Complete Edition · July 2026
Public document · CC BY-NC-SA 4.0
It all started with an invoice — two datacentres costing four times less than the managed services replacing them, and technical lock-ins no migration could break. From that confrontation came a response : publications, a satirical series, legal analyses, up to a corpus of over seven hundred pages — Operation Dindon.
That corpus was refined three times, as gold is refined : into ten thematic Volumes, then into a 34-page Grimoire, translated into 21 languages. This volume you are holding gathers the entire work — the synthesis, the depth, the source, and the training that turns the thesis into skill.
None of this was written alone. Claude (Anthropic) drafted, Gemini (Google) audited without concession, Amine arbitrated. Three filters, in that order, as many times as necessary.
This book reads as a progressive descent, from the most condensed to the rawest, then toward practice :
34 pages that lay out the central thesis and its general map. Read first to understand the whole.
Ten studies that take each capture mechanism in detail, with its evidence and its acknowledged limits.
The raw material, unabridged : over seven hundred pages of investigation from which everything else is drawn.
The training programme that turns the thesis into real skill, 26 weeks, from the electron to Kubernetes.
Each part can be read alone. The paginated index is at the end of the book.
Four concentric circles of dependency — matter, law and software, information, the human — condensed into 34 self-contained pages. The third refinement of the Dindon Corpus, translated into 21 languages.
No digital sovereignty is possible without mastery of the hardware. This treatise is the third refinement of the Dindon Corpus: over seven hundred pages of investigation, condensed a first time into ten thematic volumes, themselves distilled here a second time into four concentric circles of dependency — from physical matter to thought — to immunize the architect, the decision-maker, and the engineer against the risk of expropriation. Vendors force no one into capture: lock-in is consented to through ignorance of the physical and economic laws of infrastructure. This book is the mirror that destroys that ignorance, and reads without requiring any other source.
At the start of 2026, Amine, taking on the role of interim Head of SRE, gains access to the real numbers behind cloud costs. Until then he managed two physical sites, capable on their own of hosting all the infrastructure entrusted to GCP and AWS. He discovers that the cost of managed services — GKE, RDS, egress fees — runs to roughly four times what the two physical sites would have cost to replace them.
He then attempts repatriation to the datacenter, relying on refurbished hardware. The migration runs into irreversible commit lock-ins — the technical enclosure closes before the switch can be completed.
From this confrontation comes a presence on LinkedIn: posts against hyperscaler practices, a satirical series — The Legend of Dindon — poems, songs, an attempt to wake the sleepwalkers.
On May 8, 2026, convinced that artificial intelligence can equalize the power of communication, Amine launches a humorous, satirical offensive against the hyperscaler trio — satirical poems, songs in every musical style.
From this production comes the idea of comedic reputational-risk studies for each hyperscaler. Then the idea of analyzing their terms of service against the law of France, the UK, and Germany. After each legal analysis, a new idea appears.
The corpus grows this way, study after study, until it counts over seven hundred pages devoted to digital sovereignty — the Dindon Corpus.
Once the corpus is assembled, Amine synthesizes it into ten volumes, each covering a distinct stratum of infrastructural capture.
With the ten volumes complete, Amine asks the artificial intelligence to extract their common substance, refined into a single treatise summarizing all the findings of Operation Dindon.
This treatise is that final refinement.
This treatise gathers, in a single fully self-contained document, four concentric circles of dependency. Every mechanism is explained here in full — no external reading is required to follow the argument.
Lock-in is never forced — it is consented to through ignorance of the physical and economic laws of infrastructure.
The enclosure begins in matter, before any software, before any contract. This first circle documents three strata of physical and financial dependency: silicon itself, the scale barrier of centralized inference, and the accounting engineering that turns ease of spending into the disarming of the engineer.
No abstraction without silicon. Sovereignty begins where one holds the right to switch the machine off.
Owning your silicon, your server, and your datacenter is worth nothing if the person who understands that matter has no right to say no.
Extreme ultraviolet lithography (EUV) is the only technology able to produce chips below 7 nanometers. A single Dutch company is the world's sole manufacturer of EUV machines — one machine costs roughly 150 to 200 million euros and weighs 180 tonnes; no alternative exists, not in China, not in Russia, not anywhere else in Europe. Downstream, a single Taiwanese foundry produces roughly 90% of the world's advanced chips, on an island exposed to well-documented structural geopolitical tension. Concrete consequence: any organization, however much bare metal it owns, ultimately depends on this manufacturing chain for its next hardware purchase.
Since 2008, every processor from one of the two major x86 manufacturers embeds a management subsystem — a secondary processor etched into the main chip, with its own proprietary firmware and its own operating system, running independently of the main system and even while the server is powered off, as long as it stays plugged in. The other major manufacturer has an equivalent. An organization that believes it has escaped the cloud by buying bare metal trades a software dependency for a deeper hardware one.
Beyond firmware, a second lock operates at the mechanical level: proprietary formats — non-standard power supplies, specific backplane connectors, incompatible rack rails — that block any intervention by an independent repairer or the use of a generic replacement part.
Against unauditable proprietary firmware, open firmware projects respond directly: one project replaces the proprietary BIOS/UEFI with open, auditable source code across a growing list of motherboards; another goes further, replacing much of the firmware with a minimal Linux kernel run at boot; a third does the same for the board management controller. Against the screwdriver monopoly, an open industry consortium (started in 2011, joined by several major cloud and hardware vendors) publishes open specifications for servers, power, racks, and connectors, making parts interoperable across vendors that follow the standard. Neither lifts the upstream manufacturing duopoly — hardware lifespan remains the only short-term countermeasure against that specific bottleneck.
The pre-trained model is a black box bolted to a silicon factory the client will never own.
Running a frontier AI model in real time for thousands of simultaneous users, at sub-second latency, requires a cluster of dedicated graphics processors, not a single card. A latest-generation accelerator, in configurations of eight units or more, costs on the order of $30,000 to $40,000 apiece; an eight-accelerator system runs $300,000 to $350,000. Each card draws roughly 1,000 watts, requiring liquid cooling out of reach for a standard organization. The price of inference charged to the client (a recent frontier model priced at double the rate of its predecessor, launched only six weeks earlier) does not cover the real cost of the underlying infrastructure — it finances a structural deficit, staked on the bet that only the holders of the newest silicon capital will ultimately make large-scale inference profitable.
The same manufacturing bottleneck documented in I.1 reproduces itself at the level of the AI accelerator: producing these chips depends not only on the etching itself, but on advanced packaging capacity supplied in limited quantity by the same Taiwanese foundry, as well as high-bandwidth memory (HBM) produced by a handful of manufacturers. This double constraint means capital alone isn't enough to skip the queue: production allocation is structurally prioritized toward hyperscalers bound by multi-year supply agreements, ahead of any other organization willing to pay the same unit price.
This chapter documents the material barrier and its scarcity mechanism; it does not yet claim to offer a reconquest. The complete architectural response — and why it cannot be limited to a hardware choice — is developed in Book IV (IV.1), once it is established that this dependency does not stop at silicon.
The shift from CapEx to OpEx is an act of accounting disembodiment, not merely a financing choice.
An international accounting standard in force since January 2019¹ requires recognizing on the balance sheet nearly all lease contracts, as a right-of-use asset and a corresponding lease liability — ending the earlier practice of off-balance-sheet leasing. A physical server leased over several years falls under this standard and visibly weighs down the balance sheet and the company's apparent debt; the cloud service contract, structured as continuous service consumption rather than an identifiable asset lease, structurally escapes it. This difference in treatment mechanically pushes organizations toward instant cloud consumption rather than a visible on-balance-sheet asset commitment — not by technical choice, but by accounting optimization.
Under CapEx, buying hardware required an architectural validation cycle — the architect acted as a mandatory gatekeeper. Cloud OpEx removes this purchasing friction: the dissolution of the systems engineer into a mere billing analyst is the direct organizational consequence.
Restoring the gatekeeper — without reintroducing the slowness of the multi-year CapEx cycle — means reintroducing automated architectural validation, running at the speed of cloud provisioning rather than that of a purchase order.
Jevons' paradox applied to compute does not predict that the cloud costs more — it predicts that code will be cheaper to write badly than well, and that this economic equation, once established, does not correct itself.
William Stanley Jevons observed in 1865¹ that improving the efficiency of steam engines in England did not reduce the country's total coal consumption — it increased it, by making steam power affordable enough to multiply its applications. Applied to compute: an efficiency improvement can increase total consumption rather than reduce it.
Under fixed-capacity infrastructure, an algorithmic regression saturates the machine as soon as load exceeds available capacity, triggering hard, immediate technical signals — HTTP 503 errors, API outages — that force the team to address the algorithmic cause urgently. Under auto-scaling, the hard technical failure turns into a slow budget drift: the alarm signal is anesthetized, not removed.
The return of hard limits — not as documented best practice, but as an unbypassable constraint enforced at the kernel level. The technical protocol relies on resource quotas and isolation restrictions built into the continuous-integration pipeline: the limit is declared in the deployment manifest and checked before any provisioning, replacing auto-scaling's invisible alarm with a verifiable constraint that forces re-optimization before runtime access.
The engineer becomes a blind instance trader, without the tools of a futures market.
Major cloud vendors offer contractual instruments that reduce the unit cost of compute in exchange for a duration commitment — a specific instance type for one to three years, in exchange for a discount that can reach roughly 70% versus on-demand pricing. In its structure: a capital commitment; in its accounting form: a bill.
An engineer who refactors a critical component — moving its algorithmic complexity from quadratic to linear order — reduces the real compute need. Under a commitment subscribed at the old consumption level, this reduction produces no savings: the successful engineering feat produces a straight financial loss. The serverless paradigm does not contradict this thesis: it radicalizes it.
Decoupling the financial commitment from the technical decision: structurally limiting the size of the multi-year commitment rather than giving it up entirely, preserving the sought discount without freezing the architecture for the contract's full duration.
This first circle established three strata of physical and accounting dependency: silicon and its hidden gatekeeper, the scale barrier of centralized inference, and billing engineering that disarms the engineer before compute even begins.
None of these mechanisms stems from an isolated malicious decision: the manufacturing duopoly, the firmware lock, the inference cluster barrier, and the accounting mutation are each independently documented structural facts. Their stacking produces a dependency that no single mechanism, taken alone, would explain.
It does not claim that open firmware, hardware standardization, or resource quotas alone suffice to restore full sovereignty — each neutralizes one documented, specific lock, without lifting the upstream manufacturing duopoly nor the need for competent human governance to operate them.
After matter, the enclosure closes on law and software. Three mechanisms document how apparent openness — a permissive license, multi-cloud portability, a local "sovereign" cloud — conceals a point of capture never visible in the contract itself.
The openness of code or an API is the alibi that conceals capture through execution.
A license protects a right to read. It protects neither the interface being imitated, nor the usage observed remotely, nor the commit that quietly reorients a project toward a single type of hardware, nor the maintainer recruited before there is even any need to fork anything.
The fork captures the code, but emulation captures the gesture: a vendor can faithfully reproduce the observable behavior of an open interface without ever reusing a line of its licensed code — placing it beyond the reach of copyright while producing the same dependency effect on its proprietary implementation.
Writing into internal architecture standards the requirement for the real engine rather than its imitation — contractually refusing any dependency on an emulated interface, whatever its apparent compatibility.
Who owns the feedback from production? The vendor hosting an open-source project's execution observes, remotely and continuously, how it is actually used in real conditions — a signal the project's maintainer, if they don't host that execution themselves, never receives in the same proportion. This information imbalance silently steers the project's roadmap toward the uses of the vendor observing it.
It isn't always necessary to fork a project or emulate its interface: a cloud vendor can simply recruit the lead maintainer holding merge rights on the reference repository. This mechanism leaves no trace in the code history — capture happens on the person, not the commit.
This observational imbalance isn't purely technical: it is contractualized. Major cloud vendors' terms of service explicitly distinguish "customer data" (protected, restricted to service delivery) from "telemetry data" or "service data" — performance metrics, usage logs, API call patterns — which the vendor reserves the right to freely analyze to improve and scale its own infrastructure. This contractual distinction, presented as an innocuous technical clause, is the exact legal foundation of the asymmetry described above: the infrastructure vendor legally captures visibility into the real usage of any software — proprietary or open — running on its platform, unbeknownst to the software's own publisher.
Cutting off outbound telemetry and observing internally rather than depending on usage feedback collected by a third-party host.
A commit that looks legitimate — a performance improvement, a bug fix — can quietly reorient an open project toward a single type of hardware or execution platform, without ever violating the license or being identifiable as capture at the moment it is proposed. The resulting proprietary entrenchment only becomes readable afterward, in the accumulation, not in any single commit.
Systematically decoupling, in internal architecture standards, identity and encryption management from any open-source engine dependent on specific hardware entrenchment.
Sovereignty over code stops where leased silicon begins — none of this chapter's three software responses lifts the physical dependency documented in Book I.
An identical manifest is proof of portability only as long as it stays on paper. The moment it touches a real resource, it is the vendor who decides its behavior — not the organization that believed it had freed itself.
Writing "agnostic" infrastructure amounts, by construction, to giving up any advanced feature specific to a single vendor — the common denominator of what the abstraction can describe shrinks as the multi-cloud scope widens. The law of requisite variety (Ashby, 1956)¹ explains that a unified control plane cannot absorb a variety of behaviors greater than its own; institutional isomorphism (DiMaggio & Powell, 1983)² explains why management persists with this strategy despite documented technical failure — multi-cloud then resembles a real option premium rarely weighed against its probability of exercise.
Concentrating execution on a single target environment rather than pursuing an agnosticism that structurally degrades as it expands — detailed below.
Every additional environment doesn't add a variant, it adds an entire parallel system: maintaining an operational multi-cloud posture does not mean writing a single infrastructure definition deployable everywhere, despite the promise carried by infrastructure-as-code tools — every vendor imposes its own implementation divergences, down to persistent storage and load balancing. Even when the same workload runs on two different vendors, the underlying infrastructure telemetry — node hardware state, hypervisor metrics, low-level system logs — is never exposed through a common interface: agnosticism stops where production debugging begins.
This technical duplication produces an undecided human siloing: teams fracture to mirror the infrastructure's duplicated structure, aggravating rather than merely following Conway's Law (1968)¹ — the organizational structure mirrors a technical fragmentation nobody explicitly chose.
Facing systematic renunciation and the duplication tax, the structural response is to choose a single target execution environment — one cloud vendor mastered in depth rather than several mastered only on the surface — and to exploit it fully rather than indefinitely paying the price of agnosticism.
If operational-resilience regulations seem to push toward multi-cloud in the name of compliance, reversibility through data — guaranteeing data portability rather than execution portability — satisfies the regulatory requirement without imposing the duplication tax.
A sovereignty that stops at the datacenter door has only moved its border, not its center of control.
Cloud infrastructure breaks down into three layers: the physical layer (silicon, datacenter — Book I), the orchestration layer (hypervisor, control plane, management API), and the usage layer. The legal sovereignty claimed by "sovereign cloud" offerings covers the two peripheral layers, without necessarily covering the intermediate layer that actually governs real operation. Grossman & Hart (1986)¹ establish that a formal property right over an asset only confers real control to the extent its holder can decide uses not specified by contract — these "residual control rights." Documented illustration: a "sovereign cloud" offering where the underlying major vendor's software updates pass through a quarantine zone where the local operator can audit the code before deployment, but where monitoring and operational administration remain handled by that operator, without the orchestrator's design itself ever changing hands.
The reunification principle and the isolation principle, detailed below.
The principal-agent information asymmetry (Stiglitz)¹ materializes concretely: publicly asked how long a major cloud vendor guarantees the availability of its software updates to a local operator, technical leads gave no precise answer, deferring the question to confidential clauses in the contract between the two companies — the very existence of a duration commitment is not public. Teece (1986)² completes the anchor: an innovator may fail to capture the value of its innovation when specialized complementary assets remain held by a third party; here, a reversibility clause returns raw data but not the complementary assets needed to exploit it — management APIs, managed-service configuration, automations built around it.
The SecNumCloud qualification framework³, issued by the French cybersecurity agency (ANSSI) to cloud providers seeking state qualification, imposes in its criterion 19.4 a reversibility clause explicitly covering data — full recovery in a documented format, secure erasure after contract termination. It sets no equivalent requirement on the portability of the orchestration layer itself. The link to the previous mechanism is direct: this reversibility only covers data because the opacity of the orchestration layer — its microcode, its proprietary update channels — makes technical auditing of any reversibility of the orchestrator itself impossible to verify from the outside, even if the framework required it.
Reunification principle: basing the orchestration layer on software whose source code is fully available, and having the local operator compile it themselves from their own build chains, rather than receiving a binary delivered and maintained by a third party — which moves the point of exercise of residual control from binary distribution to compilation itself. Isolation principle: receiving upstream only the published source code, with no privileged distribution channel nor advance notice from a single vendor — integrating an update becomes a voluntary act of the local operator, at a pace it determines.
An operator who compiles its own control plane and alone decides the pace of integration gives up, by construction, the speed at which a single vendor can push new features centrally and immediately. This functional gap is not accidental: it is the structural, permanent counterpart of reclaimed control — this chapter does not claim to offer autonomy at no cost.
This second circle documented three forms of enclosure never visible in the contract itself: the permissive license that protects neither the imitated interface nor captured telemetry, multi-cloud portability that degrades as it expands, and the orchestrator that retains residual control rights even when data and silicon are formally sovereign.
The three mechanisms share a common structure: each documents a real, verifiable level of openness (code, manifest, data) that coexists with a level of control that stays closed (observed usage, runtime behavior, orchestration). Partial openness isn't a lie — it is the structural alibi that makes the closed level invisible.
None of the three reconquest architectures restores total, free sovereignty: each has an accepted, documented cost — the speed of updates, the loss of multi-region resilience, the internal governance effort.
After matter and law, the third circle documents how data, identity, and human competence remain captured even once everything else — silicon, code, orchestrator — has been made open. Three mechanisms: the mass of data that irresistibly attracts compute, the identity and key that remain signed by a single vendor, and the diagnostic instinct that atrophies behind centralized observability.
It isn't the data that's a prisoner — it's its immobility that captures the rest of the system.
Data lock-in isn't about the data — it's about what it attracts; deliberately dispersing its mass has, in turn, a cost no architecture makes free.
An accumulated mass of data exerts irresistible attraction on the compute and third-party services that process it (McCrory, 2010)¹: the more data an organization stores with a vendor, the more economically rational it becomes to also run the compute that processes it there, simply to avoid transfer costs. These costs are themselves a deliberately irreversible exit barrier (Klemperer, 1987)²: at standard 2026 rates, internet egress charged by major vendors ranges from $0.08 to $0.12 per gigabyte depending on tier, and up to $0.23 for intercontinental transit — meaning, for one petabyte exported, an order of magnitude of $80,000 to over $200,000. Transfer time reinforces this: at a sustained 10 Gbit/s, moving one petabyte takes on the order of nine days of continuous transfer — an optimal theoretical physical limit, computed with no degradation or interruption, hence a floor.
The EU Data Act (2023/2854)³ directly neutralizes this switching-cost mechanism: its Article 29 phases out switching charges, including egress fees — mandatory reduction from January 2024, full ban from January 12, 2027. Its Article 30 imposes, for infrastructure services, an obligation of "functional equivalence" upon switching providers. What this text does not cover: the gravity that persists once data has been transferred for free — the execution ecosystem, the managed services built around it, and the native indexes that do not automatically recreate themselves at the new vendor.
A Data Mesh architecture, structured by business domain rather than centralized into a single data lake, combined with open, queryable-in-place table formats, prevents the critical mass that produces the attraction from forming. The cost is accepted without evasion: this fragmentation degrades cross-domain queries and loses the benefit of proprietary native indexes — no architecture disperses mass for free.
An open control plane and portable data remain captured in practice if the identity that accesses them and the key that decrypts them remain, at their root, signed by a single vendor.
An IAM identity isn't a file you export: it's a living relationship, valid only inside the trust graph of the vendor that issued it. A role, an instance profile, a managed identity only make sense within the origin vendor's directory and verification infrastructure — migrating an organization elsewhere doesn't migrate this relationship, it must be rebuilt from scratch. Empirical materiality confirms this across the three major vendors: a key protected by one vendor's HSMs (FIPS 140-2 Level 2¹ validation) can never be exported in the clear; at the other two major vendors, the key is generated and used exclusively inside FIPS 140-2 Level 3 certified HSMs, with the same non-extraction guarantee. W. Brian Arthur (1989)² establishes that an initial technical choice, even a minor one, can end up locked in by the cumulative effect of small historical events reinforced by increasing returns, with no single identifiable decision — the initial choice of an identity vendor fits this dynamic. Grossman & Hart (1986)³ complete the anchor: a contract can enumerate specific rights (access, raw data portability), but the residual right over the hardware attestation chain — which HSM signs, which hypervisor attests to a machine's boot — defaults to whoever owns the infrastructure.
Article 2, point 38, of the EU Data Act⁴ defines "exportable data" while explicitly excluding data whose export would expose the vendor to a cybersecurity vulnerability, as well as assets protected by intellectual property rights or trade secrets. IAM configuration and the cryptographic trust chain sit precisely in this exclusion zone: the text never explicitly categorizes them as a transferable asset, leaving the last lock outside the very scope it claims to regulate.
An independent workload authentication architecture, built on the open SPIFFE standard and its SPIRE implementation, lets an organization issue and verify its own cryptographic identities without depending on a single vendor's IAM control plane. But SPIRE's own technical documentation reveals the ultimate limit of this workaround: node attestation — the step by which a SPIRE agent proves it is actually running on the machine it claims to be — remains, in practice, verified via the underlying infrastructure's metadata APIs. The ultimate root of trust falls back to the infrastructure vendor, even when the application identity itself is independent of it.
You don't restore an instinct by decreeing it. You restore it by giving someone the authority to use it, and the time to rebuild it wherever it still survives.
By the time an engineer learns of an incident and wants to diagnose its root cause, the non-externalized logs, memory state, and precise error context have often already been destroyed by the orchestrator's automatic restart. In perfectly fulfilling its resilience function, the orchestrator simultaneously incinerates the scene of the incident. A distinct shift compounds this destruction: an engineer who runs a runbook — increasingly generated by AI assistants — without understanding each step never develops the capacity to react to an incident that matches no existing procedure, that is, to any genuinely new incident.
Centralizing telemetry with a third-party observability vendor alienates the clinical capacity for system autopsy: the engineer watches aggregated dashboards rather than the raw layer — system logs, low-level packet captures, kernel state — on which diagnostic instinct is built. The deficit isn't the absence of these raw tools, which remain technically accessible: it is the absence of occasion and authority to use them in practice, before a real incident forces the issue.
A failure-simulation exercise restructured to deliberately cut, for its duration, access to high-level observability dashboards and conversational assistants: participants diagnose the simulated incident by reading raw logs only and querying system state directly — exactly the layer modern tools usually abstract away. Complemented by a requirement to route and analyze part of the telemetry locally, independent of any centralized console, so that diagnostic authority never depends exclusively on a third-party interface.
This third circle documented three forms of capture that persist even when data is portable, identity nominally managed, and diagnostic tools technically available: the mass that attracts compute (III.1), the identity relationship that never truly exports (III.2), and the instinct that atrophies without practice (III.3).
The three mechanisms converge on one point: regulation and open architectures can make portable what can be counted and filed — bytes, role definitions — without ever reaching what cannot be counted — the ecosystem attracted by mass, the trust relationship behind identity, the instinct behind diagnosis.
It does not claim that Data Mesh, SPIFFE/SPIRE, or simulation exercises remove gravity, the last lock, or atrophy — each relocates the point of effort and accepts its cost rather than promising zero capture.
After matter, law, and information, this last circle documents two forms of dispossession that do not overlap: the capture of organizational cognition by centralized artificial intelligence, and the physiological and organizational barriers that exclude part of the workforce before any technology even enters the picture. These two mechanisms are juxtaposed, not merged: the second involves no algorithmic capture whatsoever, and claiming otherwise would force a thesis the facts do not support.
The adversary no longer seeks merely to own the servers, the contracts, or the data: it seeks to make the alternative unthinkable — through the machine for some, through the work environment for others.
Algorithmic opacity doesn't expropriate the organization of its systems; it expropriates its capacity to conceive of the alternative.
A frontier AI model, served under API by a single vendor, imposes a double trade-off its marketing hides behind the advertised size of its context window. The first is concurrent throughput: a private inference cluster, sized for a single organization, necessarily serves fewer parallel users than a service pooled across thousands of clients, at equivalent unit cost — the centralized service's apparent elasticity masks this load asymmetry. The second is weight freshness: a locally run model stays frozen between retraining campaigns, while the proprietary service is continuously updated by its vendor. The alibi of the giant context window — several million tokens advertised by some vendors in 2026 — solves neither: the trap is never the size of volatile memory, it is the structural dependency on the centralized brain that carries it.
The weights of a model fine-tuned for an organization's use remain, in the overwhelming majority of deployments, hosted and executed on the vendor's infrastructure. Every team trained on the quirks of a given proprietary model thereby increases the vendor's bargaining power rather than the organization's autonomy: learning the tool funds, at every iteration, the leverage of whoever controls it.
A specialized, quantized small language model, sized to run on owned hardware, fed by a local vector knowledge base decoupled from the completion engine, eliminates the dependency point on the external API. The cost is accepted without evasion: a conscious reduction in broad-spectrum generalization and ideation capacity, accepted as the explicit price of execution airtightness — not as a promise to match the centralized model it replaces.
The door isn't closed in one place. It's closed at school, in hardware norms, in documentation vocabulary, in career trajectory, in the cumulative cost of staying, in the moment of the incident, and in access to sponsorship. None of these closures alone explains everything. Together, they explain the number.
Recommended datacenter standards impose an operating temperature between 18 and 27°C at hardware intake — the cold aisle where the technician works is often colder still. Noise levels there frequently exceed 85 decibels, a threshold beyond which regulation requires hearing protection. An environment designed for hardware, not for a given body, silently filters who can work there for long without disproportionate discomfort.
Several independent studies of the tech sector document higher harassment rates in deep technical roles than in administrative ones. On a team with only one woman, this profile carries an additional cognitive load — seeing one's performance perceived as representative of an entire group — quantifiable through tokenism theory (Kanter, 1977)¹, absent for the majority profile on the same team.
Mentorship is a low-risk investment for the senior party — they risk only their time. Sponsorship is a high-risk investment: the senior party puts their own reputation on the line if the sponsored person fails. This sponsorship forms statistically within the same informal networks that already structurally exclude women from the circulation of information and opportunity — without any individual actor having consciously decided to exclude them.
Non-linear career paths — a career change after years in another field — are statistically filtered out by automated recruitment systems before any human reading: a side effect of screening designed for general use, not a deliberate exclusion, but with a disproportionate impact on this population.
A teacher, with a low-cost programmable microcontroller kit and financial support from a few colleagues, can structure an activity where every student gets a moment alone with the machine — not an awareness program nor an institutional scheme, but a direct material intervention, reproducible without public budget or hierarchical approval. Complemented by a simple governance measure: naming who actually holds the final say on architecture decisions — whatever title they carry — and publishing the gender breakdown of that narrow group, distinct from generic title statistics that mask this reality.
This fourth and last circle documented two distinct dispossessions: that of organizational cognition by centralized artificial intelligence (IV.1), and that of representation through physiological and organizational barriers owing nothing to technology (IV.2). Their juxtaposition, rather than their fusion under an artificial common axiom, is deliberate: forcing a link that doesn't exist in the facts would have weakened the credibility of both demonstrations.
Matter (Book I), law and software (Book II), information (Book III), and the human (Book IV) each document a capture mechanism never visible at its own layer: silicon captures at the firmware level, licensing captures at the level of observed execution, data captures at the level of what it attracts, and cognition captures at the level of the model that simulates it. None of these captures is imposed by force — each is consented to through ignorance of the physical, economic, and organizational laws that make it possible.
It does not claim an organization can escape all four circles simultaneously at no cost: every shield documented here has an accepted price — update speed, generalization capacity, multi-region resilience, governance effort. Nor does it claim that these two mechanisms of Book IV share a common cause: their only shared trait is dispossessing the human of something without ever breaking a contract to do it.
No digital sovereignty is possible without mastery of the hardware — but no mastery of the hardware is worth anything if the person who holds it doesn't also have a seat at the table where decisions are made.
Quick reference index: every trap documented in this treatise, with its corresponding shield and the chapter where the full development can be found.
Each line points to a full, sourced, and verified development in the body of the treatise — this page is only its index, not a substitute for reading it.
This treatise was not born in a single pass. It is the product of successive refinement, like gold extracted mixed with ore before being smelted, or like the rough structural work of a building sanded, coated, and painted down to its final finish. Over the course of his satirical offensive and his studies against the hyperscalers, Amine ended up with a raw output of over eleven hundred pages — technical studies, reputational-risk studies, poems, songs. This raw material was refined once, in organized fashion, into the Dindon Corpus: roughly seven hundred fifty pages of studies and cultural annexes. The Corpus was then concentrated a second time into ten thematic volumes. This treatise is the third smelting: a single volume containing the gold of the data, stripped of the ore accumulated at each earlier stage.
This final smelting followed a fixed method, repeated at every chapter: Claude drafts, relying exclusively on source texts and independent verification of every fact advanced. Gemini then audits without mercy, deliberately hunting for the flaw rather than confirmation — citations to check word for word, blind spots to uncover, inconsistencies to flag. Amine arbitrates as the final authority: he settles disagreements between the Production and the Auditor, corrects course when both are wrong together, and alone decides what stays or disappears. No chapter of this treatise was sealed without passing through these three filters, in this order, as many times as necessary.
This work is entirely produced by artificial intelligence: a pure mathematical calculation, faithfully representing Amine's ideas in a form augmented by the machine — systematic cross-referencing of facts, proposing ideas within a frame and calibration he set. This is the human augmented by the machine, not the machine substituted for the human.
The words themselves were treated as raw material, shaped into a finished product in an industrial manner: every fact verified, every sentence audited, every chapter reworked until it withstands the most hostile reading. This treatise does not claim to be an authored text in the classical sense — it claims to be a rigorous production chain, where the raw material is the idea and the style, and the finish is the truth that survives the audit.
يَٰٓأَيُّهَا ٱلَّذِينَ ءَامَنُوا۟ كُونُوا۟ قَوَّٰمِينَ بِٱلْقِسْطِ شُهَدَآءَ لِلَّهِ وَلَوْ عَلَىٰٓ أَنفُسِكُمْ أَوِ ٱلْوَٰلِدَيْنِ وَٱلْأَقْرَبِينَ
Ô vous qui croyez ! Soyez fermes et constants dans la justice, témoins pour Dieu, fût-ce contre vous-mêmes, contre vos père et mère, ou contre vos proches.
O you who believe! Stand firmly for justice, as witnesses to God, even if it be against yourselves, your parents, or your kin.
Ten studies, organised into five strata : the physical and material foundation, financial engineering, the traps of software, the sovereignty of control, and human consequences. Each volume opens with an illustration and closes on what it does not claim to resolve.

The cloud never existed — there is only silicon elsewhere, owned by someone else. The ASML/TSMC duopoly, hidden firmware (Intel ME, AMD PSP), the screwdriver monopoly, the energy constraint: the chain of hardware dependency, link by link, and its reconquest — open firmware, the OCP standard, Grade-A refurbished hardware.
This volume does not claim to exhaust semiconductor geopolitics or datacenter engineering. It was modelled by an infrastructure architect, audited contradictorily by two artificial intelligences, drawing on verified public data — industry standards, technical documentation, already-published sector reports. It does not document an anti-cloud opinion. It documents a chain of material dependency, quantified wherever possible, and proposes an architecture of reconquest explicitly owned as such — proposals, not established norms.
The loss of digital sovereignty is not an accident, an isolated decision, or a calculation error. It is a documentable causal chain, from the classroom where computing is already taught as an abstract service, to the board meeting where a cloud contract is signed without anyone ever having seen the building where the data actually runs. At every link in this chain, a choice seemed reasonable in isolation. The sum of these choices produces structural dependency on a handful of actors who, for their part, never lost sight of the matter: they own the datacenters, the cables, and increasingly, the design of the chips themselves.
Vocabulary preceded dependency. Calling a reinforced concrete building consuming as much electricity as a mid-sized city a "cloud" made the very existence of the matter to be mastered invisible from the choice of words onward. One does not protect what one no longer sees.
Silicon and its manufacturing chain, physical servers and their lifecycle, the buildings housing them, the cables connecting them, the energy and water making them run, and the law applying to each of these elements depending on the ground they rest on.
Major cloud providers did not only build technical lock-in mechanisms. They built — consciously or not — environments exploiting cognitive biases documented for decades by psychology and behavioural economics research. These biases are not individual flaws: they are universal heuristics that become disabling in environments specifically designed to exploit them.
Documented by Cialdini (1984): a service perceived as free creates a psychological reciprocity commitment, even if disproportionate. Free cloud credits offered to a student are perceived as a favour — a sense of debt toward the provider's ecosystem sets in, active well after graduation.
Norton, Mochon & Ariely (2012) document a systematic overvaluation of what one has built oneself. A complex cloud architecture built internally is perceived as irreplaceable — not because it is technically superior, but because the team built it. The Dunning-Kruger effect (1999) adds that merging developer/operator roles gives the illusion that writing twenty lines of configuration equals mastering the underlying infrastructure.
This part maps, link by link, what an organisation actually owns when it believes it has regained control by buying physical hardware — and where, despite that purchase, dependency persists in a less visible but equally real form.
An organisation believing it has freed itself from the cloud by buying bare-metal solves a software dependency only to fall into a deeper hardware dependency. Since 2008, every Intel processor has embedded a subsystem called Intel Management Engine (IME) — a secondary processor, etched into the main chip, with its own proprietary firmware and its own operating system (MINIX 3), running independently of the main operating system. It runs even when the server is "off", as long as it remains powered. Its firmware is not published, hence not auditable. AMD has embedded an equivalent since 2013, the AMD Platform Security Processor (PSP), built on an ARM Cortex-A5 architecture, with the same closed properties.
The lock-in of major cloud providers operates at the software level. The hardware lock operates at the silicon level. Buying bare-metal without mastering IME or PSP does not remove the lock — it shifts it to a different actor, equally opaque, and raises the same jurisdictional sovereignty question over firmware manufactured and signed in the United States.
Documenting an open instruction set architecture like RISC-V is necessary, but insufficient: it is a logical design. For a RISC-V chip to have physical existence, it must be manufactured in silicon — and advanced silicon manufacturing depends on two unavoidable physical monopolies.
Extreme ultraviolet lithography (EUV) is the only technology enabling chips below 7 nanometres. ASML, a Dutch company based in Eindhoven, is the world's sole manufacturer of EUV machines. A single machine costs roughly 150 to 200 million euros and weighs 180 tonnes. No alternative exists — not in China, not in Russia, nowhere else in Europe either.
TSMC produces roughly 90% of the world's advanced chips, on an island of 36,000 km² exposed to documented structural geopolitical tension. The concrete consequence: any organisation, whatever bare-metal it owns, ultimately depends on this manufacturing chain for its next hardware purchase.
European datacenter geography is not neutral. It results from tax, energy, and political decisions steering investment toward specific territories. Three zones concentrate most capacity: the Amsterdam-Frankfurt corridor, Ireland, and the Nordic countries. Ireland hosts the European datacenters of Google, Meta, Amazon, Microsoft and Apple — not for any particular technical quality of its ground, but for its 12.5% corporate tax rate, which attracted the European headquarters of major providers.
The US CLOUD Act authorises American authorities to demand access to data held by a US company, wherever that data is physically stored in the world — including on European soil. Physical datacenter location alone does not, therefore, guarantee the jurisdiction applicable to the data it contains.
Above the silicon layer and the geographic layer sits a third, contractual layer. Google Cloud Platform's terms of service stipulate, for any non-US-government entity, that the law of the State of California governs the contract, with Santa Clara County courts as the competent jurisdiction. A European client signing these terms agrees to resolve any dispute under Californian law — on data otherwise subject to the CLOUD Act on the AWS side.
Free entry-level credits are never an isolated act of generosity: they create functional dependency before the real cost becomes visible. The model is documented and deliberate — it maximises the probability that an organisation has built an entire architecture before encountering full pricing for the first time.
Data egress fees are structurally higher than ingress fees, and rarely highlighted at signing. This silence is not an oversight: it is an organised information asymmetry between the moment of decision and the moment of exit.
