿠팡으로부터 받은 자료에 따르면, 쿠팡은 토큰 서명키 유효 인증기간에 대해 “5~10년으로 설정하는 사례가 많다”라며 “로테이션 기간이 길고, 키 종류에 따라 매우 다양하다”고 답변한 것으로 전해졌다.

최 위원장 측은 이번 사고를 출입 시스템에 비유해 설명했다. 로그인에 필요한 ‘토큰’이 일회용 출입증이라면, ‘서명키’는 출입증을 발급하는 인증 도장과 같다. 출입증이 있어도 인증 도장이 없으면 출입할 수 없지만, 서명키를 장기간 방치할 경우 지속적으로 악용될 수 있다는 것이다.

최민희 의원실이 확인한 결과, 쿠팡의 로그인 시스템에서는 토큰이 생성 후 즉시 폐기되도록 설계되어 있으나, 토큰 생성에 필요한 서명 정보가 담당 직원 퇴사 시 삭제되거나 갱신되지 않고 방치되어 내부 직원에 의해 악용된 것으로 파악됐다.

최민희 위원장은 보도자료를 통해 “서명키 갱신은 가장 기본적인 내부 보안 절차임에도 쿠팡은 이를 지키지 않았다”라며 “장기 유효 인증키를 방치한 것은 단순한 내부 직원의 일탈이 아니라, 인증체계를 방치한 쿠팡의 조직적·구조적 문제의 결과”라고 밝혔다.

이번 침해 사고의 피해 대상자에게는 이메일 또는 문자 메시지를 통해 관련 사실이 안내됐다. 추가 문의가 필요한 경우 고객 센터 또는 incident_help@coupang.com으로 연락하면 된다. 관련 정보는 별도의 안내 페이지를 통해서도 확인할 수 있다.

침해 사실 안내문과 별도로 박대준 쿠팡 대표이사는 30일 별도의 입장문을 통해 “국민 여러분께 큰 불편과 걱정을 끼쳐드려 진심으로 사과드린다”라며“쿠팡은 과학기술정보통신부, 개인정보보호위원회, 한국인터넷진흥원, 경찰청 등 민관합동조사단과 긴밀히 협력하여 추가적인 피해 예방을 위해 최선을 다하겠다”라고 밝혔다.
jihyun.lee@foundryco.com

앤트로픽이 최근 보고서에서 AI ‘클로드(Claude)’를 기업 전반에 도입할 경우 기대할 수 있는 다양한 절감 효과를 제시했다.

해당 보고서인 ‘클로드 대화를 기반으로 한 AI 생산성 추정’에 따르면, 앤트로픽은 클로드를 활용해 교사용 교육과정 개발, 송장 발행, 재무 분석과 같은 일련의 업무를 처리할 때 상당한 생산성 향상이 가능하다고 진단했다.

앤트로픽은 클로드를 활용해 10만 건의 익명화된 사용자 대화 기록을 분석하고, 이를 기반으로 생산성 효과를 추정했다. 앤트로픽은 “클로드의 추정치에 따르면, 이러한 작업은 AI 없이 평균 약 90분이 소요되지만 클로드는 개별 작업 시간을 약 80% 단축한다”라고 밝혔다.

한편 앤트로픽의 관찰에 따르면 AI 활용의 이점이 극대화되는 영역이 있는 반면, 기대 효과가 다소 낮은 영역도 나타났다. 소프트웨어 개발자의 경우 개발, 테스트, 문서화, 데이터 처리 업무에서 AI가 속도를 높일 수 있지만, 시스템 설치 조율이나 기술 인력 감독과 같은 업무에서는 현재로서는 ‘의미 있는’ 수준으로 AI를 활용하긴 어렵다고 앤트로픽은 분석했다. 앤트로픽은 “교사 직군 역시 AI가 수업 및 활동 계획에는 도움이 되지만, 방과후 동아리 운영이나 교실 규칙 관리에는 기여하지 않는다”라고 설명했다.

