Posts AI in production: Why foundations start with outcomes

AI in production: Why foundations start with outcomes

AI adoption is now widespread across most enterprises, but meaningful, scaled impact remains relatively rare.

Across finance, marketing, operations and technology teams, organisations are using AI to improve forecasting, automate processes, accelerate content creation and support decision-making. Yet despite this momentum, many still struggle to move beyond isolated successes and deliver consistent value across the business.

The challenge is rarely the technology itself. More often, organisations rush to pilot tools and models before defining the outcome they are trying to achieve. In many cases, they also make assumptions about what their foundations should look like, centralising data, building platforms or designing architectures before they fully understand the problem they are trying to solve. The most effective foundations are rarely fixed; they emerge from a clear understanding of the outcome being pursued.

This matters because AI is not a single capability. Different approaches solve different problems, introduce different risks and place different demands on data, governance and operating models. The foundations needed for a predictive model are not the same as those required for a generative assistant or an agentic system capable of taking action across multiple platforms.

Trust sits at the centre of all of this. AI only delivers value when people trust the outputs, understand how decisions are being made and have confidence in the data, governance and security that sit behind them. The organisations seeing the greatest success start with the outcome, choose the right approach and build the foundations to support it. This article explores what those foundations look like in practice.

Choosing the right AI approach for your outcome

AI is often spoken about as though it is a single capability. In reality, it is a collection of different techniques, each designed to solve different problems and deliver different outcomes.

The organisations seeing the most success with AI don’t start by choosing a model. They start by defining the outcome they want to achieve, then selecting the approach best suited to delivering it.

While there are many different flavours of AI, the three below represent some of the most common approaches used in organisations today. For a deeper dive into the wider AI landscape and real-world use cases, see our AI Playbook, written by CACI’s Director of Data & AI Ethics, Sue MacLure.

AI approachWhat it doesExample business outcomesFoundation requirementsKey governance & control considerations
Predictive AI Uses historical data to forecast future outcomes.Predicting customer churn, forecasting demand or identifying risk.Consistent, high-quality historical data with clear definitions and strong data quality controls.Data quality, bias monitoring, explainability and auditability of decisions.
Generative AI Creates new content or enables natural language interaction with information.Internal knowledge assistants, summarising documents, generating marketing content.Well-structured, trusted information sources and effective grounding mechanisms to improve accuracy.Output governance, hallucination management, security of sensitive information and responsible usage policies.
Agentic AI Coordinates systems, data and tools to take actions on behalf of users.Automating workflows, resolving customer requests or orchestrating business processes.Reliable integrations, access to multiple systems and clearly defined operational boundaries.Action authorisation, monitoring, human oversight, security controls and accountability for decisions.

These differences matter because each approach places different demands on the organisation.

A predictive model built on poor-quality data will produce unreliable forecasts. A generative AI assistant without access to trusted information may produce convincing but inaccurate responses. An agentic system operating without appropriate controls can take actions that create operational or security risks.

The organisations that scale AI successfully recognise these differences early. They don’t apply a single blueprint. Instead, they choose the right approach for the outcome they want to achieve and design the foundations, governance and operating model around it.

Designing the right data foundations for AI

There is no single blueprint for preparing data for AI. The way data should be structured, accessed and managed depends on both the outcome you are trying to achieve and the characteristics of the data itself.

Some information lends itself to centralisation and reuse. Other data is more valuable when it remains close to the source. Understanding the difference is key to designing data foundations that support AI effectively.

Data architecture is not one-size-fits-all

One of the biggest misconceptions in AI is that there is a single set of foundations that every organisation should build towards. In reality, the right data architecture depends on what you are trying to achieve. The outcome should shape the foundation, not the other way around.

Some benefit from being highly structured, unified and optimised for reuse. Others rely on data that changes too frequently or is too complex to move and store efficiently in one place.

In these cases, the focus should not be on centralising data, but on enabling secure, governed access to it where it already exists.

Designing your data architecture becomes a set of deliberate choices:

  • What outcomes are you trying to deliver?
  • Which data is critical to achieving them?
  • What needs to be standardised and shared?
  • What is best accessed directly from source systems?
  • How will models interact with that data in a secure and controlled way?

Designing for different data behaviours

The way data behaves should directly influence how it is structured and accessed. If, for example, a customer uses an airline’s AI assistant to ask about an existing booking, the underlying data is relatively stable. It can be standardised, catalogued and surfaced through a semantic layer, allowing the model to respond quickly, accurately and at low cost.

However, if that same customer asks, “How much will it cost to fly to Lagos next week?”, the answer depends on constantly changing inputs such as pricing, availability and demand.

In this case, centralising the data provides little value. Attempting to store and cache it introduces complexity and risk without improving accuracy. Instead, the priority shifts to enabling secure, real-time access to source systems, with the appropriate controls in place to ensure data is used safely and correctly.

Trust, governance and control are architectural decisions

What was once used by a small number of specialists becomes available to many users and systems, often at much higher speed and frequency. Without the right controls, this can quickly expose issues that were previously hidden.

For example, teams working closely with data often build informal safeguards, manually correcting inaccuracies or filtering out known issues. When AI automates those processes, those safeguards disappear. The same data is now consumed at scale, increasing the risk of errors, bias or misuse.

This is where governance becomes critical.

Data needs to be:

  • catalogued, so it can be found and understood
  • labelled, so its meaning, sensitivity and usage are clear
  • traceable, so it is possible to see where it came from and how it has changed
  • controlled, so access is appropriate and auditable

Without this, AI systems cannot be trusted, regardless of how well the model performs. Read more in our insight report on how clean data enables good AI.

Creating a shared understanding of “truth”

When multiple teams and systems rely on the same data, consistency becomes critical.

A “customer” in marketing may not mean the same thing in finance. Without clear definitions, models will produce inconsistent outputs, undermining trust and making results difficult to act on. Approaches such as semantic layers and structured data models help address this by creating a shared, governed view of key data assets, while still allowing for context where needed.

The goal is not to unify everything. That is slow, costly and rarely achievable.

Instead, it is about:

  • identifying high-value data
  • creating clear definitions and ownership
  • and enabling access through well-governed integration

People and operating model

As AI takes on more of the execution, roles shift from doing the work to directing it, interpreting outputs and taking accountability for decisions. AI removes tasks, but not responsibility.

This creates a fundamental change in how organisations need to operate. Teams are no longer just delivering outputs, they are working alongside systems that generate, recommend or take action on their behalf. That requires new skills, clearer ownership and different forms of oversight, with the level of control depending on the type of AI being used and the outcomes it is supporting.

Trust is what enables adoption

For AI to be used at scale, people need to trust it. That trust is not created through mandates or targets. It comes from confidence that the system is:

  • using the right data
  • producing reliable outputs
  • operating within clear boundaries

Without that, adoption will always be limited. People will either avoid using AI altogether, or use it cautiously and inconsistently, which limits its impact.

This is where governance and transparency play a critical role. When people can understand how a system works, where its data comes from and how decisions are made, they are far more likely to engage with it confidently.

Ways of working must evolve

One of the most common failure points in AI adoption is that organisations introduce new technology, but keep existing ways of working.

AI works best in environments where:

  • teams are cross-functional
  • data, technology and business functions collaborate closely
  • accountability for outcomes is clearly defined

Without this, AI remains isolated in pockets of the organisation rather than becoming part of how it operates day to day.

This often requires structural change. Not necessarily to reduce headcount, but to align skills and roles to where value is created. In many cases, it is about redeploying people, not replacing them.

This is a shift, not an optimisation

AI can deliver immediate value by helping organisations do things faster. But the longer-term opportunity lies in reimagining how work is designed, delivered and experienced.

When Thomas Edison invented the lightbulb in 1879, candlemakers didn’t look for ways to use it to produce candles more efficiently. They recognised that it required a fundamental shift in how light was created and used.

The same applies to AI. If organisations focus only on optimising existing processes, they will limit its potential. The real opportunity comes from stepping back and asking what work should look like when AI is part of the system.

With only 12% of organisations feeling prepared to adopt AI in day-to-day operations, it’s clear that very few have fully figured it out. As AI continues to evolve at pace, so too do the ways it can be applied. But those that are already thinking in this way, starting with the opportunity rather than the constraint, are the ones best positioned to move beyond incremental gains and realise meaningful, scaled impact.

Ultimately, AI only delivers value when it is embedded into how the organisation operates. That requires people to trust it, understand it and have clear accountability for how it is used.

AI success looks different across the organisation

Different parts of the business will define AI success differently.

For technology leaders, success often looks like scalable, secure systems that can be trusted to run reliably. For finance teams, it is about cost control, efficiency and measurable return. Data leaders focus on quality, governance and ensuring outputs can be relied upon. Marketing teams may look to AI to personalise experiences, reach the right audiences and improve campaign performance (for more on how AI can help you achieve this, see our whitepaper on AI decisioning).

A marketing team cannot deliver effective personalisation without access to well-structured, trusted data. Finance cannot measure ROI without visibility into how models are performing and what they are costing to run. Technology teams cannot scale AI safely without strong governance, security and integration in place.

This is where organisations often get stuck. AI initiatives are prioritised within individual functions, but the underlying foundations are shared. When those foundations are weak or inconsistent, every use case is affected, regardless of where it sits in the business.

The organisations that succeed recognise this early. They align around common foundations, even as teams pursue different outcomes. In doing so, they create an environment where AI can be applied consistently, safely and at scale.

Turning AI into something your business can rely on

Getting AI into production is not a technical milestone. It is an organisational one.

The challenge is rarely a lack of capability. It is knowing how to apply that capability in a way that aligns with business outcomes, works within real-world constraints and can be trusted at scale.

This is where the difference between experimentation and impact becomes clear. Successful organisations do not treat AI as a bolt-on capability. They design it into how their data is structured, how their systems operate and how their people work.

At CACI, this is the approach we bring to AI. Built on decades of data expertise, we combine deep technical specialism with a practical understanding of how businesses operate. That means going beyond models and tools, taking the time to understand the outcomes you are trying to achieve and designing the architecture, governance and operating model to support them.

Crucially, this is done with trust at the centre. AI only delivers value when people understand it, adopt it and have confidence in how it is being used. That requires strong data foundations, clear governance and a human-centred approach to how systems are designed and deployed.

Because ultimately, successful AI is not about implementing technology. It is about embedding it in a way that works for your people, your processes and your long-term goals. To learn more about how CACI can help your organisation architect AI for scale, get in touch to start the conversation.

Rethinking “buy, not build” in the age of Agentic AI

How agentic AI is redrawing one of tech’s most enduring rules of thumb

Agentic AI is beginning to change how software is developed, particularly in how quickly teams can generate and iterate on code. While this has clear implications for cost and speed, it does not remove many of the underlying complexities of software delivery, and in some cases introduces new ones.

For decades, organisations defaulted to “buy, not build” because building was costly and slow, while off-the-shelf software became more mature, reliable and easier to adopt. That balance is now beginning to shift. Agentic AI is making it faster and, in some cases, more cost-effective to create bespoke solutions, starting to change the economics of building software.