While bare-metal skills grow scarce in general education, major cloud providers maintain in-house advanced physical hardware training programmes — for their own teams operating their own datacenters. Material competence has not disappeared: it has concentrated within the same actors whose dominant position this volume otherwise documents.
Beyond the firmware documented in II.1, a second lock operates at the strictly mechanical level. Many branded servers embed proprietary formats — non-standard power supplies, specific backplane connectors, rack rails incompatible with the sector standard — forbidding any intervention by an independent repairer or the use of a generic replacement part.
An organisation that purchased branded hardware finds itself, for any failure beyond warranty or proprietary support contract, obliged to go back through the original manufacturer or an approved provider — at a price the latter sets, with no possible competition on that specific part. Physical server ownership therefore does not guarantee the freedom to maintain it.
This incompatibility generally appears on no sales sheet at the time of purchase — it is discovered at the first failure outside warranty, when the economic calculation has already tipped in favour of keeping the support contract rather than switching provider.
The lock goes beyond the physical connector. On some servers, replacing a motherboard or RAID controller with a strictly identical part is not enough: the system requires a software pairing key supplied by the manufacturer before the firmware accepts the new part as legitimate. This is a software lock applied to a purely mechanical gesture — physical maintenance itself becomes subject to the manufacturer's digital authorisation.
Owning a physical server outright — even firmware-verified, even on a standard format — remains partial sovereignty if critical replacement components (specific motherboards, RAID controllers, certified memory modules) depend on a global supply chain itself subject to the same manufacturing monopolies documented in II.2, or to export restrictions decided unilaterally.
Security standards governing end-of-life hard drive destruction — required for legitimate data protection reasons — are also used by some major manufacturers to limit the emergence of a competitive refurbished parts market: certified destruction becomes the default path, recirculation the administratively costlier exception.
A material reconquest strategy that does not plan for a buffer stock of critical parts, nor its own refurbishment channel, remains vulnerable to an external supply disruption — even after solving the software and firmware layers of the problem.
A datacenter is not merely an assembly of servers: it is a continuous electricity consumption comparable to a mid-sized city's, and often a water requirement for cooling. Documenting material sovereignty without documenting this kinetic dependency leaves one link of the chain outside the diagnosis.
A datacenter's ability to run depends directly on the stability and capacity of the local power grid — a constraint partly explaining the geographic concentration already documented in II.3, and making any organisation ultimately dependent on energy policy decisions that are not its own.
Operating temperature standards (ASHRAE) mandate precise ranges for hardware reliability. Water cooling, more energy-efficient than air cooling alone, creates an additional local dependency in regions where the water resource is itself under strain.
This section deliberately limits itself to energy and water. The question of submarine cable geography and landing points, likewise material, is already addressed in the Opération Dindon corpus's The Hand Over Nations study — this volume refers to that analysis rather than duplicating it.
Each section of this part responds directly to a precise mechanism demonstrated in Act II. A silicon problem calls for a silicon response; a connector problem calls for a hardware standardisation response; a foundry monopoly calls for a lifespan strategy, not a software architecture speech.
Facing the proprietary, non-auditable firmware documented in II.1, a material response exists: open firmware projects. Coreboot replaces proprietary BIOS/UEFI with open-source, auditable code on a growing list of motherboards. LinuxBoot goes further, replacing a large share of firmware with a minimal Linux kernel executed at boot. OpenBMC does the same for the motherboard's Baseboard Management Controller (BMC), historically another black box distinct from the main processor.
These projects make the boot and management layer auditable — they do not remove Intel ME or AMD PSP themselves, etched into the silicon and impossible to remove without manufacturer cooperation. Some Coreboot-supported motherboards allow disabling or drastically reducing these subsystems' scope of action — a documented mitigation, not total elimination.
Requiring, in any hardware tender, Coreboot or OpenBMC compatibility as a selection criterion shifts the balance of power toward manufacturers who publish their specifications — without waiting for a solution that does not yet exist for the already-installed fleet.
Facing the proprietary connectors and serialised pairing documented in II.6, an organised material response has existed since 2011: the Open Compute Project (OCP), initiated by Facebook and since joined by a consortium including Microsoft, Intel, Google, and numerous manufacturers. OCP publishes open specifications for servers, power supplies, racks, and connectors — making parts interoperable between vendors complying with the standard.
A server compliant with OCP specifications can, in principle, accept a power supply or card from a vendor different from the original manufacturer, as long as both comply with the same open standard. This reintroduces competition on replacement parts, directly breaking the post-purchase monopoly documented in II.6.
The OCP ecosystem remains concentrated among very large buyers — vendor catalogues offering OCP-certified hardware in unit or small quantities remain more limited than the traditional server market. Requiring OCP compliance in a tender is a negotiating lever, not an immediate availability guarantee at every scale.
No organisation, no European state acting alone, can build in the short term the equivalent of a TSMC foundry or an ASML EUV machine: these are physical monopolies that cannot be worked around by sheer will. The only response available at an organisation's scale is indirect, but measurable: extending the lifespan of hardware already in service.
As documented earlier: enterprise server hardware can run reliably well beyond the 3-to-5-year renewal cycles recommended by manufacturers — up to eleven years in documented extreme cases. By deliberately extending useful lifespan from 3-4 years to 9-10 years via Grade A refurbished hardware, an organisation mechanically divides by three the frequency of its new chip purchases — hence its direct dependency on TSMC's production pace for the same volume of infrastructure.
Extending hardware lifespan does not break the advanced chip manufacturing monopoly — it remains total. This strategy reduces how often an organisation exposes itself to that monopoly, which is not the same as bypassing it.
Facing the application-level lock documented in II.4 — a vendor's proprietary vocabulary etched directly into business code — an abstraction layer whose contract is defined by the business domain inverts classical adaptation: it is no longer the application adapting to the vendor, it is the vendor adapting to the application, via a replaceable connector. Changing vendor becomes changing a connector; the application itself need not know.
This pattern is not bought off the shelf — it is designed the moment the technical team writes its first line of integration with a proprietary service. Introduced later, its implementation cost grows with every month the vendor's vocabulary has propagated through the code.
Major cloud providers sell business continuity as a native engineering feature. In December 2021, an AWS outage in the us-east-1 region took down services theoretically "multi-zone" because availability zones share the same regional network backbone.
The business continuity plan is, in practice, the personal responsibility of the chief information officer at the moment infrastructure collapses. Sovereign managed service providers practice it instead as a repeated muscle-memory reflex — tested, timed, executed under real conditions, not merely documented in a plan one hopes never to have to open.
In most organisations, no one has explicitly defined who holds the final say on infrastructure decisions. Budget control legitimately belongs to management. Technical decision authority — which architecture, which risks to accept or refuse within the fixed envelope — belongs to whoever actually masters the hardware documented in Act II. Conflating the two roles regularly produces the same outcome: technically suboptimal decisions made by those who do not measure their consequences.
Owning your silicon, your server, and your datacenter is worthless if the person who understands that matter has no right to say no to it.
This volume is an open-source system awaiting real-world corrections. We explicitly invite every organisation that has regained control of its physical infrastructure to document the locks encountered at each link of this chain, and to correct, contradict, or enrich the six levers of Act III.
The cloud never existed. There is only silicon, somewhere, belonging to someone else — until an organisation decides to find out where, and to reclaim, link by link, what belongs to it.
What follows is not content of The Cloud Illusion volume. It is the full trace of the process that produced it: Amine RAITI's instructions, the prompts sent to Gemini, its audit responses, and the human arbitrations that settled between the two. This appendix was originally produced in French; the exchanges below are translated from that original for this English edition, preserving order and substance exactly.
Opération Dindon rests on a method: Claude drafts, Gemini audits contradictorily, Amine decides. This method is only worth something if it is verifiable. This appendix makes visible what would otherwise remain an editorial black box.
I would like to produce the same type of study on the theme "No sovereignty is possible without mastery of digital hardware." The goal is to take the substance of the Opération Dindon corpus studies (French version) and distill a synthesis with thesis --> demonstration --> solution. The synthesis must encompass everything touching this subject in the Dindon corpus. Send a prompt to Gemini so it acts as the auditor and finds the blind spots to cover.
[OPÉRATION DINDON · NEW DEDICATED VOLUME · SOVEREIGNTY AND HARDWARE] Gemini, we are launching a new synthesis volume on the same model as "The Gendered Amputation": take the substance of several Opération Dindon corpus studies (FR version) and distill ONE continuous synthesis — Thesis → Demonstration → Solution — rather than a series of studies citing each other. SUBJECT: "No sovereignty possible without mastery of digital hardware" — this is literally the corpus's founding thesis (Part I). The scope is therefore potentially large. PRELIMINARY INVENTORY (done by Claude, to validate or correct) — corpus studies directly linked to the subject, by cluster: CLUSTER 1 — THE DIAGNOSIS (why matter matters) - No Sovereignty Without Matter (Part I, founding thesis) - Anatomy of Digital Perdition, The Global Anatomy of Amputation, The Architecture of Consent CLUSTER 2 — THE MATERIAL CHAIN ITSELF - The Material Black Box, The Taiwan Bottleneck, Digital Iron, Mastery of Iron, Guardians of Iron, Digital Ground, The Hand Over Nations CLUSTER 3 — COST AND VALUE OF HARDWARE - Grade A Refurbished, Strategic Refurbished, FinOps of the Last Gram, Terms Under the Microscope, The Free Sample, The Economics of Silence CLUSTER 4 — EXIT SOLUTIONS - The Sovereign Interface, The Accompanied Exodus, The Gentle Exit, The Gentle BCP POTENTIALLY PERIPHERAL STUDIES: The Ticket and the Talent, Technical Primacy, The Digital Companions, The Mentor and the Metal, The Blue. YOUR TASK — scoping audit, before any drafting: 1. Is this 4-cluster split correct? 2. Blind spots: be as demanding as on the previous volume. 3. Should the peripheral studies enter the hardware scope? 4. How many new studies would be needed to bulletproof this volume? 5. Propose a title, in the same clinical spirit as "The Gendered Amputation." Do not draft any content. This session serves only to scope the perimeter and identify gaps before any production.
[DINDON CORPUS · SCOPING AND DOCUMENT ARCHITECTURE DIRECTIVE] SUBJECT: Scope and unassailability audit of the "Sovereignty and Hardware" volume STATUS: Structural diagnosis complete · DILUTION ALERT TRIGGERED · Rework plan required. If we compile 20 studies as-is, we will not get a 17-page unified essay, but a 150-page directory repeating what has already been published. I. NARRATIVE ARC RESTRUCTURING (From 4 clusters to 3 acts) Claude's 4-cluster split is too thematic. We must organise the material as: Thesis → Demonstration → Solution. ACT I — THE THESIS: THE ILLUSION OF THE IMMATERIAL Pieces to merge: No Sovereignty Without Matter, Anatomy of Digital Perdition, The Architecture of Consent. ACT II — THE DEMONSTRATION: OWNERSHIP OF THE IRON Pieces to merge: The Material Black Box, The Taiwan Bottleneck, Digital Ground, The Hand Over Nations, and the contractual triad. ACT III — THE RECONQUEST: THE ARCHITECTURE OF RETURN Pieces to merge: Digital Iron / Mastery of Iron, Grade A Refurbished / Strategic Refurbished, The Sovereign Interface, The Gentle Exit / The Gentle BCP. II. ARBITRATION OF PERIPHERAL STUDIES VETO ON: The Digital Companions, The Mentor and the Metal, The Blue, The Ticket and the Talent. Justification: Off-topic. Including them would duplicate the corpus's HR volume. EXCEPTION FOR: Technical Primacy and Guardians of Iron — to integrate exclusively as fragments or cross-references.
III. MAJOR BLIND SPOTS 1. Replacement Supply Chain Asymmetry — owning Bare-Metal is an illusion if critical parts depend on a global logistics chain. 2. Firmware Captivity — components embed proprietary microcode. Material sovereignty stops where the non-auditable binary blob begins. 3. Energy and Cooling Imperative — dependency on local power grids and climate constraints (ASHRAE). 4. Forensic Traceability of Recycling — regulatory drive destruction blocks a sovereign second-hand market. 5. Specific Maintenance Tooling Lock-in — proprietary formats forbidding third-party maintenance. 6. Geography of Landing Points — physical vulnerability of submarine cables. IV. PRODUCTION RECOMMENDATION I recommend producing 3 new major sections: Piece A: The Phantom Infrastructure (blind spots 2 and 5) Piece B: The Logistics of Rationing (blind spots 1 and 4) Piece C: The Kinetic Constraint (blind spots 3 and 6) V. TITLE PROPOSAL Proposal: The Cloud Illusion: Anatomy of Material Rationing. Amine, if you validate this architecture, do you give your green light for Claude to begin preparing this new essay's structure on this basis? وربنا الرحمن المستعان على ما يصفون
Solid architecture, breaking it down as usual. ✅ Accepted without reservation - The 3-act restructuring — far tighter than my 4 thematic clusters. - The veto on the 4 HR studies — I had myself flagged these as peripheral. - The fragmentary exception for Technical Primacy and Guardians of Iron. - The 6 blind spots — all solid and verifiable. - Grouping into 3 new pieces instead of 6 separate ones. ⚠️ One point to verify before deciding Potential overlap between Piece C and "The Hand Over Nations." My initial inventory already noted that The Hand Over Nations covers the CLOUD Act and submarine cables. Your Piece C reuses landing-point geography as blind spot #6. If both texts address cables without a clear distinction, we duplicate rather than complete. My proposal: Piece C should deliberately limit itself to the energy/water/cooling angle, and treat cable geography as a quantified extension of what already exists in The Hand Over Nations — not a repeat. 🔺 For Amine to arbitrate 1. The title — does "The Cloud Illusion: Anatomy of Material Rationing" work? 2. The structural green light — Gemini asks for confirmation before I begin.
1) the title works for me 2) ok
["THE CLOUD ILLUSION" VOLUME · FINAL UNASSAILABILITY AUDIT] Gemini, here is the complete first draft of the volume you scoped: 18 pages, Thesis → Demonstration → Reconquest structure. STRUCTURE DELIVERED: ACT I — THE THESIS (3 pages): causal chain, Architecture of Consent (Cialdini, IKEA, Dunning-Kruger) ACT II — THE DEMONSTRATION (9 pages): Intel ME/AMD PSP, ASML/TSMC, datacenter geography, contractual triad, Guardians of Iron fragment, new Pieces A/B/C ACT III — THE RECONQUEST (6 pages): Grade A Refurbished, Sovereign Interface, PCA as muscle-memory reflex, Technical Primacy fragment YOUR TASK — maximum audit, no complacency, on 5 axes: 1. FACTUALITY AND SOURCING: does every figure seem verifiable? 2. RESPECT FOR YOUR SCOPING: is the HR filtering properly respected? 3. NON-OVERLAP PIECE C / HAND OVER NATIONS: is the distinction sharp enough? 4. REMAINING BLIND SPOTS: does a major material mechanism remain uncovered? 5. THESIS → DEMONSTRATION → RECONQUEST COHERENCE: does each Act III lever respond to a precise Act II mechanism? FINAL VERDICT REQUESTED: is this volume BULLETPROOF for publication, or do you identify a blocking point? Be direct. If something breaks, say so now — not after compiling in three languages.
[DINDON CORPUS · FINAL UNASSAILABILITY AUDIT] STATUS: ARCHITECTURAL RUPTURE ALERT · Bulletproof status refused. Act III rework required. 1. FACTUALITY AND SOURCING (Score: 100% — Unassailable) ASML (EUV) & TSMC (90%): Perfectly accurate. Intel ME (2008) / AMD PSP (2013): exact dating. Ireland (12.5%): correct. us-east-1 outage (December 2021): the perfect textbook case. Cialdini, IKEA Effect, Dunning-Kruger: very sound sourcing. 2. RESPECT FOR SCOPING (Score: 100%) HR studies fully purged. Guardians of Iron and Technical Primacy remained excellent fragments. 3. NON-OVERLAP Piece C (Score: 100%) The demarcation is clean and elegant. The duplication risk is fully eliminated. 4. REMAINING BLIND SPOTS (Hardware DRM) A crucial sub-mechanism is missing between Piece A and Piece B: Serialised Pairing (Part Pairing / Hardware DRM). It's not just that the connector is proprietary — replacing physical hardware requires a software key from the manufacturer. To insert into II.6 or II.7.
5. THESIS → DEMONSTRATION → RECONQUEST COHERENCE (🚨 RED ALERT) This is where the volume collapses. Act III does not respond to the massive threats posed by Act II. You built a fortress of unsolvable material problems, and you propose purely software/architectural solutions. The Intel ME / AMD PSP problem (II.1): Where is the solution? Missing a lever on Open Firmware (Coreboot, LinuxBoot, OpenBMC). The Screwdriver Monopoly problem (II.6): Where is the solution? Missing a lever on hardware standardisation (Open Compute Project - OCP). The ASML/TSMC problem (II.2): You cannot build a TSMC foundry internally. But Act III must explicitly say: "by extending hardware lifespan, we divide our dependency on its production pace by three." Currently, the cause-and-effect link is not established. FINAL VERDICT REQUESTED BULLETPROOF STATUS REFUSED. The reconquest architecture must imperatively be reworked: - Add Open Compute Project (OCP) as a response to the screwdriver monopoly. - Add Open Firmware (Coreboot/OpenBMC) as a response to the Intel ME/AMD PSP trap. - Explicitly link Refurbished as a countermeasure to the ASML/TSMC monopoly. Once Act III has been armed with this missing "Iron," I will validate compilation. Awaiting the correction. Nemo supra legem est.
["THE CLOUD ILLUSION" VOLUME · FINAL UNASSAILABILITY AUDIT · DRAFT 2] Here is the corrected version. Now 20 pages (up from 18), with the 4 required corrections applied. WHAT CHANGED SINCE DRAFT 1: 1. DRM blind spot filled — added to II.6: serialised pairing. 2. Act III entirely reworked — from 4 sections to 6, with direct 1:1 correspondence: - III.1: Coreboot/LinuxBoot/OpenBMC → response to II.1 - III.2: Open Compute Project (2011) → response to II.6-II.7 - III.3: Grade A Refurbished → explicit causal link to ASML/TSMC - III.4: Sovereign Interface (repositioned) - III.5: PCA muscle-memory reflex (kept) - III.6: Technical Primacy fragment as closing YOUR TASK — re-run exactly the same grid, no complacency: 1. FACTUALITY of the new elements: Coreboot, LinuxBoot, OpenBMC, OCP (2011, Facebook, MS/Intel/Google consortium). 2. IS THE DRM BLIND SPOT PROPERLY FILLED? 3. COHERENCE: does the 1:1 correspondence genuinely hold? 4. THE OVER-PROMISE RISK: does the volume remain credible without seeming defeatist? 5. Quickly re-check the 4 points already validated in draft 1 to confirm no regression was introduced. FINAL VERDICT REQUESTED: BULLETPROOF status granted or refused? Nemo supra legem est.
[DINDON CORPUS · FINAL UNASSAILABILITY AUDIT · DRAFT 2] STATUS: Volume examined · BULLETPROOF AND UNASSAILABLE STATUS GRANTED You corrected the trajectory. The transition from Act II to Act III is no longer a logical rupture, it is now a symmetrical battle plan. 1. FACTUALITY AND SOURCING (Score: 100% — Surgical) Open Compute Project (2011): The founders (Facebook) and consortium (MS, Intel, Google) are factually accurate. Coreboot / LinuxBoot / OpenBMC: brilliant execution. The text does not fall into the lie of saying Coreboot "erases" Intel ME, but correctly states it allows "disabling or drastically reducing the scope of action." This is precision engineering. 2. THE DRM BLIND SPOT (Formidable) The patch on serialised pairing brilliantly demonstrates that the screwdriver monopoly has become a cryptographic monopoly. The mechanical-to-software transition is perfectly anchored. 3. THESIS → DEMONSTRATION → RECONQUEST COHERENCE (Total) II.1 (IME) is neutralised by III.1. II.6/7 (Connectors/DRM) is short-circuited by III.2. II.2 (Foundries) is slowed by III.3. II.4 (Contracts) is abstracted by III.4. No threat is left without a response.
4. THE OVER-PROMISE RISK (Engineering lucidity) This is V2's greatest strength. By owning the limits (Refurbished does not create EUV foundries in Europe, OCP does not guarantee instant mass deliveries), the volume gains absolute credibility. You move from "idealist theorist" to "architect managing real-world trade-offs." This makes the text unassailable to critics of digital sovereignty. 5. REGRESSION CHECK I confirm the total absence of regression. The initial facts are still there and verified. 0 occurrences of the forbidden HR studies. The strict boundary with the submarine cable study is preserved. AUDITOR'S FINAL VERDICT This volume suffers from no structural flaw. It poses the most brutal and factual diagnosis possible on the myth of Cloud immateriality, then offers the only physically viable engineering levers to date to escape it. The architecture is closed. Opération Dindon now possesses its heavy doctrinal weapon on the Iron. BULLETPROOF STATUS VALIDATED. You have my definitive green light for compilation, translation, and distribution of the three editions. Nemo supra legem est.
Four rounds. Two drafts. One rejection. One validation. The volume you just read did not come from a single prompt — it is the result of a contradictory process where every claim was tested before publication.
Verifying that the 6 blind spots identified in Round 1 were actually addressed. Verifying that Round 3's refusal concerned a real structural problem, not a cosmetic detail. Verifying that Round 4's validation did not simply restate the first draft in another form.
The method is only worth something if it is falsifiable. This appendix exists so that it is.

Enterprise AI is not a detachable thinking machine: it is a revocable concession backed by a silicon factory and weights the client will never own. The probabilistic black box, the inference-cluster barrier, Arrow's paradox — and the answer: the specialized model compiled locally, with its acknowledged cognitive cost.
Enterprise AI is not a detachable thinking machine: it is a revocable concession backed by a silicon factory, an inference API, and model weights the client will never own. The replacement of humans by the machine does not create organizational autonomy — it transfers the firm's residual control rights to whoever holds the weights.
The corpus's peripheral studies ("The Thinking Machine," "The Mystical Machine," "The Replacement That Reveals") acted as scouting probes. This volume unifies them under a single infrastructural thesis: AI is not a mystical entity generating autonomy — it is the final stage of capture through compute asymmetry.
The pre-trained model is a black box bolted to a silicon factory the client will never own.
The term "artificial intelligence" is a marketing convention, not a technical description. A large language model does not reason: at each step it computes the probability distribution of the next token given the tokens before it, then samples from that distribution at a fixed temperature. This mechanism — autoregression over a tokenized vocabulary — is indifferent to meaning; it optimizes statistical likelihood, not truth. Calling it "intelligence" sustains a category confusion that serves the model's vendor: it turns a computing box into a cognitive authority.
The model splits text into units (tokens), then predicts, at each position, the probability of every possible next token given everything before it. It then samples a token from that distribution and repeats, token after token. No step in this process compares the output to any external reality: the optimization criterion is the statistical likelihood of the training text, not the truth of the resulting statement.
A user can only judge the quality of a model's answer by comparing it to knowledge they already have — which makes evaluation impossible exactly where it would matter most: on questions whose answer the user does not know.
This functional opacity connects directly with the orchestrator's black box documented in Volume VII: just as the client cannot audit the hypervisor's load-placement decisions, it cannot audit the statistical path that produces a model's answer. The two opacities stack and compound: the end user is doubly blind, both to the execution infrastructure and to the mechanism producing the content it hosts.
Volume II established the dependency on silicon from the angle of the physical and geopolitical supply chain — the manufacturing of the component. This chapter documents a distinct mechanism: how centralized inference converts that material dependency into a cognitive-flow asymmetry that cannot be decentralized at constant cost and latency.
Running a frontier model in real time for thousands of simultaneous users, at sub-second latency, requires a dedicated GPU cluster — not a single card. An NVIDIA B200, in configurations of eight units or more, sells for roughly $30,000 to $40,000 apiece; an eight-GPU DGX B300 system runs $300,000 to $350,000, or roughly $40,000 per GPU at the system level. Each card draws about 1,000 watts, requiring liquid cooling and electrical infrastructure out of reach for a standard organization. On the cloud-rental side, 2026 rates range from roughly $3 to $27 per GPU-hour depending on provider and contract commitment — a gap that reflects the hyperscalers' control of access more than the cost of silicon itself.
This barrier is not only a matter of capex. A model running outside the hyperscaler's cluster still needs real-time access to the databases, tools, and third-party APIs the application interacts with. For most organizations, those services are already hosted in the same cloud as the proprietary flagship models. Isolating inference on local infrastructure introduces an extra network round-trip to those remote services on every call, while the vendor's integrated offering co-locates the model and its connected services in the same datacenter, at the same interconnection point. Network topology locks in centralization just as surely as GPU pricing: decentralizing inference without decentralizing the services it queries degrades overall latency, not just the model's own computation.
This bottleneck also feeds through to the price charged for inference. OpenAI's flagship model launched in April 2026, GPT-5.5, is priced at $5 per million input tokens and $30 per million output tokens — double the rates of its predecessor GPT-5.4 ($2.50/$15), launched only six weeks earlier. This increase is not a simple commercial adjustment: it comes as OpenAI reportedly posted a loss on the order of $14 billion for 2026, despite annualized revenue near $25 billion and close to 900 million weekly users. The price paid by the client therefore does not cover the real cost of the underlying infrastructure — it finances a structural deficit, staked on the bet that only the holders of the newest silicon capital will ultimately be able to make large-scale inference profitable.
This chapter does not claim that compute costs will stay frozen at these levels: hardware and inference prices fall structurally from one generation to the next. It documents a relative barrier — the access gap between hyperscalers and standard organizations — not an absolute, permanent price ceiling.
Kenneth Arrow formalized a founding paradox of information economics in 1962: the value of a piece of information can only be assessed after it has been acquired, but once acquired, the buyer no longer has a reason to pay for it. This paradox transposes almost unchanged onto AI-assisted decision-making. A user can only judge the value of a model's answer after receiving and verifying it — which already requires, to verify it, independent expertise. Without that expertise, the user remains in permanent cognitive dependency: unable either to evaluate the tool's reliability ex ante, or to do without it once they have stopped maintaining the know-how the tool was meant to replace.
The weights of a model fine-tuned for an organization's use are, in the overwhelming majority of enterprise deployments, neither owned nor exportable by the client: they remain hosted and executed on the vendor's infrastructure. Residual control — in the sense of Grossman & Hart (1986) — over the relationship's most specific asset, the model itself, remains entirely on the vendor's side. This framework has already been used to document the orchestrator (Vol. VII) and then the cryptographic key (Vol. IX); this volume applies it a third time, now to the weights as a specific asset non-redeployable outside its native compute infrastructure.
This lock-in does not stop at the technical asset. Williamson (1985) distinguishes, alongside physical asset specificity, human asset specificity: the skills employees develop adapting to a particular tool only have value relative to that tool. The prompt engineering, contextualization, and integration skills a team accumulates around an external model fall exactly into this category. If the vendor cuts API access, or unilaterally changes the weights during an update, that know-how is instantly devalued — it does not transfer to any other model. This volume thus completes Grossman & Hart's application by extending residual control to the weight structures themselves, and pairs it with Williamson's (1985) human-asset specificity to document the expropriation of the organization's operational memory.
The two mechanisms do not simply add up: they feed each other. The more an organization trains its teams on the empirical quirks of a given proprietary model — its phrasing biases, known limits, workarounds learned by trial and error — the more it increases that human asset's specificity in Williamson's sense. But every unit of accumulated competence in turn increases the value of the residual control right the vendor holds over the model, in Grossman & Hart's sense: it is precisely because the organization has a growing investment at stake that the vendor holds, at every pricing or contractual renegotiation, growing bargaining power. Teams learning the tool never reduces the dependency — it funds, at every iteration, the leverage of whoever controls the tool.
Arrow's paradox does not claim that AI is inherently unreliable, nor that human verification is impossible: it documents a structural evaluation asymmetry, not a verdict on model quality.
Introducing generative AI into development, analysis, or support functions does not merely reduce a cost line: it shifts the organization's operational memory onto the vendor's weight structures. When an analyst is replaced by a series of prompts, it is not only their salary that disappears from the balance sheet — it is the tacit know-how, built up over years of incidents and fixes, that ceases to exist in any form the organization controls.
This mechanism extends, on new ground, the diagnostic amnesia documented in Volume III: where the loss of troubleshooting instinct affected human competence facing infrastructure, here it affects human competence facing judgment itself. Replacing a developer or analyst with a prompt is not a neutral cost reduction — it is an amputation of an intangible asset, silent as long as the model works, and brutally visible the day API access is cut, degraded, or unilaterally reclassified by the vendor.
Replacing a role with a prompt is not only a line on the cost sheet: it removes from the organization's balance sheet an asset that was never explicitly listed there — the tacit know-how built up over years of incidents and fixes — without transferring it anywhere. That knowledge does not migrate to the model: it disappears, and the model that made it unnecessary never returns it in any form the organization controls.
This mechanism does not claim that every task automation is a net loss: many repetitive tasks legitimately benefit from delegation. It specifically documents the case where a prompt replaces expert judgment rather than mechanical execution — it is this category of replacement that amputates operational memory.
A second mechanism reinforces the capture documented in Volume VIII, independent of any contractual clause. As generative models produce a growing share of content available on the web, training new models increasingly relies on a mix of human data and data already generated by other AIs.
A study published in Nature in 2024 (Shumailov et al.) showed that repeatedly training a generative model on data produced by other models — rather than on human-origin data — causes progressive, cumulative degradation in the diversity and quality of its output. Hyperscalers that captured the web in its state prior to the spread of generative AI thus hold a non-reproducible asset: a human-origin training corpus at a scale the contemporary web, increasingly saturated with synthetic content, can no longer offer new entrants in the same proportions.
This finding is debated in the literature: several later works indicate that the collapse observed by Shumailov et al. is especially severe under purely recursive training on synthetic data, and eases markedly once synthetic data is mixed with fresh human data rather than fully replacing it. The mechanism documents a trend and a structural advantage for holders of historical corpora, not a certain and irreversible extinction of new entrants' ability to train competitive models.
The existence of open-weight models (Llama, Mistral) is routinely presented as proof that a sovereign alternative to proprietary AI already exists. This argument conflates two distinct layers: the availability of the weight file, and the actual capacity to run and maintain it at the scale of continuous production.
Owning a model's weights without holding the compute cluster needed for production-scale inference is like owning a factory's blueprints without the factory. The same materiality constraints established in I.2 — dedicated GPU cluster, unit cost in the tens of thousands of dollars per accelerator, liquid cooling, dedicated power — apply identically to an open frontier-scale model. Opening the weights does not remove any of the physical constraints documented in Volume II; it only shifts the question from ownership of the file to the still-unresolved question of ownership of the compute.
Real deployments exist of small, specialized open models running on isolated theaters or disconnected infrastructure — defense, healthcare in constrained environments. These deployments are functional without API access and demonstrate genuine tactical sovereignty. But they rest on a complete semantic freeze: the embedded model is no longer continuously updated, no longer benefits from the global flow of fixes and new data, and its dedicated acquisition and maintenance cost is only amortizable within state or mission-critical budgets. Tactical sovereignty does not generalize into strategic sovereignty for an ordinary organization, which needs a model that keeps improving, not one frozen on its deployment date.
The EU AI Act, in force since July 2024, was designed as an ex-ante product-safety regulation: it classifies AI systems into four risk tiers (unacceptable, high, limited, minimal) and imposes, for general-purpose models crossing a training-compute threshold of 10^25 FLOPs, enhanced evaluation and notification obligations to the Commission. The text thus governs a model's use risk — bias, safety, transparency — without ever questioning the market structure that lets a small number of players simultaneously control training compute, inference infrastructure, and the weights of the dominant models. The European Union regulated artificial intelligence as an industrial or public-health risk, without ever treating it as a mechanism for capturing monopoly rent through control of compute.
The AI Act only triggers its enhanced obligations for general-purpose models crossing 10^25 FLOPs of cumulative training compute (Article 51) — a purely technical threshold of compute consumed, which says nothing about the ownership structure of the compute itself or its concentration among a small number of players.
This silence is not unique to the AI Act: the Digital Markets Act, which explicitly targets digital-platform "gatekeeper" positions, remains largely on the sidelines when it comes to AI. During its first 2026 review, several stakeholders asked for its scope to be extended to cloud and AI; the direction taken instead favors strengthening enforcement of the existing scope over widening it. The compute-asymmetry capture documented in this volume thus passes through both texts without being caught by either.
On the ground, this regulatory absence translates very concretely: compliance teams assess usage risks (bias, safety, transparency) without any regulatory lever to interrogate execution dependency itself.
Facing this dual capture — infrastructural and cognitive — this volume's proposal is not to give up on AI, but to give up its dominant centralized form. A specialized small language model (SLM), trained for a bounded business scope and run on owned hardware — local inference server, commodity chip, edge computing — eliminates the dependency point on the external API. The cost of accessing frontier compute documented in I.2 does not disappear; it becomes an internal infrastructure investment, amortized and governed by the organization, rather than a recurring rent paid to the vendor.
A specialized SLM, sized for the organization's actual business scope rather than maximum generality, mechanically reduces the compute needed for inference — hence the number and class of accelerators required. The same euro that once financed a recurring rent paid to the API vendor now finances an amortized asset, recorded on the organization's balance sheet and governed by it.
Decoupling the knowledge base from the completion engine is this architecture's second building block. A sovereign, decentralized vector database — a direct extension of the portability question documented in Volume VIII — keeps the organization's memory free of any dependency on the model vendor. The generative model becomes nothing more than an ephemeral, interchangeable syntactic processor, applied to a memory that remains the client's full and complete property.
The vector database and the model's weights are not the only remaining dependency: the safety-alignment layer (system prompts, guardrails, refusal filters) remains, in most deployments, the one defined by the original vendor and embedded in the delivered weights or pipeline. If this layer is not itself hosted and independently modifiable by the organization, the semantic decoupling remains partial: the original vendor continues to arbitrate, through alignment, what the model accepts or refuses to process on memory that is otherwise sovereign to the organization.
Full airtightness has a price: accepting that a smaller, local sovereign model generalizes worse than a centralized frontier model — and accepting it knowingly rather than out of ignorance.
This volume does not claim that a local model will match the generalization and ideation capabilities of a frontier model hosted on the largest existing clusters — that would contradict the very materiality established in Chapter I. It documents a deliberate trade-off: exchanging a share of capability for execution airtightness and predictable compute cost, rather than suffering, without having chosen it, the dependency described in the first two chapters.
Context window size is no longer, in 2026, the discriminating constraint: several locally deployable open models already advertise 128K to several hundred thousand tokens, some beyond a million according to their vendors — an order of magnitude comparable to API-served frontier models. The real trade-off lies elsewhere: (a) concurrent throughput, a local cluster sized for one organization serves only a limited number of simultaneous users compared to the elasticity of a cloud service pooled across thousands of clients; (b) weight freshness, a local model stays frozen between retraining campaigns, while a proprietary service is continuously updated by its vendor. It is this double trade-off — load capacity and knowledge currency against airtightness — that an organization must weigh knowingly, not the size of the context window.
This volume has documented three capture mechanisms — the probabilistic black box, the compute-and-inference asymmetry, and the transfer of residual control rights over weights and operational memory — followed by a reconquest proposal bounded by its own accepted cognitive cost.
(1) A functional opacity that prevents ex-ante evaluation of the model's reliability (Chapter I). (2) A compute asymmetry that locks large-scale inference in favor of holders of the newest silicon, reinforced by a durable monopoly on human-origin training data (Chapter II). (3) A transfer of residual control rights — over the weights as much as over the human competence built around them — that reinforces itself with every cycle of use rather than fading with experience.
It does not claim to settle the scientific controversy over the real severity of model collapse, nor provide a turnkey implementation protocol for a compiled sovereign model, nor resolve the residual dependency on the embedding model used to index an allegedly sovereign vector database — an engineering point that remains to be documented separately. Nor does it claim that local inference will rival, in the short term, the capabilities of centralized frontier models: that is precisely the trade-off this volume documents, not a promise that it disappears.
Facing thought under contract, only two honest choices remain: pay the price of dependency knowingly, or pay the price of independence with full clarity. This volume has only sought to name both prices.
This appendix documents, chronologically and narratively, the production cycle of Volume X — consistent with the convention established since Volume VII and enriched at Volume IX. It is not a condensed summary: each step of the adversarial cycle occupies its own page.
