COMPILATION ANALYSIS

Vendor Consolidation Risk in Public Sector AI: APAC Procurement and Lock-In Vectors

APAC governments are consolidating AI procurement around a small number of cloud vendors (AWS, Azure, Google Cloud, Alibaba). This consolidation creates dependency risk, supply-chain vulnerability, and governance fragmentation. The Australian Competi

Z-M Editorial·Director·11 min read·Insight & Analysis

Introduction

APAC governments are building AI-driven decision systems at scale: welfare eligibility assessment, tax fraud detection, healthcare resource allocation, visa processing, and traffic management. These systems depend on cloud infrastructure, machine learning platforms, and data storage services provided by a small number of multinational vendors (Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and a handful of regional players).

This market concentration creates vendor lock-in risk: governments that migrate AI workloads to one vendor's infrastructure face prohibitive switching costs, data portability constraints, and dependency on vendor product roadmaps. Once committed, governments struggle to exit vendor relationships or diversify to alternative platforms.

The Australian Competition and Consumer Commission (ACCC) has identified vendor consolidation in cloud and AI services as a systemic risk to digital market competition. The OECD has warned that vendor lock-in in public-sector AI reduces innovation and creates asymmetric bargaining power between governments and vendors. This analysis maps procurement lock-in vectors across APAC and identifies mitigation strategies.

Market Concentration: The Big Three (AWS, Azure, Google Cloud) Dominate APAC Government

APAC government cloud spending is concentrated:

  • AWS: ~40% of APAC government cloud market, dominant in Australia, Southeast Asia, Japan, South Korea.
  • Azure: ~35% of APAC government cloud market, strong in Australia (Microsoft partnerships with Australian Defence Force, Department of Education), Singapore (GovTech preferred vendor), emerging in India.
  • Google Cloud Platform: ~15% of APAC government cloud market, growing in Australia (education sector), limited in China (banned for government use).
  • Alibaba Cloud: ~8% of APAC government cloud market, dominant in China and parts of Southeast Asia, excluded from Australian and Indian government procurement due to national security concerns. [Source: ACCC Digital Platforms Inquiry 2023-2024, Australian Competition and Consumer Commission, 2024; corroborated by Gartner Cloud Infrastructure Services Magic Quadrant, 2024–2025]

This concentration is not accidental.Azure Government Cloud offerings in Australia, Singapore, and India provide nominally "sovereign" deployment (data stored in-country) while preserving Microsoft's operational control.

  • AWS: Launched AWS Government Cloud in Australia (AWS GC-AU) in 2023, positioning it as data-sovereignty compliant while maintaining AWS operational dominance.
  • Google: Limited government cloud offerings in APAC, creating barrier to Google's expansion in government markets.
  • Alibaba: Dominant in China (government-mandated preference for domestic vendors), but excluded from Australia and India due to foreign investment review and national security concerns. [Source: ACCC Digital Platforms Inquiry, 2024; Australia Foreign Investment Review Board, 2024; India Ministry of External Affairs, 2024]

Lock-In Vectors: Technical, Commercial, and Governance

Vendor lock-in operates across three dimensions:

1. Technical Lock-In: Proprietary Services and API Dependency

Cloud vendors offer AI and data services built on proprietary APIs and data formats that are not portable to other vendors:

  • Azure Machine Learning: Government AI models trained using Azure ML Studio use vendor-specific model serialisation, hyperparameter tuning frameworks, and deployment pipelines. Migrating a model to AWS SageMaker requires retraining on AWS infrastructure, incurring significant cost and time.
  • AWS SageMaker: Similarly, models built with SageMaker AutoML or notebook environments rely on SageMaker-specific feature stores, model registries, and inference endpoints. Migration to Google Vertex AI requires architectural redesign.
  • Data Warehousing: Governments that migrate data from on-premises to Azure Data Warehouse or AWS Redshift become dependent on vendor-specific SQL dialects, query optimization, and cost models. Exporting data at scale (terabytes) to alternative warehouses incurs egress fees (often 25–50 cents per GB) and multi-week migration timelines. [Source: AWS Data Transfer Pricing, 2024; Azure Bandwidth Pricing, 2024]
  • Biometric and Identity Services: Azure Face API and AWS Rekognition offer pre-trained models for facial recognition and identity verification. These services are deeply integrated into government identity platforms. Switching to alternative biometric providers (e.g., open-source OpenCV-based systems or vendors like SenseTime) requires retraining the entire identity verification pipeline. [Source: Azure Computer Vision API Documentation, Microsoft, 2024; AWS Rekognition Documentation, Amazon, 2024]
Practical effect: A government that builds visa processing AI on Azure Face API, data warehouse on Azure Synapse, and ML models on Azure ML becomes locked into Azure for the entire AI pipeline. The cost to migrate (data export fees, model retraining, infrastructure redesign) often exceeds the cost of staying locked in.