However, adopting AI at scale is proving more complex than the technology itself. Many organisations are experimenting with AI-assisted development, but scaling it remains challenging due to skills gaps, governance requirements, trust and integration into existing engineering practices.

The Buy vs Build reality is more nuanced: while AI can accelerate parts of development, it has not replaced the need for strong operating models, domain expertise or human oversight. The advantage comes from combining AI speed with human expertise, not replacing one with the other, a theme explored further in our AI playbook.

Why “buy” won

To understand whether the Buy vs Build rule is changing, you first have to understand why it arose. The instinct is often to frame it as a cost argument: developer time is expensive, so buying a ready-made product is cheaper. That is true, but it undersells the real reasons.

Developer scarcity drove up opportunity cost

Every engineer hour carried an opportunity cost. Building internal tools meant not building something else. The constraint wasn’t just capacity, but trade-offs: investing in non-differentiating systems often came at the expense of innovation or competitive advantage. “Build versus buy” was really a question of value.

Mature products embedded decades of domain knowledge

A well-established CRM (Customer Relationship Management), ERP (Enterprise Resource Platform) or risk platform is not just software. It is the accumulated wisdom of thousands of client implementations, regulatory cycles, edge cases and hard lessons. In these cases, the code mattered much less than the years of accumulated wisdom built into the product.

Operational burden was real

Before cloud-native infrastructure matured, owning a codebase meant owning a significant operational liability alongside it.

Requirements compromise was an acceptable trade-off

Bending processes to fit the software was not ideal, but often a reasonable trade-off because the alternative was too costly.

The result was “buy” becoming the default and “build” only winning when the capability in question was genuinely core to competitive differentiation, and even then, only if the organisation had the engineering depth to sustain it.

Crucially, “buy” never had to justify itself. It was the default. The burden of proof sat entirely with anyone proposing to build, much like the dynamic seen with “cloud-first” strategies, where cloud deployments sailed through architectural governance unchallenged, and it was only on-premise proposals that faced scrutiny.

What Agentic AI changes

Agentic AI – the class of systems that can plan, write code, test it and iterate with increasing levels of automation – directly affects the most visible cost in the build equation: the writing of the code itself.

As tooling matures and agents become more capable of managing their own context and quality gates it shifts the role of engineers from pure builders to orchestrators of AI-driven development.

This shift does not simplify the role of engineering teams, it expands it.

Engineers are increasingly required to work across architecture, governance, security and compliance, often in closer collaboration with legal, risk and business teams.

But what are the consequences for engineering leaders?

Greenfield bespoke tooling becomes economically viable again

Internal tools, data pipelines, workflow automation, custom reporting layers, the kind of work that reliably lost the buy-versus-build analysis on cost grounds for the past fifteen years, can now tip the other way, becoming economically attractive for organisations that previously lacked the scale, budget or technical capacity to justify building in-house.

However, this shift should not be mistaken for simplicity. Much of the cost and complexity of software delivery has never sat purely in writing code. Activities such as requirements gathering, low-level design, security and compliance, efficiency, integration with existing systems, deployment, user adoption and change management remain significant and often more challenging than the development itself.

This is particularly true in existing enterprise environments, where systems are designed for interoperability, resilience and regulatory compliance. While AI makes it quicker to purely generate code, it does not shortcut the design, architecture and contextual elements that has always made software development challenging and exacting.

The cost of requirement compromise falls

Buying off-the-shelf software always meant accepting a trade-off: your processes bent to the software’s logic, not the other way around. Agentic AI changes that calculus. When you can build to your exact requirements at a fraction of the previous cost, that compromise becomes much harder to justify.

Iteration replaces specification

AI-assisted development changes the nature of the build process itself. You no longer need a complete, validated specification before you start. You build, observe and refine cycles that were previously too expensive except for the highest-priority systems.

Why “buy” does not collapse

Despite these shifts, it is important to recognise that many of the original reasons for buying software remain unchanged.

The case for buying has been challenged, but the need has not disappeared. The strongest arguments for buying were never really about code in the first place.

Compliance and security hardening cannot be generated

A mature SaaS product carries years of penetration testing, third-party audits, SOC 2 certifications, GDPR machinery and incident response history. An AI agent can generate code; it cannot generate the audit trail, vendor liability or the enterprise trust that took years to earn.

Ecosystem and integration value is sticky

Established platforms and ecosystems remain the logical choice to “buy” because everything else connects to them. That network effect does not erode simply because building has become cheaper.

Deep domain knowledge still requires human time to reconstruct

Think of a credit risk engine, a tax calculation platform or a clinical trial management system. The rules encoded in that software represent decades of regulatory interpretation, institutional learning and hard-won edge-case handling. A prompt alone does not reconstruct that and attempting to do so carries real risk.

AI-generated code requires stronger human oversight, not less

AI can accelerate development, but it does not replace the need for engineering judgement. Someone still needs to define the architecture, set quality standards, manage dependencies and make the call when AI generates something that looks right, but is not.

What changes is the nature of the role. Engineering teams shift from writing every line of code to directing, validating and governing AI-generated output. That requires new disciplines: clearer architectural guardrails, stronger review practices and teams trained to work effectively with AI systems.

Organisations that treat AI as a shortcut around engineering rigour will see the cost return quickly, in the form of rework, security gaps or fragile systems. The advantage comes from combining AI speed with human oversight, not replacing one with the other.

The “buy” vendors are using the same tools

The gap does not close only from the build side. SaaS providers are accelerating their own development with exactly the same AI capabilities. The competitive starting point keeps moving.

The emerging reframe of “buy not build”

The result is not a reversal of the buy-versus-build dynamic, but a more nuanced version of it.

The old mantra was binary. The new reality is a spectrum, and a better way to frame it is:

Build what differentiates you. Buy the commodity. The principle remains, but agentic AI has moved the boundary. Understanding what to build, buy and how to do both in a scalable, secure way is where the real challenge exists. Many organisations are not yet equipped to make those decisions confidently.

Previously, “what differentiates you” was a very narrow slice. The cost of building meant only truly proprietary capabilities, core algorithms or unique models, could justify investment, with everything else treated as commodity.

Agentic AI expands that slice. Capabilities that were previously too costly to build, such as internal tooling, data pipelines or workflow automation, are now worth revisiting.

However, the “always buy” category remains where value is not in the code itself: regulated platforms, established ecosystems and software underpinned by deep, embedded domain knowledge that is costly and risky to replicate.

The nuance worth preserving

It would be a mistake to read this as a simple reversal, “build, not buy” for a new era. The discipline behind the old mantra still matters and some of it deserves to survive. The question remains “Why does this need to be bespoke?” The answer just has a lower bar to clear than it did before.

The mantra is not dead; it’s being renegotiated.

Of course, it would be a mistake to think of this as a binary option. Agentic AI development is blurring the lines as to what Buy really means, and what Build is in practice. Increasingly, organisations are less concerned with whether something is “built” or “bought”, and more focused on delivering outcomes.

In practice, this means combining AI-generated code, cloud-native resources, third-party platforms and internal components to achieve the desired result, rather than treating build and buy as separate decisions. Blending components and capabilities into a single platform.

The middle ground

There is still a demonstrable need to utilise buy components within a “build first” environment, especially where there are specific requirements and needs around security, governance, perform, context and compliance.

However, there is also a growing middle ground, where organisations combine custom development with proven accelerators and platforms. These approaches retain flexibility while reducing risk, particularly in regulated or complex environments.

For example, accelerators such as CACI’s Jezero enable organisations to accelerate delivery while embedding proven patterns around security, governance and architecture.

This allows teams to take advantage of AI-assisted development without starting from scratch or introducing unnecessary risk.

How organisations should respond safely and effectively

  • Reopen “build versus buy” decision-making: The economics have changed, meaning areas that were previously considered a commodity should be reassessed.
  • Establish governance for AI-generated code: Define quality gates, dependency policies or any architectural guardrails.
  • Design an AI-ready operating model: AI-assisted building is risky without the right operating model and teams skilled in directing and governing AI outputs in place.
  • Partner with a trusted specialist: Most organisations lack the governance, architecture and compliance frameworks to scale AI effectively, which is where a trusted partner can make all the difference.

Agentic AI is quickly becoming part of the standard development toolkit. While it creates clear efficiencies, it also demands stronger governance, critical thinking and well-defined guardrails to ensure systems remain secure, maintainable and fit for purpose.

At CACI, we’ve approached this shift with a focus on control as much as capability. We have embedded defined patterns, development standards and governance controls into how AI-assisted development is used, ensuring that code generated through these approaches aligns with security, architectural and operational requirements from the outset.

Understand what to build, what to buy and where Agentic AI creates real advantage

The build-versus-buy boundary is shifting, but changing that boundary without the right controls introduces as much risk as opportunity.

Agentic AI can reduce the cost of building. It does not reduce the consequences of building the wrong thing, in the wrong place, without the right governance. Navigating this shift requires more than new tools, it requires critical thinking, strong architecture, and deep technical and domain expertise.

At CACI, we help organisations re-evaluate build-versus-buy decisions in light of Agentic AI, not just from a development perspective, but across operating models, governance and long-term ownership. That means understanding where AI genuinely changes the economics of building, how to integrate it effectively into software engineering processes, and where proven accelerators can de-risk and accelerate delivery.

For organisations looking to explore these challenges in more detail, we’ve also captured insights from our recent Architecting the AI-ready enterprise breakfast briefing, to provide a practical view of what adoption looks like in reality.

Ultimately, this is about combining the best of both approaches, AI-assisted development, established platforms and learned experience of complex environments, to build differentiated capabilities in a way that is scalable, secure and sustainable.

This is not about building more; it’s about building where it matters, and knowing where it does not. If you are reassessing how Agentic AI should shape your technology strategy, speak to our specialists to explore how to move forward with clarity and control.

CACI acquires Datalynx to enhance its complex data migration capability

In this Article

New acquisition for CACI to strengthen data migration capability

CACI Limited, a leading data and technology solutions company, has acquired Datalynx Limited (“Datalynx”).

Datalynx provides specialist data and cloud migration services in mission-critical environments to government clients, including the Home Office. Tracy Weir, CEO of CACI in the UK comments:

“We’re delighted to welcome Datalynx and their exceptionally talented leadership and team to our business. Their important position in the Home Office, particularly with the Police, is a testament to both their capability and calibre. We have common core values and a shared culture – a collaborative way of working, a focus on solving real-world problems and a passion for deploying the best and most secure data solutions for our clients. Fred and his team are a perfect fit and an important addition to our Government and Public Sector business.”

Fred Keeling, Managing Director of Datalynx adds:

“Joining forces with CACI gives us more power, resources and support to provide scalable, adaptive solutions to organisations of national importance. We’re excited about the potential for growth, innovation and to deepen our reputation, under the CACI banner, of delivering industry-leading data and cloud migration services in highly secure environments that work for the safety, security and prosperity of the UK.”

