The weirdest part of modern cloud cost blowups isn’t GPU hours. It’s the stuff that feels like plumbing: egress, logs, traces, and the “helpful” AI integrations that quietly turn your data into someone else’s dependency.
Founders still treat cloud spend as a CFO headache. Operators still treat security as IAM and patching. Both are outdated. In 2026, your cloud bill is increasingly a security incident report in disguise—because the cost centers growing fastest are the same surfaces where sensitive data gets copied, retained, and shipped across boundaries you don’t control.
If you’re building with LLMs (OpenAI, Anthropic), running GPUs (NVIDIA via AWS/GCP/Azure), or standardizing on a telemetry stack (Datadog, Splunk, Elastic, OpenTelemetry), you’re already living this. The contrarian part: the biggest lock-in isn’t your database anymore. It’s your observability + AI data exhaust.
Cost is now a data governance problem (whether you admit it or not)
Traditional cloud discipline assumed three big cost drivers: compute, storage, and databases. That worldview survived a decade because it matched how teams shipped software. AI broke it because AI changes what you move, what you keep, and what you duplicate.
Every “smart” feature you add—semantic search, RAG, agentic workflows, customer support copilot—creates more derived embeddings, vector indexes, prompts, tool traces, evaluation datasets, replay logs. That derived data is valuable, sensitive, and remarkably easy to spray into third-party systems.
Meanwhile, observability moved from “nice to have” to “the only way to run production.” OpenTelemetry became the default instrumentation layer for many teams, and vendors like Datadog, Dynatrace, New Relic, Splunk, Elastic, Grafana Labs, and others compete on who can ingest the most and correlate it best. That competition pushes the same direction: more data, richer context, longer retention.
Security work that doesn’t touch where data actually flows is compliance theater.
AI adds a twist: you can’t govern what you can’t reconstruct. When an LLM feature misbehaves, you need the full chain—prompt, retrieved context, tool calls, model outputs, and user-visible results. Teams respond by logging everything. That makes incidents diagnosable—and breaches more expensive.
The new lock-in stack: model APIs + telemetry + identity
Most founders still talk about cloud lock-in like it’s 2015: proprietary databases, managed queues, serverless runtimes. Those matter, but they’re no longer the sticky core. The sticky core is:
- Model access patterns: prompt formats, tool calling, response schemas, moderation and safety filters, eval harnesses, caching layers, and model-specific quirks.
- Telemetry gravity: where your logs, traces, metrics, LLM traces, and security events live—and how painful it is to move years of them or re-create dashboards and alerts.
- Identity policy reality: the actual enforcement layer is whichever IAM + SSO + device posture + secret manager combination your org operationally trusts. That becomes your real platform boundary.
Look at the real-world product lines. Datadog has expanded aggressively from APM into logs, security monitoring, RUM, CI visibility, cloud cost management, and LLM observability features. Splunk (now under Cisco) remains entrenched for many enterprises as a central event store. Microsoft keeps tightening the loop between Azure, Entra ID, Defender, and Purview. AWS keeps bundling “security posture” alongside CloudWatch and core services. None of this is accidental. If they own your telemetry and identity edges, they own your operational brain.
Table 1: Where lock-in hides in 2026—common stacks and what actually gets sticky
| Layer | Examples (real products) | What gets sticky | Exit pain signal |
|---|---|---|---|
| Model API + tooling | OpenAI API, Anthropic API, Azure OpenAI Service | Prompt/tool schemas, safety workflows, eval harnesses, caching behavior | You can’t swap models without breaking workflows and tests |
| Telemetry backend | Datadog, Splunk, Elastic Observability | Retention, queries, dashboards, alert semantics, historical baselines | Rebuilding alerts takes weeks; history is trapped or expensive to export |
| Open instrumentation | OpenTelemetry, Prometheus, Grafana | SDK footprint, semantic conventions, collector pipelines | Instrumentation drift and cardinality issues become “forever problems” |
| Identity & policy | Microsoft Entra ID, Okta, AWS IAM | Conditional access, app entitlements, auditability, incident response playbooks | Security team refuses to migrate; controls don’t map cleanly |
| Data classification & DLP | Microsoft Purview, Google Cloud DLP | Labeling, scanning, retention, legal holds, policy wiring | Compliance depends on one vendor’s tags and reports |
Egress is back, but it’s not just “leaving the cloud”
Egress used to mean one thing: you pulled data out of AWS/GCP/Azure and the provider charged you. Teams responded with predictable tactics: keep compute close to storage, use CDNs, compress, cache, replicate carefully.
AI made egress more subtle. Data “leaves” even when it never leaves your VPC in the classic sense:
- You send prompts and retrieved context to a third-party model API.
- You ship rich logs to an observability vendor.
- You stream events into a SIEM or managed security platform.
- You mirror production data into a feature store or evaluation pipeline.
- You export telemetry into a lakehouse “for analytics later,” and it never gets deleted.
These are data transfers with governance consequences. The cost story is just the visible symptom.
Telemetry inflation: the slow-motion breach
Everyone knows not to dump secrets into logs. Everyone does it anyway. AI features make it worse because “context” is the product.
Here’s the pattern that keeps repeating: a team adds an AI feature, a handful of edge cases show up, and the first fix is “log the full prompt + retrieved docs + tool outputs.” That log line goes to CloudWatch or Stackdriver, then to Datadog or Splunk, then to a long-retention bucket, then to a data warehouse for “analysis.” Each hop creates another copy, another access path, another retention policy, another breach surface.