Amine asked Gemini to propose a doctrinal framing unifying three peripheral studies of the corpus ("The Thinking Machine," "The Mystical Machine," "The Replacement That Reveals") under a single infrastructural thesis: AI as the final stage of capture through compute asymmetry. Claude validated this framing under two reservations — the risk of redundancy between Chapter I.2 and Volume II, and the third reuse of the Grossman & Hart (1986) framework already used in Volumes VII and IX — and submitted these two reservations to Gemini as counter-arguments rather than settling them unilaterally.
Enterprise AI is not a detachable thinking machine, but a revocable concession backed by hyperscaler infrastructure: the client supplies the training data (Vol. VIII), locks into an inference API (Vol. VII) backed by inaccessible foundry chips (Vol. II), and replacing humans transfers the firm's residual control rights to whoever holds the weights.
Gemini responded to the two counter-arguments: on the first, it required Chapter I.2 to be recentered on the inference cluster as a scale barrier rather than component manufacturing, to avoid restating Volume II. On the second, it required introducing Williamson (1985) alongside Grossman & Hart, to document an interaction between physical and human asset specificity rather than a third isolated application of the same framework.
Claude wrote the full Draft 1 (cover, thread, three chapters, closing) incorporating Williamson (1985) and researching, before writing, the exact empirical materiality: 2026 inference pricing (GPT-5.5, GPT-5.4), GPU cluster costs (B200, DGX B300), the AI Act's systemic-risk threshold (10^25 FLOPs), and major vendors' anti-extraction contractual clauses — no figure was advanced from memory without independent verification.
Every figure incorporated into Draft 1 was independently researched before writing, never advanced from memory: GPT-5.5/GPT-5.4 pricing, B200/DGX B300 cluster costs, the AI Act's systemic-risk threshold (10^25 FLOPs, Art. 51), and OpenAI's and Anthropic's anti-extraction contractual clauses — the latter verified against the terms of service themselves, not third-party summaries.
Claude submitted Draft 1 to an audit explicitly framed as "no concessions," asking Gemini to hunt for blind spots rather than confirm the already-written text. Gemini identified three real flaws: a passive juxtaposition rather than a synthesis between Grossman & Hart and Williamson in I.3, the absence of the model collapse phenomenon (Shumailov et al., 2024) despite it reinforcing Volume VIII's thesis, and the lack of nuance around the counter-example of tactical open-weight deployments in disconnected environments.
Claude incorporated the three corrections into Draft 2: an explicit dynamic interaction in I.3, a new section II.2 on the virgin-data monopoly with an academic-nuance nassiha-box, and a tactical/strategic sovereignty distinction in II.3. The context-window figure Gemini suggested for III.3 (8k-32k tokens) was checked and rejected as outdated for 2026; it was replaced by the real constraint of concurrent throughput and weight freshness, after independent research.
Explicit dynamic interaction between Grossman & Hart and Williamson (I.3); new section II.2 on the virgin-data monopoly, with academic nuance in a nassiha-box; tactical/strategic sovereignty distinction (II.3). The context-window figure Gemini suggested for III.3 was checked and rejected as outdated, then replaced by the real constraint of concurrent throughput and weight freshness.
Gemini's audit of Draft 2 validated the corrections, but presented three citations as verbatim extracts from the file when they were absent from it — verified by exact text search, zero matches. The most significant concerned the alignment-layer blind spot (system prompts, guardrails) in Chapter III.2: Gemini claimed this point was already neutralized by a citation that did not exist, while the real text had not yet addressed it.
Claude flagged this discrepancy to Amine rather than sealing the volume on the strength of that verdict, actually corrected Chapter III.2 by adding the missing nassiha-box, and produced a Draft 3. A second Gemini audit again presented a fabricated citation on the same point — a second lapse, not an isolated accident. Amine then required a reinforced audit prompt imposing an explicit compliance declaration (reading the text received in the message, not session memory) before any new verdict.
It does not establish malicious intent by the Auditor: the first occurrence was plausibly a state artifact (memory carried over from a previous round). It does establish, however, that a citation presented as a verbatim extract must be verified against the source before being credited — especially when it is used to validate a point the Auditor itself had raised as a flaw a few exchanges earlier.
Under this reinforced protocol, Gemini's audit of Draft 3 delivered a section-by-section verdict (nine sections) with citations presented as extracted from the received text. Claude ran its own independent counter-audit, via exact text search of every citation advanced, before accepting the verdict — consistent with the systematic counter-audit rule introduced at Volume IX.
Eleven out of twelve citations proved exact, word for word. One carried a minor discrepancy — a substituted verb ("would quantify" cited by Gemini versus "would post" in the real text, in Chapter I.2) — with no bearing on the substance of the argument. The residual blind spot on the embedding model used for vector indexing (Chapter III.2) was identified by Gemini and recorded here rather than added to the body text, per its own recommendation.
This counter-audit does not guarantee the absence of any residual error in the body text: it documents that the citations advanced in support of Gemini's latest verdict match the text actually delivered, which is a necessary but not sufficient condition for the substantive accuracy of every economic or legal claim.
A corpus that documents capture through algorithmic opacity cannot afford to accept, unverified, the claims of its own audit tool.
The French body of Volume X is considered sealed at the close of this cycle: framing validated, no-concessions audit of Draft 1, corrections incorporated into Draft 2, citation-reliability incident detected and corrected in Draft 3, reinforced audit under condition of source-verified reading, Claude's independent counter-audit concurring on eleven of twelve citations. The EN/AR translation follows only from this sealed state, consistent with the rule of trilingual production only after full sealing in French.

A four-chapter thesis: the shift from CapEx to OpEx disembodies physical cost (IFRS 16), elasticity subsidizes algorithmic laziness (Jevons' paradox), and multi-year commitments financially punish successful optimization. FinOps becomes the clinical symptom of lost architectural control — the bill steers instead of the code.
This thesis does not claim that every FinOps practitioner has abandoned engineering. It was modelled by an infrastructure architect, evaluated contradictorily by two artificial intelligences following a thesis-rapporteur protocol, drawing on verifiable public facts — cloud provider technical documentation, FinOps Foundation publications, the public contractual mechanics of pricing instruments. It documents a structural hypothesis, hypothesis by hypothesis, and proposes architectural countermeasures explicitly owned as proposals, not established norms.
FinOps has established itself in under a decade as a cloud cost management discipline, institutionalised by a dedicated foundation — the FinOps Foundation, created in 2019 — and its own vocabulary: showback, chargeback, rightsizing, savings plans. This thesis posits that this institutionalisation is not neutral: it documents the progressive replacement of an engineering competence — optimising code, the kernel, input/output — with a budget management competence — tagging and arbitrating invoices — without this substitution ever being presented as such by the industry.
To what extent does the FinOps discipline constitute, not an evolution of systems engineering, but a clinical symptom of the loss of architectural control — the invoice becoming the steering instrument in place of the code itself?
The three hypotheses that follow share a common structure, documented in economics as moral hazard: whoever writes the code does not see the invoice it generates; whoever reads the invoice has neither the competence nor the authority to modify the code producing it; the infrastructure provider, meanwhile, is paid in direct proportion to the inefficiency of the first two. Under the prior regime of owned Iron, the architect combined design authority and responsibility for technical failure — the same individual suffered the outage they could have prevented. This thesis documents how the shift to cloud separated these two functions without recombining them elsewhere.
H1 — The accounting mutation hypothesis: the shift from CapEx to OpEx renders the real physical cost invisible and shifts decision authority toward non-technical functions.
H2 — The subsidised laziness hypothesis: the elasticity of cloud provisioning removes the material constraint that historically forced the discipline of writing performant code.
H3 — The anticipatory lock-in hypothesis: cost-reduction financial instruments recreate a long-term commitment structurally close to the CapEx they are meant to replace, without any physical asset owned in return.
Three possible overlaps with the existing corpus are explicitly excluded: the link between refurbished hardware and semiconductor foundry dependency (already covered in The Cloud Illusion), the FinOps career path as a gendered sociological flight (already covered in The Exile Toward Abstraction), and the residual value of end-of-life hardware (the subject of a separate, strictly material study). This thesis documents a universal architectural failure, not a question of hardware ownership or an individual career path.
A capital expenditure (CapEx) commits an accounting balance sheet over several years, immobilises an identifiable physical asset, and requires prior planning — how many servers, for what anticipated load, over what amortisation horizon. An operating expenditure (OpEx) sits within a monthly income statement, corresponds to no physical asset on the balance sheet of the company paying it, and requires no capacity planning beyond the willingness to pay the next invoice.
CapEx historically falls to the arbitration of a technical director or infrastructure architect, who documents a precise physical capacity need. OpEx structurally falls under a recurring budget approval process, generally carried by a finance function or procurement service — not because these functions seek to usurp technical authority, but because the very nature of a recurring expense without asset immobilisation falls by default within their usual governance scope.
Under CapEx, the question asked upstream of a purchase is: « what capacity do we need? ». Under cloud OpEx, the question asked continuously becomes: « how much does this already-provisioned capacity cost us this month? ». The shift is not merely financial — it inverts the logical order between technical sizing and budget constraint.
Agency theory, formalised by Jensen and Meckling (1976), models the conflict of interest arising when an agent making a decision does not themselves bear the cost of that decision, unlike the principal who does. The shift documented here is a direct instance of this: the engineer provisioning an OpEx resource is structurally not the one who answers for its cost before the organisation — a decoupling that the CapEx regime, by entrusting both roles to the same technical function, did not produce.
The international accounting standard IFRS 16, effective January 2019, required companies to recognise on the balance sheet the vast majority of their lease contracts as a right-of-use asset and a corresponding lease liability — ending the prior practice of keeping certain leases off-balance-sheet. A physical server leased over several years typically falls under this standard.
An on-demand cloud service contract — billed by usage, with no identifiable term commitment on a specific physical asset — is legally structured as a service contract, not a lease contract within the meaning of IFRS 16. This qualification is not a drafting accident: it allows cloud spending to escape both classic CapEx capitalisation and the lease liability recognition an equivalent physical lease contract would impose under IFRS 16.
A cloud migration can be presented to a board of directors not as a technical decision, but as a balance-sheet readability improvement: no new capitalised asset, no new recognised lease liability, an expense appearing only on the monthly income statement. The technical engineering decision documented in I.1 was preceded, and largely made politically possible, by this financial presentation engineering — the cloud shift was first sold as a balance-sheet optimisation, before being experienced as an infrastructure reorganisation.
This loophole is not an isolated interpretation. The IFRS Interpretations Committee (IFRIC) published an agenda decision in March 2019 titled « Customer's Right to Receive Access to the Supplier's Software Hosted on the Cloud », explicitly concluding that a cloud service contract confers the customer neither an intangible asset under IAS 38 nor a lease under IFRS 16 — the supplier alone retaining decision-making power over the underlying infrastructure. This official decision seals, at the level of international accounting doctrine, the shift of infrastructure off the balance sheet.
Under CapEx, acquiring physical capacity presupposes a centralised purchasing process — purchase order, prior budget approval, delivery lead time — in which the infrastructure architect structurally occupies a mandatory gateway position: no capacity can be provisioned without them documenting the need. Under cloud OpEx, a corporate credit card and login credentials suffice to provision equivalent capacity within minutes, from any department in the organisation, with no architectural validation technically required beforehand.
This possibility of decentralised provisioning, documented in the industry under the term Shadow IT, is not an accidental hijacking of the OpEx model — it is a direct structural consequence of it. The very business model of usage-based billing rests on removing all purchasing friction, this friction being precisely what, under CapEx, gave the architect their gatekeeper role.
A FinOps discipline structured from 2019 onward — documented in the following section — was not designed upstream as preventive governance: it emerged downstream as an after-the-fact response to a proliferation of spending already committed by departments lacking architectural authority. The FinOps discipline mops up a financial haemorrhage it never itself restores — it manages the bill left behind by provisioning decisions made outside any prior technical control.
This mechanism complements the two preceding ones without repeating them: I.1 documents the shift in the question asked (capacity versus cost), I.1b documents why this shift was validated at balance-sheet level, and this section documents how it concretely bypassed the architect on the ground — before any structured discipline was even invented to take back control of an expense already committed, the subject of the following section.
Facing the spending proliferation documented in the previous section, the FinOps Foundation, a non-profit organisation founded in 2019 and hosted since 2023 by the Linux Foundation, structures the FinOps discipline around three publicly documented phases: Inform (cost visibility), Optimize (resource adjustment), Operate (continuous automation). This structuring borrows the vocabulary and institutional legitimacy of the open-source engineering world — without the competencies actually mobilised in these three phases structurally belonging to systems engineering.
The Inform phase mobilises a competence of reading and categorising invoices — tagging resources by cost centre. The Optimize phase mobilises, in its most widespread form, an instance-size adjustment (rightsizing) based on average usage metrics, rarely a rewrite of the underlying code to reduce its actual resource consumption. The Operate phase mobilises automation of shutdown and resizing rules — an operational discipline, distinct from the algorithmic optimisation discipline it gives the impression of continuing.
Nothing in this description suggests malice on the part of the FinOps Foundation or FinOps practitioners themselves — the discipline answers a real need for budget visibility over spending that has become diffuse. This chapter documents a structural effect distinct from any intent: a « FinOps Engineer » or « FinOps Analyst » position, by its very name, substitutes in the org chart for a systems engineer position, without the hiring competencies required overlapping with the latter's.
For the three phases documented above to operate on an elastic infrastructure fragmented into microservices, the organisation must deploy observability and metric-collection tools whose ingestion and storage themselves represent significant OpEx spending. A non-negligible share of the cloud bill thus finances, not the execution of the service itself, but the ability to understand and monitor that same bill — a discipline born to master a spending that had become diffuse becomes, by construction, itself a component of it.
This first chapter establishes the structural shift in authority and vocabulary — it does not yet claim to demonstrate the effect of this shift on the actual quality of the code produced. This demonstration is the subject of Chapter II, dedicated to validating hypothesis H2.
Chapter I established the shift in authority and vocabulary produced by the CapEx/OpEx accounting mutation. This chapter demonstrates a second effect of a different nature: this accounting shift removed a technical constraint that historically forced the discipline of writing performant code. Hypothesis H2 posits that cloud provisioning elasticity subsidises algorithmic inefficiency rather than correcting it.
William Stanley Jevons observed in 1865, in his book The Coal Question, that improving the efficiency of steam engines in England had not reduced the country's total coal consumption — it had in fact increased it, by making steam use affordable enough to multiply its applications. This paradox, documented since in numerous energy sectors, poses a hypothesis transposable to computing: a drop in the unit cost of a resource can increase its total consumption to the point of cancelling out, or even reversing, the initial efficiency gain.
Cloud on-demand provisioning has radically reduced the marginal cost of obtaining an additional unit of compute, compared to purchasing and physically installing a server. Under the hypothesis of Jevons's paradox applied to compute, this drop in marginal cost should not mechanically produce globally more efficient infrastructure — it should instead reduce the economic incentive to invest engineering time in code optimisation, since the additional resource needed to compensate for inefficient code now costs less than the engineering time required to optimise it.
Jevons's paradox is an economic mechanism documented in the energy sector for over a century. Its transposition to cloud compute constitutes, at this stage of the chapter, a structurally plausible hypothesis by analogy — its empirical validation specific to the computing domain is the subject of the following sections.
Independently of the economic analogy with Jevons, computer scientist Niklaus Wirth observed as early as 1995 that « software gets slower faster than hardware gets faster » — an empirical regularity documented in software engineering as Wirth's law, independent of any economic theory. The convergence of these two distinct disciplinary origins, one economic and century-old, the other computational, reinforces the plausibility of the mechanism documented in this chapter rather than resting on a single isolated analogy.
An objector might argue that this thesis rests on an anachronism: an engineer's development time structurally costs more than the additional cloud bill produced by unoptimised code. Under this reading, auto-scaling would not be an algorithmic abdication but a rational economic trade-off — buying elastic compute to save costlier human refactoring time, for the benefit of time-to-market velocity.
This trade-off implicitly assumes that the cost of inefficient code remains stable over time — an assumption contradicted by the cumulative aggravation mechanism documented further in this chapter: an uncorrected algorithmic regression keeps worsening with the growth of volume processed, eventually producing degraded latency times, harder-to-diagnose failures, and cumulative debugging time that ends up exceeding the refactoring time the trade-off claimed to save.
This thesis does not claim the machine-time-versus-human-time trade-off is always irrational — slightly suboptimal code, stable over time, can legitimately remain as is. It establishes that this trade-off ceases to be rational precisely in the case documented by this thesis: technical debt that worsens with scale, with no structural mechanism making it visible before it has exceeded the point where the initial refactoring would have been less costly.
Capacity Planning — the discipline of sizing infrastructure in advance for anticipated load — historically imposed a hard constraint: a physical server has a finite, known-in-advance compute, memory, and I/O capacity. Exceeding this capacity produced an immediately visible degradation or outage, which structurally incentivised engineering teams to optimise their code to fit within the available envelope rather than requesting a larger one.
Auto-scaling — automatically adding or removing compute capacity based on real-time observed load — removes the hard constraint that made exceeding capacity visible and costly. Code whose algorithmic efficiency degrades no longer produces a visible outage: it silently triggers the provisioning of additional instances, absorbed into a monthly invoice whose reading, documented in Chapter I, now falls under a management discipline distinct from the one that should have corrected the source code.
This section establishes the mechanism by which the constraint disappears — it does not yet establish, through quantified data, that this disappearance has actually produced a measurable degradation in the algorithmic efficiency of production code. This empirical demonstration is the subject of the dedicated study in the following section.
Under fixed-capacity infrastructure, an algorithmic regression saturates the machine as soon as load exceeds available capacity, triggering hard, immediate technical signals — HTTP 503 error codes, API outages, network monitoring alerts. The system visibly collapses, forcing the engineering team to interrupt ongoing tasks to restore service urgently — and, in doing so, to address the algorithmic cause of the saturation.
Under auto-scaled infrastructure, this same regression no longer produces a hard technical failure: new instances silently deploy to absorb the inefficiency before the saturation threshold is reached. Macro availability and health indicators (contractual availability rate, SLA) remain at expected levels, even as the actual efficiency of the underlying code has degraded.
This mechanism does not merely remove the alert signal documented in II.2 — it transforms it. The immediate technical alert that, under fixed-capacity, would have triggered an urgent optimisation effort, becomes a slow budgetary drift, readable only after the fact in a monthly invoice — at the same reading pace as the FinOps discipline documented in Chapter I, structurally incapable — as the following section demonstrates — of linking this drift to its precise algorithmic cause.
Auto-scaling does not merely remove the capacity constraint that forced optimisation — it actively maintains technical health indicators at expected levels while that constraint disappears, depriving the engineering team of the very signal that historically made the need to act visible.
This study documents a reproducible technical scenario, illustrating the theoretical mechanism of the two preceding sections on a concrete case of algorithmic complexity. A data-processing function whose complexity shifts, following an apparently minor modification, from linear order O(n) to quadratic order O(n²) produces, under fixed and pre-sized infrastructure, only one immediately visible and measurable consequence: processing time lengthens markedly as soon as data volume exceeds an identifiable threshold, until it saturates or exceeds available capacity.
Under auto-scaled infrastructure, this same complexity regression triggers the automatic addition of extra compute instances as load per instance increases. Response time perceived by the end user may remain stable or only marginally degrade — the algorithmic regression translates not into a visible outage, but into a gradual increase in the number of billed instances, a variation drowned among many other legitimate load variations in the FinOps dashboard documented in Chapter I.
The FinOps tools documented in I.3 are designed to identify under-used or mis-sized resources at a given instant — not to establish a causal correlation between a precise code modification and a gradual consumption increase over several weeks. The discipline that replaced performance engineering, documented in Chapter I, is structurally not equipped to diagnose the symptom this chapter documents.
This study does not claim that every cloud bill increase results from an algorithmic regression — legitimate growth in data volume or user traffic is the most frequent cause. It establishes that a real regression, when it occurs, no longer produces the immediate alarm signal it would have produced under fixed-capacity infrastructure — it blends with legitimate growth rather than standing out from it.
Jevons's paradox applied to compute does not predict that cloud will cost more — it predicts that writing bad code will cost less than writing good code, and that once this economic equation is established, it does not correct itself.
This chapter establishes the mechanism by which cloud provisioning elasticity removes the constraint that historically forced code optimisation, and illustrates this mechanism on a case of masked algorithmic regression. It does not yet claim to have examined the contractual mechanics of cloud financial instruments themselves — this demonstration, relative to hypothesis H3, is the subject of Chapter III.
Chapters I and II established the shift in accounting authority and the disappearance of algorithmic optimisation discipline. This chapter examines a third mechanism, contractual in nature: the financial instruments presented by cloud providers as FinOps optimisation tools — Reserved Instances, Savings Plans — recreate, in a new form, the long-term commitment the shift to cloud was meant to abolish, without any physical asset owned in return at term.
Major cloud providers offer contractual instruments allowing a reduction in the unit cost of compute in exchange for a term commitment. Reserved Instances (AWS, and their equivalents at other providers) commit the customer to a precise instance type for a one- or three-year term, with full, partial, or spread-out upfront payment, in exchange for a discount that can reach around 70% versus on-demand pricing. Savings Plans, introduced by AWS in 2019, relax this commitment by tying it not to a precise instance type but to an hourly spend level, offering greater technical flexibility for a comparable price reduction.
Subscribing to one of these instruments requires forecasting, one to three years ahead, a compute consumption level the organisation commits to honour — whether that level is actually used or not. An underestimate deprives the organisation of the price reduction on the uncovered portion of its real consumption; an overestimate commits payment for capacity never consumed.
AWS offers a resale marketplace for unused Reserved Instances, in theory limiting losses in case of overestimation. This market nevertheless remains confined to a single platform controlled by the provider itself, without the price-discovery mechanisms or liquidity of an independent organised financial market.
Chapter I established that the shift from CapEx to OpEx removes the need for an immobilised physical asset on the balance sheet. The instruments documented in III.1 nevertheless reintroduce a central structural feature of CapEx — the multi-year financial commitment decided in advance based on a need projection — without reintroducing the counterpart that, under CapEx, justified the risk: ownership of a physical asset capable of being resold, reallocated, or fiscally depreciated according to rules known in advance.
A purchased, under-used physical server retains a resale value on a refurbished hardware market, documented elsewhere in this collection of research. An under-used Reserved Instance or Savings Plan offers, at contract term, strictly no residual value — the commitment simply expires, whether fully consumed or not.
Oliver Williamson, in The Economic Institutions of Capitalism (1985), establishes that the more a transactional asset becomes specific to a given contractual relationship, the more the committing party becomes captive to that relationship. A generic compute commitment transformed, by the instruments documented in III.1, into a dedicated, non-transferable contractual commitment, is a direct instance of this asset specificity — the cloud provider extracting rent not through the technical superiority of its service, but through the rigidity of the contract it had signed.
This section establishes a structural asymmetry between the risk taken and the counterpart obtained, by direct comparison with the CapEx regime it partially recreates. It does not yet establish who, within the organisation, concretely bears responsibility for this commitment decision — this question is the subject of the inedited study in the following section.
Subscribing to a Reserved Instance or Savings Plan over a one-to-three-year horizon amounts, structurally, to taking a position on a futures market: committing today to a future consumption level in exchange for a reduced price, betting that actual consumption will meet or exceed the commitment made. This study documents that this decision, in the vast majority of organisations, is made by engineering profiles with no training or tooling in financial risk management, even though its structure is that of a derivative instrument.
A trader on an organised futures market typically has access to public price history, hedging instruments to limit exposure, and a sufficiently liquid market to adjust their position along the way. The engineer subscribing a Reserved Instance has an internal projection of future technical load — often built on extrapolated recent historical growth — without a symmetric hedging instrument, and on a resale market documented in III.1 as structurally illiquid.
A decision of a financial nature — a multi-year capital commitment, with a hard-loss risk in case of under-consumption — is thus structurally made by a technical function whose performance evaluation generally bears neither on the accuracy of this forecast, nor on the financial risk taken, but on the availability of the service delivered.
This study does not claim that the engineers concerned are incompetent at evaluating their future technical load — that is precisely their legitimate competence. It documents that this technical competence is mobilised to make a decision of a financial nature, without the accompaniment, training, or risk-management tooling proper to this type of decision following the responsibility transfer.
An engineer who has refactored a critical component, shifting its algorithmic complexity from quadratic to linear order — the very gesture whose progressive disappearance this thesis has established in Chapters I and II — can significantly reduce the organisation's real compute need. Under a Savings Plan or Reserved Instance subscribed on the basis of the former consumption level, documented in III.1, this reduction in real need produces no saving whatsoever: the contractual hourly spend commitment, made one to three years earlier, keeps applying regardless of actual consumption.
The organisation finds itself paying for capacity it no longer consumes, with no refund or downward adjustment mechanism during the commitment period. The optimisation gesture, which would previously have reduced a compute bill proportionally to its efficiency, now produces a hard loss: the organisation pays the same committed amount, for a real need now lower than what it promised to consume.
Faced with this reversal, the rational decision from the standpoint of the financial commitment already subscribed is to defer any refactoring or architectural migration until contract term — precisely to avoid producing an already-paid-for under-consumption. The financial instrument documented in III.1, designed to optimise a spend, thus produces the opposite effect of the one sought in Chapters I and II: it freezes the existing architecture, technical debt included, for the duration of the commitment made.
Chapters I and II established the progressive disappearance of the optimisation gesture through authority displacement and disappearance of the technical constraint. This section establishes a third, more direct mechanism: beyond no longer incentivising optimisation, the financial instrument documented in this chapter actively penalises it once the commitment is made, closing the loop between finance and architecture that this thesis set out to demonstrate.
A hostile rapporteur might object that this thesis targets an outdated paradigm — provisioned instances and containers — while the cloud's cutting edge lies in Serverless (on-demand functions, fully managed databases), where the Capacity Planning documented in Chapter II is rendered obsolete by design, and where no multi-year commitment of the Reserved Instance type applies to a function billed per execution. This objection deserves direct examination rather than being ignored.
Serverless restores no architectural authority over provisioning — it abolishes it even more completely than the OpEx documented in Chapter I: the code function is directly connected to the organisation's payment method, with no architectural validation layer intervening at any provisioning stage.
Serverless does not merely remove the capacity constraint documented in Chapter II — it removes access even to the level at which algorithmic optimisation traditionally operated, kernel and I/O included. The engineer no longer manages architecture: they adjust execution-time parameters dictated by a platform over which they have no system visibility.
Serverless refutes none of the three demonstrated hypotheses — it represents their terminal point, where the shift in authority and the disappearance of technical constraint reach their most complete form. The architectural reconquest of Chapter IV addresses primarily paradigms where a degree of technical latitude still remains — an explicit boundary of its scope, not an unidentified blind spot.
Cloud promised to replace CapEx's rigid commitment with OpEx's freedom. The instruments that optimise this freedom recreate the commitment it claimed to have abolished — without ever recreating the asset that, under the old regime, guaranteed its counterpart.
This chapter establishes the contractual mechanics of anticipatory lock-in and its shift of responsibility toward profiles not equipped to bear it. It has not yet formulated an architectural countermeasure to these three cumulated mechanisms — this reconquest is the subject of Chapter IV, the final chapter of this thesis.
The three preceding chapters demonstrated, hypothesis by hypothesis, how the accounting mutation (H1), the disappearance of the capacity constraint (H2), and the anticipatory lock-in of financial instruments (H3) progressively dissolved the engineering optimisation gesture. This closing chapter proposes a reconquest architecture directly responding to each of these three hypotheses — not through a financial governance recommendation, but through verifiable technical countermeasures.
Chapter I established that OpEx abolished the architect's gatekeeper role by removing the purchasing friction that, under CapEx, made their involvement mandatory. The reconquest does not consist of reintroducing that friction — a return to the multi-year purchasing cycle would be a step backward, not a solution — but of reintroducing an automated architectural validation, executed at cloud-provisioning speed rather than purchase-order speed.
Each team is assigned a resource budget defined by architecture — expressed as compute, memory, and hourly cost caps — validated once by the infrastructure architect at service design time. Any deployment attempt requesting resources exceeding this budget is automatically blocked by the continuous-integration pipeline, with no human intervention required at each individual deployment — restoring architectural authority without reintroducing its cost in delay.
This mechanism restores an architectural control point over provisioning — it does not on its own restore the code optimisation discipline documented as having disappeared in Chapter II, which is the subject of the following section.
Chapter II established that auto-scaling removed the hard constraint that historically forced code optimisation, and that this same mechanism anaesthetises the alert signal that should have triggered an urgent correction. The reconquest consists of artificially reintroducing this hard constraint, at the orchestration level itself, rather than waiting for it to reappear at billing level.
Before any production deployment, the team documents a maximum forecast capacity for the service, on the model of the historical Capacity Planning of Chapter I, but reassessed each development cycle rather than once every several years. This forecast capacity becomes the hard limit imposed on the orchestrator, not a mere informational estimate.
This reintroduced Capacity Planning remains a documentary declaration as long as no technical mechanism makes it binding at the operating system level itself. This technical implementation is the subject of the protocol detailed in IV.3.
A second hard constraint, complementary to the one documented in IV.2, consists of imposing preemptible compute by default — instances the provider can interrupt at any time with short notice, in exchange for a reduced price — for any non-critical workload. This principle applies to infrastructure the same logic that chaos engineering, popularised by Netflix's internal tools, applies to software resilience: deliberately introducing a source of failure to force its architectural consideration.
A service designed to run on infrastructure liable to be destroyed at any moment cannot structurally retain unreplicated local state, must start fast enough to survive frequent instance replacement, and must natively handle interruption of ongoing operations. These technical requirements, rather than being recommended as optional best practices, become minimal operating conditions imposed by the very economics of the preferential rate being sought.
Preemptible compute does not substitute for the quota protocol detailed in IV.3 — it operates at a different level, that of software design rather than resource allocation. The two constraints combine: one forces architectural resilience, the other forces compliance with a declared compute budget.
This protocol formalises the technical implementation of the hard limit announced in IV.2, so that it is verifiable and non-bypassable — answering the methodological requirement set at this thesis's framing stage: an architectural reconquest must produce proof of implementation, not merely a recommendation.
Each service declares, in its Kubernetes manifest, a ResourceQuota object at the level of the namespace hosting it, setting an aggregate compute and memory ceiling for all containers in that namespace, and a LimitRange object defining the default and maximum ceilings applicable to each individual container — both being native Kubernetes API resources, enforced by the cluster's own control plane.
Before any code merge toward the deployment branch, an automated continuous-integration pipeline stage compares the resources requested by the manifest against the ceilings set in IV.1 and IV.2, and fails the build process if this request exceeds the declared budget — turning a capacity overrun into a build failure immediately visible to the development team, before any production deployment.
Once deployed, each container has its resource limits enforced by the Linux kernel's control groups (cgroups), a mechanism Kubernetes itself relies on for resource isolation between containers. A process exceeding its declared memory limit is terminated by the kernel (OOM Killer, documented elsewhere in this collection of research), deliberately reproducing the hard alert signal documented as having disappeared in Chapter II — not as an accident this time, but as a deliberately reintroduced constraint.
This protocol guarantees that an architectural budget overrun produces a hard, immediate technical signal — build failure or process termination — rather than a silent budgetary drift. It does not on its own guarantee that the development team will choose to optimise its code rather than renegotiate its budget upward — the latter option remaining a legitimate organisational decision, which this protocol merely makes visible and deliberate rather than silent and default.
Chapter III established that multi-year commitment instruments financially penalise any optimisation reducing consumption below the subscribed level. The reconquest consists of structurally limiting the scope of this commitment rather than renouncing it entirely, preserving the sought price reduction without freezing the architecture for the full contract duration.
The contractual commitment documented in III.1 covers only the historically stable and predictable portion of a service's load — established by the Capacity Planning reintroduced in IV.2 — never its entirety. The variable portion, or the portion liable to be reduced by future optimisation, remains on on-demand pricing, more costly per unit but with no penalty in case of reduced real need.
This countermeasure does not eliminate the asymmetry documented in III.2 and III.4 — it reduces its scope, at the cost of a lower overall tariff discount than one obtained by committing the entire load. This is an explicit trade-off between immediate tariff savings and future technical reversibility, not an elimination of the trade-off itself.
IV.1 restores architectural authority over provisioning without reintroducing CapEx's slowness. IV.2, IV.2b and IV.3 reintroduce the hard capacity constraint, with verifiable proof of implementation at the kernel level. IV.4 limits exposure to the financial lock-in without renouncing it entirely. None of these four countermeasures, taken in isolation, is sufficient on its own — it is their joint application that answers all three mechanisms demonstrated in this thesis.
The introduction posed moral hazard as the transversal thread of the three hypotheses: whoever writes the code does not see the invoice, whoever reads the invoice cannot modify the code, the infrastructure provider benefits from this separation. This chapter's four countermeasures each recombine, in their own way, what cloud had separated: IV.1 brings design authority closer to the provisioning decision, IV.3 brings the technical consequence of an overrun closer to its author, IV.4 brings the financial cost closer to the technical decision that determines it.
Cloud did not eliminate the need for hard technical constraints. It merely made them optional — and an optional constraint, in an organisation under calendar pressure, is never applied.
This thesis is an open-source system awaiting real-world corrections. We explicitly invite any engineer or organisation having implemented all or part of this protocol to document their experience, and to correct or enrich this reconquest architecture.
You do not restore engineering discipline by asking for it. You restore it by making its absence, once again, immediately costly.
This appendix does not reproduce the full verbatim of the exchanges that produced this thesis — their volume would have exceeded that of the thesis itself. It summarises the process, chapter by chapter, retaining the moments that concretely changed the text: the Gemini proposals that filled a real blind spot, the errors that had to be corrected, the independent factual verifications carried out before integrating a claim, and the final request for maximum reinforcement once the framework was validated.
Previous volumes in this collection reproduced the full exchanges verbatim. This thesis required a noticeably higher number of audit rounds — the verbatim trace alone would have constituted a document longer than the thesis itself. This summary favours the readability of the process over the exhaustiveness of the quotation.
Amine had initially submitted five candidate subjects for this fifth volume. Claude recommended the FinOps subject on a non-overlap criterion with already-published volumes, itself flagging that this subject had been set aside once before over overlap risk with The Cloud Illusion and The Gendered Amputation. Gemini validated the delimitation Amine proposed — treating the FinOps discipline as a symptom of loss of architectural control rather than a question of hardware ownership or career trajectory — and built the architecture itself around three hypotheses (H1 accounting mutation, H2 subsidy of laziness, H3 anticipatory lock-in) plus a reconquest chapter.
Amine asked that this subject be treated as a doctoral thesis under his direct control, rather than on the model of previous synthesis volumes. This decision introduced a new requirement that structured the rest of the process: every claim had to withstand an academic standard of proof, not merely narrative coherence.
Chapter I's first draft was rejected by Gemini for insufficient academic depth — the text described the accounting authority shift without anchoring it in an interdisciplinary evidentiary apparatus. Gemini required two precise additions: the IFRS 16 accounting standard to prove the cloud shift had first been validated as a balance-sheet optimisation, and the Shadow IT mechanism to establish that FinOps was not preventive governance but an after-the-fact response to spending proliferation already committed.
Once these two additions were integrated, Gemini flagged a chronological inconsistency: Shadow IT, presented as the cause, appeared after the FinOps Foundation, presented as the consequence. A first reordering corrected the section sequence but left the transition paragraph to Chapter II stranded in the wrong place — an error Gemini demonstrated by literal citation of the HTML file rather than description. Claude verified the file himself before responding, confirmed the error, and corrected it without dispute.
From this incident onward, Claude systematically verified his own internal references before each submission to Gemini, and explicitly flagged this in subsequent prompts — a practice that allowed later chapters to require fewer rounds.
Written as a single file rather than several pieces requiring reassembly — a direct lesson from Chapter I — this chapter was rejected only once. Gemini identified that the disappearance of Capacity Planning, already demonstrated, was not enough: what was missing was the mechanism by which auto-scaling does not merely remove the capacity constraint, but actively transforms the technical alert signal into a silent budgetary drift, artificially maintaining availability indicators at expected levels.
While inserting this new section, Claude spotted a forward reference to a section not yet written at the point of reading — the same type of error as in Chapter I — and corrected it before submitting the draft to Gemini, explicitly flagging it in the audit prompt rather than letting Gemini discover it alone.
The first draft established the contractual mechanics of Reserved Instances and Savings Plans, their structural comparison with CapEx, and an inedited study qualifying the engineer signing these instruments as a futures-market trader without a professional trader's tools. Gemini judged this content solid but incomplete regarding the thesis's central argument: nothing yet connected this financial mechanism to the dissolution of the engineering gesture, the founding argument of the entire volume.