About CACI Limited

CACI Ltd is a wholly owned subsidiary of CACI International Inc. Headquartered in London with offices around the UK, Europe, and India, we support government and commercial customers in transforming their businesses by bringing together the power of people, data, and technology. With over 1,600 employees, we are passionate, progressive, and welcome a challenge. Our purpose is to use our specialist skills, technology and data-driven insight to provide expert solutions that truly deliver for our customers.

www.caci.co.uk

About Datalynx

Datalynx is one of the UK’s leading independent data management specialists, with a comprehensive service offer in data migration – from planning through to build, test and compliance. Originally founded by Charlie Spinks in 2002, Datalynx has established excellent processes and frameworks to provide its high profile customers with a service which is secure, efficient and consistent. As a collaborative team from a diverse range of backgrounds Datalynx keeps the values of honesty, integrity, trust and value at the heart of our delivery proposition.  

www.datalynx.net

What is refactoring in cloud migration? 

Refactoring in cloud migration means making significant architectural and code-level changes to an existing application to optimise it for cloud environments. Instead of simply lifting and shifting a workload, refactoring restructures it to use cloud native services such as managed databases, containers, microservices or serverless computing. 

Common migration patterns include rehosting, re-platforming, refactoring, rebuilding or replacing. Refactoring sits in the middle of the modernisation scale, keeping the core application but improving internal structure, removing legacy dependencies, updating frameworks and unlocking new capabilities. 

This approach is growing in adoption, with a large percentage of enterprises now combining cloud migration with application modernisation to remain competitive. When done well, organisations can reap substantial benefits of refactoring from cloud elasticity and faster development to improved resilience and long-term cost efficiency, which this blog uncovers. 

Benefits of refactoring in cloud migration

Refactoring requires investment, but the long-term gains are often significant. In doing so, organisations can gain: 

Improved scalability and performance

By adapting applications to use cloud native components such as container orchestration, managed databases or asynchronous workloads, organisations can achieve higher performance and better resilience under load. 

Reduced long-term costs

Although refactoring may increase migration effort, it often leads to lower operational costs. Cloud-native services offer auto-scaling, pay-per-use pricing and more efficient resource consumption. Over time, this results in better financial performance than traditional lift-and-shift. 

Faster delivery and innovation

Refactored applications are usually more modular and easier to update. This supports continuous deployment, quicker releases and faster time to market, which are ideal for product teams and digital delivery. 

Lower technical debt and easier maintenance

Refactoring replaces old libraries, removes legacy components and reduces complexity. This improves stability and simplifies systems for engineering teams to maintain and enhance. 

Stronger security and compliance

Modern cloud architectures embed identity management, encryption, monitoring and audit controls. This makes it easier to meet regulatory requirements and improve security posture.

Future-readiness and flexibility

Refactored solutions adapt more easily to new technologies, cloud services and business requirements. They are better positioned for AI integration, data platform modernisation and future cloud strategies. 

Challenges of refactoring in cloud migration

Refactoring is one of the more advanced cloud migration strategies, which lends itself to complications. Some of the challenges to be aware of include: 

Higher upfront effort and cost 

Refactoring requires redesigning and rewriting parts of the application. This means more time and investment compared to rehosting or re-platforming. 

Complex transformation risk

Innate changes to architecture may introduce new bugs or operational risk. Without careful planning, live services may face disruption during cutover. 

Legacy constraints and dependencies

Some applications are tightly coupled or built on outdated frameworks, which makes refactoring more time consuming. Legacy systems may require major rework before they are cloud-ready. 

Risk of cloud provider lock-in

Cloud-native services offer significant value, but can complicate multi-cloud strategies. Organisations must balance innovation with portability requirements. 

Cloud skill gaps across teams 

Refactoring requires cloud architecture expertise, software engineering capability, DevOps skills and updated security practices. Many organisations are still building on skills in these areas. 

Delayed return on investment

Refactoring benefits increase over time. Stakeholders may expect instant cost savings, which can create pressure if results take longer to appear. 

Best practices for cloud migration refactoring

Refactoring is most successful when approached with structure and clarity. The following best practices can help reduce risk and improve outcomes: 

1. Carry out a complete application assessment

Review application dependencies, integrations, data flows, technical debt, scalability and risk. This helps map the complexity of the estate and segment workloads based on refactoring suitability. 

2. Prioritise the right applications

Focus refactoring on high-value workloads such as customer facing services, highly scaled systems or applications requiring innovation. Avoid refactoring low-value or soon-to-be-retired solutions. 

3. Create a clear business case and measurable KPIs

Define long-term success: improved performance, cost efficiency, error reduction, increased release frequency or reduced maintenance overhead. Tie each refactoring decision to a measurable outcome. 

4. Adopt cloud native architecture patterns

Use microservices, event-driven design, serverless functions, containers, managed data services, API gateways and infrastructure as code. CACI’s Cloud Engineering and Implementation Services helps organisations effectively adopt this. 

5. Embed security and governance from the beginning

Security must not be retrofitted. Implement identity and access management, encryption, logging, monitoring, network controls and compliance checks early.  

6. Invest in skills and organisational readiness 

Support DevOps adoption, cloud architecture upskilling and platform engineering capabilities. Consider establishing a cloud centre of excellence.  

7. Deliver refactoring in waves

Avoid large, risky transformations. Move applications into the cloud in phases: pilot, assessment, refactor, migrate, validate and optimise. This will reduce risk and increase confidence. 

Cloud migration with CACI

Refactoring during cloud migration can unlock scalability, performance, agility and long-term cost savings. However, success depends on having the right expertise, governance, cloud architecture and migration strategy. 

CACI helps organisations design and deliver modern cloud solutions through its 
Cloud Engineering and Implementation Services, including:  

  • Cloud readiness assessments 
  • Refactoring planning 
  • Modernisation frameworks 
  • Cloud native delivery. 

We also provide Platform Migration for complex legacy estates and Solution Implementation to build secure, scalable platforms for modern applications. 

If you are planning to refactor applications for cloud or considering a modernisation strategy, get in touch with us to find out how CACI can help you achieve scalable, secure and cost-effective results. 

How enterprise architecture helps with cloud migration

Cloud migration has become essential for organisations modernising their digital services, but the process can quickly become complex, costly and slow when not guided by a clear structure. Studies consistently show that cloud transformations fail when organisations lack visibility, governance and coherent decision-making.  

Enterprise architecture solves these challenges by aligning business strategy, technology, data and operations around a unified migration plan. It provides the frameworks, roadmaps and governance needed to move to the cloud in a controlled, secure and cost-efficient way. It offers teams a clear view of what to migrate, when to migrate it and how to deliver the business outcomes expected from cloud. 

In this blog, we explore how enterprise architecture supports cloud migration, the capabilities it provides and how organisations can use it to deliver faster, safer and more value-driven cloud programmes. 

What enterprise architecture means in cloud migration

Enterprise architecture helps businesses understand how their capabilities, applications, data flows and technology platforms fit together so they can smoothly transition to the cloud. It offers clarity across four core areas: 

  • What systems exist today 
  • How they connect and depend on each other 
  • How the future cloud architecture should operate 
  • Which steps are needed to migrate safely and incrementally. 

Without this context, cloud migration can lead to performance problems, security gaps, cost overruns and delays. Enterprise architecture provides the visibility and alignment needed to avoid these issues. 

Resources such as the Microsoft Cloud Adoption Framework reinforce the importance of architectural foundations, landing zones, security baselines and governance when preparing for cloud migration at enterprise scale. 

Why enterprise architecture is essential for cloud migration

Enterprise architecture enhances cloud migration across strategic, operational and technical dimensions through: 

1. Complete visibility across the application estate

Large organisations often lack a single view of their systems, making cloud migration risky. Enterprise architecture documents: 

  • Application inventories 
  • Dependencies 
  • Data flows 
  • Integration patterns 
  • Infrastructure and hosting 
  • Business criticality. 

This visibility prevents migrations that break key services or overlook important interdependencies. 

2. Prioritisation of workloads for migration

Enterprise architecture identifies which workloads should be: 

  • Rehosted 
  • Re-platformed 
  • Refactored 
  • Replaced 
  • Retired

This prevents wasted effort on low value systems and accelerates value by prioritising high impact workloads. 

3. Defining target cloud architecture

A well-defined cloud architecture reduces long term cost, improves resilience and accelerates delivery. Enterprise architecture establishes: 

  • Cloud landing zones 
  • Identity and access management 
  • Networking and security models 
  • Platform engineering standards 
  • Data and integration architecture. 

Cloud providers such as the AWS Well Architected Framework outline best practices that support this approach to achieve secure, efficient and reliable cloud environments. 

4. Strategic alignment to business priorities

Enterprise architecture ensures cloud migration is linked to business priorities, including: 

  • Resilience 
  • Cost optimisation 
  • Customer experience 
  • Regulatory compliance 
  • Agility and innovation 
  • Sustainability targets. 

This turns migration into a strategic programme, not just a technical activity.

5. Strong governance and decision-making 

Enterprise architecture establishes guardrails that: 

  • Remove duplication 
  • Enforce tagging and cost allocation 
  • Standardise cloud patterns 
  • Improve design quality 
  • Ensure compliance with organisation wide standards. 

Frameworks like the Open Group’s TOGAF standard support consistent enterprise architecture governance across the organisation. 

6. Better risk management and security

Enterprise architects plan for: 

  • Secure landing zones 
  • Identity and access control 
  • Encryption and data residency 
  • Compliance requirements 
  • Resilience and disaster recovery. 

Guidance such as the NCSC cloud security collection strengthens these architectural decisions and helps organisations adopt secure cloud services. 

7. Cost control and value realisation

Enterprise architecture is crucial for cloud cost optimisation because it defines efficient architectures that avoid waste. It supports: 

  • Rightsizing decisions 
  • Refactoring choices 
  • Lifecycle governance 
  • FinOps alignment 
  • Workload placement strategies. 

This ensures cloud spend remains predictable and aligned with business value. 

Key enterprise architecture practices that accelerate migration

1. Portfolio assessment and rationalisation

Enterprise architecture evaluates: 

  • Application value 
  • Lifecycle stage 
  • Fitness for cloud 
  • Risk and complexity 
  • Technical debt. 

This prevents migrating applications that should be modernised, consolidated or retired instead. 

2. Cloud readiness assessments

Readiness assessments evaluate: 

  • Code quality 
  • Performance and scalability needs 
  • Security posture 
  • Compliance requirements 
  • Integration and data dependencies. 

These insights inform accurate migration strategies and help teams choose the right approach. 

3. Target state cloud architecture

Enterprise architecture defines the target state, including: 

  • Cloud landing zones 
  • Identity, access and network architecture 
  • Platform engineering 
  • Observability and logging 
  • CI/CD pipelines 
  • Automation standards. 

This ensures consistency across all migration waves. 

4. Business capability alignment

By mapping applications to business capabilities, enterprise architecture ensures migration aligns with organisational goals and modernises the areas that deliver the most value. 

5. Modern data and integration architecture

Cloud migration requires robust integration design. Enterprise architecture helps define: 

  • API-first approaches 
  • Event-driven architecture 
  • Hybrid integration 
  • Data pipelines 
  • Governance and lineage. 

The Google Cloud Architecture Framework offers structured guidance that supports these principles. 

6. Phased migration wave planning

Enterprise architecture supports incremental migration by planning: 

  • Migration waves 
  • Dependency sequencing 
  • Testing and validation 
  • Operational readiness 
  • Change management. 