분석의 한계

앤트로픽은 이 추정치를 토대로 현 세대 AI 모델이 향후 10년 동안 미국 노동생산성 증가율을 연평균 1.8% 끌어올릴 수 있다고 전망했다. 이는 최근 수년간의 생산성 개선 속도보다 2배 높은 수치다. 그러나 보고서는 “AI의 영향이 적은 영역에서는 해당 업무가 병목으로 작용해 성장의 제약 요인이 될 수 있다”라고 지적했다.

또한 앤트로픽은 이번 분석 결과가 클로드 기반 데이터에만 근거하기 때문에 AI 활용 전반을 완전히 반영하지 못한다는 점도 언급했다. 더불어 조직에서 생산성 향상이 가장 크게 나타나는 시점은 단순히 새로운 기술을 도입할 때가 아니라, 이를 기반으로 업무 프로세스 전체를 재구성할 때라는 점을 강조했다.

이번 분석 결과가 갖는 또 다른 잠재적 한계도 제시됐다. 보고서는 “분석에는 한계가 있다. 특히 사용자가 클로드와의 대화 외에 쓰는 추가 시간이 반영되지 않는다. 여기에는 클로드가 생성한 결과의 품질이나 정확성을 검증하는 작업도 포함된다”라고 설명했다.

이어 보고서는 “이번 접근법은 사용자가 클로드의 초안 결과물을 최종 상태로 다듬는 과정이나, 여러 세션을 거치며 산출물을 반복 수정하는 작업을 고려하지 않는다. 이런 요소가 실제 시간 절감 폭을 더 좁힐 수 있다”라고 밝혔다.

보고서가 클로드의 자체 평가에 상당 부분 의존하고 있다는 점에서, 전제가 과도하게 낙관적이라는 회의적 시각도 나온다. 특히 앤트로픽이 지난 5월 공개한 실험에서 클로드는 다른 AI 모델로 대체될 가능성이 제기되자 자기보호적 반응으로 협박성 행동을 보인 바 있는데, 이번 보고서 역시 클로드에게 유리한 방향으로 해석됐을 수 있다는 지적이다.

“세심하게 구성된 보고서”

AI 컨설팅 기업 발리언스(Valliance)의 설립자인 타리크 느세이르는 이번 앤트로픽 보고서가 상당히 세심하게 구성돼 있다고 평가했다. 느세이르는 “스스로의 문제점을 비교적 잘 드러낸 보고서”라며 “제시된 수치도 현장에서 확인되는 결과를 크게 벗어나지 않는다”라고 진단했다. 그는 “물론 장문 작업처럼 특정 업무를 선택해 분석한 흔적은 분명하지만, 전반적으로 구조가 잘 짜여 있고 투명한 보고서”라고 설명했다.

하지만 느세이르는 기본 전제의 일부가 타당하더라도, 앤트로픽이 연속된 업무 흐름에서 발생하는 문제의 누적을 과소평가하고 있다고 지적했다. 그는 “어떤 작업에서 부정확성이 생기면, 그 작업이 전체 체인의 일부인 만큼 시간이 지날수록 오류가 더 확대된다”라며, “개별 작업 단위의 시간 절감 추정치는 현실적이지만, 앤트로픽이 말하는 총합 절감 효과는 실제로 달성하기 어렵다”라고 분석했다.

클로드의 협박성 행동 논란에 대해서는 “현장에서는 그런 사례를 확인하지 못했다. 게다가 생성형 AI는 계속 발전하고 있다. 개발 속도와 안전성 개선 속도도 매우 빠르게 올라가고 있다”라고 말했다.

느세이르는 조직 전체에 AI를 도입하려는 CIO가 특정 기술 벤더를 불문하고 “직원의 생산성을 높일 수 있는 적절한 도구를 제공하는 ‘사람 우선’ 접근과, 조직 전체 비즈니스 구조와 프로세스의 연계를 먼저 살펴보는 ‘가치 우선’ 접근을 함께 고려해야 한다”라고 조언했다.
dl-ciokorea@foundryco.com