Key Takeaway
If you can’t say where your prompts and retrieved context are stored, for how long, and who can query them, you don’t have an AI security posture. You have vibes.
OpenTelemetry is not a free pass
OpenTelemetry is a gift: it reduces vendor coupling at the instrumentation layer and creates a sane pipeline model (SDKs → Collector → backend). But teams misread it as an exit strategy. It’s not.
If your dashboards, alerts, SLOs, and incident response muscle memory are built around one backend’s query language and UI, you’re locked in regardless of whether traces arrive via OTel. Treat OTel as a routing layer, not a strategy.
Security teams now care about observability vendors
Five years ago, security teams mostly ignored APM vendors. That era is over. APM and log platforms hold operational secrets: internal service names, hostnames, customer identifiers, sometimes raw payloads. They’re crown jewels by accident.
If your org uses Datadog, Splunk, Elastic, or similar, the permission model inside those tools matters as much as AWS IAM. Yet many teams still treat them like “engineering tools,” not data systems.
What “good” looks like: fewer copies, tighter paths, real retention
There’s a temptation to solve this with policy docs. Don’t. Solve it with architecture constraints that make the bad behavior hard.
Start with three non-negotiables
- Prompts and retrieved context are classified data. Treat them like database rows, not debug strings.
- Telemetry pipelines are production data pipelines. They need schema discipline, redaction, and lifecycle management.
- Every export path needs an owner. If nobody owns the “export to S3 / BigQuery / Snowflake” button, it will be abused.
Use redaction where it actually works: at the collector and SDK edges
If you’re on OpenTelemetry, the Collector is your choke point. If you’re not, build one. Do not rely on “engineers will remember not to log PII.” They won’t—especially under incident pressure.
Concrete move: add an explicit redaction processor in your telemetry path and make it part of the deployment contract. Treat redaction rules like code: version them, review them, test them.
# Example: OpenTelemetry Collector processor config pattern (conceptual)
# Use your actual distro + processors; validate against your Collector version.
processors:
batch:
attributes/redact:
actions:
- key: http.request.header.authorization
action: delete
- key: user.email
action: delete
- key: llm.prompt
action: hash
service:
pipelines:
traces:
processors: [attributes/redact, batch]
logs:
processors: [attributes/redact, batch]
Don’t overfit the snippet. The point is structural: put redaction before your data hits the vendor boundary.
Table 2: A practical “data exhaust” inventory for AI + observability (use as a living register)
| Artifact | Where it commonly lands | Risk if mishandled | Operational control to implement |
|---|---|---|---|
| Prompts + system messages | App logs, LLM observability tools, incident tickets | Sensitive business logic or user data copied broadly | Redact at source; strict retention; access review in log platform |
| Retrieved context (RAG snippets) | Trace attributes, debug logs, evaluation datasets | Confidential docs exposed; cross-tenant mixing bugs amplified | Store references/IDs, not raw text; sample only under gated debugging |
| Tool calls + tool outputs | Tracing spans, webhook logs, vendor audit logs | Credential leakage; internal endpoints and payloads exposed | Secrets scanning; delete headers; separate audit vs debug streams |
| Embeddings + vector indexes | Vector DBs (Pinecone, Weaviate), managed search, internal stores | Hard-to-audit derived data retained indefinitely | Retention policies; rebuild pipelines; per-tenant isolation and deletes |
| Telemetry exports (logs/traces/metrics) | S3/GCS/Azure Storage, Snowflake, BigQuery | “Shadow data lake” with broad access and unclear purpose | Named owner; time-boxed exports; automatic deletion; least-privilege roles |
The contrarian budgeting move: cap observability before you cap compute
Teams love to optimize compute because it feels technical and clean: right-size instances, switch to spot, quantize models, cache responses. Do it. But it’s not where the organization loses control.
Telemetry spend, retention, and exports are where companies accidentally create permanent liabilities. Not because observability vendors are villains—because observability data is high-entropy truth, and truth is expensive to store, index, and secure.
So cap observability first. Not by turning it off, but by making it intentional:
- Define what “debug mode” means for AI features, and gate it (feature flag + time limit + approver).
- Default to identifiers over payloads (store doc IDs, span IDs, request IDs; pull payloads only from controlled stores).
- Shorten retention on high-risk streams (raw prompts, retrieved text) and keep longer retention only for sanitized aggregates.
- Separate audit logs from debug logs so compliance doesn’t force you to retain dangerous data.
- Stop exporting “just in case”; if an export isn’t tied to a named dashboard or detection rule, it’s clutter.
A prediction worth planning around: AI audit trails will become a product requirement
Regulation is heading toward more accountability for automated decisions, and enterprise buyers already ask uncomfortable questions: “Can we reconstruct what the model saw?” “Can we prove who accessed prompts?” “Can we delete user data from derived stores?” Whether your customers cite GDPR, SOC 2, HIPAA, or internal policy, the ask converges on the same thing: an auditable story.
That story will not be told from your primary database. It will be told from your telemetry, your model gateway, and your derived datasets. If those are a mess, you will either fail procurement or build a parallel system under pressure.
Concrete next action: this week, pick one AI feature in production and run a 60-minute “data exhaust review.” Map (1) what gets logged, (2) where it’s stored, (3) who can query it, (4) how long it lives, (5) how it’s deleted. If you can’t answer those five, you’re not “early.” You’re exposed.