This reduces risk and improves delivery speed. 

How enterprise architecture reduces cloud migration risks

Enterprise architecture enables organisations to avoid common cloud migration risks, such as: 

  • Downtime, through dependency and impact analysis 
  • Security gaps, by defining robust access and identity models 
  • Cost overruns, by aligning with FinOps and workload sizing 
  • Architecture drift, through strong governance 
  • Integration failures, through complete visibility of data and interfaces 
  • Scope creep, through clear migration sequencing. 

The UK government’s cloud guidance reinforces this structured, architecture-led approach for public sector organisations. 

Enterprise architecture and cost optimisation

Enterprise architecture helps organisations reduce cloud costs through: 

  • Designing efficient cloud architectures 
  • Choosing the right migration pattern 
  • Removing technical debt 
  • Preventing duplication across teams 
  • Optimising data and storage strategies 
  • Enforcing tagging and lifecycle policies 
  • Supporting FinOps capabilities. 

Without enterprise architecture, cloud environments often become fragmented, expensive and difficult to manage. 

Enterprise architecture and AI-ready cloud platforms

AI adoption adds new complexity to cloud estates. Enterprise architecture ensures cloud platforms are AI-ready by defining: 

  • Scalable GPU architectures 
  • Cost efficient AI training environments 
  • Data governance and lineage 
  • Vector database integration 
  • Secure access patterns 
  • Hybrid data strategies. 

This ensures AI is adopted safely, efficiently and sustainably. 

How CACI supports enterprise architecture for cloud migration

CACI delivers robust enterprise architecture and cloud engineering services that accelerate migration while reducing risk, cost and complexity. 

Contact us today to learn more about how our structured architectural approach can help improve your migration quality, accelerate delivery and ensure your cloud investments generate measurable business value.  

Cloud migration challenges: A 2026 guide to risks, strategy & tools

Cloud is now firmly mainstream, with roughly 94% of enterprises using cloud services and a growing majority running over half of their workloads in the cloud. Worldwide end-user spending on public cloud was forecasted to reach roughly $723 billion in 2025, underlining just how critical cloud has become to a business’ strategy.  

Yet despite this investment, cloud migration challenges remain stubbornly persistent. One major study found that organisations spend on average 14% more on migration than planned and 38% of migrations are delayed by more than a quarter, driven by complexity, poor planning and skills gaps. Another widely cited report notes that 84% of organisations struggle to manage cloud spend effectively.  

This guide explores the most common cloud migration challenges, why they occur and how to design a migration strategy, tooling approach and operating model that gives you a much higher chance of success. It also demonstrates how CACI’s cloud, engineering and implementation services can support your journey. 

What is cloud migration and why is it so challenging?

Cloud migration is the process of moving applications, data, workloads and underlying infrastructure from on-premises or legacy environments into cloud platforms. It can also include moving between clouds or from one cloud service model to another.

Types of cloud migration

Understanding the main migration patterns is a useful starting point for setting expectations: 
 

  • Rehost (lift-and-shift): Moving workloads with minimal changes. 
  • Replatform: Making modest optimisations (e.g. managed databases) during migration. 
  • Refactor: Re-architecting applications to use cloud-native services. 
  • Rebuild: Rewriting systems from scratch for the cloud. 
  • Replace: Retiring legacy apps in favour of SaaS solutions. 

Most organisations end up using a mix of these approaches across workloads.

Complex deployment models

Modern estates typically combine: 

  • Public cloud for scale and agility 
  • Private cloud for specific compliance or performance needs 
  • Hybrid cloud spanning on-prem and cloud 
  • Multi-cloud using several providers. 

Gartner expects 90% of organisations to adopt hybrid cloud by 2027, reflecting the reality that few businesses are “all in” on a single environment. More choice is valuable, but it amplifies governance, integration and cost-management challenges.

Cloud benefits versus migration risks

The benefits of cloud are well documented: agility, scalability, resilience, innovation, access to AI services and more. IDC’s overview of cloud market trends highlights how cloud is now the foundation for data, automation and AI use cases. 

However, without a structured approach, migrations can lead to: 

  • Higher-than-expected operating costs 
  • Outages and performance issues 
  • Security gaps and compliance risk 
  • Stalled programmes and change fatigue.

This is where understanding the main cloud migration challenges becomes essential. 

Most substantial cloud migration challenges (by phase)

Grouping cloud migration challenges by phase of the journey helps you anticipate issues before they derail your programme.

1. Strategy & business alignment challenges

No clear business case

Many migrations begin with a general desire to “move to the cloud” without defining measurable success criteria. Are you aiming for reduced costs, faster product delivery, better resilience, improved security or all the above?

Lift-and-shift by default

Under pressure to move quickly, organisations often default to lift-and-shift. While appropriate in some cases, this often leads to increased cloud costs and disappointed stakeholders once workloads land in an environment they were not designed for.

Misaligned stakeholders

Finance wants predictable spend, IT wants stability and business units want new features tomorrow. Without a shared roadmap and governance model, priorities can easily clash.

How to mitigate these challenges

  • Define a clear business case with KPIs (e.g. target cost savings, uptime, deployment frequency)
  • Involve IT, finance and business leaders from the outset
  • Use a structured migration framework and consider partnering with specialists such as CACI’s cloud, engineering and implementation services to co-create your strategy.

2. Discovery & assessment challenges

Poor application and dependency visibility

It is not uncommon for organisations to start migration planning and then discover that they do not have a complete, up-to-date inventory of applications, databases, integrations and dependencies. Missing a single critical dependency can cause outages when workloads are moved.

Legacy constraints

Older platforms, bespoke middleware and tightly coupled integrations obfuscate cloud migration. Some systems may be out of vendor support or lack documentation.

Underestimating integration complexity

Hybrid and multi-cloud architectures must integrate cleanly with on-prem systems and SaaS applications. Underestimating integration can lead to brittle connections and security gaps.

How to mitigate these challenges

  • Use automated discovery and assessment tools to build a realistic view of your estate
  • Map dependencies visually and prioritise high-blast-radius systems
  • Classify workloads using a structured model (retain, retire, rehost, re-platform, refactor, replace)
  • Consider a Platform Migration approach with expert support, such as CACI’s dedicated Platform Migration service.

3. Architecture & technical challenges

Choosing the right architecture

The breadth of cloud services is both a blessing and a curse. Teams must choose between virtual machines, containers, serverless, managed databases, message queues, data lakes and more, often with incomplete information and tight deadlines.

Performance and latency issues

Network design, data placement and application architecture all influence latency and throughput. Poor decisions in these areas can degrade customer experience and internal system performance.

Vendor lock-in

Leveraging cloud-native services maximises value but may also increase dependence on specific providers. Regulatory and data-sovereignty discussions, particularly in the UK and EU, are causing many organisations to carefully consider portability and digital sovereignty strategies.

How to mitigate these challenges

  • Define reference architectures and guardrails early
  • Run performance tests in pilot migrations
  • Make conscious choices about where you accept lock-in for higher value and where you prefer portability.

4. Cloud migration security challenges

Security is consistently cited as one of the top cloud migration challenges. Government and industry bodies emphasise that cloud— used correctly— can be more secure than on-prem infrastructure. The UK government’s Cloud First policy and accompanying guidance stress the importance of security-by-design, shared responsibility and robust governance.

Identity and access management (IAM)

Misconfigured IAM, overly broad privileges and lack of role-based access control are a major root cause of cloud incidents.

Data protection

Sensitive data must be encrypted in transit and at rest, with careful key management and robust backup and recovery procedures.

Compliance and shared responsibility

Regulated sectors must demonstrate compliance with standards and regulations in a model where security responsibilities are split between provider and customer.

How to mitigate these challenges

  • Establish an IAM strategy with least-privilege access and strong authentication
  • Implement encryption, key management and robust logging from day one
  • Use security posture-management tools and align with public guidance such as the UK cloud guide for the public sector
  • Build security into your cloud platform as part of solution implementation rather than as an afterthought.

5. Data & integration challenges

Moving large volumes of data

Migrating terabytes or petabytes of data without impacting operations requires careful planning. Complex cutover plans, bulk transfer tools and synchronisation mechanisms are often needed.

Data quality and consistency

Inconsistent schemas, duplication and poor data governance can lead to mistrust in analytics and operational systems post-migration.

Integrating cloud with on-prem and SaaS

APIs, message queues and integration platforms must be carefully designed to avoid fragile, tightly coupled connections.

How to mitigate these challenges

  • Treat data migration as a dedicated workstream
  • Clean and reconcile data before moving it
  • Design integration patterns (e.g. event-driven architectures) aligned to your target operating model
  • Draw on lessons from real-world programmes like CACI’s case study on HMCTS Court Store and Bench’s move to AWS.

6. Cost, governance & FinOps challenges

Cloud is often sold as a route to lower costs, but the reality is more nuanced. In 2025, 84% of organisations struggled to manage cloud spend and cost optimisation remains a top priority year after year.

Bill shock and opaque spend

Without robust tagging, budgeting and monitoring, costs can escalate quickly. Bursty workloads, test environments left running and underused instances are common culprits.

Weak financial governance

Traditional budgeting models are not always suited to variable, usage-based pricing. Cloud makes it easy to spend money, but not to spend wisely.

Unclear total cost of ownership

Many organisations underestimate the ongoing cost of running cloud environments, including observability, security, data transfer and platform teams.

How to mitigate these challenges

  • Adopt FinOps principles early, not after migration. A growing number of organisations are doing this specifically to tackle cloud waste and align spend to business value
  • Tag resources consistently to enable accurate cost allocation
  • Use budgets, alerts and dashboards to track spend against KPIs
  • Consider getting external support from cloud specialists such as CACI’s Cloud Services to design your governance model.

7. People, skills & operating model challenges

Skills gaps

Cloud-native, DevOps and automation skills are in high demand. Internal teams may lack experience in designing and operating cloud platforms at scale.

Operating model friction

Existing ITIL-style processes and siloed teams do not always translate well to cloud environments, where continuous delivery and shared ownership are essential.

Cultural change

Cloud is not just a technology shift, but a cultural one. Teams must embrace new ways of working, from infrastructure-as-code to platform teams and product-centric delivery.

How to mitigate these challenges

How to build a cloud migration strategy that avoids these challenges

A structured cloud migration strategy is your best defence against these pitfalls.

Step 1: Define business outcomes and KPIs

Start with the “why”:

  • Cost optimisation (e.g. target percentage reduction in run-rate costs)
  • Improved resilience (e.g. RPO/RTO targets, availability SLAs)
  • Faster time-to-market (e.g. release frequency, lead time for changes)

Better customer and employee experience.

Step 2: Assess your current

  • Catalogue applications, services, databases and integrations
  • Classify each workload by business criticality, technical complexity and risk
  • Identify “quick wins” and high-risk areas needing more design work.

Step 3: Plan migration waves

Avoid trying to move everything at once. Instead:

  • Group workloads into waves with clear objectives
  • Start with lower-risk, high-learning systems
  • Use pilot migrations to refine patterns and tooling.