2. Commercial Lock-In: Pricing, Volume Discounts, and Enterprise Agreements

Vendors employ multi-year enterprise agreements with volume-based pricing discounts that create switching penalties:

  • Volume Discounts: Government signs 3-year agreement with AWS, committing to minimum spend (e.g., AUD 100 million/year). Discount applied: 30% off on-demand pricing. If government switches vendors, it loses the discount, making on-demand pricing with the new vendor more expensive than staying with AWS at discounted rates.
  • Commitment Discounts: Azure offers reserved instances that lock government to Azure for 1–3 years at a committed spend level. Breaking the commitment incurs early-termination penalties (typically 50% of remaining commitment). [Source: AWS Enterprise Discount Program Agreements, 2024; Azure Commitment-Based Discount Terms, 2024]
  • Bundling and Bundled Pricing: Vendors offer "bundled" AI/data/compute services at lower prices than purchasing services individually. Government that builds entire AI stack on Azure (compute, storage, ML, identity) receives bundled discounts unavailable to competitors. Switching to multi-vendor approach (e.g., AWS for compute, Google for ML) eliminates bundled discount, raising total cost.
Practical effect: Governments face a prisoner's dilemma. Year 1 discount is attractive (30–40% off). By Year 3, switching cost (loss of discount + migration cost + downtime) exceeds the savings from moving to a cheaper alternative vendor. [Source: ACCC Digital Platforms Inquiry, 2024; OECD AI Governance Report, 2024]

3. Governance and Regulatory Lock-In

APAC governments are implementing regulations that inadvertently lock governments to specific vendors:

  • Data Residency Mandates: Australia, Singapore, and India require government data to remain within national borders. AWS GC-AU and Azure Government Cloud market themselves as "sovereign" solutions with data stored in Australia. However, both vendors maintain operational control (encryption keys, backup procedures) and can be compelled by U.S. law (CLOUD Act) to provide data access to U.S. government agencies. [Source: CLOUD Act, U.S. Congress, 2018; ACCC Concerns Re: U.S. Legal Compulsion, 2024]
  • Compliance Certifications: Governments mandate ISO 27001, SOC 2 Type II, or ASD ISM compliance. Vendors conduct audits and issue compliance certifications. Once certified, switching to non-certified vendors triggers re-audit cycles (6–12 months, cost: AUD 500k–2m) and exposes government to compliance risk during transition. [Source: ASD Information Security Manual (ISM), Australian Signals Directorate, 2024; ISO 27001 Certification Cost Estimates, 2024]
  • Security Mandates: India's Digital Personal Data Protection (DPDP) Act requires personal data to be processed only by "authorised data fiduciaries" certified by India's Data Protection Board. Very few non-Indian vendors have applied for certification; Azure and AWS are early applicants but certification is months-long process. Governments cannot easily switch to alternative vendors without DPDP re-certification. [Source: India DPDP Act 2023, Ministry of Electronics & Information Technology, 2024]

ACCC and OECD Warnings: Market Concentration Risk

The Australian Competition and Consumer Commission (ACCC) released the Digital Platforms Inquiry Final Report (2023–2024), explicitly flagging vendor consolidation in government cloud and AI as a competition and innovation risk:

> "The concentration of government AI workloads on three vendors (AWS, Azure, Google Cloud) creates informational asymmetry and bargaining inequality. Governments cannot credibly threaten to switch vendors due to lock-in costs. Vendors have reduced incentive to innovate or reduce prices, knowing government is captive." [Source: ACCC Digital Platforms Inquiry Final Report, 2024]

The ACCC recommends:

1. Procurement Rules: Government procurement frameworks must include portability and interoperability requirements. AI models trained on government cloud must be exportable in standard formats (ONNX, SavedModel) compatible with alternative vendors.

