Engaging Hyperscaler AI: AWS, Azure, and Google Cloud as AI Vendors — What Enterprise Buyers Need to Know

The three hyperscalers — Amazon Web Services, Microsoft Azure, and Google Cloud — are now the largest AI vendors by revenue and the default AI procurement choice for most enterprises. Each provides foundation model access, AI infrastructure, and AI-specific managed services. For enterprise buyers, hyperscaler AI offers the path of least resistance — existing commercial relationships, established procurement processes, integrated identity and access management, and the operational maturity expected of critical infrastructure providers. But hyperscaler AI is not a default low-risk choice. The specific governance considerations matter, and the contract terms differ from standard cloud services. This guide covers the practical engagement framework.

The three offerings

Amazon Bedrock: managed foundation model service offering access to Anthropic Claude, Meta Llama, Mistral, Amazon Titan, Cohere, Stability, and AI21 models. Bedrock provides a unified API, model evaluation tools, knowledge bases for RAG, agents, and guardrails. Bedrock data handling: AWS confirms customer prompts and outputs are not used to train Amazon models or shared with model providers; this is contractually committed via AWS Service Terms. Bedrock supports specific compliance attestations: SOC, ISO 27001, HIPAA eligibility, PCI DSS, FedRAMP (some models). Bedrock Guardrails provides content filtering, denied topics, PII redaction, and contextual grounding checks. Microsoft Azure OpenAI Service + Azure AI Foundry: managed access to OpenAI models (GPT-4o, GPT-4.5, o1, o3, GPT-5 family) with enterprise contracts replacing OpenAI's consumer terms. Azure OpenAI provides Microsoft-managed data handling: customer prompts and outputs are not used to train OpenAI models, are not shared with OpenAI, and are processed in Azure tenancy. Azure AI Foundry adds model catalog (extending beyond OpenAI), evaluation, and agent capabilities. Microsoft offers a broad compliance program: SOC, ISO 27001, ISO 27017, ISO 27018, HIPAA, FedRAMP High, IRAP (Australia). Google Vertex AI + Model Garden: managed access to Gemini family models, plus third-party models (Anthropic Claude, Meta Llama, Mistral, AI21). Vertex provides similar enterprise data handling, evaluation tools, agent builder, and Vertex AI Search. Compliance program similar to peers.

Data residency and sovereignty

Data residency matters particularly for Australian Government, EU public sector, financial services, and healthcare customers. AWS operates Australian regions (Sydney, Melbourne) with Bedrock availability varying by model; check the specific model and region combination for any deployment. AWS has IRAP assessment for relevant services. Azure operates Australian regions and has IRAP PROTECTED for many services; Azure OpenAI availability varies by region and model. Google Cloud operates Australian regions (Sydney, Melbourne); Vertex AI availability varies. For EU customers: all three hyperscalers operate EU regions; Sovereign Cloud offerings exist (Microsoft Cloud for Sovereignty, AWS European Sovereign Cloud announced for late 2026, Google Cloud sovereign offerings). Customers must verify specific service and region availability rather than assuming hyperscaler-wide claims apply to specific AI services.

Contract terms that matter

Key contract terms for hyperscaler AI engagement: training data exclusion — explicit confirmation that customer prompts and outputs are not used to train models. All three hyperscalers commit to this in standard terms; verify in your specific contract. Data processing location and residency — confirm where data is processed for each AI service used. IP indemnification — AWS, Microsoft, and Google all offer IP indemnification for AI-generated content under specific conditions; read the actual indemnification provisions carefully (typical conditions: using guardrails/safety features, not disabling content filtering, paying customer status). Audit rights — typically through third-party attestations rather than direct customer audit; some agreements allow direct audit on negotiation. Material change notifications — particularly for foundation model providers, model updates can change capability profiles. Liability allocation — standard hyperscaler liability caps apply; negotiation possible for material customers.

Governance documentation

Hyperscaler AI governance documentation typically includes: SOC 2 Type II reports, ISO 27001 certification, ISO 27017/27018, HIPAA attestation, FedRAMP authorisation (US public sector), IRAP (Australian Government), Cyber Essentials Plus (UK), Cloud Security Alliance STAR. ISO/IEC 42001 status is the new variable — AWS, Microsoft, and Google are all working toward ISO 42001 certification but completion status varies by service and date. AI-specific documentation: AWS AI Service Cards, Microsoft Transparency Notes, Google Vertex AI model cards. These are increasingly necessary for enterprise customer governance documentation.

Foundation model marketplace considerations

Hyperscaler foundation model marketplaces (Bedrock, Azure AI Foundry, Vertex Model Garden) raise specific considerations. Multiple models: customers can deploy multiple foundation models through a single hyperscaler relationship — useful for diversification and use case fit. Underlying provider relationships: while data does not flow to underlying model providers (Anthropic, Meta, Mistral, etc.), the model itself is provided by those parties — their licensing terms, model card, and behavioural characteristics apply. Cost optimisation: different models suit different use cases; hyperscalers provide model evaluation tools to support selection. Vendor lock-in: while foundation models themselves are increasingly portable, the surrounding tooling (agents, knowledge bases, guardrails, integration) creates hyperscaler-specific dependencies; consider exit and portability when architecting AI workloads.

Practical engagement framework

Recommended engagement framework: (1) Map AI use cases to hyperscaler services. (2) Confirm data residency and compliance attestation for each specific service-region combination. (3) Confirm training data exclusion in writing. (4) Read IP indemnification terms and confirm preconditions are met by your deployment. (5) Use hyperscaler guardrails and safety features as appropriate to use case. (6) Document model cards / transparency notes for each model deployed. (7) Establish model update monitoring (capability shifts at vendor pace). (8) Integrate with your AI inventory and risk register. (9) For regulated customers, confirm material service provider classification under CPS 230 or equivalent. (10) Maintain exit and portability planning.

Useful third-party resources

• Amazon Bedrock — AWS foundation model service
• Azure OpenAI Service
• Google Cloud Vertex AI
• AWS Compliance Programs
• Microsoft Compliance
• Google Cloud Compliance

Related reading on AIRiskAware

• Engaging AI Vendors: Enterprise Buyer Guide
• AI Vendor Evaluation Scorecard
• Safe AI Tool Selection 2026
• Microsoft Copilot Safe Enterprise Use
• For GRC Teams