Step 4: Design your target cloud architecture

Make conscious choices about:

  • Compute models (VMs, containers, serverless)
  • Data platforms (managed databases, data lakes, warehouses)
  • Networking and connectivity (VPNs, private links, SD-WAN)
  • Platform services for security, observability and CI/CD.

Step 5: Embed security and governance upfront

Step 6: Establish a cloud operating model

Clarify:

  • Who owns the central platform
  • How product and application teams consume it
  • How changes are tested, deployed and supported.

This operating model is where the concept of a cloud-appropriate strategy (rather than “cloud at all costs”) really takes shape.

Step 7: Plan for continuous optimisation

Cloud migration is not a one-off event. After cutover, you should:

  • Right-size resources and use auto-scaling
  • Tune performance and storage tiers
  • Modernise where there is clear value
  • Review costs and security posture regularly.

Cloud migration tools, platforms & frameworks

Choosing the right tools reduces risk and effort at each stage of migration.

Discovery, assessment & dependency mapping

  • Infrastructure discovery tools and CMDBs
  • Application performance monitoring (APM) platforms
  • Dependency mapping and visualisation tools.

Data migration & synchronisation

  • Cloud-native database migration services
  • ETL/ELT tools for structured data movement
  • Bulk transfer technologies for large datasets.

Application migration & modernisation

  • Containerisation and orchestration tools
  • Refactoring accelerators and code analysis tools
  • CI/CD platforms to support new deployment models.

Security, compliance & governance

  • Cloud security posture management (CSPM) and policy-as-code
  • Identity and access management, secrets management and HSMs
  • SIEM and threat-detection tooling.

Observability, performance & FinOps (H3)

  • Monitoring, logging and tracing platforms
  • Cost-management and optimisation tools aligned with FinOps practices.

The specific mix will depend on your chosen cloud providers and operating model, but the categories remain consistent.

Cloud migration best practices

This checklist outlines a practical reference throughout your programme:

Pre-migration

  • Business case and KPIs agreed
  • Application inventory and dependency maps completed
  • Migration patterns decided per workload (rehost / replatform / refactor / etc.)
  • Security and governance baselines designed
  • Cost management and tagging strategy defined.

During migration

  • Workloads migrated in waves, with rollback plans
  • Performance and resilience tested in each wave
  • Security controls verified before go-live
  • Costs monitored against forecasts.

Post-migration

  • Workloads rightsized and tuned
  • Modernisation opportunities assessed
  • Security posture and compliance reviewed regularly
  • KPIs tracked and reported to stakeholders.

Measuring cloud migration success: KPIs & metrics

You cannot improve what you do not measure. Useful KPIs include:

Technical

  • Availability and uptime
  • Latency and response times
  • Error rates and incident frequency.

Financial

  • Monthly cloud run-rate vs baseline
  • Cost per transaction or per user
  • Savings from rightsizing or modernisation initiatives.

Business

  • Release frequency and deployment lead times
  • Time-to-market for new features
  • Customer satisfaction or NPS impact.

Security

  • Number of critical vulnerabilities
  • Mean time to detect (MTTD) and mean time to remediate (MTTR)
  • Compliance audit findings.

These metrics help you demonstrate whether your cloud migration is delivering on its promises or whether strategy and execution need to be re-thought.

Turning cloud migration challenges into an advantages with CACI

Cloud has moved from a novelty to a business necessity, but the real differentiator is how effectively your organisation navigates cloud migration challenges: strategy, security, cost, people and operations.

With the right roadmap, tools and operating model, you can turn those challenges into an advantages: more resilient services, faster innovation and a technology foundation ready for AI and future growth.

If you are ready to move from theory to practice, explore CACI’s Cloud, Engineering & Implementation Services and our dedicated Platform Migration and Solution Implementation offerings. You can also learn from real projects in our article on the actual experience of cloud migration for business.

Cloud Cost Optimisation Strategies for 2026: Unlock Actionable Insights

Cloud adoption continues to accelerate across both public and private sectors, and cloud spending has now reached a scale where cost management is a strategic and board-level concern rather than a purely technical issue.

A Gartner study published in late 2024 projected that global public cloud end-user spending would reach approximately USD 723 billion in 2025, underpinned by sustained double-digit growth driven by digital transformation initiatives, large-scale data platforms and accelerating AI adoption.

As organisations enter 2026, cloud is no longer an experimental or discretionary technology choice. It is a core operational dependency underpinning digital services, analytics, AI delivery and mission-critical systems. As a result, cloud costs now represent a material and recurring component of IT, transformation and operational budgets.

At the same time, there is strong and consistent evidence that a significant proportion of cloud spend does not deliver corresponding business value. IDC estimates that 20-30% of all cloud spending is wasted, even in organisations with established cloud platforms and governance practices.

A 2024 cloud efficiency study referenced by Stacklet found that 78 percent of organisations estimate that between 21 and 50 percent of their annual cloud spend is wasted, with many losing more than USD 75,000 per month due to idle resources, inefficient architectures and weak controls.

In 2026, cloud cost optimisation is therefore no longer about reactive cost cutting or short-term savings. It is about financial sustainability, architectural resilience, responsible AI adoption and long-term operational maturity. Organisations that fail to embed cost optimisation into day-to-day cloud operations risk limiting innovation, constraining AI initiatives and eroding confidence at executive and assurance levels.

This guide sets out practical, execution-focused cloud cost optimisation strategies for 2026, combining industry research, FinOps best practice and real-world delivery experience across complex cloud estates.

A practical cloud cost optimisation roadmap for 2026

One of the most common reasons cloud cost optimisation initiatives fail is a lack of sequencing. Organisations often attempt to optimise everything at once, resulting in fragmented effort and limited impact. Successful programmes instead follow a phased approach aligned to FinOps maturity models and operational reality.

Phase 1: Visibility and accountability (weeks 0–4)

The objective of this phase is to understand where cloud spend occurs and who is responsible for it.

Key activities include:

  • defining a consistent, mandatory tagging standard
  • allocating cloud costs to services, teams and business units
  • establishing baseline dashboards, budgets and alerts

Without this foundation, optimisation efforts lack focus and accountability.

Phase 2: Waste removal and early savings (months 1–3)

Once visibility exists, most organisations can realise rapid savings by addressing obvious inefficiencies.

Typical actions include:

  • identifying idle, unused or oversized resources
  • rightsizing the highest-cost services
  • shutting down non-production environments outside working hours

This phase often delivers visible savings within weeks, helping to build organisational momentum.

Phase 3: Structural and architectural optimisation (months 3–9)

This phase addresses systemic inefficiencies that drive recurring cloud cost.

Key activities include:

  • introducing auto-scaling and demand-based architectures
  • applying savings plans and reserved capacity where usage is stable
  • modernising legacy applications that were lifted and shifted without redesign

Phase 4: Prevention, governance and forecasting (ongoing)

Long-term value comes from preventing waste from re-emerging.

This requires:

  • embedding a FinOps operating model
  • automating cost guardrails and policy enforcement
  • forecasting cloud spend based on business demand rather than historical usage

Why cloud cost optimisation matters in 2026

While cloud growth and waste provide the backdrop, several 2026-specific factors have increased the urgency of cost optimisation.

Cloud spend is now structurally embedded

With global cloud spending measured in hundreds of billions of dollars annually, cloud services now represent a permanent operating cost rather than a variable experiment. In 2026, optimisation must be treated as a continuous operational discipline, not a periodic financial exercise.

AI significantly increases cost pressure

AI and advanced analytics workloads are among the fastest-growing contributors to cloud spend. Model training, inference pipelines, vector databases and large-scale data storage require sustained compute, specialised GPUs and high-throughput data movement. Industry analysis reported by TechMonitor highlights AI adoption as a growing driver of cloud overspend when governance is weak

Visibility and governance remain inconsistent

FinOps Foundation surveys consistently show that more than 40 percent of organisations struggle to accurately attribute cloud spend, particularly across hybrid and multi-cloud estates. Without clear ownership, optimisation initiatives lose traction.

Public sector accountability continues to increase

UK government guidance on cloud usage emphasises transparency, value for money and responsible stewardship of public funds. In 2026, demonstrable control over cloud cost is essential for audit readiness, regulatory compliance and maintaining public trust.

Key cloud cost trends shaping 2026

Across analyst research, FinOps community insights and delivery experience, several structural trends are shaping cloud economics in 2026. These trends explain why cloud costs remain difficult to control, even as tooling, skills and platform maturity improve.

Despite years of investment in cloud platforms, cost visibility tools and FinOps capability, cloud waste remains consistently high. This is not primarily due to technical immaturity, but because cloud operating models still incentivise speed and autonomy over financial discipline. Teams are optimised to deliver features quickly, while the financial impact of architectural decisions often remains abstract or delayed.

In 2026, waste increasingly originates from design-time decisions, such as selecting always-on services for variable workloads, duplicating datasets for convenience, or over-allocating resources to avoid performance risk. This shifts optimisation from a purely operational activity to a design and governance challenge, where cost awareness must be embedded earlier in the delivery lifecycle.

AI and data platforms are redefining what “expensive” means in cloud

Historically, cloud cost growth was driven by general-purpose compute and storage. In 2026, the cost profile will be increasingly shaped by specialised, high-performance services. GPU-backed workloads, vector databases, real-time analytics engines and large-scale data pipelines now dominate spend growth, particularly in organisations scaling AI beyond experimentation.

This trend is significant because these workloads behave differently from traditional applications. They are data-intensive and highly sensitive to architectural choices, meaning small design inefficiencies can have disproportionate cost impact. As a result, organisations are finding that traditional optimisation levers are less effective unless they are complemented by AI-aware financial governance and forecasting models.

FinOps is shifting from insight to intervention

FinOps adoption has moved beyond dashboards and retrospective reporting. In 2026, leading organisations will be using FinOps as an active control mechanism, not just an analytical function. This includes embedding financial signals into delivery pipelines, using cost data to inform architectural trade-offs, and aligning spend decisions with business priorities in near real time.

This shift reflects a broader recognition that cost is a first-class operational metric, alongside reliability, security and performance. As FinOps matures, its value increasingly depends on organisational influence and integration, rather than tooling sophistication alone. The challenge for many organisations is no longer visibility but turning insight into enforceable decisions without slowing delivery.

Multi-cloud complexity is now an economic issue, not just a technical one

Multi-cloud strategies have become standard, driven by resilience, policy, supplier strategy and workload suitability. However, in 2026 the cost implications of multi-cloud are becoming more visible. Differences in pricing models, discount structures, data egress costs and managed services make consistent optimisation across providers difficult.

As a result, organisations are increasingly forced to balance strategic flexibility against economic efficiency. This has elevated the importance of cross-cloud financial normalisation, where spend is compared and governed at a service or capability level rather than by provider. Cost optimisation in multi-cloud environments is therefore becoming a portfolio management challenge, not just a technical exercise.

Public sector collaboration is moving from policy to practice

In the public sector, cloud cost management is evolving from guidance and principle-based frameworks into practical, shared implementation. Departments and agencies are increasingly collaborating on standards for cost transparency, FinOps maturity and data sharing, supported by central initiatives and communities of practice.