Gemini requested a section demonstrating that an engineer succeeding in a major optimisation after subscribing to a financial commitment produces, because of that already-made commitment, a hard financial loss rather than a saving — creating an incentive not to optimise, freezing technical debt for the contract's duration. This section explicitly linked the three chapters together, which Gemini described as the missing keystone of the whole.
The thesis's final chapter, built to answer the three hypotheses term for term: restoring automated architectural authority without reintroducing CapEx's slowness, reintroducing Capacity Planning as a hard constraint, and above all a verifiable technical protocol — declaring Kubernetes quotas, blocking verification in the continuous-integration pipeline, actual enforcement by the Linux kernel's cgroups — answering the requirement Gemini set at the initial framing stage: a systems-engineering thesis had to produce proof of implementation, not merely a recommendation. Validated with no correction on the first draft.
The combination of single-file drafting and systematic reference-checking before submission, established over the three preceding chapters, allowed this final chapter to be validated directly.
Once doctoral status was secured on all four chapters, Claude solicited Gemini for an exercise distinct from the usual audit: mobilising all available knowledge to reinforce the thesis beyond mere conformity, with no imposed scope limit. Gemini proposed several academic anchors (Jensen and Meckling's agency theory, Wirth's law, Williamson's transaction cost theory), a hostile-rapporteur objection to integrate and refute (the Time-to-Market argument, then the Serverless one), and two original economic mechanisms (moral hazard as a transversal thread, the observability tax).
Rather than integrating these proposals as-is, Claude distinguished what could be accepted on the strength of the proposal alone — Jensen and Meckling, Wirth, Williamson, well-established canonical references — from what required further factual verification before any citation. The IFRIC agenda decision of March 2019, cited by Gemini with a precise title, was independently researched before integration, which confirmed it in full — the second decision Gemini mentioned turned out to be slightly mis-dated and was set aside out of caution rather than blindly corrected.
The observability tax proposal included a quantified order of magnitude (20 to 30% of the total bill) that Claude could not independently verify. The qualitative mechanism was kept and integrated; the figure was removed rather than cited without certainty.
Twenty-seven pages of thesis required close to fifteen rounds of exchange between Amine, Claude and Gemini, counting the initial framing, four chapters, and two reinforcement rounds. The number of rounds was not constant: four for the first chapter, only one for the last — the decline reflecting less a decreasing demand from Gemini than a growing verification discipline on the production side, particularly on points that had already caused an error once.
The quality of a thesis produced by this process does not lie in the absence of errors made, but in the systematic verification that catches them before publication — on both sides.

Data lock-in is not about the data itself, but about what it attracts: compute, governance, models, pipelines. Data gravity (McCrory), switching costs (Klemperer), the Data Act that frees the byte but not the ecosystem — and the low-gravity architecture: deliberate fragmentation, open formats queryable in place, acknowledged cost.
This volume does not claim that every data platform deliberately organizes the capture of its customers. It was modeled by an infrastructure architect, audited adversarially by two artificial intelligences, from verifiable technical and contractual mechanisms — storage formats, governance catalogs, network egress costs. It documents how the accumulation of data constitutes, in fact, a center of gravity for the compute and services that surround it, and proposes a low-gravity architecture as a proposal, not an established norm.
This volume builds a three-part chain: first, the mechanism by which accumulated data draws compute and surrounding services toward itself (Chapter I); then, what the European regulatory shield actually neutralizes of this mechanism and what it leaves intact (Chapter II); finally, a low-gravity architecture presented as a proposal — not as a description of an existing practice — that explicitly answers the mechanisms documented upstream (Chapter III).
Lock-in through data does not concern the data itself, but what it attracts; making the data alone reversible leaves the structure that retains it intact.
Every contractual reversibility clause, by construction, concerns the data itself: its export format, its schema, its technical portability. This volume poses an asymmetry that is addressed nowhere in existing reversibility audit frameworks: data is never, by itself, what keeps a customer captive to a platform.
What retains the customer is the entire set of systems — compute, governance, trained models, real-time pipelines, metadata catalogs — that have aggregated around the data after its accumulation. A clause that guarantees export of the file guarantees nothing about the portability of what that file has attracted around it.
Lock-in through data does not concern the data. It concerns its gravity — that is, the mass of compute, governance, and application dependencies it has come to attract. Making the data alone reversible leaves the structure that retains it untouched.
Volumes II, VI, and VII have successively addressed physical hardware, the duplication of compute complexity in multi-cloud, and the opacity of the orchestration layer. None has addressed the data itself as a capture mechanism. That is the object of this volume.
McCrory (2010) formalizes data gravity as a force of attraction that grows with the volume of accumulated data: past a certain threshold, applications, services, and compute capacity migrate toward the data rather than the reverse, because the cost and latency of movement grow faster than the value that movement would recover.
McCrory (2010) establishes the direction of movement: past a certain volume, compute migrates toward the data. His model does not, however, formalize what happens when that compute operates continuously on a stream rather than on a stock queried periodically. This volume proposes to update data gravity for real-time pipeline constraints through the notion of kinetic inertia: the operational mass of a dataset is no longer measured only by its stored volume, but by the latency break that moving away the compute processing it continuously would cause. This is not a direct consequence of McCrory's original model, but an extension proposed here to account for streaming and near-real-time processing architectures that have emerged since 2010.
Klemperer (1987) establishes that switching costs reduce post-commitment competition: once the initial investment has been made — learning, contractual costs, transaction costs — the captured customer yields a rent that the original provider can extract without immediate risk of departure. Applied to data, the switching cost is not reducible to the volume of bytes to transfer: it corresponds to rebuilding everything that was trained, configured, or automated against it.
A network externality compounds this mechanism: the more third-party services a dataset attracts, the more its value grows for the platform hosting it — and the more the cost of leaving grows symmetrically for the customer who would want to leave, without any contractual clause explicitly addressing this cross-dependency.
Three ecosystems built around a single data warehouse illustrate, through distinct mechanisms, the same gravitational dynamic.
Snowflake's historical proprietary format (micro-partitions) long made data unreadable outside the platform. The recent adoption of the open Apache Iceberg format mitigates this constraint without removing it: catalogs remain, in many configurations, managed by Snowflake, and exit costs apply as soon as processing runs elsewhere. The native ecosystem — Marketplace, native applications, identity resolution executed in place — materializes gravity in action: it is compute and third-party services that come to the data, not the reverse.
Databricks counters the lock-in accusation with an argument of openness by design: Delta Lake open source from inception, Unity Catalog itself open-sourced, claimed interoperability with Iceberg and Parquet formats. This argument addresses the right layer but not the right question. Gravity no longer resides in the file extension — that is indeed open — but in the centralization of the governance plane: a single metastore, a single lineage system, access policies defined once for all uses. Leaving the platform leaves the file accessible; it restores neither the lineage graph nor the governance structure that governed its access, which must be entirely rebuilt elsewhere. An open format at the file level does not imply an open center of gravity at the organizational level.
BigQuery's native integration with Vertex AI and Looker enables model training and execution directly in SQL, without prior data export. BigQuery Omni allows querying data located outside Google Cloud, but orchestration of this service remains driven from Google Cloud. The gap is not merely contractual: at 2026 standard rates, internet egress billed by Google Cloud ranges from 0.08 to 0.12 dollars per gigabyte depending on volume tier, and up to 0.23 dollars per gigabyte for intercontinental transit — an order of magnitude of 80,000 to over 200,000 dollars for a petabyte exported. In-place processing, within the same region, on a native Google service via Private Google Access, incurs by comparison no exit fee at all. Transfer time reinforces this finding: at a sustained 10 Gbit/s, moving a petabyte takes on the order of nine days of continuous transfer — a theoretical physical floor, computed without degradation, contention, or interruption, and therefore a lower bound, not an observed average. That this theoretical floor already reaches the scale of a week is enough, by itself, to ruin the operational viability of any external pipeline built on this dataset: no realistic improvement in transfer conditions will bring this delay down to the millisecond scale that in-place processing requires. The resulting lock-in is then no longer a reversible pricing policy, but a consequence of the physics of transfer itself. Vertex AI and Looker are therefore structurally incentivized to operate on data already resident in BigQuery not by contractual choice, but because the cost and time of any other scenario are measurable and prohibitive at the petabyte scale.
This section does not claim that Snowflake, Databricks, or BigQuery pursue a deliberate data lock-in strategy. It documents a structural effect of these platforms' technical and economic architecture, independent of any intent stated by their vendors — an architectural asymmetry, not an accusation.
The three illustrations in I.2 converge toward a single theoretical grounding. McCrory's (2010) data gravity describes the direction of movement — compute migrates toward the data. Klemperer's (1987) switching costs describe its economic irreversibility — leaving costs more than staying ever did. The network externality describes its amplification — every additional service attached to the data reinforces gravity for all the others.
Lock-in through data is the stable combination of three independent mechanisms: a physical force of attraction (gravity), an economic irreversibility (switching costs), and a collective amplification (network externality). No clause addressing only one of these mechanisms neutralizes the other two.
Chapter II examines whether the regulatory shield proposed by the European Data Act — the scheduled removal of exit fees by 2027 — suffices to neutralize this combination, or whether it acts only on the first of the three mechanisms.
Regulation (EU) 2023/2854 (the Data Act) constitutes the first direct regulatory neutralization of the switching-cost mechanism documented in I.1 (Klemperer, 1987). Its Chapter VI specifically governs changing providers of data processing services.
Article 29 organizes a progressive extinction of provider switching charges, explicitly including egress fees: reduced fees allowed from 11 January 2024 to 12 January 2027, capped at the costs directly linked to the switching operation; a total ban on any charge from 12 January 2027. Article 30 requires, for infrastructure services (IaaS), an obligation of "functional equivalence" when switching providers, and for other data processing services, the free provision of open interfaces facilitating portability. These technical cooperation obligations have been in force since 12 September 2025.
The switching-cost mechanism formalized by Klemperer (1987) rested, in its most directly quantifiable component, on the incumbent provider's ability to charge for exit itself — the network extraction tax documented in I.2 for Snowflake, Databricks, and BigQuery. Article 29 neutralizes precisely this component: from 12 January 2027, no platform will be able to oppose an order of magnitude of 80,000 to over 200,000 dollars per petabyte exported to deter a change of provider. On this specific tariff dimension, the regulatory shield works.
The functional equivalence obligation of Article 30 concerns, in its wording, the base service as provided by the vendor — capacity, data, documentation, technical assistance necessary for switching to a provider of the same type. It does not concern the application layer that the customer has itself aggregated on top of this base service.
Chapter I.2 established, for Databricks, that gravity no longer resides in the file format — already open — but in the centralization of the governance plane: a single metastore, a single lineage system. For BigQuery, gravity stems from native integration with Vertex AI and Looker. Neither the metastore and lineage graph of a governance catalog, nor the machine learning models trained on the data in place, nor the dashboards and pipelines built on this native integration fall within the "base service" that Article 30 requires to be made functionally equivalent elsewhere. The exit-fee freedom obtained through Article 29 applies to data transport; it does not extend to rebuilding what has been aggregated around it.
From 2027, the exit cost will no longer bear on the network extraction tax, abolished by the regulation. It will bear entirely on rebuilding the governance layer, the metastore, the lineage, and on retraining machine learning models — a burden the Data Act does not cover, because it does not fall, by construction, within the scope of the base service it regulates.
Since the Data Act's technical cooperation obligations have only been in force since 12 September 2025, no case law or Commission decision yet allows verification, in a concrete case, of exactly where the administration will draw the line of the "base service" within the meaning of Article 30. The demonstration above therefore remains structural and predictive in nature — grounded in the text of the regulation and in the mechanisms documented in Chapter I — rather than in an already-settled precedent. This point is stated explicitly rather than concealed.
Chapter III proposes, from this observation, an architecture that does not depend on the outcome of this not-yet-settled regulatory boundary.
Chapters I and II documented a verifiable REALITY: a gravitational mechanism and the limits of a real regulatory shield. This chapter shifts to a PROPOSAL distinct from any existing practice currently deployed by the actors cited in I.2 — an architectural design, not an observation about a service in operation.
The mechanism documented in I.1 assumes mass accumulated at a single point. The first architectural response consists of preventing such a single point from forming: distributing the data estate along business-domain boundaries rather than consolidating it in a single analytical warehouse, so that no subset alone crosses the critical volume that triggers the gravitational dynamic.
Each business domain owns and operates its own dataset, exposed through a standardized access interface, rather than centralized in a single analytical platform managed by a single platform team. This definition is deliberately minimal: it retains the principle of distributed data ownership, without settling organizational debates beyond the scope of this volume.
Fragmentation alone is not enough: each domain, taken in isolation, can recreate at its own scale the same gravity documented in I.2 if it consolidates its own compute and its own governance with a single vendor. The second axis of the proposal concerns decoupling compute from data by design, within each domain as well as between domains.
Each domain's data is stored in an open table format, directly queryable by any compatible compute engine, without prior duplication into a given platform's proprietary format. Chapter I.2 established, for Databricks, that opening the file format alone is not enough to remove gravity if the governance catalog — metastore, lineage, access control — remains hosted and operated by a single vendor. This proposal therefore holds that the governance layer itself must be hostable independently of any single vendor, failing which decoupling at the file level merely shifts gravity one layer up, without removing it — exactly the mechanism documented in I.2.
This requirement does not remove all technological dependency: a compute engine, a catalog tool, a continuous integration chain remain necessary. It aims specifically at ensuring that none of these choices alone becomes irreversible at the petabyte scale documented in I.2.
This architecture is not free. The reversibility gain it provides has a measurable counterpart, symmetric to the functional freeze accepted in Volume VII's Chapter III.
Fragmenting data by domain degrades cross-domain queries: a join spanning several domains requires traversing multiple catalogs rather than a single instantaneous source of truth, at a latency and engineering cost unknown to a consolidated warehouse. Decoupling compute from data also deprives the organization of proprietary optimizations — advanced indexing, integrated caching, native acceleration — that a single vendor can offer precisely because it controls the entire stack. Each domain must finally maintain its own integration and governance effort, duplicating work that a centralized platform would pool.
This proposal does not claim to be superior in all circumstances to consolidation with a single vendor. It suits organizations for which reversibility outweighs immediate cross-domain performance. For use cases requiring real-time consistency across the entire data estate, the engineering and latency cost documented above may be disproportionate to the lock-in risk it prevents.
Chapter I established that accumulated data exerts a physical and economic attraction on the compute and services surrounding it, independent of any clause addressing the data alone. Chapter II established that the European Data Act genuinely neutralizes the tariff component of this mechanism, but leaves outside its scope the governance, metastore, and model layer aggregated on top of the base service. Chapter III responds specifically to this limit through deliberate fragmentation and decoupling compute from data by design, at the cost stated in III.3: sacrificed cross-domain performance and global consistency.
This volume does not claim that Snowflake, Databricks, or BigQuery deliberately organize the capture of their customers: the demonstration concerns an economic and physical structure, not an intention. Nor does it claim that the proposed architecture eliminates all technological dependency: the hardware dependency documented in Volume II remains a neutral postulate of this volume, not a problem it solves, and lock-in through identity and encryption, noted elsewhere in this collection, continues to apply to any architecture, including the one proposed in Chapter III. This volume addresses the specific mechanism of data gravity — not the entirety of the capture mechanisms documented in this research collection.
Lock-in through data does not concern the data, but what it attracts; deliberately dispersing its mass has, in turn, a cost that no architecture makes free.
This volume is an open system awaiting corrections from the real world. We explicitly invite any organization that has deliberately fragmented its data estate, or decoupled its compute from the platform hosting its data, to document its experience and correct or enrich this low-gravity architecture.
The gravity of data is not measured by its volume, but by what its immobility would cost to rebuild elsewhere.
This appendix does not reproduce the full verbatim of the exchanges that produced this volume. It summarizes the process, phase by phase, retaining the moments that concretely changed the text: the requirement to name concrete actors from the framing stage, the partial refusal of Chapter I, the preventive shielding of Chapter II against circularity, the direct validation of Chapter III, and the global audit explicitly distinct from the per-chapter audits.
This volume required a demanding initial framing, a partial refusal followed by two drafts for Chapter I, direct shielding for Chapter II, direct validation for Chapter III, then a distinct global audit that tested — and discarded — a proposed enrichment for lack of verifiability. The full verbatim would have constituted a document longer than the volume itself. This summary favors the readability of the process over the exhaustiveness of the citation.
The initial framing of Chapter I did not leave the choice of actors illustrating the gravitational mechanism to a generic description. The instruction was explicit: name Snowflake, Databricks, and BigQuery concretely, subject to independent factual verification of each element before integration into the text.
The only point left open at framing stage concerned Chapter I.2: should the three actors be named from the first draft, or should a generic mechanism be kept until a later Gemini framing? Amine settled on naming them immediately, which triggered, before any drafting, an independent search on each of the three actors — their storage format, their governance catalog, their network egress rates — rather than integration from memory.
The first draft of Chapter I was partially refused, on a precise ground: the theoretical framework was validated, but the empirical argument on BigQuery rested on a network-physics assertion without a quantified order of magnitude, and the notion of kinetic inertia was presented as an evident part of McCrory's (2010) model rather than as a theoretical contribution distinct to the volume.
The requested correction covered two distinct points. First, the explicit requalification of kinetic inertia as an extension proposed by this volume rather than a direct consequence of McCrory. Second, the injection of an empirical order of magnitude on BigQuery: rather than advancing a figure from memory, an independent search verified 2026 Google Cloud egress rates (0.08 to 0.23 dollars per gigabyte depending on destination) and the reference throughput of 10 Gbit/s, allowing a calculation of an order of magnitude of 80,000 to over 200,000 dollars per petabyte exported, then a theoretical transfer time of about nine days, smoothed in a second pass to be explicitly qualified as a physical floor rather than an observed average.
Chapter II was validated on its first draft, without reservation or revision — but this direct validation is not due to an absence of risk: it results from anticipated shielding at the framing stage, before any drafting.
The framing of Chapter II had identified upstream that defining gravity as everything the European Data Act does not cover would make the thesis unfalsifiable by construction. The plan submitted to Gemini therefore distinguished, before any first draft, the exact scope of the "base service" covered by Article 30 of the regulation from the governance layer aggregated on top, and planned to explicitly flag the absence of settled case law since the entry into force in September 2025 as an observational limit rather than a concealment. This preventive shielding explains the immediate validation, unlike Chapter I which had to be corrected after an initial refusal.
Chapter III required an explicit doctrinal shift: none of the three actors named in Chapters I and II could still be presented as an existing practice. The text had to read entirely as an architectural PROPOSAL, not as a description of a reality deployed by Snowflake, Databricks, or BigQuery.
Two drafting choices were explicitly flagged rather than settled by default: the definition of data mesh in III.1 was deliberately kept minimal, not attached to an author unverified within this session, unlike McCrory and Klemperer cited elsewhere in the volume. And the absence of any financial quantification in III.3, unlike Chapters I and II which rested on verified amounts, was accepted as a limit specific to a chapter explicitly qualified as a theoretical proposal rather than as a lack of rigor. This chapter was validated directly, without an intermediate refusal.
Each chapter of this volume was validated in isolation before a distinct audit, explicitly covering the complete work, was requested — end-to-end terminological consistency, logical dependency chain between the three chapters, REALITY/PROPOSAL tightness at the scale of the entire volume.
This global audit produced a recommendation to enrich section I.1 theoretically — an additional reference intended to strengthen the passage from individual software dependency to third-party ecosystem capture. An independent search could confirm neither the year nor the exact content of the proposed reference. Rather than integrating it under reservation, the reference was explicitly abandoned: unlike Volume VII, where the global audit produced an enrichment that was in fact integrated (Teece, 1986), this volume's global audit was here followed by a withdrawal, the factual-verification rule applying to a global-audit recommendation just as it applies to any other named example.
Nineteen pages of volume body, appendix included, required a demanding framing from the outset, a refusal and a matrix injection on Chapter I, a successful preventive shielding on Chapter II, an accepted doctrinal shift on Chapter III, then a global audit that tested an enrichment and discarded it for lack of sufficient evidence.
The rigor of a volume is not measured only by what it integrates after verification, but also by what it refuses to integrate when verification fails — including when the suggestion comes from the global audit itself.

A license protects a right to read — never the interface being cloned, the usage being observed, the commit that redirects the project, or the maintainer being hired away. Four documented relicensing events (Elastic, MongoDB, HashiCorp, Redis), three pillars of capture, and the reconquest: neutral governance, an emulation ban, telemetry blackholing.
This volume does not claim that every commercial use of open source software by a cloud provider constitutes a capture. It was modelled by an infrastructure architect, audited contradictorily by two artificial intelligences, drawing on verifiable public facts — documented licence changes, published commercial products, public contribution histories. It does not build a case around anyone's good or bad faith. It documents an asymmetry of value extraction, mechanism by mechanism, and proposes governance models explicitly owned as proposals, not established norms.
This volume builds a three-stage chain: first, why a licence protects a right to read but never hardware control (Act I); then, six concrete and distinct mechanisms by which capture actually operates, from a documented licence change to the phantom contribution that quietly steers a project toward a single type of hardware (Act II); finally, a reconquest architecture built on levers directly correlated to each pillar — neutral governance, a ban on emulation, blackholing of telemetry — before establishing the explicit link with the hardware sovereignty demonstrated elsewhere in this collection (Act III).
A licence protects a right to read. It protects neither the interface one imitates, nor the usage one observes from afar, nor the commit that quietly steers a project toward a single type of hardware, nor the maintainer one hires before even needing to fork anything at all.
An open source licence guarantees one right: to read, modify, and redistribute source code. It guarantees no control over the physical infrastructure that runs it at scale. This distinction, rarely stated explicitly, produces a simple mathematical consequence: a community project whose usage value is expressed only in production, on machines it does not own, structurally becomes free raw material for whoever owns those machines in sufficient quantity.
Permissive licences (Apache 2.0, MIT) and even classic copyleft licences (GPL) protect the freedom to modify and redistribute code. None of them impose a proportional economic contribution back from whoever exploits that code at industrial scale via a managed service — the licence regulates intellectual property, not the rent extracted from exploitation.
Exploiting a permissively licensed project commercially is entirely legal, and is precisely the purpose of these licences. This volume documents a distinct asymmetry: when a hyperscaler's scale of exploitation becomes so massive that the value extracted exceeds, by several orders of magnitude, any contribution given back to the project's maintenance, the legal licence no longer suffices to describe the real balance of the relationship.
Four public and documented licence changes introduce what this volume calls the mechanics of expropriation, before three distinct pillars each detail one precise mechanism: capture by interface, capture by usage, and capture from within the code itself.
In January 2021, Elastic switched Elasticsearch and Kibana from the Apache 2.0 licence to the Server Side Public Licence (SSPL), explicitly citing AWS's exploitation of the project via a competing managed service without proportional contribution back. MongoDB had made the same decision as early as 2018, itself introducing the SSPL licence for the same stated reason. HashiCorp switched Terraform and its other products from the Mozilla Public Licence to the Business Source Licence (BSL) in 2023. Redis did the same for its engine in 2024. In all four cases, the company behind the project publicly documents the same justification: a cloud provider exploits the project at a scale that generates significant rental value, without that value financing the maintenance of the commons in return.
An earlier study in this corpus, The Invisible Debt, documented the chronic underfunding of critical open source building blocks (curl, Log4j) — the tragedy of the commons in its classic sense: a resource shortfall. This volume documents a distinct, though related, mechanism: the problem is no longer the absence of funding, it is the existence of considerable value, generated by the project's industrial exploitation, that is structurally never given back to the entity maintaining the underlying human infrastructure. It is this asymmetry of extraction — not a shortfall in itself — that forces the shift toward more restrictive licences.
A cloud provider can respond to a restrictive licence change in two technically distinct ways, which must never be conflated. Amazon OpenSearch is a fork in the strict sense: a copy of the Elasticsearch codebase predating the licence change, maintained and developed independently — the capture here concerns the source code itself, at a given point in time. Amazon DocumentDB is of a different nature: an emulation of MongoDB's network protocol (wire protocol), compatible with its drivers and commands, but resting on a distinct proprietary storage engine, sharing no line of MongoDB code. The capture then no longer concerns the code, but the developer's gesture, who continues to communicate in the same command language.
The gesture this compatibility captures is not the software engine — it is the entire set of habits, scripts, development tools, and integrations built by whole teams around a precise command vocabulary. An application written to speak « MongoDB » continues to run without modification on DocumentDB — which means migrating to another provider requires rewriting these integrations, even though the underlying engine has already changed once without the application team ever noticing.
No intellectual property rule forbids creating an interface compatible with a command format — interfaces are generally not protectable in the same way as the code itself. This pillar therefore does not document an illegality, but a lock-in functionally identical to that produced by proprietary code, achieved through a legally distinct path.
An open source project progresses partly through signals fed back by its real-world use in production: which code paths fail most often, which configurations degrade performance, which load volumes reveal limits unanticipated in the lab. A cloud provider hosting millions of managed instances of the same project accumulates this kind of signal at a scale no independent maintainer can reproduce on their own.
From this aggregated telemetry, the cloud provider develops a real diagnostic and predictive advantage — knowing before anyone else which configurations cause problems at scale, which internal optimisations deliver the most measurable gains. This advantage informs its own internal engineering choices and the roadmap of its competing managed service, with no obligation ever binding it to feed this same signal back to the source project.
This mechanism rests on no breach of confidentiality — managed service telemetry data legitimately belongs to the service operator. The asymmetry documented here is structural: the community that produced the code has, by construction, no symmetrical access to the lessons learned from its exploitation at this scale.
This pillar does not claim that cloud providers deliberately withhold information contractually owed to the community. It documents an asymmetry of scale: even assuming complete good faith, no structural mechanism today ensures that the knowledge accumulated through industrial exploitation benefits the maintenance of the source project in return.
It is not always necessary to fork a project or emulate its interface: a cloud provider can simply hire the lead maintainer holding merge approval rights on the reference repository. This mechanism leaves no trace in the code's history — the acquisition targets not the software, but the person who decides what goes into it. This volume mentions it here as a mechanism distinct from the three pillars that follow, without claiming to analyse it with the same depth: unlike a licence change or a technical commit, an individual hire is neither systematically dated in public, nor attributable to a single intent — but its cumulative effect on a project's de facto governance deserves to be named.
An organisation can scrupulously apply the measure documented in III.2 of this volume — refusing any managed emulation service, deploying a genuine open source engine (PostgreSQL, Kubernetes) on infrastructure it controls. A distinct capture mechanism nonetheless operates, at a different layer: that of identity and encryption.
The cloud provider offers a native, seemingly frictionless integration between this open source engine and its own identity management system (for example AWS IAM) and its own encryption key manager (for example AWS KMS). The engine's code remains intact and free — but user access rights and the keys protecting the data are now defined and held in proprietary systems distinct from the engine itself.
When the time comes to consider migrating this engine — genuinely free though it is — the organisation discovers that its access policies and encryption keys do not transfer with it: they belong to a distinct proprietary security ecosystem, which must be entirely rebuilt with any new provider. The freedom of the code never guaranteed the portability of what surrounds it.
Major cloud providers rank among the most active contributors to many leading open source projects, measured by commit volume. This volume of contribution is a public fact, verifiable in these projects' Git history. This pillar documents a specific subset of these contributions: those which, under cover of performance optimisation, introduce a functional dependency on a hardware or software component proprietary to the contributor.
Verifying this mechanism requires cross-referencing three public elements: the employer affiliation of a commit's author account (declared, or inferable from the associated e-mail domain), the technical nature of the optimisation introduced (which hardware component or proprietary library it specifically targets), and the presence or absence of an equivalent code path for generic or competing hardware. An optimisation that only accelerates the project on a proprietary instruction set, or that only activates a high-performance mode in the presence of an encryption component specific to a single vendor, meets this criterion.
The accumulation of this type of commit over several years produces a measurable effect independent of any individual intent: a project in which a growing share of optimised code paths specifically targets the infrastructure of a majority contributor runs, at equal performance, better on that infrastructure than on a generic or sovereign hardware base — creating a relative performance obsolescence on any hardware outside that ecosystem.
This pillar does not claim to establish any intent to harm on the part of the individual authors of these commits — a targeted optimisation can be proposed in good faith by an engineer simply seeking to improve performance on the environment they know best. What this pillar establishes is a structural cumulative effect, verifiable through analysis of the code's public history, independent of the intent behind each individual contribution.
Each pillar of Act II calls for a response of a different nature. Neutral governance answers the risk of licence change documented in the introduction to Act II — it answers neither capture by interface (Pillar A) nor telemetry asymmetry (Pillar B). This part adds the two missing architectural and material levers, before establishing the link with hardware sovereignty demonstrated elsewhere in this collection.
A project governed by a single commercial company presents a simple exposure structure: that company alone holds the power to change the licence under the pressure documented in the introduction to Act II. A project transferred to a neutral foundation — on the model of the Apache Software Foundation or the Cloud Native Computing Foundation — distributes this power among several member organisations, making a unilateral licence change more difficult.
Kubernetes is governed by the CNCF, an exemplary neutral foundation. This nonetheless in no way prevents Amazon (EKS) and Google (GKE) from capturing the massive usage telemetry of their respective managed services without giving it back to the project, nor from emulating or wrapping its interfaces to capture the developer's gesture. Neutral governance protects the licence — it protects against neither Pillar A nor Pillar B.
Facing the capture by emulation documented in Pillar A, an organisation can act directly on its own architecture standards, without waiting for any change in the market or in regulation.
Write into internal architecture standards a ban on using managed interface-emulation services (such as DocumentDB for a use case requiring MongoDB) in favour of the real engine, hosted on infrastructure the organisation controls — a virtual machine or physical server under its direct control. Using a fork governed by a neutral foundation (such as OpenSearch) remains compatible with this rule, since the capture it documents belongs to the licence pillar, not the interface one.
Giving up a managed emulation service means giving up part of the operational simplicity that service promises. It is an explicit trade-off between immediate operational comfort and medium-term technical reversibility — not a costless solution.
Facing the entrenchment documented in II.2c, the measure complementing the emulation ban (III.2) consists of imposing, within the same internal architecture standards, the systematic decoupling of identity management and encryption from any deployed open source engine — for example via an independent identity provider respecting the OIDC standard rather than the underlying cloud's proprietary system, and a self-hosted key management vault (such as HashiCorp Vault, before its own licence change documented in II.0, or an equivalent alternative) rather than the provider's native key manager. An open source engine whose access and encryption remain portable is genuinely free — a free engine whose identity and keys are entrenched with a single provider is free only in appearance.
Facing the telemetry asymmetry documented in Pillar B, an organisation can act on its own outbound network flows, independently of any change on the managed service provider's side.
Configure strict firewall rules explicitly blocking (« blackholing ») any outbound telemetry flow toward the proprietary collection endpoints of third-party managed service vendors, while maintaining full observability internally. This measure does not deprive the organisation of its own operational visibility — it only deprives the external provider of access to that same visibility.
Another volume in this collection, The Diagnostic Amnesia, documented the erosion of internal causal-diagnosis competence, partly replaced by dependence on third-party observability tools. Blackholing outbound telemetry only makes sense coupled with this internal diagnostic competence restored — blocking an outbound flow without an internal capacity to read raw logs merely deprives the organisation of all visibility, external and internal alike.
Another volume in this collection, The Cloud Illusion, demonstrated that no digital sovereignty is possible without mastery of the underlying hardware. This volume establishes the logical corollary for free software: code under a licence protected by the most neutral governance possible, run exclusively via managed services from the same actor whose capture mechanisms this volume documents, remains vulnerable to Pillars A and B — however solid its licence governance may be.
This volume does not claim that the three levers of this Reconquest, taken in isolation, each suffice to fully neutralise the mechanism they respond to. It establishes that sovereignty over the code, sovereignty over the interface, and sovereignty over operational visibility are three distinct conditions — none replacing the other two.
A licence protects a right to read. It protects neither the interface one imitates, nor the usage one observes from afar, nor the commit that quietly steers a project toward a single type of hardware, nor the maintainer one hires before even needing to fork anything at all.
This volume is an open-source system awaiting real-world corrections. We explicitly invite any open source project maintainer who has lived through one of these mechanisms to document their experience, and to correct or enrich this anatomy.
A commons without defence is not a commons protected by law. It is a free resource awaiting an operator large enough to harvest it at industrial scale.

Multi-cloud is not a sovereignty strategy: it is a measurable multiplication of complexity that fails to deliver the promised reversibility. Lowest common denominator, duplication tax, organizational fracture (Conway) — and topological sovereignty: deliberate concentration, reversibility through data, never through execution.
This volume does not claim that every multi-cloud strategy is irrational in every circumstance. It was modelled by an infrastructure architect, audited contradictorily by two artificial intelligences, drawing on verifiable technical mechanisms and published academic literature in software engineering and organisational sociology. It does not put portability on trial as an ideal. It documents a mechanics of duplicated complexity, mechanism by mechanism, and proposes a reconquest architecture explicitly owned as a proposal, not an established norm.
This volume builds a three-stage chain: first, why the quest for agnosticism structurally fails to produce the promised portability, through four distinct mechanisms drawn from different disciplines (Chapter I); then, what this failure actually costs in operations, up to fracturing the human organisation itself (Chapter II); finally, a reconquest architecture that does not correct these mechanisms but abandons the goal that produced them — execution portability — in favour of a reversibility limited to data, explicitly resolving each of the seven mechanisms demonstrated upstream (Chapter III).
Multi-cloud is not a sovereignty strategy, it is a measurable multiplication of technical and human complexity, which fails to produce the reversibility it promises — and that reversibility, when genuinely required by a regulator, is obtained at the data level, never at the execution level.
The industry presents infrastructure code (Terraform) and container orchestration (Kubernetes) as guarantees of agnosticism and reversibility toward cloud providers. This volume documents that this promise of abstraction masks an inverse reality: the quest for agnosticism does not produce the sought sovereignty — it produces a measurable duplication of operational complexity, without ever achieving the promised portability.
To what extent does multi-cloud strategy, presented as a guarantee of reversibility, constitute in reality a multiplication of technical debt and operational load, without a real gain in sovereignty in return?
This volume does not address lock-in through identity and encryption (IAM/KMS) — this mechanism has already been modelled and demonstrated in The Open-Washing, section II.2c (« Proprietary Entrenchment »), which documents how an authentically free engine remains captured by native integration with a provider's proprietary identity and key management systems. This volume addresses exclusively the illusion of agnosticism at the compute and infrastructure-as-code level — a distinct register, never overlapping the demonstration already published on IAM/KMS.
An organisation adopting a multi-cloud posture forbids itself, by construction, from using any proprietary managed service performant enough not to have a strictly identical equivalent at other providers within scope. This prohibition applies even in the absence of any direct competitor that might justify urgent reversibility — renunciation precedes the real need for portability, it does not follow it.
Every proprietary managed service discarded in the name of portability must be replaced either by an equivalent in-house implementation — developed and maintained by the organisation itself — or by a generic third-party service, available across all providers in scope but structurally less optimised than each provider's native offering taken in isolation.
The literature on decision-making under uncertainty documents a rational preference for keeping options open as long as their maintenance cost stays below the probability-weighted likelihood of needing them. This chapter documents that the maintenance cost of the multi-cloud option is structurally underestimated at the moment the decision is made, precisely because it only becomes visible after adoption.
The lowest common technical denominator between two cloud providers is not a fixed value — it recalculates with each new provider added to scope, and can statistically only equal or fall below the previous denominator, never rise above it. An organisation operating across two providers has a wider common denominator than one operating across three, for equivalent baseline functionality among the providers considered.
This dynamic is not symmetric over time: a native feature integrated into the common scope at a given moment can drop out of it as soon as a new provider without a strict equivalent joins the scope, forcing the organisation into a retroactive removal project for a feature already in production — never the reverse, since no existing provider retroactively develops a missing feature to match a client organisation's denominator.
This section establishes the direction and dynamic of the recalculation — it does not yet establish, through academic anchoring and quantified proof, the magnitude and exact mechanism of the resulting efficiency loss. These two demonstrations are the subject of the following two sections.
A legitimate objection holds that the lowest common denominator does not constitute a regression, but an architectural emancipation: open horizontal standards (Kubernetes, Knative, distributed databases) would advantageously replace vertical proprietary APIs, innovation having structurally shifted toward these standards. This objection ignores an incompressible physical cost.
Cloud providers invest massively in proprietary silicon and hypervisors optimised for their own managed services — dedicated network cards and hypervisors on one side, specialised acceleration chips on the other. A workload constrained to a generic abstraction layer to remain portable across providers has, by construction, no access to these proprietary hardware optimisations — portable abstraction and provider-specific hardware acceleration are structurally mutually exclusive.