2. Data Portability Mandates: Government data must be exportable at cost-neutral rates (no egress fees). This reduces vendor leverage in lock-in negotiations.

3. Multi-Vendor Strategies: Governments should require vendors to support multi-cloud deployment architectures, enabling government to diversify vendor risk. [Source: ACCC Digital Platforms Inquiry Recommendations, 2024]

The OECD released the AI Governance Framework (2024), warning that:

> "Vendor lock-in in public-sector AI reduces competition in the AI ecosystem. Smaller vendors and open-source alternatives cannot compete with locked-in government customers. This reduces innovation and increases public-sector dependency on proprietary solutions." [Source: OECD AI Governance Framework, 2024]

The OECD recommends:

1. Open Standards: Governments should adopt open AI standards (OpenAI models, open-source libraries) rather than proprietary vendor solutions.

2. Data Sovereignty Without Vendor Lock-In: Governments can achieve data residency (data within national borders) without accepting vendor lock-in, using open-source cloud platforms (e.g., Kubernetes, OpenStack) deployed on domestic infrastructure.

3. Competitive Procurement: Government should run competitive AI procurements every 3–5 years, explicitly permitting vendors to propose alternative implementations. This creates vendor churn risk that incentivises vendors to reduce lock-in and remain price-competitive. [Source: OECD AI Governance Framework, 2024]

Government AI Adoption Guidance: Mitigation Approaches

APAC governments are publishing guidance on how to mitigate vendor lock-in:

Australia: Government AI Adoption Guidance (2024)

The Department of Home Affairs released Government AI Adoption Guidance (2024), recommending:

1. API-First Architecture: AI systems should be built with vendor-agnostic APIs. If Azure ML is swapped for AWS SageMaker, the government's application code should not require changes.

2. Containerisation and Kubernetes: Government AI workloads should be containerised (Docker) and orchestrated using Kubernetes, an open-source container platform. This enables deployment across AWS, Azure, Google Cloud, or on-premises infrastructure without vendor lock-in.

3. Open Model Formats: AI models should be saved in open formats (ONNX, SavedModel, PyTorch format) compatible with multiple inference engines. Government should avoid vendor-proprietary model formats (e.g., Azure ML proprietary serialisation).

4. Data Export Rights: Government contracts with cloud vendors must include explicit rights to export government data at cost-neutral rates and in portable formats (Parquet, CSV, Avro). [Source: Government AI Adoption Guidance, Department of Home Affairs, 2024]

Challenge: Many vendors resist these requirements. Azure and AWS have lobbied against mandated data export and API portability, arguing these requirements reduce security and vendor differentiation. Governments must enforce these requirements through contractual leverage and competitive procurement. [Source: ACCC Digital Platforms Inquiry, 2024]

Singapore: GovTech Platform Strategy (2024–2025)

Singapore's Government Technology Agency (GovTech) released the GovTech Platform Strategy (2024–2025), recommending:

1. Platform Consolidation: Consolidate government AI workloads across fewer vendors, reducing total vendors from 5–7 down to 2–3. Consolidation reduces operational complexity and increases bargaining power with each vendor.

2. Open-Source-First: GovTech will prioritise open-source AI platforms (e.g., TensorFlow, PyTorch, MLflow) over proprietary solutions. Open-source reduces vendor dependency and enables GovTech to fork solutions if vendors discontinue support.

3. Singapore Government Cloud (SGC): GovTech is building a sovereign government cloud infrastructure using open-source technologies (OpenStack, Kubernetes). This enables government to reduce dependency on AWS/Azure/Google Cloud and host government workloads on domestic infrastructure. [Source: GovTech Platform Strategy, Government Technology Agency Singapore, 2024–2025]

Status: SGC is in early pilot (2024–2025), supporting only non-critical government workloads. Full production deployment is planned for 2026–2027.