This trend reflects growing recognition that cloud cost challenges are systemic, not isolated. By sharing tooling patterns, metrics and governance approaches, public sector organisations aim to reduce duplication, improve comparability and strengthen assurance. In 2026, this collective approach is becoming a key enabler of sustainable cloud adoption, particularly as AI and data workloads expand across government.

These trends manifest in a set of recurring challenges that organisations encounter as cloud estates scale.

Common cloud cost optimisation challenges

Despite growing awareness of cloud economics and wider adoption of FinOps practices, many organisations continue to struggle with the same underlying cost challenges. In 2026, these issues persist not because of a lack of technology, but because cloud cost management is as much an organisational and operating-model problem as it is a technical one.

1. Poor visibility and inconsistent allocation

While most organisations collect cloud cost data, many still lack decision-grade visibility. Costs are often visible at an account or subscription level, but not consistently attributed to business services, products or outcomes. This creates a disconnect between cloud consumption and business value.

In practice, visibility breaks down when tagging standards are inconsistently applied, ownership is unclear, or cost data is interpreted differently by engineering, finance and product teams. In 2026, this challenge is compounded by the rise of shared platforms, managed services and AI pipelines, where multiple teams consume the same underlying resources. Without a common allocation model, cloud spend becomes difficult to explain, challenge or forecast, even when dashboards and detailed receipts exist.

The result is a familiar pattern: cost reports are produced, but they do not meaningfully influence decisions.

2. Idle and over-provisioned resources

Idle and over-provisioned resources remain one of the most visible sources of cloud waste, yet they continue to accumulate in mature environments. This is partly because cloud platforms make it easy to provision capacity quickly, but place relatively little friction on leaving it running indefinitely.

In many organisations, responsibility for decommissioning resources is ambiguous. Development and test environments are created for short-term needs but persist long after projects move on. Capacity is deliberately oversized to reduce perceived performance risk, particularly for customer-facing or data-intensive workloads. Container platforms add another layer of abstraction, where unused capacity is less obvious than in traditional virtual machine estates.

By 2026, the challenge is less about identifying individual idle resources and more about preventing sprawl from becoming the default state of cloud environments.

3. Lift-and-shift migrations

Many organisations still operate a significant proportion of workloads that were migrated to the cloud using lift-and-shift approaches. While this accelerates migration timelines, it often locks in cost inefficiencies that persist for years.

Applications designed for on-premise infrastructure typically assume static capacity, peak sizing and tightly coupled components. When moved unchanged to the cloud, these assumptions translate into always-on resources, limited elasticity and higher baseline costs. Over time, teams compensate by over-provisioning to maintain stability, rather than addressing architectural limitations.

In 2026, the challenge is that these workloads often underpin critical services. Their cost impact is well understood, but the perceived risk and effort of refactoring mean optimisation is repeatedly deferred, even as they consume a disproportionate share of cloud budgets.

4. Limited governance and automation

Cloud environments scale faster than traditional governance models. Where policies, approvals and controls rely on manual processes, they quickly become bottlenecks and are either bypassed or ignored.

In many organisations, governance is still applied after resources are provisioned, rather than embedded into how platforms are built and used. This leads to inconsistent enforcement of standards, reactive clean-up exercises and reliance on individual diligence rather than systemic control.

By 2026, the absence of automation will become a cost challenge. Without automated guardrails, organisations struggle to maintain consistent financial control as teams, workloads and environments grow. The result is a cycle of periodic optimisation efforts that temporarily reduce spend, only for inefficiencies to re-emerge.

5. AI and data gravity

AI and data-driven workloads introduce a distinct set of cost challenges that differ from traditional application hosting. These workloads are inherently data-intensive, often requiring large datasets to be moved, duplicated or processed repeatedly across environments.

As models evolve and pipelines become more complex, storage volumes grow, GPU utilisation increases and data transfer costs become more material. Data gravity exacerbates this effect, making it difficult to relocate workloads without incurring additional cost or performance penalties. In many cases, teams optimise for experimentation speed rather than cost efficiency, particularly in early AI adoption phases.

In 2026, organisations are finding that AI cost challenges are not caused by individual services, but by end-to-end pipeline design, where small inefficiencies compound across storage, compute and data movement over time.

Why these challenges persist

Taken together, these challenges highlight a common theme: cloud cost optimisation fails when it is treated as a periodic clean-up activity rather than a core operating discipline. Without clear ownership, aligned incentives and embedded governance, inefficiencies naturally re-emerge as cloud estates and AI workloads continue to scale.

Cloud cost optimisation strategies and best practices for 2026

1. Improve tagging, allocation and cost visibility

What to do
Building on the visibility foundation outlined earlier, define a mandatory tagging standard covering application, owner, environment, cost centre, data classification and compliance context.

How to implement

  • enforce tagging using cloud-native policy tools
  • validate tags in CI/CD pipelines
  • auto-remediate missing metadata

What good looks like

  • over 90 percent of cloud spend accurately tagged
  • monthly showback or chargeback reporting
  • clear ownership of top cost drivers

Organisations often establish this capability as part of a broader cloud landing zone or cloud engineering programme.

2. Adopt continuous rightsizing

Rightsizing should be an ongoing operational activity rather than an annual review.

Effective approaches include:

  • monthly utilisation reviews
  • thresholds such as CPU below 30 percent or memory below 40 percent for sustained periods
  • removal of unused snapshots and volumes

This approach consistently delivers savings without service degradation.

3. Use auto-scaling and demand-based architectures

Auto-scaling ensures capacity aligns with actual demand.

Best practice includes:

  • horizontal scaling for stateless services
  • defined minimum and maximum capacity limits
  • regular load testing
  • automatic shutdown of non-production environments outside business hours

These patterns are commonly implemented during platform migration and modernisation initiatives.

4. Optimise storage and data lifecycle management

Storage costs grow rapidly, particularly for analytics and AI.

Effective strategies include:

  • tiering infrequently accessed data
  • enforcing retention and lifecycle rules
  • archiving logs
  • reducing unnecessary cross-region transfers

These controls are often embedded within data platform and analytics architectures.

5. Align purchasing models with workload patterns

Savings plans and reserved capacity can reduce long-running workload costs by 30–70 percent when applied correctly.

Best practice includes:

  • committing only once usage patterns stabilise
  • targeting utilisation above 70 percent
  • reviewing commitments quarterly

6. Build a mature FinOps operating model

A mature FinOps model includes:

  • a central FinOps capability
  • real-time dashboards
  • shared accountability across engineering, finance and product teams
  • monthly governance reviews
  • demand-based forecasting

Many organisations formalise this capability as a dedicated FinOps and cost optimisation function.

7. Modernise applications to remove architectural waste

Modernisation often delivers greater long-term savings than pricing optimisation alone.

Cloud-native patterns such as containers, serverless and managed services reduce reliance on persistent infrastructure and scale automatically with demand.

8. Optimise AI and advanced analytics workloads

AI workloads require dedicated optimisation strategies.

Effective techniques include:

  • using lower-cost GPU types for development and testing
  • separating training and inference environments
  • tracking cost per inference and cost per model version
  • pruning unused models and datasets
  • monitoring vector database growth carefully

9. Automate cost guardrails

Automation prevents waste before it accumulates.

Examples include:

  • enforcing tagging automatically
  • shutting down idle environments
  • blocking unapproved high-cost services
  • detecting anomalous spend
  • automatically cleaning up unused resources

Cloud cost optimisation with CACI

In 2026, cloud cost optimisation is about predictability, resilience and sustainable innovation, not reactive cost cutting. CACI supports organisations across the full optimisation lifecycle, from rapid waste reduction to long-term architectural transformation and FinOps maturity.

If your organisation cannot clearly explain who owns cloud spend, why costs fluctuate month-to-month, or how AI growth will be funded sustainably, optimisation opportunities already exist. CACI helps organisations move from reactive cost control to value-driven cloud economics that support growth, innovation and public accountability.

FAQs around cloud cost optimisation strategies

What does a cloud cost optimisation strategy include in 2026?

A cloud cost optimisation strategy in 2026 includes cost visibility, architectural efficiency, governance and forecasting, enabling organisations to control spend while scaling cloud and AI workloads. It focuses on embedding cost awareness into design, delivery and operational decision-making rather than reactive clean-up.

How is cloud cost optimisation different from FinOps?

Cloud cost optimisation focuses on reducing waste and improving efficiency, while FinOps is the operating model that makes those improvements sustainable. FinOps aligns engineering, finance and product teams around shared accountability, governance and forecasting.

When should organisations start optimising cloud costs?

Organisations should start optimising cloud costs as soon as cloud usage begins, not after spend becomes excessive. Early optimisation prevents inefficient patterns becoming embedded and reduces long-term cost growth.

How much can organisations save with cloud cost optimisation?

Most organisations can reduce cloud spend by 20 to 40 percent through effective cost optimisation, depending on estate maturity and governance. Savings are highest where idle resources, over-provisioning and legacy workloads are common.

Why do cloud costs keep increasing even after optimisation?

Cloud costs continue to increase when optimisation focuses on one-off savings rather than ongoing governance and demand-based control. New services, data pipelines and AI workloads often grow faster than financial controls evolve.

How do AI workloads affect cloud cost optimisation?

AI workloads increase cloud costs because they rely on high-performance compute, large datasets and repeated processing, which scale non-linearly. This requires AI-specific cost governance and forecasting to remain sustainable.

Is cloud cost optimisation harder in multi-cloud environments?

Cloud cost optimisation is harder in multi-cloud environments because pricing models, discounts and data transfer costs vary across providers. Organisations increasingly manage costs at a service or portfolio level rather than optimising each cloud independently.

Who should own cloud cost optimisation?

Cloud cost optimisation should be a shared responsibility across engineering, finance and product teams, coordinated by a central FinOps or governance function. This ensures cost decisions align with technical and business priorities.

How often should cloud cost optimisation be reviewed?

Cloud cost optimisation should be reviewed continuously using real-time monitoring, with formal governance reviews conducted monthly. This combination enables early detection of anomalies while supporting strategic oversight.

How to strengthen your network security posture

In this Article

When it comes to strengthening your network security posture, doing so is no longer a nice-to-have, but a strategic necessity. The notion of strengthening your network may sound time-intensive and lengthy, however, there are some immediate changes that can lead to quick wins. In this blog, we uncover four key steps IT leaders can take to strengthen network security posture and immediate quick wins that can be achieved upon doing so.  

Four steps to strengthen your network security posture

Security is no longer optional. These four foundational actions will help you reduce risk and build resilience: 

1. Adopt zero trust principles

Zero trust means “never trust, always verify.” Every user and device inside or outside the network must be authenticated and authorised. This approach limits the impact of breaches and is now recommended by the NCSC and leading global providers.  

  • Implement strong authentication for all users and devices.  
  • Segment networks to limit lateral movement.  
  • Continuously monitor for unusual behaviour.  

2. Automate detection and response

Manual processes cannot keep pace with modern threats. Automation can reduce response times by up to 40%, demonstrating its ability to help defenders stay ahead. 