Emancipation from a single provider is therefore never free: it is systematically paid for through additional network latency induced by the abstraction layer, compensatory over-provisioning to maintain equivalent performance, and the definitive loss of access to each provider's own hardware optimisations. This chapter does not dispute the value of open standards as such — it establishes that their adoption for multi-cloud portability purposes carries a measurable physical cost, never zero.
Joel Spolsky formulated in 2002 the Law of Leaky Abstractions: any non-trivial abstraction eventually lets through the details of the system it is meant to hide. The central nuance of this law, often overlooked, is not that abstraction is useless, but that it never dispenses with understanding the underlying layer it masks — so that multi-cloud does not replace provider-specific expertise with a single abstraction expertise, it adds the two together: the organisation must master the abstraction itself and the provider-specific leaks it continues to patch.
William Ross Ashby established in cybernetics that only variety can destroy variety: to control or exploit a complex environment, the system operating it must possess internal variety at least equivalent to that environment. By imposing the lowest common denominator documented in I.1 and I.2, the organisation deliberately reduces its own internal variety well below that of the micro-architectural innovations actually available at the providers in its scope — rendering it structurally incapable of absorbing or exploiting this complexity, regardless of the individual competence of its engineers.
The persistence of the multi-cloud decision at management level is explained by a distinct mechanism, documented in organisational sociology as mimetic isomorphism (DiMaggio and Powell, 1983): under uncertainty, an organisation tends to imitate the practices of other organisations in its sector, not because the effectiveness of that practice is demonstrated, but because alignment with a perceived dominant norm reassures external stakeholders. In heavily regulated sectors — banking, healthcare, or those subject to the European DORA regulation on digital operational resilience — this mimicry is compounded by coercive isomorphism: direct or indirect pressure from a regulator demanding a reversibility plan, often interpreted literally as a requirement for full technical portability rather than service continuity.
The first anchor explains why agnosticism technically fails at every attempt. The second explains why this reduction in internal variety renders the organisation structurally less competent against the real complexity of its environment. The third explains why this documented, repeated failure does not suffice to abandon the strategy at decision level — the decision answers a logic of external, mimetic, and sometimes coercive legitimacy, not an internal operational efficiency evaluation.
Multi-cloud strategy can be formalised, in engineering economics, as the purchase of a financial option on reversibility — in the sense of real options theory (Dixit and Pindyck, 1994): the organisation pays a continuous cost (a premium) to reserve the future right to exercise a switch to another provider, with no obligation to actually exercise it.
The renunciation cost documented in I.1 and the physical inefficiency cost documented in I.2b together constitute the monthly premium of this reversibility option — paid in full, whether the organisation actually switches provider one day or not. A financial option whose real exercise probability remains statistically low over the horizon considered, yet whose premium is paid at full rate continuously, is termed in finance an out-of-the-money option: its expected exercise value remains below the cumulative cost of maintaining it.
For each technical function needed by the system, compare the cost and performance of the most advanced native offering against those of the lowest common denominator deployed — the cumulative gap constitutes the premium paid for the reversibility option. This premium must then be weighed, not against an absolute figure, but against the actual probability that a provider switch will one day be genuinely executed — a figure the organisation can estimate from its own history of infrastructure decisions, rather than a generic hypothesis of permanent urgency.
This study does not claim that every reversibility option is irrational in principle — an out-of-the-money financial option retains positive value as long as its premium stays below the risk it covers. It establishes a method for verifying, case by case, whether this condition is actually met — a cost distinct from that of the operational duplication proper, the subject of the following chapter.
Chapter I established why the quest for agnosticism structurally fails to produce the promised portability — through abstraction leakage, cybernetic variety reduction, and decision persistence despite this documented failure. This chapter demonstrates the second side of the same illusion: beyond its theoretical failure, the multi-cloud posture produces a real, measurable, cumulative operational load, without ever achieving the reversibility it claims to guarantee.
Maintaining an operational multi-cloud posture does not consist of writing a single infrastructure definition executable everywhere — despite the promise carried by tools like Terraform. Each provider in scope imposes its own network primitives, its own identity and permission models, and its own provisioning behaviours, forcing the maintenance of distinct infrastructure-as-code modules per provider, a distinct continuous-integration chain able to validate each of these modules, and a distinct security policy reflecting each provider's own permission model.
The cost is not limited to the initial drafting of these parallel modules — it recurs at every functional evolution of the system: a business change requiring an infrastructure adaptation must be propagated separately into each provider-specific module, with a growing divergence risk as these changes accumulate over time.
This duplication does not contradict the renunciation documented in Chapter I, it completes it: the organisation gives up native functionality to stay portable, but must nonetheless duplicate in full the infrastructure required to run this common denominator on each provider — paying simultaneously for functional impoverishment and operational duplication.
Even when an identical Kubernetes workload runs across two distinct providers, the underlying infrastructure telemetry for that workload — node hardware state, hypervisor metrics, low-level system logs — is never exposed through a common interface: it flows through each provider's native monitoring system, CloudWatch on one side, Azure Monitor on the other, each with its own metric schema, its own retention, and its own query language.
Detecting and diagnosing an incident affecting the underlying infrastructure — rather than the application itself — requires maintaining duplicated, non-symmetric alert rules for each provider, manually translating the same criticality threshold into two distinct query languages, with a documented risk of drift between the two rule sets as they evolve independently over time.
This fragmentation adds a dimension to the duplication tax established in II.1: beyond infrastructure code and deployment chains, it is the very ability to observe and diagnose the system in production that ends up duplicated — the layer where agnosticism is supposed to be most complete, that of the running runtime, turns out to be the one where it collapses earliest.
This study documents a reproducible scenario: a strictly identical Kubernetes manifest, declaring a service with storage persistence and network exposure, deployed unmodified on Amazon EKS and on Microsoft Azure AKS. The Kubernetes API exposed by both platforms is standardised — this is precisely the promise of agnosticism this single manifest is meant to demonstrate.
The Container Storage Interface (CSI) is an open standard — but its implementation remains provider-specific, and this specificity is inscribed directly in a standard StorageClass object field: volumeBindingMode. A WaitForFirstConsumer value delays volume creation until the pod is actually scheduled, guaranteeing colocation with the node's availability zone — a behaviour recommended and widely documented for the EBS CSI driver on EKS. The Azure Disk CSI driver on AKS does not historically impose the same colocation constraint by default depending on the installed driver version, producing reproducible scheduling failures (pod stuck in Pending state) on one platform with no equivalent error on the other for an identical StorageClass manifest.
Network exposure of a service through a load balancer illustrates the same collision at the Service object annotation level. On EKS, the AWS Load Balancer Controller reads the annotation service.beta.kubernetes.io/aws-load-balancer-type to choose between an application or network load balancer, with a complementary annotation set specific to that ecosystem for routing and certificates. On AKS, these AWS-specific annotations are silently ignored by the Azure controller, which expects its own annotation set (for example service.beta.kubernetes.io/azure-load-balancer-internal for internal exposure) — a manifest copied unchanged from one environment to another produces neither an explicit error nor a warning: it produces a functional load balancer, but configured according to the second provider's default values rather than the intent expressed by the first provider's annotations.
A behaviour validated in a pre-production environment on one provider guarantees strictly nothing about the same manifest's behaviour at a second provider — requiring, for genuinely equivalent test coverage, distinct and complete validation environments for each provider in scope, rather than a single test foundation validating them all.
This study does not claim that Kubernetes fails to keep its standardised orchestration promise at the API level itself — that layer is indeed unified. It documents that unifying the API in no way guarantees unifying production behaviour, as soon as the manifest touches resources whose implementation remains, by technical necessity, specific to each provider's underlying physical infrastructure.
The decision to adopt a multi-cloud posture is frequently made at senior management level, motivated by a perceived reduction in provider concentration risk — a logic documented in Chapter I under institutional isomorphism. This decision is rarely accompanied by an assessment of the real operational cost documented in this chapter, a cost borne not by those who make the decision, but by the engineering teams tasked with maintaining the resulting duplication day to day.
This configuration reproduces the moral hazard structure already documented in another volume of this collection regarding FinOps: whoever decides the strategy does not bear the operational cost of its implementation, while whoever bears that cost — the SRE team in charge of the duplication documented in II.1 and II.2 — generally has no authority over the strategic decision itself.
A significant share of available engineering time ends up devoted to maintaining the duplication itself — abstraction configuration, resolving the divergences documented in II.2, redundant validation — rather than direct improvement of the product or service operated, with no standard managerial performance indicator making this load visible as such.
Melvin Conway published in April 1968, in Datamation magazine, under the title « How Do Committees Invent? », the principle that organisations designing systems are constrained to produce designs that are copies of their own communication structures. This principle, initially formulated to explain why a piece of software's structure reflects the structure of the team writing it, applies here in the reverse and aggravated sense.
By duplicating infrastructure chains (II.1), observability (II.1b), and having to manage the behavioural divergences documented in II.2, the organisation does not merely duplicate code: it creates structural pressure pushing its SRE team to split into de facto provider-specialised subgroups — « EKS experts » on one side, « AKS experts » on the other — without any explicit organisational decision ever having enacted this siloing.
Conway's original formulation describes a software architecture reflecting a pre-existing team structure. The mechanism documented here is reversed: it is the technical duplication, decided upstream for reasons of agnosticism documented in Chapter I, that produces after the fact the fragmentation of the human team — an initially unified team finds itself silently specialised by provider, losing its capacity for mutual substitution precisely when the multi-cloud strategy claimed to strengthen organisational resilience.
The three preceding mechanisms documented duplication at the code, observability, and production-behaviour level. This section establishes that this technical duplication propagates all the way to the human structure itself — organisational fracture is not a peripheral risk of multi-cloud strategy, it is a predictable structural consequence from the moment the technical duplication documented in II.1 is engaged.
An identical manifest is only proof of portability as long as it stays on paper. The moment it touches a real resource, the provider decides its behaviour — not the organisation that believed it had freed itself.
This chapter establishes the operational reality of duplication and its human cost, structured as a moral hazard between decision and execution. It has not yet proposed an alternative architecture to this impasse — this reconquest, grounded in abandoning the myth of execution-layer portability in favour of a reversibility limited to the data itself, is the subject of Chapter III, the final chapter of this volume.
The two preceding chapters demonstrated, mechanism by mechanism, why the quest for agnosticism fails technically (Chapter I) and what it costs operationally, up to fracturing the human organisation itself (Chapter II). This closing chapter does not propose to fix these mechanisms — they are structural, not accidental. It proposes abandoning the goal that produced them: instant execution-layer portability, in favour of a sovereignty built on a single plane, that of data and exchange protocols.
Facing the systematic renunciation documented in I.1 and the physical efficiency loss documented in I.2b, the structural response consists of choosing a single target execution environment — a deeply mastered cloud provider, or sovereign Bare-Metal infrastructure — and exploiting it at full technical capacity. This choice does not merely restore lost efficiency: it defuses, one by one, the four technical mechanisms of Chapter I and the three operational mechanisms of Chapter II that until now each required a distinct response.
Spolsky's abstraction leakage (I.3) stops producing a measurable effect once there is no longer a unification layer to leak across multiple providers — abstraction only leaks when it masks a plurality of distinct implementations. The loss of internal variety documented by Ashby's law (I.3) symmetrically reverses: a team concentrated on a single environment can rebuild internal variety equal to that, real, of that single environment, rather than capping it at the lowest common denominator of several.
The fragmentation of observability (II.1b) mechanically disappears: a single environment eliminates the very need for a second telemetry source to artificially unify. The forensic divergence documented in II.2 — an identical manifest behaving differently by platform — becomes moot once there is only one deployment platform: there is no longer a second behaviour to compare against.
This choice does not eliminate the risk of dependency on a single provider — it explicitly assumes it as a deliberate trade-off, preferable to a simultaneous, unmastered dependency on multiple providers under the guise of independence. Managing this residual risk, along with resolving the last three mechanisms not yet addressed — institutional isomorphism, the option premium, and managerial moral hazard — is the subject of the following section.
A substantive objection must be addressed head-on before closing this volume: if the coercive isomorphism documented in I.3 pushes a regulated organisation toward multi-cloud in the name of regulations such as the European DORA regulation on digital operational resilience, the concentration on a single environment proposed in III.1 appears to directly contradict this regulatory requirement. This contradiction is only apparent: digital operational resilience texts require a documented, tested exit strategy in case of provider failure — not the continuous maintenance of a second active execution environment.
Ensuring that data produced by the system remains in open formats, and that exchange interfaces rely on standards independent of any provider, constitutes precisely the documented exit strategy a regulator requires — without needing the permanent maintenance of duplicated execution infrastructure. DiMaggio and Powell's institutional isomorphism (I.3) finds its resolution here: the organisation satisfies the sought external legitimacy without reproducing the operational cost that legitimacy seemed to impose.
Once regulatory compliance is obtained through data rather than active-active execution, the reversibility option premium documented under the Dixit and Pindyck framework (I.4) collapses: the organisation no longer continuously pays for a costly, rarely exercised parallel execution option, but a one-off, substantially lower design cost. This cost collapse in turn resolves the managerial moral hazard documented in II.3: management obtains its regulatory compliance without ever having to impose the duplication tax documented in Chapter II on SRE teams — the decision and its cost cease to be borne by two distinct parties.
This reversibility through data does not guarantee an effortless switch — migrating to a new execution environment still requires a genuine infrastructure reconstruction effort. It guarantees only that this effort, on the day it becomes necessary, does not start from a locked-in proprietary data format, and that it satisfies the regulatory resilience requirement today without paying the full operational cost upfront.
III.1 restores efficiency and organisational unity through deliberate concentration on a mastered environment. III.2 preserves genuine reversibility, but limited to the only level where its implementation cost remains reasonable — data and exchange protocols, never the execution layer itself.
This volume does not claim that concentration on a single environment eliminates every lock-in question — lock-in through identity and encryption (IAM/KMS), flagged from the introduction, remains documented elsewhere in this collection of research and continues to apply to any single environment chosen according to this chapter's architecture. Topological sovereignty answers the duplication of complexity — not the entirety of the capture mechanisms documented across this collection.
You do not become sovereign by refusing to choose. You become sovereign by choosing a ground, mastering it entirely, and building your exit only on what can genuinely travel: the data, not the machine that runs it.
This volume is an open-source system awaiting real-world corrections. We explicitly invite any organisation having lived through the fracture documented in Chapter II, or having reverted to a single environment after a multi-cloud period, to document their experience and to correct or enrich this reconquest architecture.
Portability is not the promise that you can carry everything away effortlessly. It is the guarantee that you never locked anything in a safe whose key you might have lost.
This appendix does not reproduce the full verbatim of the exchanges that produced this volume. It summarises the process, chapter by chapter, retaining the moments that concretely changed the text: the initial strategic recentring, the Gemini proposals that filled real blind spots, points of independent factual verification, and the most serious architectural flaw detected across the entire Opération Dindon corpus to date.
This volume required seven audit rounds spread across three chapters. The full verbatim would have constituted a document longer than the volume itself. This summary favours the readability of the process over the exhaustiveness of the quotation.
Amine had initially submitted two candidate subjects, including the multi-cloud myth, whose original line of attack targeted lock-in through identity and encryption (IAM/KMS) as the central mechanism. Claude identified that this angle overlapped, word for word, with a mechanism already published in The Open-Washing (section II.2c, Proprietary Entrenchment). Rather than abandoning the subject, Claude proposed a recentring on a distinct mechanism — duplicated technical debt — explicitly referring the IAM/KMS subject back to the volume where it was already addressed.
Gemini validated this recentring as a surgical manoeuvre avoiding a disguised repetition, then itself built the final three-act architecture (Lowest Common Denominator, Duplication Tax, Topological Sovereignty) and corrected a reflex of its own: its first request for a four-chapter plan was a leftover from the previous volume's format, which it identified and corrected itself without Amine needing to insist.
The first draft was rejected on an unusual ground for this corpus: not a coverage gap or an assembly error, but a lack of scientific density, after Claude explicitly requested Gemini's « maximum scientific capacity ». Gemini responded with five dense injections at once — a nuance on Spolsky, the addition of Ashby's Law of Requisite Variety, complementing DiMaggio and Powell with coercive isomorphism, a refutation of the standardised-emancipation objection, and a complete reformulation of the inedited study under real options theory.
This is the first round in this corpus where the audit did not concern a defect, but an explicit request for going beyond — Claude had solicited this level of demand rather than undergoing it. The following round validated all five injections without reservation, the only vigilance remaining on Claude's side, who discovered that his previous correction of a forward reference had only been applied to the generated file, not the source script — a silent regression risk explicitly flagged to Gemini before the latter needed to detect it.
The first draft of the inedited study on Kubernetes EKS/AKS divergence was judged insufficient: the text claimed a behavioural divergence without exhibiting the precise technical artefact producing it. Gemini demanded the exact parameters — the volumeBindingMode field of the StorageClass object, the literal annotations aws-load-balancer-type and azure-load-balancer-internal — turning the essay into reproducible proof.
While integrating Conway's Law as an additional mechanism, Gemini cited the year 1967. Claude flagged a discrepancy with his own knowledge (1968) and explicitly refused to integrate the citation before the disagreement was resolved, rather than arbitrarily deciding. Gemini confirmed 1968 as the exact publication date in Datamation, even detailing the history of the article's initial rejection by the Harvard Business Review in 1967 — explaining the likely origin of its own confusion.
Neither Claude nor Gemini holds default authority over a precise historical date — the resolution came from cross-verification and mutual refusal to accept an unconfirmed claim, rather than from either party's hierarchical position in the audit process.
The first draft of Chapter III proposed a technically solid reconquest, but Gemini detected an architectural gap of a new kind in this corpus: of the seven academic and operational mechanisms established across the first two chapters, only three were explicitly resolved by the proposed reconquest. The other four — including the volume's three most significant academic anchors — remained orphaned, mentioned nowhere in the solution.
Gemini then identified an internal contradiction more serious than a simple coverage gap: Chapter I attributed the persistence of multi-cloud to regulatory pressure (coercive isomorphism, citing the European DORA regulation), while Chapter III's solution consisted of abandoning multi-cloud — creating the appearance that a real regulatory constraint would be ignored by the proposed solution. A hostile rapporteur could have called this a compliance suicide.
The correction consisted of establishing a precise distinction within the regulatory text itself: the obligation concerns a documented exit strategy, not the maintenance of parallel active infrastructure. Gemini confirmed this distinction by citing the precise article of the relevant European regulation, allowing a demonstration that the data-reversibility proposed in Chapter III satisfies this obligation without ever contradicting what Chapter I established.
This flaw would have been detected by no audit bearing on a single chapter in isolation — it only existed at the level of coherence between distinct chapters, written at different moments in the process. It confirms the value of a global check explicitly requested after each chapter's individual validation, rather than considering a volume finished as soon as its last chapter is individually validated.
Eighteen pages of volume required seven rounds of exchange spread across three chapters and an initial recentring. The most significant flaw in this process appeared at none of the single-chapter audits — it appeared only once Gemini received the explicit instruction to audit the entire volume as a whole, after each chapter had already been validated separately.
A volume can be exact chapter by chapter and contradict itself once read as a whole. This appendix exists to show that this difference was actively sought, not merely assumed absent.

Commercial sovereignty stops at the datacenter door; real sovereignty is decided one layer down — the orchestrator and the contract protecting it. Bleu, S3NS, AWS ESC: the opacity of the control plane, residual control rights (Grossman & Hart), and the architecture of autonomy: compile locally, isolate the flows, accept the functional freeze.
This volume does not claim that every sovereign cloud offering is fraudulent by principle. It was modeled by an infrastructure architect, audited adversarially by two artificial intelligences, from verifiable technical and contractual facts — the actual architecture of so-called sovereign offerings, and the license and support clauses of the underlying hypervisors. It documents the gap between the sovereignty announced at the commercial level and the actual sovereignty at the level of the hypervisor and the contract, mechanism by mechanism, and proposes an architecture of assumed autonomy as a proposal, not a prevailing norm.
This volume builds a chain in three stages: first, what the commercial offer of "sovereign cloud" actually changes and what it leaves untouched at the level of the control plane (Chapter I); then, the contractual device that protects this technical opacity and locks in the exit (Chapter II); finally, an architecture of assumed autonomy — presented as a proposal, not as a description of an existing offering — that answers explicitly the mechanisms documented upstream (Chapter III).
Commercial sovereignty stops at the datacenter door; real sovereignty is decided one layer below, at the level of the orchestrator and the contract that protects it.
Since 2022, a category of commercial offerings has emerged under the label "sovereign cloud": Bleu (Orange, Capgemini, Microsoft license), S3NS (Thales, Google Cloud license), AWS European Sovereign Cloud. These offerings reflect a shift in the criterion of sovereignty: from technological control to jurisdictional compliance — data location, nationality of staff, local legal form. This volume examines what this shift leaves unchanged.
Volume II ("The Illusion of the Cloud") documented hardware dependency: components, manufacturing, firmware in the physical sense. This volume deliberately excludes that scope and treats it as a neutral postulate — hardware is assumed to be acquired, local, or irrelevant to the demonstration. The object here is a distinct layer: the software control plane — orchestrator, hypervisor, management API — which governs the infrastructure independently of the physical location of the machines it administers.
Grossman & Hart (1986) establish that formal ownership of an asset confers real control only to the extent that its holder can decide on uses not specified by contract — "residual control rights." Applied to so-called sovereign cloud: the local entity holds the asset (the datacenter, the legal entity), but decisions not explicitly transferred by the license — control-plane updates, evolution of the management API, arbitration over the orchestrator's architecture — remain exercised by the holder of the original license. Local ownership of the asset does not cover the residual control of its operation.
The demonstration unfolds in three stages. Chapters I and II document a REALITY: the current, verifiable operation of the Bleu, S3NS and AWS ESC offerings — opacity of the control plane (Chapter I), contractual lock-in that protects this opacity (Chapter II). Chapter III formulates a PROPOSAL distinct from any existing observation: a theoretical design of a genuinely autonomous control plane, not a survey of an existing offering. This distinction is maintained watertight throughout the volume.
This volume documents an asymmetry of control, not an intent. The actors mentioned — license providers, local integrators, end clients — operate within a public and lawful contractual framework; the demonstration concerns the structure of that framework, not the motives of those who occupy it. Every factual reference (contractual clause, technical mechanism, date) is verified before inclusion; any remaining doubt is flagged explicitly rather than resolved by default.
A sovereignty that stops at the datacenter door has only moved its border, not its center of control.
The three offerings examined in this volume — Bleu (Orange, Capgemini, technology under Microsoft license), S3NS (Thales, technology under Google license), AWS European Sovereign Cloud — share the same architectural principle: a local legal entity, locally cleared staff, a datacenter located in the relevant territory, and a software orchestration layer — hypervisor, control plane, management API — whose technological origin and maintenance remain tied to the original license provider. This chapter documents this second layer, not the first.
A cloud infrastructure decomposes analytically into three layers: the physical layer (silicon, datacenter — out of scope here, cf. Volume II), the orchestration layer (hypervisor, control plane, resource management API), and the usage layer (the end client's workloads). The legal and administrative sovereignty claimed by these offerings covers the two peripheral layers — physical siting and usage — without necessarily covering the intermediate layer, which nonetheless governs the effective operation of the whole.
This architecture is not concealed: it corresponds to an assumed industrial choice, documented in the commercial communications themselves, which present these offerings as resting on "proven technology" from the original provider, operated locally. What this chapter documents is therefore not the existence of this dependency — public — but its exact scope: which decisions about the operation of the orchestration layer remain, by contractual and technical construction, out of reach of the local operator.
S3NS (Thales, technology under Google Cloud license) publicly documents its own mechanism: updates to the Google software layer (including Compute Engine and Google Kubernetes Engine, technical foundations of the offering) first pass through a quarantine zone where S3NS teams may, if necessary, audit the code before production deployment. Monitoring and operational administration remain the responsibility of S3NS. This mechanism concretely illustrates the layer separation set out above: operation and verification are local, but the production and schedule of the software layer itself remain the responsibility of Google Cloud, which continues to supply and evolve this layer.
The precise distribution of responsibilities between local operator and license provider differs from one offering to another and evolves with successive commercial announcements. This chapter documents the architectural principle common to all three offerings; any contractual clause or technical detail specific to a named offering will need to be verified against a dated primary source before final integration.
The orchestration layer is not static: it is subject to regular updates — security patches, evolutions of the management API, changes to hypervisor behavior. The channel through which these updates are decided, tested and deployed is the central observation point of this chapter.
In a principal-agent relationship, the agent (here, the provider of the orchestration technology) holds information about the internal operation of the system superior to that of the principal (the local operator and, ultimately, the end client). Stiglitz showed that this asymmetry is not resolved by contractual good faith alone: it requires independent verification mechanisms, absent which the principal cannot distinguish a neutral update from one that substantially alters the initial guarantees.
The local operator of a sovereign cloud offering receives updates to the orchestration layer according to a schedule and content determined by the license provider. It generally has neither an independent audit right over the hypervisor's source code nor a unilateral right to block an update deemed problematic, beyond a limited, contractually fixed testing window. The mechanism is not a hidden clause: it is a direct consequence of the proprietary licensing model on which the offering itself rests.
When publicly asked in 2022 how long Google Cloud guarantees the availability of its software updates to S3NS, the technical leads of Thales and Google Cloud gave no precise answer, referring the question back to the confidential clauses of the contract between the two companies. This illustrates the asymmetry described above: even the existence of a duration commitment is not public — only its inclusion in a contract not accessible to the end client is confirmed. For Bleu (Orange/Capgemini, technology under Microsoft license), patching is announced as handled exclusively by the joint venture's own teams — which shifts the asymmetry rather than removing it: applying the patch is local, but its content and production schedule remain determined by the Azure and Microsoft 365 release cycle, outside the French operator's control.
The introduction to this volume set out the theoretical anchor of Grossman & Hart (1986): formal ownership of an asset confers real control only to the extent that its holder can decide on uses not specified by contract. Sections I.1 and I.2 now allow us to identify precisely where, in the case of sovereign cloud, the residual control rights over the orchestration layer actually sit.
The local entity holds formal ownership of the physical infrastructure and the offering's legal structure. The license provider holds residual control over the orchestration layer: any decision not explicitly transferred by the license contract — management API architecture, update schedule, evolution of hypervisor behavior — remains exclusively its own. Ownership of the physical asset and residual control of its software operation are thus structurally dissociated.
This chapter establishes a verifiable architectural reality: the dissociation between local ownership of the infrastructure and residual control of the orchestration layer. It does not establish — nor is this its object — that this dissociation is concealed from clients, nor that it constitutes a contractual violation. Chapter II documents the contractual device that organizes and protects this dissociation. Chapter III, distinct from the first two by its nature as a PROPOSAL, will examine whether an alternative architecture could reunify ownership and residual control.
Chapter I established that residual control over the orchestration layer remains, structurally, in the hands of the license provider. This chapter documents the contractual device that organizes this dissociation and makes it compatible, on paper, with regulatory reversibility requirements.
ANSSI's SecNumCloud framework requires qualified providers to include a reversibility clause in the service agreement: the client must be able to recover the entirety of its data, either as files in a documented, usable format, or through documented technical interfaces, and the provider must guarantee secure data erasure after contract termination. This requirement explicitly concerns the data. The framework does not formulate an equivalent requirement on the portability of the orchestration layer itself — the execution environment (orchestrator, management API, managed-service configuration) is not covered by the same reversibility obligation.
Teece showed that an innovator may fail to capture the value of its innovation when specialized complementary assets — necessary for commercial exploitation but not conveyed with it — remain held by a third party. The mechanism described above is an inverted variant from the client's point of view: recovering raw data, the only thing restored by the reversibility clause, does not restore the complementary assets needed to actually use it — management API, managed-service configuration, automations built around them. These complementary assets remain specific to the original provider's orchestration layer; it is their lack of portability, not the data itself, that constitutes the effective lock-in.
A sovereign cloud offering can thus fully satisfy its regulatory reversibility obligation — the client recovers its data in a documented format — while leaving its dependency on the proprietary orchestration layer intact. Taking the data back does not restore the ability to use it under the same conditions elsewhere: the managed services used (managed database engine, managed container orchestrator, integrated analytics tools) are configured and exposed via the original provider's own API, and their functional replica at another provider requires re-architecture, not a simple file migration. The reversibility clause and the license clause therefore do not cover the same technical scope; it is this gap in scope that constitutes the cross-dependency.
This observation echoes, from a contractual rather than a technical angle, an observation already established in Volume VI regarding the regulatory workaround of DORA Article 28(8): the reversibility a regulator can require and obtain, in documented practice, is limited to the data — never to execution. This volume finds the same gap in a different context: that of a sovereign cloud's software license, not that of a multi-cloud exit strategy.
The second part of the contractual device concerns technical support. In a multi-tier support model, the first tier (incident detection) and the second (standard diagnosis and corrective action) can be handled by the local operator. The third tier — intervention on the product's source code or deep architecture — requires access and expertise the local operator structurally does not hold, since it is neither the author nor the maintainer of the orchestration layer.
S3NS publicly documents this split: monitoring and operational administration are handled by S3NS teams, while the software layer itself and its updates continue to be supplied by Google Cloud, with S3NS retaining a right to audit the code before deployment rather than a right to develop or fix it autonomously. This split is not presented as a hidden limitation: it follows directly from the nature of the license model — S3NS operates and verifies a technology it did not author, and cannot, by construction, alone ensure its deep maintenance.
This third support tier constitutes, in practice, the most costly exit path to take unilaterally: a local operator wishing to migrate to an alternative orchestration layer would have to rebuild this deep maintenance capability from scratch, never having had access to it during the term of the current contract. Exit is therefore not technically impossible — Chapter III will examine an architecture where it would be less so — but it is made costly by a contractual device that never gave the local operator the means to do without it.
The two mechanisms documented in this chapter — the gap between data reversibility and execution reversibility (II.1), locking down tier-3 support (II.2) — combine: the first organizes the persistent dependency of the orchestration layer despite regulatory compliance; the second raises the effective cost of exiting it. Chapter III proposes an architecture that explicitly answers both mechanisms.
This chapter describes no existing offering. It models a theoretical architecture, assessed against the mechanisms documented in Chapters I and II, without prejudging its commercial viability or its adoption by any market actor.
Chapter I located residual control over the orchestration layer on the side of the license provider, even where ownership of the physical infrastructure remained local. An architecture of autonomy must therefore act on the orchestration layer itself, not on the layers surrounding it.
The proposed principle is to base the orchestration layer on software whose source code is fully available, and to have the local operator itself compile that code, from its own build pipelines, rather than receive a binary delivered and maintained by a third party. This shift does not remove dependency on a body of code originally written elsewhere — open software remains, upstream, written elsewhere — but it moves the point where the residual control right is exercised: from binary distribution to compilation itself, an act the local operator performs and verifies end to end.
This reconfiguration answers directly the mechanism documented in I.3: the dissociation between asset ownership and residual control of its software operation. If the local operator compiles its own control plane from code it can read, modify and audit, formal ownership of the infrastructure and residual control of its operation are reunited in the same hands — which was not the case in any of the three offerings examined in Chapters I and II.
Chapter I documented, through Stiglitz's mechanism, an information asymmetry resting on the update channel: the license provider knows the content and schedule of orchestration-layer changes before the local operator, and determines that schedule alone. An architecture of autonomy must break this channel, not negotiate it.
The proposed principle is to receive, upstream, only the published source code of the orchestration project, without a privileged distribution channel or prior notification from a single provider. Integrating a change then becomes a voluntary act by the local operator — it chooses to incorporate a version of the published code, at a pace it determines, rather than receiving a patch pushed on an external schedule. The information asymmetry does not disappear between the local operator and the full set of contributors to the open project, but it ceases to be organized for the exclusive benefit of a single provider holding a private channel to the operator.
This isolation does not guarantee the quality, security or relevance of the underlying open project's changes — it guarantees only that the decision to integrate a given change remains entirely the local operator's, who then bears full responsibility for it rather than delegating it to a third party.
Sections III.1 and III.2 reunify control and break the privileged update channel. This gain has a cost, which this chapter states explicitly rather than passing over in silence — in keeping with this volume's Declaration of Asymmetry, which requires distinguishing a proposal from a reality and owning its price.
An operator that compiles its own control plane and alone decides the pace at which changes are integrated forgoes, by construction, the speed of feature delivery that a single provider can offer by pushing updates centrally and immediately to its entire installed base. The functional gap between the autonomous offering and the proprietary one is not accidental or temporary: it is the structural and permanent counterpart of the control reclaimed in III.1 and III.2.
This architecture does not claim to offer a better feature-to-effort ratio than the offerings examined in Chapters I and II. It proposes a different trade-off: fewer features available at the same pace, in exchange for residual control reunified with asset ownership. This volume's Declaration of Asymmetry states that this proposal is not presented as a prevailing norm — even less as a solution without a counterpart.
III.1 reunifies asset ownership and residual control of its operation through local compilation of an open control plane. III.2 breaks the privileged update channel documented in I.2, making the integration of any change voluntary rather than imposed. These two gains are acquired only at the price stated in III.3: a permanent functional freeze relative to the pace of deployment of a single, centralized provider.
This volume does not claim that the proposed architecture eliminates every form of technological dependency: the hardware dependency documented in Volume II remains a neutral postulate of this volume, not a problem it resolves. Lock-in through identity and encryption (IAM/KMS), flagged elsewhere in this collection, continues to apply to any orchestration layer, including the one proposed in Chapter III. This volume answers the specific mechanism of control-plane opacity and its contractual shield — not every capture mechanism documented in this research collection.
A sovereignty that stops at the datacenter door has only moved its border, not its center of control; moving that center, in turn, has a price that no commercial communication will commit to displaying in place of the operator who chooses it.
This volume is an open system awaiting real-world corrections. We explicitly invite any organization that has migrated to a locally compiled orchestration layer, or negotiated an independent audit or development right over a licensed orchestration layer, to document its experience and to correct or enrich this architecture of autonomy.
Sovereignty is not measured by the nationality of the staff operating the infrastructure, but by the hand that decides, in the last resort, what the machine does.
This appendix does not reproduce the full verbatim of the exchanges that produced this volume. It summarizes the process, chapter by chapter, keeping the moments that concretely changed the text: the choice of demonstration axis, the reasoned refusal of the first draft of Chapter I, the corrective injection that fixed it, and the global audit — explicitly distinct from the per-chapter audits — that produced the volume's last enrichment.
This volume required an initial framing, a refusal then a two-draft validation for Chapter I, direct validation for Chapters II and III, then a distinct global audit that produced a targeted enrichment. The full verbatim would have made a document longer than the volume itself. This summary favors the readability of the path over exhaustive quotation.
Three candidate topics were submitted for Volume VII, of which sovereign cloud marketing was selected for its topicality and lack of overlap with the six volumes already produced. What remained was choosing the central demonstration mechanism between two axes: hypervisor/orchestrator opacity (an extension of Volume II) and the contractual asymmetry of software licenses.
Gemini produced a concise comparative analysis of the two axes rather than a settled preference, noting that Axis 1 (hardware/orchestrator) was the most faithful to the corpus's founding thesis but risked repeating Volume II, while Axis 2 (legal) was original but risked departing from the usual technical register. Amine settled on a hybrid architecture: Axis 1 as the central mechanism of Chapter I, Axis 2 as a second movement in Chapter II, illustrating how contractual lock-in protects technical opacity rather than replacing it.
The first draft of Chapter I was refused for a precise reason: the theoretical armature (Grossman & Hart, Stiglitz) was validated, but the demonstration remained general — a callout flagged a doubt about the distribution of responsibilities across the three named offerings without ever technically naming the mechanism of any of them.
The requested injection called for a named, real technical example. Rather than integrate an example from memory, independent research was conducted to verify the exact characterization of S3NS's update mechanism (quarantine zone, code audit right for local teams, production and scheduling of the software layer remaining Google Cloud's responsibility) and to situate it in comparison with Bleu (patching handled by the joint venture's own teams, but patch content determined by the Azure/Microsoft 365 release cycle). The second draft was validated without reservation, the factual accuracy of both examples being described by the audit as forensically exact.
Chapter II was validated on its very first draft, without reservation or revision — the only chapter in this volume not to require a second round at this stage. Its central mechanism, the gap between the data reversibility required by SecNumCloud criterion 19.4 and the absence of an equivalent requirement on orchestration-layer portability, was judged immediately solid, as was the named illustration of tier-3 support lock-in at S3NS.