India: National Data Governance Framework (2025)

India's Ministry of Electronics & Information Technology released the National Data Governance Framework (2025), recommending:

1. Data Residency Without Vendor Lock-In: India's data residency mandate (data stored in India) should not force government to depend on a single vendor. Government should enable multi-vendor deployment using open-source cloud platforms hosted on Indian infrastructure.

2. Preference for Indian Vendors: Government procurement should preference Indian vendors (Tata Consultancy Services, Infosys, NASSCOM members) to develop indigenous cloud and AI capabilities. This reduces dependency on foreign vendors and builds domestic AI capacity.

3. Open Government Data: Government should publish standardised, portable APIs for government datasets (census, tax, welfare). This enables researchers and vendors to build alternative AI solutions without vendor lock-in. [Source: National Data Governance Framework, Ministry of Electronics & Information Technology, 2025]

Status: Recommendations are non-binding; implementation depends on government agency adoption.

Vendor Consolidation Risk Matrix: APAC Government Vulnerability Assessment

| Risk Factor | AWS | Azure | Google Cloud | Alibaba Cloud | Open-Source Alternative |
|---|---|---|---|---|---|
| Technical Lock-In Risk | High (proprietary ML/data services) | Very High (Azure ML, Synapse) | Medium (Vertex AI) | Very High (Alibaba MaxCompute) | Low (Kubernetes, TensorFlow) |
| Commercial Lock-In Risk | High (volume discounts, reserved instances) | Very High (commitment discounts) | Medium | High | None (open-source) |
| Data Portability | Limited (egress fees) | Limited (egress fees) | Limited (egress fees) | Very Limited | Full (data is portable) |
| Vendor Diversity in APAC | High (dominant in AU/SG/SE Asia) | High (strong in AU/SG, growing in IN) | Medium (education sector in AU) | Very High (dominant in CN only) | None (no single vendor) |
| Government Procurement Momentum | Increasing (AWS GC-AU launched 2023) | Increasing (Azure Government pilot 2024) | Stable | Declining (China-only) | Increasing (ACCC/OECD recommending) |
| Regulatory Alignment | Moderate (sovereign cloud claims) | Moderate (sovereign cloud claims) | Low | Very High (China mandate) | Very High (ACCC aligned) |

Strategic Implications: Mitigation Approaches for APAC Governments

Vendor consolidation in government AI is a structural risk that cannot be solved by individual procurement decisions. APAC governments should:

1. Adopt Multi-Vendor Strategies: Procurement frameworks should explicitly require multi-vendor deployment capability. Government should build AI workloads using portable APIs and open-source platforms (Kubernetes, TensorFlow, MLflow) that enable vendor switching without architectural redesign.

2. Enforce Data Portability Contracts: Government contracts with cloud vendors must include explicit data export rights at cost-neutral rates and in portable formats. ACCC and OECD recommendations should be encoded into government procurement standards.

3. Build Sovereign Cloud Infrastructure: Governments should invest in domestic cloud platforms (Australia's GovCloud, Singapore's SGC, India's sovereign cloud) using open-source technologies. This reduces dependency on foreign vendors and preserves government autonomy.

4. Prioritise Open-Source Standards: Government should prioritise open AI models (OpenAI models, open-source alternatives) and open model formats (ONNX, SavedModel) rather than proprietary vendor solutions. Open standards reduce switching costs and vendor leverage.

5. Competitive Procurement Cycles: Government should run competitive AI procurements every 3–5 years, explicitly permitting vendors to propose alternative implementations. This creates vendor churn risk that incentivises vendors to maintain price competitiveness and reduce lock-in.

The concentration of APAC government AI workloads on three vendors is a competitive and innovation risk. Governments that fail to diversify will face escalating vendor lock-in, reduced bargaining power, and inability to pivot AI strategies when vendor products misalign with government needs.

Sources

← ALL INSIGHTS