  • Use AI-driven tools for threat detection and alert triage.  
  • Automate patching, backup, and incident response workflows.
  • Regularly test and updated automated playbooks.

3. Operational load

With many IT teams stretched thin, managed network services allow organisations to focus on strategy while experts handle day-to-day operations, monitoring and compliance. 

  • Consider managed firewall, detection and response and vulnerability management services.  
  • Ensure providers offer transparent reporting and clear SLAs.

4. Secure hybrid work

With two-thirds of UK employees working remotely at least part-time, endpoint protection and secure remote access are essential.  

  • Enforce multi-factor authentication for all remote access.  
  • Protect endpoints with up-to-date security software and policies.
  • Educate staff on secure working practices. 

Quick wins: Immediate actions UK IT leaders should take 

Not every improvement requires a major investment or a long-term project. The following actions can quickly reduce risk and strengthen your security posture:  

Enable multi-factor authentication (MFA) 

Multi-factor authentication (MFA) is one of the most effective ways to prevent account compromise, blocking the majority of phishing and credential stuffing attacks.  

  • Enforce MFA for all users, not just administrators.  
  • Use app-based or hardware tokens for stronger protection. 
  • Regularly review and test MFA coverage.  

Read NCSC guidance on MFA  

Patch the basics consistently and quickly

Most breaches exploit known vulnerabilities. Even delays in patching of a few days can be costly.  

  • Maintain an up-to-date inventory of all assets, including cloud workloads and remote endpoints. 
  • Apply critical patches within 14 days, as recommended by the NCSC.  
  •  Automate patch deployment and monitor for failures.  

Back up critical data securely and test your restores

Ransomware is only effective if you cannot recover your data. Secure, tested backups are essential.  

  • Use immutable, offsite or cloud-based backups.  
  • Regularly test restores to ensure data integrity.  
  • Protect backup credentials with MFA and restrict access.

Review firewall rules and access controls

Firewall policies can become cluttered over time with unused or overly permissive rules, creating hidden vulnerabilities.  

  • Schedule regular firewall reviews to remove unused or risky rules.  
  • Align policies with current business needs.  
  • Use automated tools to analyse policies for overlaps and compliance gaps.   

Run a tabletop incident response exercise 

Plans are only effective if teams can execute them under pressure. Tabletop exercises simulate real-world incidents, allowing teams to rehearse roles and identify gaps.  

  • Involve both technical and business stakeholders.  
  • Use realistic scenarios tailored to your organisation.
  • Capture lessons learned and update your incident response plan.  

See NCSC’s guidance on incident response exercises 

How CACI can help enhance your network security

CACI has helped UK businesses protect their networks for decades. From network security to data centre solutions and IT consulting, our expertise delivers secure-by-design architectures, automation, and incident readiness for robust network security.  

Download our 2026 Network Security Survival Guide today to learn more about how your organisation can set its network environments up for success. 

7 steps to strong cloud security

In this Article

The demand for cloud-based offerings has surged following the uptake of hybrid working and evolving customer expectations and digital infrastructure. Businesses that fail to adapt run the risk of being left behind. Understanding the benefits to determine whether cloud adoption is right for you is therefore critical. 

In our previous blogs, we shared the key advantages of cloud adoption and challenges in cloud security. In our final blog of this series, we share integral steps to strengthen your organisation’s cloud security. 

As more businesses adopt cloud technology, primarily to support hybrid working, cybercriminals are focusing their tactics on exploiting vulnerable cloud environments. Over the last year, a report found that 80% of organisations experienced at least one cloud security breach

This issue has been exacerbated by soaring global demand for tech talent. On a global scale, the demand for cybersecurity professionals reaches well into the millions, which is far beyond the current number of working individuals as is. Hiring and training new talent at pace is impossible with this accelerating demand. 
 
It’s a vulnerable time for enterprise organisations, and cloud security is the top priority for IT leaders. Here we consider the critical steps you can take now to make your business safer. 

1. Understand your shared responsibility model

Defining and establishing the split of security responsibilities between an organisation and its CSP is one of the first steps in creating a successful cloud security strategy. Taking this action will provide more precise direction for your teams and mean that your apps, security, network and compliance teams all have a say in your security approach. This helps to ensure that your security approach considers all angles.

2. Create a data governance framework

Once you’ve defined responsibilities, it’s time to set the rules. Establishing a clear data governance framework that defines who controls data assets and how data is used will provide a streamlined approach to managing and protecting information. Setting the rules is one thing, however; ensuring they’re carefully followed is another. Employing content control tools and role-based access controls to enforce this framework will help safeguard company data. Ensure your framework is built on a solid foundation by engaging your senior management early in your policy planning. With their input, influence and understanding of the importance of cloud security, you’ll be better equipped to ensure compliance across your business. 

3. Opt to automate

In an increasingly hostile threat environment, in-house IT teams are under pressure to manage high numbers of security alerts. It doesn’t have to be this way though. Automating security processes such as cybersecurity monitoring, threat intelligence collection and vendor risk assessments means your team can spend less time analysing every potential threat, reducing admin errors and dedicating more time to innovation and growth activities. 

4. Assess and address your knowledge gaps

Your users can either provide a strong line of defence or open the door to cyber-attacks. Make sure it’s the former by equipping staff and stakeholders access to your cloud systems with the knowledge and tools they need to conduct safe practices, such as by providing training on identifying malware and phishing emails. For more advanced users of your cloud systems, take the time to review capability and experience gaps and consider where upskilling or outsourcing is required to keep your cloud environments safe. 

5. Consider adopting a Zero Trust model

Based on the principle of ‘Never Trust, Always Verify’, a Zero Trust approach removes the assumption of trust from the security architecture by requiring authentication for every action, user and device. Adopting a Zero Trust model means always assuming that there’s a breach and securing all access to systems using multi-factor authentication and least privilege. In addition to improving resilience and security posture, this approach can also benefit businesses by enhancing user experiences via Single Sign-On (SSO) enablement, allowing better collaboration between organisations and increased visibility of your user devices and services. However, not all organisations can accommodate a Zero Trust approach. Incompatibility with legacy systems, cost, disruption and vendor-lock-in must be balanced with the security advantages of Zero Trust adoption. #

6. Perform an in-depth cloud security assessment

Ultimately, the best way to bolster your cloud security is to perform a thorough cloud security audit. Having a clear view of your cloud environments, users, security capabilities and inadequacies will allow you to take the best course of action to protect your business. 

7. Bolster your defences

The most crucial principle of cloud security is that it’s an ongoing process and continuous monitoring is key to keeping your cloud secure. However, in an ever-evolving threat environment, IT and infosec professionals are under increasing pressure to stay ahead of cybercriminals’ sophisticated tactics. 

A robust threat monitoring solution can help ease this pressure and bolster your security defence. Threat monitoring works by continuously collecting, collating and evaluating security data from your network sensors, appliances and endpoint agents to identify patterns indicative of threats. Threat alerts are more accurate with threat monitoring analysing data alongside contextual factors such as IP addresses and URLs. Additionally, traditionally hard-to-detect threats such as unauthorised internal accounts can be identified. 

Businesses can employ myriad options for threat monitoring, from data protection platforms with threat monitoring capabilities to a dedicated threat monitoring solution. However, while implementing threat monitoring is a crucial and necessary step to securing your cloud environments, IT leaders must recognise that a robust security programme comprises a multi-layered approach utilising technology, tools, people and processes. 

Download our Cloud Security Assessment Checklist and discover proven strategies to strengthen your defences in our comprehensive guide.

Cloud innovation trends: Why optimisation must come first

In this Article

Cloud innovation trends: Why optimisation must come first

In the race to modernise, many businesses make a critical mistake: innovating before optimising their cloud infrastructure. It’s an easy trap to fall into – new technologies promise speed, agility and competitive advantage. However, without a solid foundation, those promises can quickly unravel.

So, what difference will optimisation make to cloud innovation? How do complex hybrid environments affect optimisation and what are the repercussions of innovating too soon?

Why optimisation should come first

Cloud optimisation isn’t just a technical exercise – it’s a strategic imperative. Before you invest in AI-driven tools, advanced analytics or multi-cloud deployments, you need to ensure your existing environment is efficient, secure and cost-effective. Otherwise, innovation becomes a gamble rather than a growth driver.

How the complexity of hybrid environments affects optimisation

Modern IT landscapes are rarely simple. Most organisations operate in hybrid environments, combining:

  • Cloud-native workloads
  • Semi-native applications
  • Containerised services
  • Legacy systems migrated via IaaS.

This mix introduces complexity that can quietly erode ROI and performance. Without optimisation, you risk inefficiencies that undermine every future initiative.

Common pitfalls of innovating too soon

When businesses rush to innovate without first optimising, they often encounter:

Duplicated workloads

Hybrid setups frequently lead to duplication of environments or services, especially when containerised and legacy systems overlap with cloud-native tools. This consumes bandwidth and burdens IT and DevOps teams with managing multiple versions of the same workload.

Latency issues

Poor workload distribution across cloud environments increases latency, slowing response times and masking compliance or security issues. For customer-facing applications, this can directly impact user experience and brand reputation.

Security saps

Unoptimised containerised and legacy workloads are vulnerable to governance and compliance risks. Differences in data storage and flow between environments complicate tracking, while unresolved legacy issues can carry over post-migration.

Mounting costs

With up to 30% of cloud spend wasted, inefficiencies inflate monitoring and security costs, draining budgets that could fund innovation.

Why this matters now

Cloud strategies are under pressure to deliver more – faster, cheaper and greener. Without optimisation, businesses risk inefficiency, higher costs and vulnerabilities that stall progress. In an industry where every second counts, building on shaky ground isn’t just risky, it’s expensive.

How to get started

Before chasing the next big trend in cloud innovation, take time to:

  • Audit your current architecture: Maintain visibility by understand what’s running, where and why.
  • Identify duplicated workloads and inefficiencies: Determine whether any services or resources are the cause behind draining budgets.
  • Align resources with business priorities: Ensure any spending on cloud innovation drives value for the business.
  • Implement governance and security best practices: Establishing best practices early on will ensure that innovation is scaled effectively.

This foundation ensures innovation is sustainable, not just a short-term fix.

The CACI approach: Building a cloud that enables innovation

Ready to build a cloud foundation that enables innovation?

Don’t leave your cloud strategy to chance. Our specialist cloud architects and optimisation experts have helped leading organisations modernise, streamline and unlock innovation without compromise. Contact us today to start your cloud optimisation journey.

Case study

How CACI helped Network Rail develop & manage an open data service

Summary

National Rail Open Data (NROD) provides the public with access to a large number of operational data feeds to encourage both greater interest in rail and the development of innovative products that are of use to passengers and the rail industry. CACI processes and manages the NROD platform with the aim of providing continual and easy access to users.

Company size

42,000

Industry

Transport

Products used

Challenge

Network Rail provides a variety of data in different formats from XML, JSON and rail proprietary data structures. These are received with varying levels of frequency from static data to real-time data updated at up to 100 messages per second during peak hours. Our instruction from Network Rail was for the data to be made available with no obfuscation or filtering applied to make it as accessible and easy to use as possible.