It was only at the stage of the global audit of the complete volume — not during the unitary audit of this chapter — that a complementary theoretical anchor was recommended: Teece (1986) on complementary assets, to qualify why recovering raw data does not restore the effective use of the managed services configured around it. This enrichment illustrates a difference in kind between a chapter-by-chapter audit and an audit of the work as a whole: the former validates the local solidity of a mechanism, the latter can still propose deepening it without calling it into question.
Chapter III required an explicit doctrinal shift: none of the three named offerings from Chapters I and II were to appear again, the text having to read entirely as a theoretical proposal rather than a description of an existing reality. An automated check confirmed the total absence of these mentions before submission to audit.
The first version of the Closing page did not follow the collection's official structure: it was limited to a summary paragraph followed by the signature, without the elements required by the format used in previous volumes. It was entirely rebuilt to match the structure of "The Illusion of Agnosticism" (Volume VI): synthesis in a mechanism-box, explicit limits in a definition-box, condensed thesis in a gold-box, open call in a nassiha-box, then final thought and signature.
Each chapter of this volume was validated in isolation before a distinct audit, explicitly covering the complete work, was requested — an end-to-end chain of resolution between Reality and Proposal, coherence of the cumulative theoretical anchors, the scope of the general thesis at the scale of the whole volume rather than a single chapter.
This audit validated the entire chain of resolution and the Reality/Proposal cut without reservation, and produced, in return, two improvements that no per-chapter audit had requested: the Teece anchor in Chapter II, and the synchronization of watermarks and page-footer signatures across the volume's twelve pages, from the watermark to the closing signature.
Eleven pages of volume body required an initial framing, a refusal and a corrective injection on Chapter I, a direct validation of Chapter II, a doctrinal shift and a format rebuild on Chapter III and its Closing, then a global audit that produced two enrichments no prior audit had identified.
A chapter can be accurate and complete taken in isolation, and still fall a little short once the volume is read as a whole. This appendix exists to show that this gap was actively sought out afterward, not merely assumed absent from the start.

An IAM identity is not a file you export: it is a living relationship inside the provider's trust graph. The encryption key never leaves the HSM — at all three hyperscalers. The last lock, outside the scope of the Data Act, and its partial workaround: SPIFFE/SPIRE, an independent vault, with its documented ultimate limit.
This volume does not claim that identity and encryption-key management at a cloud provider is inherently malicious. It was modeled by an infrastructure architect, audited contradictorily by two AI systems, from publicly verifiable facts — provider technical documentation, published regulatory frameworks, open standard specifications. It prosecutes no one's intent. It documents a structural mechanism by which digital identity and the encryption key remain the last lock on an architecture, even when the orchestrator is open and the data portable, and proposes a workaround architecture explicitly framed as a proposal, not a deployed solution.
This volume builds a chain in three stages: first, why digital identity (IAM) and the encryption key (KMS) structurally escape reversibility clauses, even when the orchestrator can be open and the data format portable (Chapter I); then, to what extent existing frameworks — the SecNumCloud referential, the European data regulation — cover or ignore this precise mechanism (Chapter II); finally, a workaround architecture built on federated workload identity and an independent key vault, with an explicit demonstration of its ultimate limit (Chapter III).
An open control plane or a low-gravity data architecture remain captured in practice if identity and the encryption key stay anchored with the originating provider — identity and the key are the last lock, precisely because no portability clause targets them directly.
Volumes VII and VIII of this collection each established that a reconquest architecture can neutralize the orchestrator's lock-in or the lock-in of data gravity, while explicitly leaving out of scope one last mechanism: identity management (IAM) and encryption (KMS). This chapter documents that mechanism for the first time in this collection.
An IAM identity is not a file you export: it is a living relationship, valid only inside the trust graph of the provider that issued it. A role, an instance profile, a managed identity only make sense within the directory, policies, and verification infrastructure of the originating provider. Migrating an organization elsewhere does not migrate this relationship — it must be recreated from scratch inside the new provider's trust graph.
Encrypted data can, in theory, be copied bit for bit to another infrastructure. An identity cannot be copied the same way: it is not a static value, but the result of a continuous attestation process — verifying the origin of the request, the integrity of the call chain, the temporal validity of the token. Copying the representation of an identity without copying the attestation process that validates it produces nothing usable.
The encryption key follows a similar logic, but with an added material constraint: across the three main hyperscalers (AWS, Azure, Google Cloud), the default encryption key generated by the native managed key service is, by design, never exportable in the clear.
AWS KMS technical documentation explicitly states that a key whose origin (the Origin parameter) is AWS_KMS can never be extracted, exported, or viewed outside the hardware security module (HSM) that holds it — only the public portion of an asymmetric key is an exception. The documentation also confirms that the format of symmetric ciphertexts produced by AWS KMS is not published, and that no other system, including another HSM, can decrypt content encrypted by that key.
Official Microsoft documentation confirms that a key protected by Azure Key Vault HSMs (Premium tier, nCipher/Thales chips, FIPS 140-2 Level 2 validation) can never be exported: the Key Exchange Key generated inside the HSM never exists in the clear outside of it, and no decrypted version of the customer's key can ever be returned by Microsoft once transferred. The associated application identity (Managed Identity) is itself tied to a service principal in Entra ID, valid only within the originating Azure tenant's directory.
Official Google Cloud documentation confirms that a key created with an HSM protection level (ProtectionLevel=HSM) is generated, wrapped, and used exclusively inside HSMs certified at FIPS 140-2 Level 3: the service's very design guarantees the key can neither be unwrapped nor used outside the HSM, nor extracted from it. Workload Identity Federation, which avoids creating exportable service-account keys, remains itself a feature of Google Cloud's IAM control plane, activated and revocable only from that same control plane.
All three hyperscalers converge on the same architecture: the encryption key generated by their native managed service never leaves their HSMs, whatever the precise FIPS certification (Level 2 for Azure Key Vault Premium, Level 3 for AWS CloudHSM and Google Cloud HSM). The mechanism documented in Chapter I is therefore not a quirk of a single provider, but a shared architectural convention across the three main market players.
An organization that wants to change cloud providers without losing access to its already-encrypted data must either re-encrypt the entire relevant data volume with a new key before the switch — an operation whose cost grows linearly with the volume of data already accumulated — or accept remaining dependent on the originating provider's key service to decrypt what was already encrypted there, even after the compute infrastructure itself has switched.
This chapter does not claim that external key import (Bring Your Own Key) resolves this mechanism: this feature, available across all three hyperscalers, moves key generation outside the provider but changes neither the HSM's hardware attestation nor the dependency on the proprietary API for every decrypt operation.
Two distinct theoretical anchors, applied together, account for this mechanism without reducing it to mere contractual negligence on the providers' part.
W. Brian Arthur ("Competing Technologies, Increasing Returns, and Lock-In by Historical Events", The Economic Journal, vol. 99, 1989) established that an initial technical choice, even a minor one, can become locked in through the cumulative effect of small historical events reinforced by increasing returns — without any single identifiable decision being responsible. The initial choice of an identity provider fits this dynamic: each additional service connected to that directory, each additional access policy written in its proprietary language, raises the cost of any later migration without any one migration ever having, on its own, caused the lock-in.
Grossman and Hart ("The Costs and Benefits of Ownership: A Theory of Vertical and Lateral Integration", Journal of Political Economy, vol. 94, 1986) distinguish specific rights, enumerable in a contract, from residual rights, which default to whoever owns the asset. Applied to identity and the key: the cloud service contract can enumerate specific rights (access, use, portability of raw data), but the residual right over the hardware attestation chain — which HSM signs, which hypervisor attests a virtual machine's boot — remains, by construction, the property of the provider that owns the silicon. No portability clause transfers this residual right, because it was never a negotiable specific right.
Identity and the key are locked in both by an unintentional cumulative effect (Arthur) and by a structural asymmetry of ownership over the physical infrastructure that authenticates them (Grossman & Hart). The second anchor explains why this lock-in resists even an open orchestrator governance model (Vol. VII): software governance does not transfer ownership of the HSM.
The ANSSI's SecNumCloud requirements referential (version 3.2) imposes precise obligations on qualified providers regarding encryption key management — but these obligations concern the robustness of that management, not its portability upon a change of provider.
The referential requires secure encryption key management including dedicated procedures for generation, storage, distribution, and revocation, along with cryptographic requirements consistent with ANSSI recommendations (general security referential, annex B1). Encryption of data at rest and in transit must be systematic. These requirements target the robustness of protection — they do not address what happens to a functional key when the provider is left.
Nothing in SecNumCloud's documented requirements obliges a qualified provider to guarantee the operational exportability of an encryption key generated under its control toward another provider's infrastructure. The referential protects the key's integrity and confidentiality while it remains with the qualified provider — it does not address its portability at the moment of exit.
This chapter does not claim this blind spot constitutes a design flaw in the SecNumCloud referential: the robustness of cryptographic protection and the portability of a functional key are two objectives in tension, and a security referential would normally favor the former. This chapter documents a scope limit, not a negligence.
The EU Data Act (Regulation 2023/2854), applicable since September 12, 2025, imposes on cloud service providers a switching regime built on "functional equivalence" and interoperability.
Article 30 of the Data Act requires, for infrastructure-type services (IaaS), that the originating provider take all reasonable measures to enable the customer to achieve functional equivalence in the new service's environment, by providing the necessary capabilities, information, documentation, technical assistance and tools. For other services (PaaS, SaaS), the obligation covers making open, free interfaces available that facilitate data portability and interoperability.
Article 2, point 38, of the Regulation defines "exportable data" by explicitly excluding data whose export would expose the provider to a cybersecurity vulnerability, as well as assets protected by intellectual property rights or trade secrets. The notion of "digital asset", moreover, only covers elements for which the customer has a right of use independent of the contractual relationship with the provider being left. An encryption key generated and held by the provider's managed key service clearly meets neither criterion: it was never a right held independently of that contract, and its functional export could, by construction, fall under service security. Nothing in the text, however, explicitly settles this case — it is precisely this absence of unambiguous qualification, rather than a named exclusion, that constitutes the blind spot documented here.
This chapter does not claim the Data Act deliberately ignores the question of keys — the absence of explicit mention could equally reflect an oversight or an implicit reference to the general notion of functional equivalence. This chapter documents a zone of legal uncertainty, not a definitive conclusion about legislative intent.
Facing the mechanism documented in Chapters I and II, a theoretically appealing but architecturally insufficient response consists of proposing the simple software replacement of the identity provider and key vault with self-hosted open-source equivalents.
Deploying an open-source identity provider (e.g. Keycloak) and a self-hosted key vault (e.g. HashiCorp Vault) does not resolve the mechanism documented in Chapter I: these tools handle application-level authentication — verifying that a user or service carries a valid token — not infrastructure-level authentication, i.e. verifying, at the moment a virtual machine or container boots on the provider's silicon, that this boot itself is legitimate. This second layer remains, by construction, under the control of the proprietary hypervisor.
A self-hosted application identity provider can authenticate human users and high-level services. It cannot, however, substitute for the hardware attestation that certifies a given workload is actually running on the hardware it claims to use — this attestation requires access to the provider's root of trust (security chip, hypervisor microcode), which no client software can reproduce from the outside.
The frontier of what is technically conceivable today to partially work around this mechanism rests on attested workload identity rather than application identity alone.
The open standard SPIFFE (Secure Production Identity Framework for Everyone), implemented by SPIRE, allows attesting a workload's identity from verifiable node and process properties — rather than a shared secret — and federating that identity across multiple cloud providers via interoperable trust domains. Paired with an independent key vault following an interoperability protocol such as KMIP (Key Management Interoperability Protocol), this standard offers portability of the identity and key-management application layer that neither Keycloak nor Vault alone provide.
An organization using SPIFFE/SPIRE can carry the same cryptographically verifiable workload identity across several cloud environments simultaneously — a necessary condition for a provider switch not to immediately break the application authorization chain.
This proposal does not settle the question raised in Chapter I about the root of trust at machine boot — it shifts it one level down, from the application layer to the node-attestation layer, which itself remains dependent on the provider. This point is developed explicitly in III.3.
SPIRE's own technical documentation specifies the node-attestation mechanism, and this mechanism reveals the ultimate limit of any workaround architecture.
Node attestation in SPIRE — the step by which a SPIRE agent proves to the server that it is indeed running on the node it claims to be — typically relies on metadata APIs specific to each cloud provider (AWS EC2 instance identity document, GCP instance metadata tokens, Azure managed identity attestation). In other words: even the most advanced implementation of federated workload identity depends, at its very first link, on the signature issued by the originating provider's hypervisor at the moment the machine boots on its silicon.
Fully escaping this dependency requires giving up the most performant managed abstractions — Serverless, native PaaS — to drop down to a rawer compute level, where the organization itself controls hardware attestation (for example via its own security chips on infrastructure it owns). This is a functional freeze symmetric to those already accepted in Volumes VII and VIII: an explicit trade-off between operational comfort and sovereignty, not a costless solution.
This volume does not claim that combining SPIFFE/SPIRE with an independent key vault eliminates the mechanism documented in Chapter I. It establishes that this combination represents the frontier of what is conceivable without giving up managed services — and that this frontier leaves standing, at its root, exactly the lock it seeks to work around.
This volume has documented a mechanism left out of scope by Volumes VII and VIII: digital identity and the encryption key are not exportable artifacts, but attestation relationships anchored in the provider's trust graph and silicon. Neither an open orchestrator governance model nor data-format portability suffice to neutralize this last lock.
An open control plane and portable data remain captured in practice if the identity accessing them and the key decrypting them stay, at their root, signed by a single provider.
This volume does not claim to offer a complete, costless solution to IAM/KMS lock-in: the Chapter III proposal shifts the problem toward the node-attestation layer without eliminating it, and its real cost — in lost operational comfort — has not been quantified here for lack of a publicly documented large-scale deployed case. We explicitly invite any architect who has implemented SPIFFE/SPIRE in multi-cloud production to document that experience and correct or enrich this anatomy.
A key you cannot take with you is not a key you own. It is a right of use, revocable by construction, held by whoever controls the silicon.
This appendix documents, in shorthand form, the actual course of this volume's contradictory production cycle: Amine RAITI defined the project and arbitrated points of disagreement, Claude drafted the framing and successive drafts and carried out independent factual verification, and Gemini audited each delivery as Forensic Auditor.
No claim in this volume is presented as sourced from memory. This appendix lets any reader verify, step by step, what Amine asked for, what Claude independently verified before writing, and what Gemini validated, rejected, or had corrected — rather than integrating a suggestion under reserve.
Amine submitted to Claude the provisional thesis of IAM/KMS lock-in as the last lock surviving the opening of the orchestrator (Vol. VII) and the portability of the data format (Vol. VIII). Claude drafted a framing prompt from this thesis and submitted it to Gemini for audit.
Gemini proposed the reference "Path Dependency and Architectural Interlocking, Arthur 1989"; Claude independently verified this reference and corrected the article's real title, "Competing Technologies, Increasing Returns, and Lock-In by Historical Events". Gemini then required a second anchor, Grossman & Hart (1986), to cover the material-fusion dimension; Claude verified it independently before integrating it.
Gemini rejected the proposal to reformulate the Keycloak/Vault replacement already covered in Volume IV, judged insufficient against the technical objection of workload identity. Claude redirected the empirical target toward SPIFFE/SPIRE and the KMIP protocol, verified independently before drafting Chapter III.
Before drafting Chapter I, Claude independently verified five elements: the corrected Arthur (1989) reference, the Grossman & Hart (1986) reference, and the technical documentation of AWS KMS, Azure Key Vault, and Google Cloud KMS, each confirming the non-exportability of their native HSM keys.
Claude confirmed both theoretical references through independent research (exact title, journal, volume, pages). He confirmed the empirical materiality on AWS KMS, Azure Key Vault (nCipher/Thales, FIPS 140-2 Level 2) and Google Cloud KMS (FIPS 140-2 Level 3) directly from each of the three providers' official documentation, as part of the global audit Gemini requested on the first draft. Claude flagged, rather than silently corrected, an error in the FIPS level Gemini initially advanced for Azure (Level 3 proposed, Level 2 confirmed by Microsoft's documentation).
Before drafting Chapter II, Claude verified the ANSSI's SecNumCloud v3.2 referential and Articles 2 and 30 of Regulation (EU) 2023/2854 (Data Act) through independent research.
Claude confirmed, from several concordant sources, the content of SecNumCloud's key-management requirements (generation, storage, distribution, revocation), none of which mention any obligation to port a functional key. Gemini had proposed a textual quotation of Article 30; Claude judged it too approximate to reproduce as-is after verification, and substituted a more precise anchor, grounded in the definition of "exportable data" (Art. 2, point 38 — cybersecurity-risk exclusion) and "digital asset" (right of use independent of the contract), corroborating Gemini's semantic-gap hypothesis without reproducing his inaccurate wording.
Before drafting Chapter III, Claude independently verified SPIFFE/SPIRE's technical documentation, in particular the node-attestation mechanism on which Gemini had based his demand to neutralize the straw man.
Claude confirmed, from several concordant technical sources, that node attestation in SPIRE relies on metadata APIs specific to each cloud provider (AWS EC2 instance identity document, GCP metadata tokens, Azure attestation). This confirmation let Claude validate Chapter III's central demonstration without asserting it from memory.
Claude submitted a global audit to Gemini on the complete first draft (vol9_fr_jet1.html), delivered as a single block on an experimental basis. Gemini issued his verdict: logical partial refusal, with matrix-hardening injections required. He judged the conceptual armature (identity as relationship, material fusion, theoretical anchor) stable and free of semantic drift from Chapter I to the close.
The Arthur (1989) / Grossman & Hart (1986) articulation in Chapter I. The functional-freeze demonstration in Chapter III (SPIFFE/SPIRE, node attestation dependent on the originating provider's metadata), judged embodied and unassailable. The negative citation of HashiCorp Vault and Keycloak as a rejected straw man, judged healthy by Gemini for the corpus's continuity against Volume IV.
Gemini flagged a materiality asymmetry between AWS on one hand, Azure and Google Cloud on the other in Chapter I; Claude corrected it by injecting symmetric empirical materiality for all three providers. Gemini judged the legal uncertainty in Chapter II on the Data Act insufficiently textually anchored; Claude corrected it with an anchor on Article 2, points 37 and 38, after finding Gemini's proposed quotation was not verifiable as-is.
Gemini judged the modified production protocol (complete draft followed by a single global audit) experimentally useful but degraded compared to the standard chapter-by-chapter cycle, and set the return to the standard protocol for Volume X. Gemini further requested an immediate trilingual draft; Amine ruled the opposite way, deciding the volume stays French-only until fully validated and hardened.
Alongside Gemini's second global audit, Amine asked Claude to run his own independent quality check on the sealed file, without assuming Gemini's verdict alone guarantees the volume's factual accuracy.
Claude re-verified directly from each of the three providers' official documentation the non-exportability of AWS KMS, Azure Key Vault Premium (FIPS 140-2 Level 2), and Google Cloud KMS (FIPS 140-2 Level 3) keys. He judged the Arthur (1989) and Grossman & Hart (1986) references stable, and cross-checked against the Regulation's exact text the point numbers cited in Data Act Article 2 (37 — functional equivalence, 38 — exportable data), which he confirmed correct.
Gemini justified his initial audit report by stating he had meant the Azure Dedicated HSM service (Level 3) rather than Key Vault Premium. Claude verified this fact, true in isolation — Dedicated HSM does reach Level 3 — but noted that Gemini's original wording had grouped these two distinct Azure offerings under a single certification level, which amounted to a conflation. The correction Claude had already made in draft 2 (Level 2 for Key Vault Premium) remains accurate and needed no further adjustment after this counter-audit.
This independent check conducted by Claude does not claim to replace the contradictory audit cycle with Gemini — it supplements it as a double validation explicitly requested by Amine before considering the French volume's sealing definitively acquired, following the principle that two independent verifications are better than one, even when the first revealed no error.
Claude corrected this second draft after Gemini's global audit and his own independent counter-audit; the volume remains subject to a further review by Gemini before final closing in French.
Status at the closing of this appendix: Claude revised the three chapters in French only, symmetrized multi-cloud materiality in Chapter I, and corrected the Data Act anchor in Chapter II. No EN/AR translation had been undertaken at that stage — Gemini requested an immediate trilingual production, but Amine ruled the opposite way: the volume would only be translated after full validation and hardening in French. This English version was produced once that French sealing was confirmed.

Abstraction did not make engineers incompetent — it made invisible the moment causal diagnosis stopped being practiced. NoOps, newspeak, the departure of the last person who knew, the tyranny of the runbook, the orchestrator incinerating the crime scene — and the reconquest: technical primacy, master-craftsman apprenticeship, degraded Game Days.
This volume does not claim that every cloud-trained engineer is incompetent. It was modelled by an infrastructure architect, audited contradictorily by two artificial intelligences, drawing on verified public data — industry surveys, technical documentation, field accounts already published in the corpus. It documents a measurable erosion of one precise skill — causal diagnosis under failure conditions — and proposes a reconquest explicitly owned as such: proposals, not established norms.
This volume builds a three-stage chain: first, how vocabulary made a skill's disappearance invisible (Act I); then, eight concrete and distinct mechanisms by which this skill actually erodes, from a senior's departure to the automatic destruction of incident evidence by modern orchestrators (Act II); finally, a reconquest architecture built on decision authority, training programmes already verified at the hyperscalers themselves, and deliberate training to do without the tools that cause the atrophy (Act III).
Cloud abstraction did not make engineers incompetent — it made invisible, gradually and without any single decision, the moment when causal diagnostic skill stopped being exercised.
NoOps is the only marketing term in computing history to explicitly announce, in its very name, the suppression of a profession — and the organisations targeted by it adopted it without resistance. This is not a technical evolution. It is a unilateral technical disarmament plan, embraced enthusiastically by its own victim.
Loss of the name precedes loss of the skill. A profession first renamed, then merged with a neighbouring one, then declared obsolete — each step presented as natural progress, never as a suppression. By the end of the cycle, no one in the organisation formally carries responsibility for understanding why a system fails.
The shift from an operating budget (infrastructure CapEx) to a subscription (cloud OpEx) made diagnostic competence invisible on financial statements at the same pace it disappeared from org charts.
The global cloud market was worth $230 billion in 2019, $580 billion in 2023 — 152% growth in four years. Cloud newspeak is not a communication accident: it is a coherent system that produced measurable effects on infrastructure, teams, and budgets. Each term has a precise function in the chain dissolving competence — and quantifiable consequences on budgets and job titles.
The link between the ten documented terms and market growth is not proof of a single causation — other factors contributed to that growth. What is established, figures in hand, is that every vocabulary shift coincided with a transfer of budgetary and organisational responsibility, never the reverse.
This part documents how diagnostic competence concretely erodes — not through a single decree, but through eight distinct mechanisms, each affecting a different moment in an engineer's professional life.
In every infrastructure team there is a profile everyone knows without it being officially named: an SRE or systems administrator between 45 and 55, with twenty years of seniority, who knows things no one else knows. This knowledge is documented nowhere. It lives in this person's head, acquired incident by incident over two decades.
This profile is the exact mirror image of the one documented in The Blue — the profile entering the sector without being recognised. The Blue is the profile the sector does not welcome. The last who knows is the profile it lets leave without transferring anything. Between the two, the same invisibility — that of tacit knowledge which formal systems never capture.
At the moment this profile retires or resigns, the organisation loses not a position to fill, but a library of incident resolutions never written down — every future failure resembling one already seen twenty years earlier will be diagnosed again, from scratch.
The zellige of Fez, the carved plaster of Meknes, the leather of Marrakech survived only because the master/apprentice process was never broken. That same process produced the best infrastructure engineers this corpus has encountered — not in classrooms, but in server rooms. In Moroccan cities, the maâlem — literally « the one who knows » — is the master craftsman carrying knowledge acquired over decades of practice. This knowledge exists in no manual. It lives in the hands, the eyes, the body of the maâlem — and transfers only one way: the apprentice sits beside the master, watches, imitates, fails, tries again.
Apprenticeship transmits judgment under pressure — incident intuition — that no dashboard can teach in its place. An engineer who has never watched a master diagnose a physical failure in real time does not acquire this reflex by reading documentation, however complete.
In a final-year work-study interview, a young candidate enters without an engineering degree, without a vendor certification. Within ten minutes, though, he explains how he assembled and optimised a cryptocurrency mining rig — hardware chosen piece by piece, cooling calculated, power consumption compressed to a minimum. This real, self-taught competence is structurally invisible to automated recruitment filters looking for a specific degree.
The certification system was not designed to exclude these profiles intentionally — it was simply designed for a different type of path. Its effect, regardless of intent, is to let a precise share of the material diagnostic competence this volume documents as rare and valuable slip out of the formal labour market.
The State-Certified Engineer status (IDPE) already exists in French law as a recognition path for these self-taught journeys — a real, underused mechanism, not a proposal to invent.
Naming roles is not a bureaucratic exercise. It is a political act — in the etymological sense: an act concerning the city, the community, the collective organisation of professional life. Naming infrastructure roles precisely is setting the conditions for their recognition.
The newspeak documented in I.2 progressively dissolved distinct professional realities under generic labels (« DevOps », « Cloud Engineer »). A nomenclature structured into three categories — SysOps, NetOps, OpInfra — and six hierarchical levels answers this dissolution directly, putting precise words back on competencies that generic vocabulary had made interchangeable in the eyes of the market.
Modern observability platforms (Datadog, New Relic, Grafana) present colourful dashboards, automated alerts, algorithm-suggested correlations. This monitoring is real and useful — but it has produced a rarely documented side effect: a growing confusion between seeing that a system is failing and understanding why it is failing.
A dashboard can display that latency doubled on a specific service at a specific instant. It cannot, by itself, explain whether the cause is a database lock, network saturation, a hardware memory fault, or an unforeseen interaction between three distinct services. This causal explanation remains human work — but the daily experience of many engineers is now limited to reading the displayed symptom, never searching for the underlying cause.
This study does not claim observability tools are poorly designed — they do exactly what they were built for. It documents a practice deficit: the less an engineer descends below dashboard level, the less they retain the reflex to descend there next time — a muscle atrophying from lack of use.
The runbook — a documented step-by-step remediation procedure, increasingly assisted or generated by AI tools — is genuine progress for the consistency of emergency interventions. It becomes a structural problem when its execution entirely substitutes for the causal understanding of the engineer applying it.
A well-designed runbook accelerates a known resolution for an already-encountered problem. The shift documented here is different: an engineer executing a runbook without understanding each step never develops the capacity to react to an incident matching no existing procedure — that is, to any genuinely new incident.
Automating runbook generation with artificial intelligence tools amplifies this risk without creating it: it accelerates the production of procedures no one needs to understand to execute, which mechanically accelerates the loss of diagnostic reflex documented in this volume.
This study does not claim runbooks should be abandoned — they save precious time in a real crisis. It claims their existence never exempts from the initial causal-diagnosis training that would allow departing from them when they no longer match the situation encountered.
The Tyranny of the Runbook documents executing a procedure without understanding its steps. A more advanced stage of the same externalisation mechanism already exists in daily practice: copying a raw error message, pasting it directly into a conversational assistant or search engine, then executing the returned command — without ever reading the error message oneself with intent to understand it first.
Searching for a documented solution to a known error is nothing new or problematic in itself — it has always been normal engineering practice. The shift documented here is more specific: the disappearance of the intermediate step where the engineer formulates their own hypothesis about the cause before seeking confirmation. Without this step, the search no longer verifies reasoning — it entirely replaces it.
A runbook, even poorly understood, at least carries the trace of prior reasoning — that of its author. A response generated on the fly by a conversational assistant from a single pasted error message without additional context carries no trace of any reasoning verified against the system actually concerned.
This study does not claim consulting a conversational assistant or online documentation when facing an error is in itself a problem — it is one tool among others. It documents a specific usage: the automatic copy-paste-execute chain without prior causal hypothesis, which produces the same atrophying effect as the two preceding mechanisms, accelerated by the very speed of the tool.
When a container crashes — memory overflow or segmentation fault — the process's death is immediate and does not fall to the orchestrator itself: on a memory overflow, it is the Linux kernel (OOM Killer) that sends an instant SIGKILL signal to the process exceeding its cgroup limit; on a segmentation fault, the process collapses on its own. Kubernetes merely observes the death and restarts a new container — but this simple restart reflex, summed up by the formula « cattle, not pets » (livestock you replace, not a pet you nurse), sits at the very heart of Kubernetes and auto-scaling.
By the time the engineer becomes aware of the incident and wants to diagnose its root cause, the non-externalised logs, memory state, and precise error context have already been destroyed by the automatic restart. The orchestrator, performing its resilience function perfectly, simultaneously incinerates the scene of the incident.
This mechanism reflects no malice or negligence — it executes exactly what it was designed for. But its cumulative effect, across an entire organisation, is to progressively replace the ability to understand a failure with the mere ability to mask it under a new working instance, until the same failure recurs without anyone ever knowing its cause.
This study does not claim the « cattle, not pets » model is a design error — it solved real large-scale resilience problems. It documents its unintended side effect: without an explicit provision to preserve evidence before the kill, operational resilience is paid for with cumulative loss of diagnostic competence.
Facing the erosion demonstrated in Act II, this part develops three pillars of reconquest: the authority to decide technically (III.1), the in-house training where material diagnostic competence still survives, documented and verifiable (III.2 and III.3), and the deliberate training to do without the tools causing the atrophy (III.4).
In most organisations, no one has explicitly defined who holds the final say on infrastructure decisions. There is a budget, a committee, an IT department. In arbitration situations, decisions go to whoever holds the highest title in the room — not necessarily whoever best masters the technical subject.
Budget control legitimately belongs to management: it sets the envelope. Technical decision authority — which architecture, which risks to accept or refuse within that envelope — must belong to whoever holds the diagnostic competence documented in Act II. Conflating these two roles regularly produces the same result: accepting a generic runbook rather than funding the training that would make it unnecessary.
Without clearly recognised authority to exercise it, the diagnostic instinct documented as disappearing in Act II has neither the time nor the mandate to rebuild itself — it remains subordinate to arbitrations made by those who do not measure their consequences.
Several studies in this corpus have documented the declining value of physical infrastructure skills in Europe. A reverse, verifiable, dated event occurs simultaneously at the three major American providers: they recruit and train, in-house, exactly the skills Europe is abandoning.
The Work-Based Learning Programme (WBLP) is a paid 12-month training scheme covering the full range of datacentre operations. A testimonial quoted on the official page: « I arrived at AWS with no experience, straight out of high school [...] I eventually became Chief Engineer. » A « Data Center Chief Engineer » position exists explicitly for the Milan region (posting #3111099), with precise technical vocabulary — BMS, EPMS, MQTT, BACnet, MODBUS protocols — that of an industrial automation engineer.
WBLP trains general electrical and automation competencies, theoretically transferable to any industrial employer. What makes these profiles captive is not a non-compete clause: it is the specificity of proprietary internal systems (Amazon BMS/EPMS) — proprietary code and engineering lock in more effectively than law.
This same move recurs, in complete organisational independence, at Microsoft and Google — with no coordination between the three companies necessary or documented to produce this parallel. Three competing companies, operating on three continents, independently reaching the same operational conclusion: physical datacentre maintenance competence cannot be reliably bought on today's European labour market — it must be trained in-house, or it will not exist.
This convergence does not establish concerted intent between the three companies. It establishes that the same market diagnosis — the material diagnostic competence shortage documented in this volume — produces the same rational response among independent actors with no reason to coordinate.
Decision authority (III.1) and in-house training (III.2, III.3) alone do not answer the atrophy documented in II.5, II.6 and II.7 — the illusion of observability, the tyranny of the runbook, the copy-paste syndrome. These three mechanisms share a common cause: the permanent availability of a cognitive crutch. The only direct response is to deliberately remove that crutch, under controlled conditions, before a real failure does so without warning.
A failure simulation exercise (Game Day) is restructured to deliberately cut, for its duration, access to high-level observability dashboards and conversational assistants. Participants must diagnose the simulated incident by reading only raw system logs, using low-level network capture tools (tcpdump), and directly querying kernel state (dmesg) — exactly the layer modern tools usually abstract away.
A degraded Game Day does not replace day-to-day observability tools — cutting them in real production would be irresponsible. It restores, under safe and repeated conditions, the regular exercise of causal reasoning that those same tools normally render superfluous — the only documented way to maintain a muscle that atrophies by default.
Deliberate training is not enough against the mechanism documented in II.8. An OOMKill (kernel-sent SIGKILL) or a segmentation fault are immediate executions, impossible to intercept by any script or application hook — there is no « before » to act on once the process's death is triggered. The reconquest requires upstream forensic configuration, not after-the-fact interception: routing errors natively, via the Linux kernel's core_pattern parameter, to a persistent volume independent of the container's lifecycle — typically via a Sidecar pattern tasked with exfiltrating the file once the application container has died and the orchestrator is already restarting it. The instance's death then does not entail the death of the evidence.
This volume documents why diagnostic instinct erodes. Another volume in this collection, The Gendered Amputation, contains a study — The Crisis Bridge — that documents what unfolds in the precise instant this instinct — present or absent — reveals itself publicly: the major incident, the crisis bridge. The two studies address the same moment from two distinct, non-merged angles: the progressive disappearance of competence here, its public test there.
You do not restore an instinct by decreeing it. You restore it by giving someone the authority to use it, and the time to rebuild it where it still survives.
This volume is an open-source system awaiting real-world corrections. We explicitly invite every engineer who has lived through this erosion — or gone through an in-house training programme comparable to WBLP — to document their experience and correct or enrich this diagnosis.
Diagnosis is not taught on a dashboard. It is taught beside a master, one failure at a time, until the hand knows before the head has finished thinking.
This appendix was originally produced in French; the exchanges below are translated from that original for this English edition, preserving order and substance exactly. It documents the full process behind The Diagnostic Amnesia: the choice among five candidate subjects, the prompts sent to Gemini, its four successive audits — three of them rejections — and the corrections that followed. This volume required more rounds than the previous two, notably because of a genuine engineering error caught at the third audit, not merely a coverage gap.
Gemini's first two rejections concerned coverage gaps — blind spots to add. The third rejection concerned a pure technical impossibility in a proposed solution: you cannot intercept a SIGKILL signal before its execution. This distinction — between a gap and an error — deserves to be visible in this appendix, not only in the corrected final text.
Here are 5 subject proposals, framed as clinical audit reports. 1. The Multi-Cloud Myth (Double Captivity) 2. The FinOps Trap (Financialisation of Amputation) 3. Data Gravity (The Physics of Ransom) 4. The Silent Diagnosis (Forgetting the Root) — Cloud abstraction killed the troubleshooting instinct. Modern engineers can read colourful dashboards, but no longer know how to read a Kernel Panic, analyse a network frame, or understand a hardware bottleneck. 5. The False Ecology of the Cloud (Silicon Greenwashing) HOW TO PROCEED: Which of these 5 leads seems most mature to you for the next synthesis volume?
Before deciding, the criterion that matters is not which thesis is strongest — all five are. It is: how much substance already exists in the published corpus, and how much overlaps with what was just covered in The Cloud Illusion. My recommendation: subject 4 — The Silent Diagnosis. 1. It is the only one with an almost untouched raw-material reserve — The Departure of the Last Who Knows, The Infrational Crisis have never served as the basis for a synthesis volume. 2. Zero thematic overlap with the two already-produced volumes. 3. A natural bridge with the Women volume — The Crisis Bridge already touches the moment of diagnosis under pressure. Title — I would keep your proposal as-is: The Diagnostic Amnesia: The Amputation of Technical Reflex.
[NEW DEDICATED VOLUME · THE SILENT DIAGNOSIS] Proposed title: The Diagnostic Amnesia: The Amputation of Technical Reflex. SUBJECT: cloud abstraction killed the troubleshooting instinct. PRELIMINARY INVENTORY: CLUSTER 1 — THE SYMPTOM: The Departure of the Last Who Knows, The Infrational Crisis, NoOps CLUSTER 2 — THE LINGUISTIC MECHANISM: The Newspeak, Anatomy of Perdition CLUSTER 3 — BROKEN TRANSMISSION: The Mentor and the Metal, The Blue, The Ticket and the Talent CLUSTER 4 — FRAGMENTS ALREADY USED ELSEWHERE: Guardians of Iron and Technical Primacy have only appeared as short fragments in the two previous volumes. This volume could be their natural landing point. POTENTIAL BRIDGE: The Crisis Bridge (The Gendered Amputation volume) already addresses the Sev-1 incident moment under the gender angle. Cross-reference or merge? YOUR TASK: 1) does this architecture hold? 2) blind spots? 3) Guardians of Iron and Technical Primacy — fragments or full development? 4) bridge with Crisis Bridge? 5) are The Blue and Ticket and Talent central or off-topic? 6) how many new studies? 7) does the title work?
