data scientists,

After a decade of near-frictionless SaaS adoption, many enterprises are making a move that can look counterintuitive: they are not leaving the cloud, but they are reclaiming control within it. It is a rational response to two things. First, a new set of constraints (data sovereignty, the U.S. CLOUD Act, GDPR, sector-specific rules). Second, an operations skill set that is now standard in most industries: Infrastructure-as-Code, Kubernetes, and mature observability have significantly narrowed the operational gap that once made “just use SaaS” the default answer.

The strategic question is no longer “SaaS or on-prem?” It’s “who truly controls our infrastructure and data?” The emerging answer is a family of controlled-cloud operating models, including self-managed or hybrid deployments, that combine the scalability of the cloud with the autonomy and trust historically associated with on-premises systems. In parallel, we’re seeing a resurgence of self-hosted and air-gapped architectures for workloads where confidentiality, integrity, and performance cannot be compromised.

Control Moves Back to the Center

A decade ago, the primary risk was moving too slowly. Teams were out-innovated by competitors who embraced SaaS with its promise of instant upgrades and zero maintenance. Today, the risk calculus has changed. Global enterprises must prove where data lives, who can access it, and how changes are authorized. Boards demand transparency on SBOMs, signing, patch cadences, secrets management, and blast-radius scenarios. Regulators don’t care about your vendor’s slide deck; they care about your evidence.

Meanwhile, the operational competence inside enterprises has dramatically improved. Platform engineering and SRE are now common roles in companies of every size, including smaller ones. Policy-as-code, Git-based workflows, and containerized runtimes have turned what used to be artisanal operations into software-defined routines. The benefits that once made multi-tenant SaaS the obvious choice, speed and simplicity, no longer require handing over the keys to your kingdom.

The Real Choice: Who Runs the Planes?

The most useful way to think about deployment is through two planes:

  • Control plane: who governs configuration, identity, policy, and upgrades.
  • Data plane: where workloads and data actually run.

Vendor-managed SaaS centralizes both. It remains the right choice when time-to-value is important and data sensitivity is low. But many enterprises now favor models where the data plane stays entirely within their boundary, and often the control plane does, too. Hybrid setups, where the vendor provides software while customer-owned workers operate inside the customer’s VPC/VNet, have become a pragmatic middle path. Self-hosted and air-gapped go further, placing both planes under customer control. The largest organizations will use all four patterns across their portfolios; the art is deciding which model each workload deserves.

What Changed Under the Hood

Four shifts made this return to control realistic:

  • Everything-as-Code. Infrastructure, pipelines, policies, and dashboards are declarative and reviewable. Change control becomes a pull request managed through CI/CD best practices.
  • Kubernetes and universal runtimes. Packaging and scheduling are standardized across public cloud and private infrastructure, lowering the cognitive tax of “running it yourself.”
  • Identity-first security. SSO/RBAC, workload identities, and KMS-backed secrets align governance with delivery. Guardrails travel with the workload.
  • Observability by default. Metrics, logs, traces, and append-only audit streams are part of the golden path, not an afterthought.

These ingredients don’t make operations easy; they make them repeatable. And repeatability is what regulators, security teams, and customers trust.

Where Self-Managed Models Shine

  • Sovereignty with proof. Data residency becomes a system. Keeping processing “in place” with first-party IAM and KMS simplifies the story you tell auditors and customers.
  • Complex, hybrid estates. Real enterprise workflows cross firewalls, private links, and legacy systems. Bringing the platform to the data is often easier than forcing data through someone else’s architecture.
  • Latency and locality. Edge and OT environments, trading systems, and safety-critical applications don’t negotiate with physics. Proximity and placement control still matter.
  • Security posture. Incident response is faster when your team owns the control plane: your logs, your identities, your keys, your procedures. “We run it, we see it, we prove it.”

This doesn’t banish SaaS. It clarifies its role: net-new, non-sensitive workloads; pilot exploration; or components whose value is scale itself. The mature posture is selective centralization, not dogma.
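The “Everything-as-Code” and “Sovereignty with proof” points above describe guardrails that are reviewed in a pull request rather than enforced by hand. The following is an added example, not Kestra’s code or any product’s API: a small policy-as-code check that evaluates a declarative deployment manifest against residency, secrets-handling, and audit-stream rules before the change is merged. The manifest keys (`data_plane`, `workers`, `secrets`, `audit`), the region allowlist, and the sample manifests are all constructed for illustration.

```python
"""Policy-as-code guardrails for a deployment manifest (added example, assumed schema)."""
from dataclasses import dataclass

# Constructed residency allowlist: regions where the data plane may run.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}


@dataclass(frozen=True)
class Violation:
    rule: str
    detail: str


def check_manifest(manifest: dict) -> list[Violation]:
    """Return every guardrail violation found; an empty list means the change may merge."""
    violations: list[Violation] = []

    data_plane = manifest.get("data_plane", {})
    # Rule 1: the data plane must stay inside the customer's own boundary.
    owner = data_plane.get("owner")
    if owner != "customer":
        violations.append(Violation("data-plane-owner", f"owner is {owner!r}, expected 'customer'"))

    # Rule 2: every worker pool must sit in an approved residency region.
    for worker in data_plane.get("workers", []):
        region = worker.get("region")
        if region not in ALLOWED_REGIONS:
            violations.append(Violation("residency", f"worker {worker.get('name')!r} runs in {region!r}"))

    # Rule 3: secrets are KMS references, never literal values committed to the repo.
    for name, secret in manifest.get("secrets", {}).items():
        if "value" in secret:
            violations.append(Violation("inline-secret", f"secret {name!r} carries a literal value"))
        if not secret.get("kms_key"):
            violations.append(Violation("kms-missing", f"secret {name!r} has no KMS key reference"))

    # Rule 4: an append-only audit stream must be configured, so the evidence exists later.
    audit = manifest.get("audit", {})
    if not audit.get("sink"):
        violations.append(Violation("audit-sink", "no audit sink configured"))
    if audit.get("append_only") is not True:
        violations.append(Violation("audit-append-only", "audit stream is not append-only"))

    return violations


# Constructed manifest that satisfies every rule.
COMPLIANT = {
    "data_plane": {
        "owner": "customer",
        "workers": [
            {"name": "etl-a", "region": "eu-central-1"},
            {"name": "etl-b", "region": "eu-west-1"},
        ],
    },
    "secrets": {"db": {"kms_key": "alias/constructed-db-key"}},
    "audit": {"sink": "s3://constructed-audit-bucket/", "append_only": True},
}

# Constructed manifest with drift: vendor-owned data plane, a worker outside the
# allowlist, an inline secret with no KMS key, and a disabled audit stream.
DRIFTED = {
    "data_plane": {
        "owner": "vendor",
        "workers": [
            {"name": "etl-a", "region": "eu-central-1"},
            {"name": "etl-b", "region": "us-east-1"},
        ],
    },
    "secrets": {"db": {"value": "constructed-plaintext"}},
    "audit": {"sink": "", "append_only": False},
}


if __name__ == "__main__":
    for label, manifest in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        found = check_manifest(manifest)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for v in found:
            print(f"  [{v.rule}] {v.detail}")
```

Run as a CI step on the manifest a pull request changes, the check fails the merge on any violation, which is what turns “data residency becomes a system” from a slogan into reviewable evidence.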

What This Means for Vendors, and for Ops

SaaS hasn’t failed; it has evolved. The next era belongs to vendors who can deliver the same product across control-plane choices: managed SaaS, hybrid, self-hosted, air-gapped, without diluting developer experience or governance. Customers are telling us, in clear terms: let us decide where control lives; make every option feel first-class.

At Kestra, we chose a path aligned with that reality: run where the customer needs, in their cloud, on-prem, air-gapped, or as a managed service, while keeping everything-as-code and multi-cloud by design. Platform teams deserve tools that respect sovereignty, identity, and state-of-the-art operations.

The job of leadership is to make that choice explicit, to fund the platform discipline that makes it sustainable, and to insist on evidence that the system behaves as designed.

In the moments that matter (an audit, an incident, a critical release), you either own your plane, or you’re a passenger.