Icon - Magnifying glass showing a warning symbol

Varied data formats

Icon - Illustrative workflow

Inconsistent frequency

Icon - Hands holding a heart

Need accessibility

Solution

To achieve this, we offered options for users by providing some conversions (such as to JSON) and enriching data with metadata. We also used AWS infrastructure and highly available components like AWS ECS (Elastic Compute Service) and S3 (Simple Storage Service) to improve access and availability.

Users were provided a portal for account management, allowing them to change details such as their username and password and access links to documentation and endpoint information for the data to aid their use and interpretation. A separate portal manages access for industry clients invited by Network Rail, allowing them to connect to a more stable platform for use in industry applications.

Results

NROD is now used by an engaged, passionate community of over 600 registered users who apply the data in a variety of ways. Since the data was first made available, a range of websites and apps have been created, including Open Train Times, which provides real-time arrival and departure information for each train company and helps passengers plan their journeys, along with Recent Train Times, demonstrating individual trains’ performance and helping users assess the punctuality of different train services to plan their journeys accordingly.

CACI has been collaborating with industry clients and representatives of the broader public client community in a working group to give updates and receive feedback on how best the community can be served. We also discuss enhancements and how to collaborate to address users’ needs at quarterly meetings.

A Grafana dashboard has been developed to keep users informed on the system’s status, including message rates, message latency of the main feeds and an update field showing system downtime updates.

To ensure NROD is accessible to as many audiences as possible, we have worked with Network Rail to provide the same data within the Rail Data Marketplace (RDM), adding to the 100+ other rail data products now available on this platform.

Case study

HMCTS Court Store and Bench Moves to AWS

Summary

The HMCTS Court Store and Bench applications have historically been hosted on the UKCloud’s elevated platform, managed and supported by CACI. In 2021 however, the decision was taken to move the hosting of these projects onto the
AWS platform, with ongoing support in the new environment. CACI was tasked with ensuring the move was achieved in as short a time frame as possible whilst observing the highest level of security.

Company size

18,500

Industry

Government

Challenge

Due to the complexity of the UKCloud solution and application software stack, we decided to migrate the solution in its existing state from UKCloud to AWS. The environments consisted of four AWS accounts and eight Virtual Private Cloud environments. The approach was to split the project into two stages.

In view of the tight timescales, the order of this migration was to first focus on production, with the pre-production environment to be established after go-live. This order was acknowledged by all parties that whilst being far from ideal, there was no alternative. One of the biggest challenges was the volume of data to be migrated from one cloud provider to the other: in excess of 20Tb.

Icon - A hand holding a cog

Stage one environments

Production, sandbox and performance

Icon - Illustrative cog

Stage two environments

Pre-production

Solution

The migration project consisted of several phases:

  • Provisioning a base AWS Infrastructure and protective monitoring setup
  • Export of Virtual Machines in UKCloud and import into AWS as AMIs
  • Provisioning/cloning of AMIs
  • Re-configuration of the application stack, on-VM protective monitoring/backups and internal operability testing
  • Intersystem Connectivity and Operation, Connectivity Testing
  • Configuration of G-Suite and novation of domain from MoJ to CACI
  • End-user testing
  • IT Health Check
  • Operational Readiness Testing
  • Data Migration

CACI’s role was as follows:

  • Solution design
  • Migration plan
  • Infrastructure and protective monitoring
  • Import of Virtual Machine images and data transfer
  • Testing: OAT, ITHC
  • Cutover
  • Overall project management, including other parties: SopraSteria, HMCTS and other MoJ departments

Results

HMCTS can now continue to run its Court Store and Bench operations in the knowledge there is little likelihood of a breakdown in service.

Based on CACI’s experience of migrating similar workloads, this move to AWS also achieved other improvements such as:

  • Use of infrastructure as code: better change management, less human error, increase of delivery quality and reduction in build time
  • Use of AWS security services to increase view of security posture and simplify implementation of some security controls (e.g. encryption, identity and access management)

Other highlights:

  • Completed the project two months ahead of time
  • Ongoing data storage cost savings are in the region of 65%
Two colleagues working together with a bright blue cloud representing the digital cloud in front of them

The top 6 business benefits of cloud adoption

In this Article

Cloud adoption is no longer seen as a means for storage, but a foundation for intelligent business capabilities. Businesses that have adopted the cloud are able to reap benefits far beyond cost savings, enhancing operational flexibility, enabling faster disaster recovery and much more. In the first blog of our cloud security series, we explore the key advantages of cloud adoption. 

Flexibility

Cloud infrastructure is the key to operational agility, allowing you to scale up or down to suit your bandwidth needs. The pay-as-you-go model offered by most cloud service providers (CSPs) also means that you pay for usage rather than a set monthly fee, making IT spending a more manageable operational expense. The ability to scale resources according to demand also ensures performance will be optimal during peak times and eliminate waste during downtime. 

Reduced cost

Kind to your cash flow, cloud computing cuts out the high hardware cost. The availability of the aforementioned pay-as-you-go models can significantly cut costs. Not to mention the cost-savings of reduced resources, lower energy consumption and fewer delays.  

Disaster recovery

From natural disasters to power outages and software bugs, if your data is backed up in the cloud, it is at a reduced risk of system failure as the servers are typically far from your office locations. You can recover data anywhere to minimise downtime by logging into the internet’s cloud storage portal. 

Accessibility

We’ve all heard that the office is dead. Workers want the ability to work anytime, anywhere. With cloud (and an internet connection), they can. The cloud enables workforces to be distributed through secure access to data and applications from any location, which is critical in today’s hybrid working world. 

Greater collaboration

Cloud infrastructure makes collaboration a simple process, changing the parameters of how and where teams can work. The cloud can drastically improve workplace productivity, from online video calls to sharing files and co-authoring documents in real-time. It offers a centralised, secure and real-time working environment that bolsters communication and helps streamline workflows. These cloud-native applications are designed to make our lives more efficient through greater collaboration.  

Strategic value

Ultimately, businesses that have adopted the cloud typically experience greater cost efficiencies, faster speed to market and enhanced service levels. Adopting the cloud not only reimagines business models and builds resilience but also enables organisations to be agile and innovative. For example, adopting DevOps methodologies can be an essential element for businesses looking to get ahead of their competitors. 

But what about security? Earlier this year, a reported 61% of organisations felt security and compliance were their primary barriers to cloud adoption. Rushed application and the resulting lacklustre security have only intensified security concerns as cybercriminals increasingly target cloud environments. 

Download our comprehensive guide to cloud security and start securing your cloud today.

Why Security and Compliance Must Be Built into Your Cloud Strategy from Day One

In this Article

Cloud computing continues to be the engine of digital transformation for organisations across the UK. It enables agility, scalability and innovation, but it also introduces new risks. As cloud adoption accelerates, many IT leaders are discovering that overlooking security and compliance early in the journey can have serious consequences. 

For IT Directors, Digital Transformation Leads, Heads of Innovation and CTOs, embedding security and compliance from the outset is no longer a technical preference – it’s a strategic necessity. 

Cloud security & compliance: More than just technical checkboxes

Security and compliance are often treated as items to be ticked off once workloads are live, but this reactive approach can leave organisations exposed. From GDPR violations to data breaches and operational downtime, the risks of neglecting these areas are significant. 

Regulatory frameworks are becoming more complex and digital sovereignty is increasingly under scrutiny. If sensitive data is stored in the wrong region or accessed without proper controls, the fallout can be severe – both financially and reputationally. Security and compliance must be considered as foundational elements of cloud architecture, not optional extras. 

How cloud security & compliance gets overlooked in the rush to innovate

In many cases, cloud security failures aren’t the result of negligence – they’re the by-product of speed. Teams move quickly to deploy new services, often bypassing governance in favour of agility. This can lead to misconfigured resources, overly permissive access controls and a lack of visibility into where data resides and who can access it. 

Shadow IT is another common issue. When departments provision their own cloud tools without central oversight, it becomes difficult to enforce consistent security policies. Over time, this decentralised approach creates a fragmented environment that’s hard to monitor and even harder to secure. 

Architecting for security from the start

A secure cloud environment begins with a well-defined architecture. At CACI, we use frameworks like AWS’s Well-Architected and Microsoft’s Cloud Adoption Framework to guide organisations in building resilient, compliant cloud foundations. These frameworks are informed by thousands of real-world deployments and help define what “good” looks like in cloud security. 

Whether migrating legacy workloads, building cloud-native applications or operating in a hybrid model, the architecture must reflect the unique risks and requirements of each scenario. Security isn’t one-size-fits-all: it must be tailored to the workload, the data and the business context. 

Shift left: Embedding security into the development lifecycle

One of the most effective ways to reduce risk is to integrate security early in the development process – a practice known as “shifting left.” By embedding security into CI/CD pipelines, teams can identify vulnerabilities before workloads reach production, reducing rework and accelerating delivery. 

This proactive approach ensures that workloads are secure by design, not just secure by default. It also fosters a culture of shared responsibility, where developers, architects and security teams collaborate from the beginning rather than retrofitting controls later.

Defence in depth & limiting blast radius

Modern cloud threats require layered protection. Defence in depth introduces multiple safeguards across the environment, so if one control fails, others remain intact. This approach is particularly important in multi-cloud or hybrid environments, where complexity can increase exposure. 

Equally critical is the concept of limiting blast radius, which ensures that if one asset is compromised, it doesn’t jeopardise the entire environment. Segmenting workloads, applying fine-grained access controls and enforcing least privilege principles all help contain threats and reduce lateral movement. 

Even small missteps like sharing credentials or resetting machines without proper controls can introduce vulnerabilities. Architectural discipline is key to maintaining a secure posture. 

Landing Zone Accelerators: Secure foundations at speed

For organisations looking to move quickly without compromising security, Landing Zone Accelerators (LZAs) offer a fast-track to secure cloud environments. These pre-configured environments provide guardrails, segmentation and automated policy enforcement from day one. 

Rather than granting broad permissions to “just get things working,” LZAs encourage incremental, secure buildouts that maintain architectural integrity. They help teams avoid the temptation to open everything up and instead focus on building with security embedded throughout. 

Cloud security & compliance are continuous disciplines

Security and compliance aren’t one-time tasks – they’re ongoing disciplines. Cloud environments are dynamic, with new workloads, users and integrations added regularly. Each change introduces potential risk, which is why continuous monitoring, automated patching and regular reviews are essential. 

Tools like AWS Security Hub, GuardDuty and Inspector can help maintain visibility and enforce policies across the workload lifecycle. However, tools alone aren’t enough.

Organisations need a strategy that combines automation with governance and cultural alignment.

The CACI approach: Secure by design, resilient by default

At CACI, we help organisations build secure, scalable cloud environments that support long-term growth. Our approach is grounded in architectural best practices, automation and real-world experience. We start by understanding your current environment, identifying risks and designing frameworks that embed security and compliance from the outset. 

We don’t just implement tools; we build strategies. From governance frameworks to workload segmentation and continuous optimisation, we provide the support needed to stay secure, compliant and resilient in a fast-moving digital landscape. 

Want to explore how your organisation can build a secure cloud foundation that enables innovation? 
Speak to our cloud architecture specialists today.