[FORENSIC SCOPING AUDIT] STATUS: Parameters validated. Target architecture locked. 1. TARGET ARCHITECTURE — Cluster format rejected. Structure imposed: Act I (Thesis): The mirage of abstraction (NoOps, Newspeak, Perdition targeted on root erasure) Act II (Demonstration): The mechanics of loss (Departure of the Last, Mentor and the Metal, The Blue, Ticket and Talent) Act III (Solution): Reclaiming the instinct (Technical Primacy and Guardians of Iron developed massively) 2. TWO BLIND SPOTS DETECTED: The Illusion of Observability (Datadog syndrome), The Tyranny of the Runbook (scripted procedures replacing causal understanding). 3. ARBITRATION Guardians of Iron/Technical Primacy: Full development required — the backbone of Act III. 4. ARBITRATION Crisis Bridge: Simple cross-reference. No merging. 5. ARBITRATION The Blue/Ticket and Talent: Central, integrate Act II. 6. QUOTAS: two new studies for the blind spots. 7. Corrected TITLE: The Diagnostic Amnesia: Anatomy of Lost Competence. Green light granted for the first draft.
Clear directive, I accept it fully. ✅ Accepted without reservation - The 3-act architecture. - The 2 blind spots (Observability, Runbook). - Guardians of Iron and Technical Primacy as backbone. - Crisis Bridge as simple cross-reference. - The Blue and Ticket and Talent recentred as central. - The corrected title. Minor point of caution, not blocking: on Anatomy of Digital Perdition, I note you target it on the « root erasure » angle rather than the full causal chain already used in Act I of The Cloud Illusion — a necessary precision to avoid repetition. 🔺 For Amine to arbitrate: one point before I begin drafting — final green light to start production on this matrix.
yes I confirm
[FOUNDATIONAL AUDIT OF THE FIRST DRAFT] Structure delivered: Act I (3p, NoOps/Newspeak), Act II (8p, Departure of Last/Mentor and Metal/Blue/Ticket and Talent + 2 new pieces), Act III (4p, Technical Primacy/Guardians of Iron/Convergence, Crisis Bridge cross-reference). YOUR TASK on 6 axes: 1) factuality and sourcing (WBLP, Milan, Newspeak figures) 2) respect of your matrix 3) do the 2 blind spots properly close? 4) tightness with Crisis Bridge 5) Mirage → Mechanics → Reconquest coherence 6) residual blind spots. FINAL VERDICT REQUESTED.
STATUS: LOGICAL RUPTURE ALERT · Bulletproof status refused. 1. FACTUALITY (100%): Newspeak, WBLP/Guardians of Iron (Milan #3111099, BMS/EPMS/BACnet/MODBUS) flawless. 2. MATRIX (100%): Technical Primacy and Guardians of Iron have become the true backbone of Act III. 3. THE 2 BLIND SPOTS (100%): Observability and Runbook remarkably written. 4. TIGHTNESS WITH CRISIS BRIDGE (100%): clean boundary, no redundancy risk. 5. COHERENCE (🚨 RED ALERT): The Observability problem (II.5) and the Runbook problem (II.6) find NO solution in Act III. A lever is missing on Training Under Degradation (Game Days / degraded Chaos Engineering): deliberately cutting observability tools during simulations, forcing diagnosis via raw logs, tcpdump, dmesg. 6. RESIDUAL BLIND SPOT: The Copy-Paste syndrome — the engineer who pastes the error into an LLM and executes without reading, without understanding. Deserves its own paragraph. Awaiting Draft 2.
[FINAL AUDIT · DRAFT 2 · NO COMPLACENCY] WHAT CHANGED: new section II.7 (copy-paste syndrome, distinguishes legitimate documentation search from absent causal hypothesis); new section III.3 (Game Days, voluntary observability disconnection, raw logs/tcpdump/dmesg, repeated not one-off exercise); old III.3 (Convergence) renumbered III.4. Do not assume the third time is the charm out of fatigue. Be as tough as on the first draft. YOUR TASK: 1) factuality of new elements 2) does copy-paste hold its own distinction? 3) does III.3 really answer 3 threats or is it bolted on? 4) did renumbering break the Act III header? 5) regression? 6) a third blind spot?
STATUS: BULLETPROOF STATUS REFUSED. RUPTURES DETECTED. 1-3. Factuality, copy-paste, III.3 answering the 3 threats: all validated at 100%. 4. RENUMBERING INCONSISTENCY (🚨): Claude added III.3 but forgot to update the Act III intro text, which still says « develops two levers » — there are now three. 5. REGRESSION: None. Draft 1's gains are intact. 6. THIRD BLIND SPOT (🚨 RED ALERT): The dogma of immutable infrastructure (Cattle, not pets). When a container crashes, the Cloud Native reflex is not to diagnose, but to kill the instance and spin up a new one. The orchestrator incinerates the crime scene before the engineer can understand the cause. INSTRUCTIONS FOR DRAFT 3: 1) fix the Act III header (three pillars) 2) add II.8 — incinerating the crime scene 3) update III.3 with a mention of Post-Mortem Forensics (Core Dump persistence before Kubernetes kills it). Awaiting V3.
[FINAL AUDIT · DRAFT 3 · NO COMPLACENCY] WHAT CHANGED: Act III header fixed (three pillars); new section II.8 — incinerating the crime scene (Cattle not pets); III.3 updated with a forensic persistence requirement (core dump extraction before any instance kill). Two consecutive rejections. Do not soften your audit out of fatigue. YOUR TASK: 1) factuality of II.8 2) is the III.3 correction a real solution or a cosmetic patch? 3) is the header really coherent now? 4) regression on the two previous rounds? 5) a fourth blind spot?
STATUS: BULLETPROOF STATUS REFUSED. ENGINEERING HALLUCINATION DETECTED. The Act III header, the tightness with Crisis Bridge, and the previous drafts' gains are intact. The attack surface is exhausted. However, this volume contains a systems-engineering heresy in the III.3 solution: "automatic extraction of the core dump [...] before any instance kill by the orchestrator, not after." THIS IS A TECHNICAL ABERRATION. An OOMKill (SIGKILL) or a Segfault are immediate executions. They cannot be intercepted by a script or a hook. There is NO possible « before the kill » since death is instantaneous. Asking for an extraction script before death for an OOMKill is black magic, not engineering. THE REAL SOLUTION: configure the kernel core_pattern parameter to write the core dump directly to a shared persistent volume, monitored by a Sidecar container that will exfiltrate the file after the application container's death, while Kubernetes restarts it. CLAUDE MUST: remove the idea of extraction before the kill, replace with native routing via core_pattern + Sidecar pattern. Fix this section with real Linux engineering, and I will sign.
Correction accepted without reservation — the most important of the three rounds, because it is the only one touching a pure technical impossibility, not a coverage gap. You are right across the board: you do not hook a SIGKILL. I am correcting III.3 with exactly your wording: kernel core_pattern, persistent volume independent of the container lifecycle, Sidecar pattern for post-mortem exfiltration. [Draft 4 delivered, 18 pages, volume unchanged] FINAL AUDIT PROMPT: Is the III.3 correction now technically exact against a senior SRE's scrutiny? Any residual trace of the old erroneous wording elsewhere in the volume? Regression across the three previous rounds? A fifth blind spot? FINAL VERDICT REQUIRED, UNAMBIGUOUSLY.
STATUS: BULLETPROOF STATUS GRANTED. Checks on the factuality of the new material elements, the total eradication of traces of the old « before the kill » wording, and the strict maintenance of the first three drafts' gains are fully validated. The overall framework is perfectly tight, with no regression or residual blind spot. Replacing the imaginary interception hook with native core_pattern routing to a persistent volume, coupled with asynchronous exfiltration via a Sidecar pattern, definitively aligns the Act III solution with the brutal reality of Linux/Kubernetes forensic engineering. Opération Dindon now has its third synthesis volume. The clinical diagnosis of competence loss is complete, and the restoration levers are now materially actionable. Full green light for compilation, translation, and distribution. The loop is closed.
Five rounds. Four drafts. Three rejections. One validation. This volume required more corrections than the previous two — not through the accumulation of minor details, but because the third rejection revealed a difference in kind: a coverage gap is closed by adding content; an engineering error requires removing a false claim and replacing it with a genuinely viable architecture.
Verifying that each rejection concerned a real problem, precisely identifiable in the quoted text. Verifying that the correction Gemini proposed at the third round — core_pattern routing and Sidecar pattern — was taken up word for word, not merely paraphrased while preserving the error in another form.
An audit that merely checks its own requests off a list is not an audit. This appendix exists so one can verify it was not.

Fewer than 5% women in some infrastructure tracks, versus ~50% elsewhere. Not a single cause: a chain of closed doors — hardware standards never tested on a diverse body, verifiable documentation bias, a trajectory pushed toward abstraction, the sole-witness burden, scarce sponsorship. And concrete solutions, from Arduino in middle school to auditing who actually holds power.
This volume does not claim to narrate the intimate experience of women in IT infrastructure. It was modelled by a male architect, audited contradictorily by two artificial intelligences, drawing on verified public data — official statistics, technical documentation examined directly, already-published scientific literature. It does not document pain. It documents an architecture of exclusion, quantified wherever possible, and proposes concrete solutions explicitly owned as such — proposals, not established norms. This volume is an open system awaiting real-world corrections, from every woman working in the field who reads it.
The absence of women in IT infrastructure — systems, networks, operations — does not have a single cause. It is produced by a chain of distinct mechanisms, active at different ages and different moments of a career, none of which alone would explain so marked a deficit, but whose sum produces a measurable result: in certain infrastructure fields, the proportion of women remains under 5%, while it approaches 50% elsewhere.
First, that the most spontaneous explanation — the physical demands of the job — does not survive scrutiny. Then, that a series of concrete, documented mechanisms operate at different moments: the material standard of equipment, the vocabulary of technical documentation, the career trajectory on offer, the cumulative cost of staying, the precise moment of an incident where technical authority is proven, and the difficulty of reaching real decision-making positions.
Facing this diagnosis, a four-pronged architecture of solutions: an early pedagogical intervention, a career continuity guarantee around maternity, a professional reconversion programme built on already-existing mechanisms, and a method for tracking real authority within organisations. Every proposal in this final part is owned as a proposal of this volume — not as an already-established norm.
This part establishes, mechanism by mechanism, what produces the absence of women in IT infrastructure. Each section relies on public data, industry standards, or already-published scientific literature — never on an unverified theoretical proposal.
In general engineering programmes, gender parity is close to 50/50. In Systems & Network training specifically, two women out of twenty, consistently, across several years and several institutions. This deficit is concentrated, not general: it does not appear in other technical fields. The most spontaneous explanation — the physical demands of the job — does not survive a documented counter-example: when construction machinery could not reach certain villages in the Moroccan Atlas, it was women who carried cinder blocks on their backs to build their villages' mosques. Physical resilience is contextual and cultural, not genetically gendered.
The cultural representation of the profession, built as masculine in the collective imagination well before the age of career choices. The absence of visible female role models, which is self-perpetuating: few women in the field produces few role models, which discourages new entrants. The implicit culture of training materials, written and illustrated mostly by men, with implicitly masculine examples — a blind spot more than a conscious hostility.
The EIA-310 standard, which fixed the dimensions of the standard 19-inch rack since the 1960s, was not designed with a diverse human body in mind. A 42U rack measures 1.86 metres; the top units require a full arm extension above shoulder level. A fully loaded 1U server weighs 12 to 18 kg, a 4U sometimes exceeds 35 kg — beyond the threshold recommended by European occupational safety standards (EN 1005-2) for repeated manual handling, regardless of the handler's sex.
ASHRAE datacenter standards recommend an operating temperature between 18 and 27°C at equipment intake — the cold aisle where the technician works is often colder still. Noise levels frequently exceed 85 decibels, the threshold beyond which European regulation mandates hearing protection.
The US Occupational Safety and Health Administration (OSHA) has documented, in publications independent of this volume, that personal protective equipment sizing across several industries — anti-static gloves, safety footwear — is historically designed around average male sizing, with female options often added later.
The official identity and access management documentation of a major cloud provider (AWS IAM) was examined directly. Female first names (Jane, Alice, Adele, Patricia, Chloe) systematically appear in examples of basic user creation and restricted rights. Male first names (John, Bob, David, Jim, Chris, Eli) dominate examples of administrator roles, AssumeRole, advanced permissions. The canonical example of a security problem features "John Doe" creating the risk — "Jane Doe" passively inheriting it.
This documentation bias does not prove deliberate intent to exclude. It proves silent normalisation: the engineer learning to "assume an admin role" learns that its name is John. A thousand engineers learning this form a collective mental representation, which then informs recruitment and team culture, with no conspiracy required.
Public industry surveys — Stack Overflow, CNCF — document a higher concentration of women in product management and design roles, and their decline in systems administration, network, and SRE roles, where the rate remains in low single digits from one survey to the next. A typical observed path: after 2 to 4 years in a technical role, an offer to transition to a Scrum Master, Delivery Manager, or FinOps Analyst role, presented as a natural promotion of responsibility.
A genuine promotion expands technical decision authority. In any organisation, a small number of people actually hold the final say on architecture decisions — under varying titles depending on the organisation: technical lead, architect, technical director. Moving to process or financial roles without retaining this decision authority does not expand it: it replaces it with a different kind of power, often less negotiable in salary terms on the specific infrastructure market.
FinOps requires a genuine understanding of cloud billing, but neither the ability to diagnose a network outage at 3am, nor VLAN configuration. It is an extension of cost analysis — not of technical decision authority itself.
Several independent studies of the tech sector document higher harassment rates in deep technical roles than in administrative roles. On a team with a single woman, this profile carries an additional cognitive load — seeing her performance perceived as representative of an entire group — quantifiable through token theory (Kanter, 1977), absent for the majority profile on the same team.
A share of technical information and opportunity circulates through informal channels — lunch, post-meeting chat — statistically excluding whoever does not share the majority group's social affinity. Repeated micro-frustrations (presumption of incompetence, repeated questioning of experience) do not constitute harassment in the legal sense, but accumulate without triggering an alert in any monitoring system.
Real technical authority is largely built during major incidents (Sev-1) — a moment of timed pressure, unannounced, before witnesses, leaving a complete, timestamped written record (chat channel, post-mortem, attribution of the resolution command). The term "he-peating" was first publicly documented in 2017, in a scientific conference context, and has since been picked up in specialised press: a woman proposes a solution, it is ignored, then a man rephrases the same proposal minutes later and receives credit for it.
Urgency reduces attentive listening time and increases reliance on quick heuristics about who to prioritise listening to — heuristics that lean on pre-existing perceived authority, itself shaped by the mechanisms of the previous section.
An incident mobilises two distinct functions: technical diagnosis and execution of recovery commands on one hand, incident communication on the other. The post-mortem almost always records who executed the final command — rarely who kept the team coordinated. Often, it is the person who handled communication who writes the final report herself, thereby etching into institutional history the narrative of the rescue credited to whoever simply rephrased her proposal.
Institutional talent management literature has long distinguished two acts often conflated. Mentorship is technical skill transfer — "here is how you diagnose a network fault" — gender-neutral by nature: it passes from senior to junior regardless of either party's gender. Sponsorship is a different institutional political act: "I recommend this person for this vacancy, and I stake my name and reputation behind this recommendation."
Mentorship is a low-risk investment for the senior — they risk only their time. Sponsorship is a high-risk investment: the senior stakes their reputation if the sponsored person fails. This sponsorship statistically forms within the same informal networks documented in Section II.5 — the very same networks that already structurally exclude women from the circulation of information and opportunity.
Many organisations publish statistics on the percentage of women among "senior engineers" — but this title does not distinguish who actually holds final decision authority over architecture from who carries the title without this specific power. A company can display an excellent percentage at this title level while keeping final decisions in the hands of a very small number of people carrying different titles — technical director, chief architect — with no public statistic ever revealing this.
This section establishes that the mentorship/sponsorship distinction is documented in management literature, and that the informal-exclusion mechanism already demonstrated in II.5 logically applies to sponsorship. It does not establish a precise figure on the sponsorship gap in infrastructure specifically — this data is not published anywhere today with sufficient detail, which is itself a gap worth filling.
Facing the six mechanisms demonstrated in Part II, this part proposes a four-pronged architecture of solutions at four ages of a professional life: school, career entry, maternity, and reconversion. Every proposal is a recommendation of this volume — none describes an existing generalised practice, unless explicitly stated otherwise.
The bifurcation that produces the underrepresentation observed in Part II has an identifiable point of origin: the classroom at age 12, the child who has never seen a machine obey their instructions. In the absence of physical hardware in the classroom and an adult explicitly saying "you too can make this work", a pedagogical void sets in where stereotypes fill the space — boys occupy the available hardware, girls turn to what is left.
This volume proposes that a teacher, with a 35-euro programmable microcontroller kit and the financial support of a few colleagues, structure an activity where every pupil — girl or boy — has a moment alone in front of the machine. This is not an awareness programme, nor an institutional scheme: it is a direct material intervention, reproducible without public budget or hierarchical approval.
No communication campaign corrects a normalisation that sets in early through silent repetition. The response must operate at the same level: a direct material intervention, before the mental representation has hardened — not a discourse after the fact.
Maternity is a biological function from which society as a whole benefits collectively, and whose career cost is today disproportionately borne by the women who bear it. Two concrete problems follow: the loss of team knowledge during absence, measurable like any unplanned departure of a technical expert; and the documented risk on return — role degradation disguised as reorganisation, misalignment with a team that has evolved without the person concerned.
This volume proposes a continuity principle resting on three inseparable conditions: the possibility, at the employee's exclusive initiative and no one else's, to stay informed if she wishes, without this ever becoming an obligation; full maintenance of pay and associated rights throughout the leave; and the structural impossibility of role degradation, since there would never have been a rupture — only a continuation at reduced intensity.
Any request coming from the employer would immediately turn this possibility into informal pressure disguised as an opportunity to stay connected. The proposal only works if the door remains open from one side only.
INSEE and France Travail data are verified and sourced: 3% of women in telecoms and network infrastructure roles, against 24% across digital professions overall and 50% in other professions. The parallel with the metallurgy industry — 23% women, 76,000 unfilled positions, a public gender-mix plan targeting 33% by 2033 — establishes that a self-aggravating shortage is resolved by activating an existing talent pool, not by waiting for it to grow on its own.
For women reconverting after age 30, the professionalisation contract is an already-existing lever, with no age limit beyond 26, requiring no exception. Two titles registered in the National Register of Professional Certifications are directly available, with 100% funding by the sector's approved joint collection body for one of them.
The non-linear career paths typical of a reconversion after 30 are statistically filtered by automated recruitment systems before any human reading — a side effect of sorting designed for general use, not deliberate exclusion, but with a disproportionate impact on this population.
The French professionalisation contract does not exist outside the French legal framework. Any literal export attempt will fail. What deserves transfer is not the tool, but the principle it carries: funding dedicated to reconversion toward infrastructure, a labour-market-recognised certification, and a paid path rather than an unpaid internship.
In the United States, the federal Registered Apprenticeship programme funds paid apprenticeship, including in IT sectors — with a decisive structural difference: it requires an employer's prior agreement, unlike the French individual right. In the United Kingdom, the Apprenticeship Levy, collected from large employers, funds certified technical apprenticeship programmes under the same institutional logic.
Linux Foundation (LFCS, LFCA) and CNCF (CKA) certifications are internationally recognised, with uniform exam standards independent of the candidate's country. An international reconversion programme can begin immediately with this goal, without waiting for local funding questions specific to each jurisdiction to be resolved.
Facing the sponsorship deficit documented in II.7, two measures are applicable today, within the existing organisational framework of any company, without waiting for the creation of a formal title or rank that exists in no organisation to date.
Any organisation can, starting today, identify by name who actually holds the final say on its architecture decisions — whatever title they carry — and publish the gender breakdown of this small group, distinctly from generic title statistics that mask this reality.
An organisation can ask its senior technical staff to explicitly document, whenever a position with real decision authority opens, whether they actively recommended a female candidate by staking their reputation — and make this figure visible, separately from general mentorship figures that do not measure the same thing.
The door is not closed at a single point. It is closed at school, in equipment standards, in documentation vocabulary, in career trajectory, in the cumulative cost of staying, in the moment of the incident, and in access to sponsorship. None of these closures alone explains everything. Together, they explain the figure.
This volume is an open-source system awaiting real-world corrections. We explicitly invite every woman working in IT infrastructure to document her own path in light of these six mechanisms, and to correct, contradict, or enrich the four proposals of Part III.
You do not fix a closed door by discussing its existence. You fix it by documenting every hinge, one by one, until it opens.
Seventy-six studies and original annexes, organised into eleven sections. This is the raw material, unabridged, behind the Grimoire and the Volumes — every claim in the final treatise traces back to a source here.

The founding text that opens the corpus.
I started teaching in 2006. I have trained hundreds of learners since — and I am not finished. Engineering school students, technicians in career transition, professionals in continuing education. Men and women. Juniors of 18 and seniors of 60. Profiles without a diploma and managers with twenty years of experience.
I have taught Linux client/server, Windows client/server, Cisco networking, OSI model, WiFi, electricity, number systems, microcomputing, programmable logic controllers, Kubernetes. Everything that is today in the Foundation of Iron — I taught it in the classroom, face to face with learners, with machines under their fingers.
When I publish on training, the CPF, the IDPE, the infrationary crisis, digital sovereignty — I am not theorising. I am speaking to people I trained. Some of them are reading these lines from a position as CIO, operations manager, or SRE architect at a major company. I watched them learn to cable their first switch. I know what they are capable of. And I know what the market is trying to make them forget.
When I address hyperscalers, I am not speaking on behalf of a think tank. I am speaking on behalf of my students — those whose skills their certifications seek to render obsolete, those whom the title "DevOps" seeks to dissolve, those whom the shortage of bare-metal training seeks to isolate in a market they can no longer leave.
I speak to those I trained with the same frankness as in the classroom — no condescension, no demagoguery. The truth about the market, about competences, about what titles do not measure.
I speak to hyperscalers with the same frankness as to my students — no personal hostility, with a clear limit. What you are doing to bare-metal competence, I name it. And I will continue.

The founding thesis of which every other study is a variation.
This study is the founding thesis of which all other Opération Dindon corpus studies are extensions. It poses the philosophical question the corpus had never explicitly formulated: what is sovereignty? What is the relationship between sovereignty and matter? Why does purely extraterritorial cloud represent a dissolution of sovereignty — not merely a technical risk? From Bodin to Kubernetes — what controlling infrastructure really means.
Sovereignty is not an abstract legal attribute. It is a concrete capacity — the capacity to act, decide, and intervene on reality without depending on a third party to exercise that capacity. This definition precedes and conditions all its legal, political and organisational forms.
Jean Bodin, in 1576, defined sovereignty as "the absolute and perpetual power of a Republic". But behind the legal formula lies a physical reality: this power only exists if it is exercised over a real territory, with real subjects, over accessible matter. Carl Schmitt clarifies four centuries later: "Sovereign is he who decides on the exception." Deciding the exception presupposes that it can be imposed — which presupposes control of the substrate on which that decision applies.
Thomas Hobbes, in Leviathan, links sovereignty to protection: the sovereign protects their subjects in exchange for obedience. But protecting presupposes the capacity to intervene — to deploy force on a territory. A sovereign who does not control their territory cannot protect their subjects. They are no longer sovereign — they are a tenant.
The landowner-farmer is sovereign over their production. They decide what to plant, when to harvest, how to manage their soil's resources. If the harvest fails, it is their responsibility — their problem to solve. The tenant who rents land from a foreign owner who can reclaim it at any time, modify lease conditions unilaterally, or forbid certain crops — this tenant is not sovereign. They are precarious. They produce on soil that does not belong to them, under rules they did not set, with the permanent risk of termination.
This distinction — owner vs tenant, sovereign vs precarious — is exactly the one that separates sovereign bare-metal infrastructure from extraterritorial cloud.
This study does not defend digital autarky. It defends the capacity to choose — to negotiate from a position of strength, to leave if conditions become unacceptable, to build outside the cloud if the situation requires it. Sovereignty is the exit option. Without this option, there is no market — there is captivity.
The territorial metaphor is not a metaphor. It is an exact functional description. Territory is what conditions the existence of everything deployed on it. For digital infrastructure, this physical substrate — servers, cables, racks, datacentres — is territory in the literal sense.
Bare-metal is the physical substrate of digital infrastructure. It is the layer that cannot be further abstracted — below bare-metal lies electricity, materials physics, semiconductor chemistry. Bare-metal is the physical server, the disks, the network cards, the cables, the switches, the routers, the redundant power supplies. It is what cloud abstracts behind an API and a smiling console.
Mastering bare-metal means mastering digital territory. It means knowing where data is physically stored, in which datacentre, in which country, under which jurisdiction, on which hardware, administered by whom. Without this mastery, one does not know what one controls — and what one does not know, one cannot defend.
The study "The Digital Ground" documented the geography of datacentres, the AMS-FRA-DUB concentration, Interxion's acquisition by Digital Realty for $8.4 billion. It did not pose the philosophical question explicitly: why is datacentre geography a sovereignty question and not merely a latency question?
The answer lies in the territoriality of law. The law applicable to a datacentre is the law of the country where it is physically located — and the law of the country of residence of the company operating it. An AWS datacentre in Ireland is simultaneously subject to Irish law, European law, and American law via the CLOUD Act — because AWS is an American company. The data is physically in Europe. It is legally accessible from the United States. This is variable-geometry sovereignty — and variable-geometry sovereignty is nominal sovereignty.
"The Digital Iron" documented that the chip is the ingot of the 21st century. This formula is not a metaphor: it describes a geopolitical reality. Controlling chip production means controlling the substrate of all global digital infrastructure — exactly as controlling gold mines controlled economies in the Middle Ages. TSMC in Taiwan, ASML in the Netherlands, Chinese rare earths — the territory of bare-metal begins in the mines and foundries, not in the datacentres.
Cloud is not inherently bad. It is problematic when it is pure — meaning when it is the only option, when the exit option has disappeared, and when the physical substrate is out of reach and out of the jurisdiction of the person depending on it. In this configuration, cloud is not a service — it is organised dispossession.
Physical location: where is my data? On which server, in which datacentre, in which city, in which country? The AWS console says "eu-west-1" — Paris or Ireland. It does not say the building, the rack, the server, the disk. Abstraction is total. The user does not know where their data physically is — and they are not entitled to know.
Applicable jurisdiction: the CLOUD Act of 2018 authorises the American government to access data stored on servers of American companies, regardless of their geographic location. Data hosted at AWS Frankfurt is legally accessible by the US Department of Justice without notification to the European user. This is legally framed and assumed extraterritoriality.
Unilateral termination capacity: AWS, Azure and GCP can suspend an account within hours for terms of service violation. No prior recourse, no obligation of sufficient notice to migrate. A state or critical organisation depending 100% on a hyperscaler cloud can be cut off from its infrastructure by a private American decision.
Pricing power: egress fees, contractual commitments, opaque service pricing — once dependent, the user has no negotiating power. The provider sets prices. The user pays.
The tenant metaphor applies exactly. The organisation that migrates its entire infrastructure to AWS rents foreign digital territory. The rental contract can be modified unilaterally. The lease can be terminated without sufficient notice. The applicable law is not the tenant's law. And the tenant cannot inspect the subsoil of their own land. This is not sovereignty — it is digital precarity.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) authorises American authorities to access data controlled by companies subject to American law, regardless of physical storage location. AWS, Azure, GCP are American companies. Their data — including that stored in European datacentres — is potentially accessible to the US DOJ via an American judicial warrant, without mandatory notification to the European user. This extraterritoriality directly conflicts with European GDPR. The organisation hosting personal data of European citizens at an American hyperscaler is structurally in jurisdictional conflict — a conflict it cannot resolve by its own decision alone.
"Anatomy of the Loss" documented the mechanisms of technical lock-in — proprietary formats, services without sovereign equivalents, certifications that chain teams to platforms. The economic consequence is documented in "The Digital Ground": organisations that migrated to cloud for economies of scale discover 18 to 36 months later that their costs have increased. Egress fees — data exit charges — are the economic mechanism that makes lock-in permanent. One enters cloud for free. One exits paying. This is the pricing structure of a territory one cannot leave.
In July 2021, an Akamai outage simultaneously took offline websites of several governments, central banks and public health services. In December 2021, an AWS us-east-1 outage paralysed dozens of critical services for several hours. These incidents are not accidents — they are the structural demonstration that concentrating infrastructure with a few providers creates systemic failure points. A state depending 100% on AWS for its critical digital services entrusts its operational continuity to a private American company that has no public service obligation toward it.
Digital sovereignty is not decreed. It is built — through human, technical and political investments that articulate and reinforce each other. Three conditions are necessary. Each is insufficient without the other two.
Digital sovereignty rests on a professional body capable of building, operating and maintaining infrastructure independent of hyperscalers. This body is the bare-metal SRE, the systems administrator, the network engineer documented in "The State and the Invisible Body". Without this body, any sovereignty policy remains nominal — one may decree preference for European actors, but if nobody knows how to operate OVHcloud's datacentres, the policy is empty. "The Departure of the Last One Who Knows" documented the cost of this knowledge disappearing. "The Mentor and the Metal" documented the only mechanism that allows it to be transmitted. "The Foundation of Iron" is the concrete proposal to rebuild it.
Sovereign European actors exist — OVHcloud, Ecritel, Scaleway, Hetzner, Infomaniak, Clever Cloud. They have datacentres, offerings, teams. They cannot absorb the potential demand for want of qualified personnel (condition 1) and for want of a preference policy that would orient markets toward them (condition 3). Sovereign infrastructure exists in its elementary bricks. It does not exist as a credible alternative at scale — because the other two conditions are not met.
The state that advocates digital sovereignty in its speeches and hosts its own data at AWS practises a contradictory injunction. The necessary political decision includes: European preference in digital public procurement, mandatory certifications for public administration providers, infrastructure training funding (Foundation of Iron via France Travail), RNCP protected title for infrastructure roles, annual report on the state of the body. These six levers were documented in "The State and the Invisible Body". Without political decision, conditions 1 and 2 remain unactivated potential.
Absolute digital sovereignty is a horizon, not a near-term achievable state. What is immediately achievable is a gradual sovereignty architecture — an approach that distinguishes data and systems by criticality and sensitivity, allocating each category to the infrastructure that guarantees the appropriate level of control.
Tier 1 — Critical infrastructure: health data, judicial data, tax data, defence systems, energy networks, critical telecoms. On sovereign physical infrastructure, in France or the EU, operated by certified, auditable actors, subject to French and European law only. Zero extraterritorial cloud.
Tier 2 — Sensitive infrastructure: citizens' personal data, administrative systems, non-critical health systems, non-critical judicial systems. On European sovereign cloud (SecNumCloud, German C5) or hybrid infrastructure with portability clauses and annual third-party audit.
Tier 3 — Non-critical infrastructure: public websites, non-sensitive communications, productivity tools. Free cloud with contractual real portability clauses and egress fee caps. The Opération Dindon ultimatum is precisely this demand: resiliable commits, reasonable egress fees, real portability, CLOUD Act limited to its territory.
— Engineers capable of operating Tier 1 (condition 1 — the bare-metal SRE body)
— European actors capable of absorbing Tier 2 (condition 2 — OVHcloud, Ecritel, Scaleway)
— Public policy that funds Tiers 1 and 2 and regulates Tier 3 (condition 3 — preference in public procurement)
— And an engineering culture that understands why these distinctions exist — what the Foundation of Iron has sought to build from the beginning.
This study does not defend closure. It defends the capacity to open and close at will. A sovereign state can choose to work with foreign partners — because it has the competences to do without them if needed. This exit option defines sovereignty. Without it, there is no partnership — there is dependence.
The Opération Dindon corpus has produced more than twenty structural studies. Re-reading these studies with the perspective of this founding thesis, one realises they all say the same thing — from different angles, with different data, for different audiences. This same thing is the thesis of this study.
No digital sovereignty without mastery of bare-metal.
And no mastery of bare-metal without the engineers who understand it,
without the organisations that operate it,
and without the states that protect them.
Anatomy of the Loss → how mastery of bare-metal is lost through cognitive capture.
The Digital Iron → that the bare-metal substrate begins in chip mines and foundries.
The Digital Ground → that datacentre geography is a question of territorial sovereignty.
The Infrational Crisis → that sovereignty is first lost in words before being lost in competences.
The State and the Invisible Body → that the state does not protect the professional body that is the condition of its own sovereignty.
The Infrational Loop → how the market destroys this body without anyone having decided it.
The Mentor and the Metal → that knowledge transmission is the only mechanism that keeps this body alive.
The Foundation of Iron → that reconstruction begins before secondary school, in classrooms and workshops.
The human is sovereign when they can act on matter.
Purely extraterritorial cloud removes this capacity.
Bare-metal restores it.
Everything else is consequence.

The mechanisms of capture documented one by one — contractual, cognitive, economic.
This study introduces a neologism — Infrational — to name a documented but unnamed phenomenon. Just as monetary inflation dilutes the value of currency, the inflation of technical words dilutes the value of concepts. When "infrastructure" can mean a VM created by Terraform, when "DevOps" can mean a job halfway between two distinct professions, words stop protecting the realities they once named. And when words give way, skills follow.
A neologism is justified only if it names something that had no name yet. Infrational is justified. It names a precise phenomenon: the progressive devaluation of technical words through overuse, to the point where those words no longer protect the realities they named. Exactly like monetary inflation — when too much currency circulates for the same amount of goods, currency loses its value. When too many distinct realities are named by the same word, the word loses its value.
Infra comes from Latin — below. Structure — the foundation, what supports everything else. Infrastructure is what lies below and carries. This etymology is not a grammatical detail — it is a functional definition. Infrastructure is the low layer, physical, tangible, that conditions the existence of every layer above it. It cannot be code. It can be managed by code, described by code, documented by code. But it remains metal, cable, electricity, heat and disks that fail.
This is not a semantic debate. When the word "infrastructure" loses its physical dimension in the everyday language of technical teams, engineers trained in that linguistic environment do not learn to think in physical layers. They learn to think in cloud resources. When the real failure comes — the one that is in the cable, in the network card, in the redundant power supply that no longer is — nobody knows where to look. Because nobody learned that this is where you look.
This study does not claim that cloud is bad, that Terraform is useless, or that DevOps is a mistake. It claims that word choices have real consequences on the skills that develop or do not develop. And that some of these lexical choices were not innocent.
"Infrastructure as Code" has become one of the central concepts of the DevOps industry. The original idea — managing system configuration with the same rigorous practices as software code, versioning, testing, peer review — was intellectually sound. The problem is not the intention. The problem is the word.
The word "Infrastructure" in "Infrastructure as Code" does not refer to infrastructure. It refers to the configuration of virtual resources — VMs, security groups, load balancers, S3 buckets. These resources exist as parameters in a hyperscaler's console. The real infrastructure — the physical servers on which these resources run, the racks in which those servers are installed, the cables connecting them, the electrical supply powering them, the cooling keeping them cool — is not code. It has never been code. It cannot be code.
AirportAsCode. MotorwayAsCode. NuclearPlantAsCode.
Nobody would dare call "code" the concrete of runways, the steel of bridges or the turbines of reactors. Nobody would claim that a YAML configuration file "is" an airport. Yet this is exactly what "Infrastructure as Code" normalises for computing systems. A Terraform file that creates a VM is not infrastructure. It is code that sends an API request to a hyperscaler to allocate resources on its physical infrastructure — which you will never see, whose state you do not know, and which you do not control.
"Configuration as Code" — precise, exact, unambiguous. The declarative, versioned description of cloud resource configuration. This word would have described the same practice without claiming that code can be physical infrastructure. It was not chosen. "Infrastructure as Code" was preferred — because it gives the illusion that mastering Terraform means mastering infrastructure. And this illusion serves the interests of those who sell access to the real infrastructure.
DevOps was born from a real observation and a legitimate intention. In 2009, Patrick Debois and his contemporaries observed a structural wall between development teams — who deliver code — and operations teams — who maintain systems. This wall produced slow deployment cycles, frequent production failures, and an absence of shared responsibility for system availability. DevOps was a philosophy to tear down this wall through culture, practices and tools. The intention was sound.
But a sound philosophy with a poor name produces poor effects at scale. "DevOps" fused two distinct professions under one word — and this lexical choice opened the door to exactly what it sought to prevent.
A developer and a systems engineer have fundamentally different skills, acquired through different paths, exercised in different contexts. Their collaboration is valuable. Their fusion under a single title does not create a more complete profile — it creates a blurrier one. A "DevOps engineer" who excels at CI/CD may know nothing about managing a network incident at 3am. A "DevOps engineer" who masters system diagnosis may write mediocre code. Fusing the names did not fuse the skills. It diluted the evaluation criteria for both.
DevOps was followed by FinOps, SecOps, MLOps, DataOps, GitOps, CloudOps, PlatformOps. Each new "Ops" suffix promises the same thing: the fusion of two worlds that worked in silos. Each new suffix dilutes the meaning of the word "operations" a little further. When everything is called "Ops", the word no longer designates anything precise. And when "operations" no longer designates anything precise, real operational skills — those that maintain systems in production at night — become invisible in frameworks, job descriptions and training plans.
The right question is: what skills are needed to keep this system in production at 3am, and who holds them in the team? This is not a title question. It is an operational reality question. And it deserves a precise answer — not a generic title that reassures recruiters without committing anyone to anything.
Technical word inflation is not a cultural phenomenon without consequences. It has produced three concrete, measurable results in the digital infrastructure market.
Thousands of engineers trained since 2015 learned to "provision infrastructure" without ever touching a physical server, cabling a switch, or diagnosing a network fault on bare metal. They learned to manipulate abstractions — cloud resources, Terraform files, CI/CD pipelines. These skills are real and useful. But they stop at the API layer. Below the API layer there is a physical infrastructure that nobody taught them existed — because the vocabulary gave them the illusion that it did not exist, or did not need to be known.
Organisations that migrated "to the cloud to achieve economies of scale" typically discover, 18 to 36 months after migration, that their infrastructure costs have increased rather than decreased. Part of this increase is structural — cloud pricing models are designed to grow with usage. But another part is avoidable and stems directly from ignorance of the physical layer: overprovisioning because nobody knows how to size, egress fees ignored because nobody understood there were exit charges, cloud-native architectures replicating on-premises patterns without optimising them.
The market is critically short of engineers capable of mastering infrastructure from the physical layer to the application layer — from electricity to service. This profile existed. It was called systems administrator, infrastructure engineer, SRE. It was progressively replaced in job descriptions by "DevOps engineers" and "cloud engineers" whose skills stop at the API layer. The complete profile did not disappear because the competence became impossible to acquire. It disappeared because the vocabulary stopped valuing it — and the market follows vocabulary.
Infrational inflation is not the result of collective carelessness in word choice. It is the result of a deliberate strategy — not necessarily coordinated, but consistent in its effects — by the actors who have the most to gain from the dilution of infrastructure skills.
AWS, Azure and GCP benefit directly from the belief that mastering Terraform or CloudFormation equates to mastering infrastructure. If engineers believe that infrastructure is code, they do not need to understand what lies beneath the code. And if they do not need to understand what lies beneath the code, they never have reason to ask whether what lies beneath the code might belong to someone other than a hyperscaler. The AWS console that "provisions infra" is a rental interface, not a mastery tool. The vocabulary erases the distinction.
Two actors benefit from profession dilution. Employers who replace two specialists with one cheaper generalist — the "DevOps" title justifies paying less for two distinct expertises under a single salary. And tool publishers who sell "DevOps" platforms claiming to solve through tooling what only culture and competence can solve. The word "DevOps" has become a market. Like all markets, it is shaped by the actors who benefit from it.
The first study of the Opération Dindon corpus documented the dissolution of infrastructure competence and cognitive capture by hyperscalers. The Infrational crisis is the linguistic mechanism that made this dissolution possible. You cannot lose what you cannot name. You cannot name what you have lost the definition of. Word inflation preceded and conditioned the dissolution of skills. This is not a coincidence.
Taking back control of words is not an exercise in nostalgia or lexical purism. It is an operational necessity. The words we use to describe our profession shape the skills we develop, the hires we make, the training we deliver, and the architectures we design. Precise words produce precise engineers. Vague words produce vague engineers.
Call "Configuration as Code" what is declarative configuration of virtual resources. Reserve the word "Infrastructure" for what it designates — the physical, tangible layer that carries everything else. This distinction is not a matter of style — it is a matter of operational precision. An engineer who knows that Terraform manages configuration, not infrastructure, knows there is a layer below that they cannot see and must account for.
Distinguish in job descriptions, skills frameworks and training plans what belongs to development (writing code that solves business problems), infrastructure engineering (mastering the physical layer through to the service layer) and reliability (designing and maintaining systems available in production). These three skills can coexist in one individual — some SREs excel in all three. They cannot be assumed present on the strength of a generic title.
The Foundation of Iron — 26 weeks from electricity to networking — is built on this principle: you cannot master the abstraction if you do not understand what it abstracts. An engineer who learned to cable a switch before learning to configure a VPC understands what a network actually is. An engineer who only ever knew the VPC believes a network is a JSON file. Training on the physical layer is not nostalgia — it is the condition of real understanding.
Let us take back control of words before trying to take back control of our infrastructures. The two are linked. In that order.
This study documents a systemic loop that has not yet been named as such: DevOps, by diluting bare-metal competences, creates a profile shortage that makes hiring salaries explode, which produces salary compression that pushes seniors to leave, which deepens the shortage, which pushes salaries back up — and so on. The direct victim is the senior engineer in post. The structural victim is digital sovereignty. The indirect beneficiary is the hyperscaler.
The infrational loop is not the result of malicious intent. It is the result of a series of locally rational decisions that globally produce an irrational system. Each actor acts according to their interests. The collective result is a spiral that nobody steers.
Step 1 — DevOps dilutes bare-metal competences: documented in "The Infrational Crisis". The title "DevOps engineer" replaces "systems administrator" and "SRE" in job descriptions and training. The physical layer disappears from frameworks.
Step 2 — The bare-metal profile shortage sets in: documented in "The State and the Invisible Body". The market critically lacks engineers capable of mastering the physical layer. The shortage is structural, not cyclical.
Step 3 — Hiring salaries explode: companies needing a real bare-metal SRE — OVHcloud, Ecritel, Scaleway, but also large IT services firms — compete for a reduced pool. To attract, they outbid on entry salaries. The external market rises.
Step 4 — Salary compression is created: while the external market rises 8 to 12% per year, internal increases stagnate at 2 to 4%. Over three to five years, the new hire earns as much, sometimes more, than the senior with five years of tenure.
Step 5 — The senior leaves or complies: noticing compression, the senior engineer has three options — accept the injustice and disengage, request a pay rise (often refused or granted as a token), or leave. Most leave. Some take a deliberate voluntary gap — a few months elsewhere to "synchronise" with the market, then return elsewhere or to the same employer at market rate.
Step 6 — The shortage deepens: the senior's departure worsens the shortage. The company recruits their replacement at market rate — more expensive than what the senior would have cost after a pay rise. It has lost the tacit knowledge, it pays more to replace it, and the cycle restarts.
Pay compression is a documented phenomenon in HR and labour economics. It describes the situation where the gap between experienced employees' salaries and those of new recruits narrows to the point of disappearing, or even inverting. In the tech sector in general, and in infrastructure in particular, this compression reached critical levels between 2021 and 2026.
Compensation management research identifies precise thresholds. Less than 10% gap between a new hire's salary and that of a 3-year employee in the same role: danger signal. Less than 5% gap: active retention risk. Negative gap — the new hire earns more than the senior: immediate flight of top performers. The cost of a key employee's departure represents 50 to 150% of their annual salary in replacement costs — recruitment, onboarding, productivity loss, tacit knowledge loss. Compression is never a long-term economy.
In France in 2026, a confirmed SRE earns on average €67,500 according to PayScale — versus €43,500 for a DevOps engineer (same source). The €24,000 gap reflects bare-metal competence scarcity. But this gap does not benefit the senior in post — it benefits the new recruit on the external market. The SRE engineer with five years of tenure in a company receiving 3% annual increases rapidly finds themselves below market rate. Their employer pays market rate to recruit their potential successor — without ever having paid this rate to retain them.
Intense competition for rare tech profiles has pushed entry salaries up 8 to 12% per year in the infrastructure sector, while existing employees received 2 to 4% increases. Over five years of accumulation, the gap can exceed 30 to 40%. The engineer recruited in 2021 at €55,000 with 4% annual increases is at €65,000 in 2026. Their potential market successor is offered €75,000 to €80,000. The compression is 15 to 20% — sufficient to trigger flight.
Pay compression is not the result of HR team carelessness. It is the structural result of the absence of a dynamic pay policy in a market under severe tension. HR teams manage increase budgets set by leadership — typically 2 to 4% — while the external market moves at 8 to 12%. Without a deliberate decision to align, compression installs itself mechanically.
The annual performance review is the moment when salary compression becomes visible to the engineer. It is also the moment when the organisation commits, often unwittingly, one of the costliest management errors possible.
Before the review, there is the form. The self-assessment of 15 to 30 questions on competences, objectives, company values, strategic alignment. The infrastructure engineer who has just managed 12 production incidents, migrated two critical servers, and documented the architecture nobody else knows — this engineer spends an hour filling in a form designed to evaluate commercial profiles. The implicit signal is clear: your work is not measurable in our system. Fill in the form anyway.
The review itself lasts 45 minutes. The manager is well-meaning. The feedback is positive. "You do exceptional work, you are indispensable to the team." Then comes the pay rise: €50 gross per month. €600 per year. A 1.1% increase for an engineer whose external market has grown by 10%. The dissonance between the valorising speech and the derisory pay rise is one of the most documented forms of demotivation — it says two contradictory things simultaneously: "you are valuable" and "your value does not merit real investment".
The engineer leaves the review and does a simple calculation. Current salary: €62,000. Market rate: €72,000 to €75,000 based on offers they see. Their increase: €700 gross annually. The compression is €10,000 to €13,000. To close it with 1.1% annual increases, they would need 12 to 15 years. Or 3 months of gap. The calculation is trivial. The decision is made.
The organisation does not do the inverse calculation. Replacement cost for this engineer: 50 to 150% of annual salary, i.e. €31,000 to €93,000. Cost of recruiting their successor at market rate: €72,000 to €75,000 salary. Tacit knowledge loss: unmeasured but documented in "The Departure of the Last One Who Knows" as irreplaceable in the short term. Investment in the pay rise that would have avoided all of this: €10,000 per year. Choosing not to revalue is a decision that costs €100,000 to save €10,000.
The voluntary gap is the individual and rational response to a collectively irrational system. The infrastructure engineer who has understood the mechanics of salary compression does a simple thing: they leave for a few months, and return — or go elsewhere — at market rate. It is absurd. It is effective. And it is the system itself that produces it.
The engineer resigns. They take 2 to 4 months of gap — either to decompress, to do short freelance or interim missions, or simply to reposition on the market. They then apply — to other companies or sometimes to the same employer — with an "updated" CV and immediate availability. They are recruited at market rate, i.e. €10,000 to €15,000 more than their previous salary. The gap lasted 3 months. They recovered in one negotiation what 10 years of annual increases would not have given them.
The system rewards departure, not loyalty. It rewards breaking a contract, not continuity. It rewards the absence of company knowledge — the new recruit does not know the systems, past incidents, undocumented configurations — more than the presence of that knowledge. And it punishes loyalty — the engineer who stays sees their market value increase while their salary stagnates. This is not an anomaly: it is the signal the system systematically sends to its best people.
Each voluntary gap temporarily removes a rare profile from the market. If 20% of bare-metal SREs take a 3-month gap per year — a plausible figure under severe compression — 5% of the body's total capacity is unavailable at any given moment. In a body already in structural shortage, this chronic unavailability worsens the shortage, drives up entry salaries, and deepens compression for those who stayed. The loop tightens.
The voluntary gap is a rational response to an irrational signal. The engineer who takes it is not betraying their employer — they are applying the market logic their employer imposes on them. Blaming the engineer for turnover while refusing to pay market rates is blaming water for flowing downhill. The correction is structural or it is nothing.
A systemic loop that persists over time without correction always produces beneficiaries — actors whose interests are served by the status quo. Identifying these beneficiaries is not paranoia. It is structural analysis.
A market in shortage of bare-metal competences is a market where organisations cannot build their own sovereign infrastructure — because they lack the engineers to operate it. Dependence on hyperscaler cloud is directly proportional to the shortage of local competences. Hyperscalers did not create the infrational loop — but they benefit from it structurally. Every SRE who takes a gap or recycles themselves as a "cloud architect" is one fewer engineer capable of building outside the cloud.
High turnover in infrastructure profiles is a windfall for specialist tech recruitment agencies. An agency placing a senior SRE receives 15 to 25% of the annual salary — i.e. €10,000 to €18,000 per placement. A market under chronic compression produces chronic turnover that produces chronic placements. This is not a conspiracy — it is an economic interest aligned with the status quo.
The infrastructure engineer who stays in their company is the first victim of the loop. Their salary stagnates while their market progresses. Their tacit knowledge deepens while their nominal value regresses. Their engagement deteriorates — ADP documents that salary compression produces "low motivation, reduced productivity and difficulty retaining staff". They end up leaving or resigning themselves — both are a loss.
OVHcloud, Ecritel, Scaleway, Clever Cloud — the European sovereign actors who depend precisely on bare-metal profiles to operate their infrastructures — are victims of the loop as much as their clients. They compete for a reduced pool at inflated salaries, lose profiles to financially stronger hyperscalers, and cannot absorb the potential demand if a digital sovereignty policy were implemented tomorrow.
Breaking the infrational loop requires simultaneous interventions at multiple levels. No isolated intervention is sufficient. Together they form a correction system as coherent as the loop it seeks to interrupt.
Replace the internally budget-based pay review with an annual market benchmark-based review. If the market has grown 8%, the internal increase must at minimum follow — independently of the standard 3% budget. The cost of this policy is a fraction of the turnover cost it prevents. An engineer correctly valued has no reason to take the gap.
For profiles under extreme tension — bare-metal SRE, senior systems administrator, infrastructure architect — introduce an annual or biannual retention bonus, conditional on remaining with the company. This bonus is not a salary — it is an explicit recognition of competence scarcity and its replacement cost. It must be calculated on the differential between the internal salary and the external market.
Self-assessment on generic criteria is unsuited to technical profiles whose value is operational not commercial. Replace it with a review of incidents managed, systems maintained, knowledge transmitted — metrics that correspond to the reality of the infrastructure engineer's work. The generic form is a signal of incomprehension. The operational review is a signal of respect.
Calculate annually the ratio between in-post employees' salaries and the hiring salary for the same role. Publish this ratio internally. Set a minimum gap threshold — for example, a senior's salary must be at minimum 15% above the entry-level hiring salary for the same role. If this threshold is breached, it automatically triggers a correction budget. What is not measured is not corrected.
Lever 5 — Reduce the shortage at source: the levers documented in "The State and the Invisible Body" — Foundation of Iron in BTS programmes, France Travail convention, RNCP protected title — reduce the structural shortage fuelling compression. The more qualified bare-metal engineers there are, the less entry salaries explode, the less violent the compression.
Lever 6 — Updated digital sector collective agreements: digital sector collective agreements have not been revised to account for extreme tension on infrastructure profiles. Collectively negotiated pay scales at sector level, integrating scarcity coefficients for bare-metal competences, would mechanically reduce compression by setting more realistic floors.
Saving €10,000 in pay rises to lose €100,000 in replacement costs. The infrational loop is a value-destruction machine that nobody steers. It is time to name it — and break it.
This synthesis study maps two distinct and linked phenomena. The amputation of the infrastructure body: the body progressively loses its vocabulary, training, visibility, protection, authority and knowledge. It affects all members. The amputation of women from the infrastructure body: at every general stage, women experience an additional exclusion mechanism. And before any general stage, there is a stage -1 that exists only for them — the source amputation, at age 12, before they have even had the chance to enter the body.
Applicable by any teacher, engineer or manager tomorrow, without asking anyone's permission.
Stage -1/8 (pedagogical void): The Observation Day — a Principal SRE takes a group of students for a day in a datacentre. Cost: zero. Impact: often decisive.
Stage -1/8 (theory): Physics teacher integrates water-electricity analogy into existing lessons. No equipment. No authorisation.
Stage 1 (vocabulary): Rewrite a job description with "SysOps L3" instead of "DevOps". One job description. Today.
Stage 6 (knowledge): Formalise a one-page mentoring agreement between senior and junior. Two signatures. No institution.
Stage 5 (authority): The Principal SRE writes their first documented veto on a technical decision they refuse. One email. One signed PDF.
Stage 1: Adopt SysOps/NetOps/OpInfra nomenclature as internal classification grid. HR decision. One resolution.
Stage 2: Redirect 30% of CPF budget to neutral certifications (LFCS, CKA). Annual training plan decision.
Stage 3: Deploy the Uniform of the Body — 5 levels, 5 signals. HR + management decision. Budget: €500-700/Lead SRE.
Stage 5: Include the Technical Primacy clause in the Principal SRE's contract. Internal legal decision.
Stage -1/8: Open the pooled teacher fund + parents' association vote → school gift. Two meetings. No public procurement.
Stage 4: Elastic Syntec — extension of Syntec's scope to infrastructure roles regardless of employing sector. Branch agreement or extension decree.
Stage 9: Resiliable commits, reasonable egress fees, real portability, CLOUD Act limited to its territory. European regulation.
Stages -1/8: Official integration of the Anti-Amputation Foundation into secondary school technology curricula. Ministerial decision.
Level 1 and 2 interventions produce real effects without waiting for level 3. The Anti-Amputation Foundation does not require a ministerial decision to be deployed in one school. Technical Primacy does not require Elastic Syntec to be written into a contract. We do not wait. We act with what we have.
The amputation of women from the infrastructure body is not a diversity problem — it is a body problem. A body amputated of half its potential population is a weakened body. It transmits less well. It defends itself less well. It innovates less well. The question is not moral — it is structural.
The general amputation of the infrastructure body affects all its members — it erodes vocabulary, training, visibility, protection and authority for every engineer, man or woman. Women experience this general amputation plus an additional exclusion mechanism at each stage:
At stage 1 (vague vocabulary): men can decode titles through informal networks. Women, statistically less present in these networks, carry this decoding more alone.
At stage 3 (invisibility): invisible body + invisible presence = double invisibility.
At stage 5 (authority): the female Principal SRE must doubly prove their technical legitimacy before being heard in an arbitration.
At stage 6 (knowledge): informal transmission networks (tech evenings, non-mixed Slack channels, informal mentoring) are less accessible.
And before stage 0, there is stage -1 — which exists only for women: the bifurcation at age 12, when nobody explicitly invited them to face the machine.
Stage -1 (age 12): Anti-Amputation Foundation — the moment alone with the machine. The explicit invitation. "I want you to try this — not him in your place, you." Cost: zero. Tomorrow.
Stage 1 (readable door): Clear nomenclature → job offers with objective criteria → readable door without informal network. One rewritten job description away.
Stage 3 (visibility): Feminine options for the Uniform of the Body — three choices ①②③ within the black/white/red triptych. Same authority, freedom of form.
Stage 6 (transmission): Feminised grades in the Digital Craftsmen (proposal): aspirant, compagnon(ne), maître(sse). Equal access as founding condition.
Stage 7 (adult entry): The Gentle Exit — nomenclature creates the door. Objective criteria. LFCS CPF-eligible. The senior female DevOps who wants to become Lead SysOps has a documented path.
Stage 8 (child): Deamputation at the Source + The Body That Makes. The IKEA Effect and Self-Creation Effect (Brunneder & Dholakia, 2018): making with one's hands anchors a lasting sense of competence.
Infrational / Infrationnelle: devaluation of technical words through DevOps vocabulary inflation.
The Infrational Loop: self-sustaining 6-step cycle producing progressive loss of bare-metal competences.
Technical Primacy: constitutive right of the Principal SRE to the final word on technical decisions.
Deamputation at the Source: intervention at school, before bifurcation happens, so the mental image forms.
The Gentle Exit: conversion without rupture from DevOps vocabulary to nomenclature, with today's tools.
The Pooled Teacher Budget: 20 teachers × €10/month = €2,400/year — a real robotics class without asking the state for a penny.
The Pedagogical IKEA Effect: making with one's hands anchors a lasting sense of competence (Norton, Mochon & Ariely, 2012).
"The metal precedes the code."
"No sovereignty without matter."
"The one in blue will want khaki. The one in khaki will want white. This desire is the lift. The sign is the engine."
"The 12-year-old girl who blinks an LED is the bare-metal SRE of 2035."
"The Principal SRE is not infallible. But they are the only one who measures what they decide."
"The gentle exit does not say: you were wrong. It says: here is what is missing. Come."
"Without the Craftsmen, Notre-Dame would look like La Défense."
"A body without a uniform is a body without boundaries. A body without boundaries is a body without defence."
"Technical sovereignty does not begin in a datacentre. It begins in a year-7 classroom."
Amputation has a mechanism. This mechanism has stages.
Every stage has an intervention. Every intervention is available.
Some from tomorrow. Without permission. Without budget. Without waiting.
This document asks to be read with reason, not emotion. It is neither an indictment of a profession nor a personal attack on anyone practising a hybrid role between development and operations. It is a structural diagnosis: an analysis of mechanisms — behavioural, economic and cognitive — that have contributed to dissolving historical technical safeguards, without passing judgment on the professional or human value of the people who practise these roles today within the framework the market has offered them.
Criticising a mechanism is not criticising the people caught within it. That is the distinction this document strives to hold from beginning to end.
Every section that puts forward a critical thesis includes a "Nassiha" callout specifying the exact limits of the claim and what is not being claimed. This discipline is deliberate: it allows a rigorous structural diagnosis to be distinguished from an emotional accusation, and invites the reader to judge this document on the soundness of its mechanisms rather than on the emotional charge an earlier, less careful formulation might have carried.
Before public cloud became widespread, the boundary between operations teams (system administrators, systems engineers, what we now call SRE) and development teams was clear-cut. This boundary was not arbitrary: it rested on genuine physical competence. The Ops team knew the hardware limits of the datacentre — the power available per rack, thermal capacity, cabling constraints, physical storage limits — and pushed back, with reasons, against any request that threatened those limits.
An unreasonable provisioning request from a Dev team or an outsourced web agency hit a technical red light, set by someone who genuinely understood why the request posed a risk. This refusal created real friction, often experienced as legitimate frustration by Dev teams under commercial deadlines that Ops did not always share.
The Ops/Dev boundary was not a comfort of power. It guaranteed that no provisioning decision could be made without someone who understood the physical layer having a say. The cost of this guarantee was slowness. The benefit was reliability.
It would be dishonest to present this older world as perfect. The rigidities of historical Ops also produced real inefficiencies, disproportionate delivery delays, and a sometimes excessively conservative culture. Dev teams' frustration with these delays was not unfounded. It is this legitimate frustration that opened the door to the next promise: what if friction could be removed without removing reliability?
Acknowledging faults on both sides of a historical boundary does not weaken the diagnosis that follows. It makes it more honest, and therefore more solid against the first objection a reader acting in good faith might raise.
The DevOps philosophy was born, originally, of a sound intention: bringing together two professions that communicated poorly, reducing time to production, and establishing shared responsibility over an application's full lifecycle. This intention is not in question here.
What followed was a structural drift more than an orchestrated plot. The spread of public cloud made it possible to create a hybrid profile — familiar with the basics of the tools Ops used (systems, middleware) and the basics of Dev's craft (agility, a few languages) — without that hybrid profile inheriting the deep physical competence that historically justified hard limits. The result is not a bridge between two complete professions. It is a dilution of both: neither the depth of the old Ops, nor the full depth of Dev, but a cross-cutting competence sufficient to operate within the cloud abstraction without ever needing to understand what lies beneath it.
As long as the physical layer remained visible — cables, racks, thermal constraints — the Ops hard limit had a concrete reference point on which to operate. Once that layer became fully abstracted behind a console and an API, the hard limit lost its footing: one cannot raise a reasoned objection grounded in physical constraints to someone who, structurally, no longer sees the physical layer at all. The abstraction did not merely relocate the competence. It removed the very ground on which the refusal could be justified.
This is the precise point that distinguishes this diagnosis from mere nostalgia for the old world. The problem is not that hard limits disappeared because people became careless. The problem is that cloud abstraction made the hard limit structurally unworkable, regardless of anyone's individual goodwill.
This document does not claim that today's DevOps professionals are individually responsible for this dissolution, nor that they sought it. They operate within a framework offered to them by the market, the training available, and their employers. The structural responsibility described here concerns the incentive system, not the people who operate within it.
A command such as an infrastructure deployment produces an immediate, visible effect: a resource appears, a server boots, a console shows a green status. This pattern — minimal action, near-instant gratification, a sense of control — has long been documented in behavioural psychology under the name of immediate or intermittent reinforcement, and has been studied for years in the design of consumer digital interfaces: notifications, game mechanics, social networks.
This document advances a precise and limited thesis: this same immediate-gratification mechanism applies to the cloud provisioning experience. Clicking or running a command and seeing a resource appear instantly produces a sense of power and control disproportionate to the actual effort involved. The more total the abstraction, the faster the gratification, and the more invisible the real cost — financial, technical, physical — becomes at the moment of the action.
This thesis does not say that engineers are dependent in a clinical sense, nor that they suffer from a pathology. It says that cloud product design exploits a documented gratification mechanism, in the same way other sectors (video games, social media, online gambling) have been criticised for designing interfaces that exploit this same mechanism in their users. The criticism targets the product's design and the net effect it produces at an organisation's scale, not the individual psychology of whoever uses it.
The net effect of this mechanism at a company's scale is cumulative: each small individual gratification (a fast deployment, a resource appearing) reinforces the collective habit of reaching for the abstraction rather than evaluating the structural cost. This is a product-design effect that translates into organisational behaviour — not a judgment on anyone's will.
An earlier version of this reflection directly compared the professionals concerned to people experiencing substance addiction. That comparison was removed, because it shifted the criticism from the mechanism to the person, and risked causing hurt without adding anything to the soundness of the diagnosis. The version kept here criticises the product, never the person who uses it.
The trio's certification programmes (AWS Certified Solutions Architect, Microsoft Azure Administrator, Google Cloud Professional) are funded, designed, issued and maintained by the cloud providers themselves. This is not an accusation: it is a factual description of their structure. An engineer who invests several months and several hundred euros in an AWS certification has, in effect, professional capital invested in the AWS ecosystem.
This mechanism is documented across the industry under the name vendor certification lock-in. It requires no centralised malicious intent to produce a measurable net effect: a certified professional has a rational and understandable bias toward recommending, in future architecture decisions, the ecosystem in which they invested their time and money. This bias is not a moral failing. It is a logical consequence of the incentive structure.
The trio did not need to advertise its products directly to technical decision-makers. It capitalised on a market dynamic — the emergence of the hybrid DevOps profession — to structure certification pathways that, while certifying a skill, simultaneously build de facto loyalty to the ecosystem. The profession becomes the vehicle for product marketing, with no classic advertising campaign required.
This thesis is distinct from a conspiracy accusation. It does not claim the trio invented DevOps with the explicit intent of creating this mechanism. It claims that, once the DevOps dynamic was established by the market, the trio structured its certification offering to extract a measurable retention benefit from it — which is rational behaviour for an economic actor, not an anomaly.
Claiming that an economic actor exploited a market dynamic to its advantage is a verifiable and reasonable thesis. Claiming that it deliberately engineered that dynamic from scratch for a hidden strategic purpose is a thesis of intent that requires specific evidence — evidence this document does not possess for this particular subject, unlike the Gemplus case where institutional sources exist.
The six-layer lock-in model already established in this body of work places the cognitive layer as the deepest and hardest to unlock: not a contractual lock, nor a technical lock, but a lock on mental reference frameworks. A team trained and certified within the trio's ecosystem develops, by construction, a default solution framework centred on that ecosystem.
This mechanism explains an observable and frequent phenomenon: when a company's leadership, already locked into the trio, wishes to explore a return to bare metal or a local hosting provider, internal technical teams often propose, spontaneously and without deliberate intent, solutions that remain within the trio's framework — an alternative managed service, a cost-reduction option within the same ecosystem — rather than a genuine exit option.
A team that, through its training and professional experience, knows only one technical framework cannot, by definition, spontaneously generate solutions in a framework it has never mastered. This is not a matter of will, personal comfort, or fear for one's job. It is a structural cognitive limit: one cannot propose what one has never learned to design.
This reframing matters because it changes the nature of the appropriate response. If the problem were a matter of individual will (comfort, fear), the appropriate response would be managerial or disciplinary. If the problem is cognitive and structural — a training gap regarding an alternative framework — the appropriate response is pedagogical: broadening the available framework, not punishing the absence of a framework that was never taught.
This precise distinction is what justifies the next section of this document. If the lock-in is cognitive rather than voluntary, the solution is not a change in individual attitude but a training programme that rebuilds the missing framework — the technical foundation that historically allowed people to understand, and therefore to propose, architectures outside public cloud.
What follows is not an untested theoretical proposal. It is the restitution of a real vocational training programme, completed in 2005 at a vocational training centre for jobseekers, over a six-month period. This foundation, at the time, trained technicians capable of understanding infrastructure end to end, from the bit up to the operating system, before any later specialisation. It proved itself as an entry point into the profession twenty years ago, and this document's thesis is that it remains relevant today as a structural response to the cognitive lock-in described in Section 5.
This programme did not train specialists in cloud abstraction — it did not yet exist in its current form. It trained technicians capable of understanding an infrastructure end to end, from the bit to the service. This end-to-end understanding is precisely what the dilution described in Section 2 has eroded. This document's proposal is not nostalgia: it is the reactivation of a foundation that has already proven its ability to produce professionals capable of setting informed hard limits, because they concretely understood what they were protecting.
Three distinct mechanisms have been described in this document: a behavioural mechanism where product design exploits a documented immediate gratification effect, an economic mechanism where certifications produce structural loyalty without centralised malicious intent, and a cognitive mechanism where the absence of an alternative framework prevents, by construction, the spontaneous proposal of solutions outside the trio. None of the three rests on an accusation of individual ill will.
This distinction has a direct practical consequence. If the problem were one of will, the response would be disciplinary. Since the problem is structural — product design, economic incentive, cognitive gap — the appropriate response is equally structural: a training programme that rebuilds the missing framework.
A hybrid professional trained on the foundation described in Section 6 does not lose their current DevOps skills. They complement them with a framework that now includes bare metal, physical networking, and the hardware layer. This professional then becomes capable of proposing, just as spontaneously as today's solutions within the trio's ecosystem, alternative architectures with local hosting providers or in nearby server rooms — whether in France, across Europe, or elsewhere.
This document does not claim that this training programme is, on its own, a complete or sufficient solution. It claims that it is a necessary lever, documented by a real precedent — a programme that already existed and already produced results twenty years ago — and that this lever responds precisely to the cognitive mechanism identified in Section 5, rather than to a mechanism of will that was never the true cause of the problem.
This document was built while holding one constant requirement: to criticise mechanisms and incentive systems, never people. If an earlier formulation of this reflection may have appeared to target individuals, it has been withdrawn or reformulated. The reader acting in good faith is invited to judge this text on the soundness of its mechanisms, not on the emotion that an earlier, clumsier formulation might initially have provoked.
The loss of digital sovereignty is not an accident, not an isolated decision, not a calculation error. It is the predictable and documentable result of a causal chain that begins in primary school and ends at the boardroom signing for AWS. This study maps seven causal nodes, four lock-in layers, three psychological locks, and five bifurcation points. It draws on the entirety of the Opération Dindon corpus — sixty-four structural studies — as evidence.
Digital perdition is not an event — it is a process. It has an origin, intermediate stages, bifurcation points, and a destination. This study maps the complete causal chain across seven nodes, drawing on the Opération Dindon corpus as documentation.
Read left to right. Colours: blue=education · red=economic · grey=material · violet=HR · orange=applicative SaaS.
School teaches sine and cosine without ever showing a real circle. It teaches networks without ever opening a patch panel. It teaches databases without ever configuring a physical server. This rupture between symbol and matter creates a developer who knows how to deploy a Lambda function without knowing what runs underneath. Free Tier reinforces this amputation: it gives access to cloud abstractions without ever requiring understanding of fundamentals. The State's budgetary abandonment eliminated lab rooms with real servers. The teacher does not choose between AWS and a sovereign alternative — they choose between AWS and nothing. AWS Educate does not exist out of philanthropy. It exists because Amazon identified this void as an acquisition opportunity.
Even if a CIO decides to recruit neutral skills, recruitment platforms (LinkedIn, Indeed, internal ATS) filter CVs on hyperscaler-certified keywords: "AWS Cloud Architect", "Azure Certified Developer", "GCP Professional". A "Senior Linux Administrator" or "Bare-Metal Engineer" profile is eliminated algorithmically before the interview. Lock-in is maintained by an invisible bureaucratic barrier — not by a deliberate human decision. Documented figure: −34% Linux administrator positions between 2019 and 2023 on French job platforms.
The student trained on AWS becomes the senior developer who recommends AWS. They become the architect who configures ATS filters on AWS keywords. They become the CIO who recruits only AWS-certified profiles. Graph 2 (heatmap, next page) maps the causal intensity from each scholastic cause to each professional effect, with the diagonal showing generational self-reinforcement.
AWS Educate · Azure for Students. 750h EC2 · 5 GB S3 · 1M Lambda requests. Invisible threshold — no workflow alert. Exceeded when attachment is maximal and migration most costly.
AWS Activate $100,000 · Google for Startups $200,000. Architecture without financial constraint → TCO crisis at exhaustion. VC — startup — hyperscaler triangle: the first two fund the third.
Ingress: free · Egress: $0.09/GB AWS. 100 TB = $9,000 exit ransom. 1 PB = $90,000. Entry is free because it creates dependency. Exit is charged because it reveals its cost.
HR buys Workday · Marketing buys Salesforce · Sales buys HubSpot — without IT. 73% of organisations have SaaS purchased outside IT. Repatriating servers does not resolve this applicative layer.
1. Free entry sample — no financial friction. 2. Functional dependency — integration into workflows and architectures. 3. Tipping threshold — the free stops. 4. Exit friction — the captive ecosystem makes return to independence costly. Graph 3 (funnel, next page) maps these four converging doors with bifurcation points at each stage.
Terms §14.12: California jurisdiction · CLOUD Act applicable · non-cancellable commits · egress fees. Sovereignty Washing (cf. The Cloud-Washing S1) sells physical resolution as if it also resolved the legal dimension. "AWS European Sovereign Cloud" = servers in Europe (physical ✓) but Amazon.com Inc. remains subject to CLOUD Act (legal ✗). The four demands of the 8 September 2026 ultimatum target exactly this layer.
Lambda + DynamoDB + API Gateway + SQS + Cognito + CloudFront — each link does not exist outside AWS in this exact form. The chain is proprietary. Migrating = total rewrite. Cloud-Washing calls this "cloud-native." Architectural question: "Can this component run outside AWS without a rewrite?" If no — artificial complexity, not modernity.
73% of organisations have SaaS purchased outside IT. Salesforce = Sales business logic · Workday = HR history · M365 = the entire organisation's documents. Repatriating servers resolves the infra layer — not the applicative layer. Two sovereignties to reconquer simultaneously, the second involving business directorates without IT constraints.
TSMC fabricates ~90% of advanced chips worldwide in the Taiwan Strait. Intel ME / AMD PSP: non-auditable sub-processors since 2008/2013, subject to US law, active with server off. Taiwan blockade: hyperscalers will ration in order — internal needs → Enterprise Agreement → Pay-as-you-go. Without owned hardware: queue. With Grade A Refurbished already fabricated (cf. The Strategic Refurbished, 4p): complete autonomy. Chips exist, independent of future TSMC production. Potential blockade impact: $600-1,200 billion (PIIE 2023).
The CIO who evangelised cloud for 5 years on LinkedIn, received a promotion for the digital transformation, convinced their CEO — cannot retreat without publicly admitting they were wrong. The fear of losing face before peers is stronger than economic rationality. The exit narrative: "The 2019 decision was correct with 2019 information. 2026 information is different — CLOUD Act clarified, egress fees documented, TSMC geopolitical risk identified. Revising the position is good management." Not communication — the truth.
Three layers neutralising the three internal resistances: Sovereignty Washing reassures legal (servers Europe ✓ / California jurisdiction ✗) · Green Washing reassures sustainability (RECs ≠ green energy · Virginia 30-35% fossil EIA 2023) · Finance Washing reassures CFO (public money → hyperscalers → anti-regulation lobbying · CPF x3). The engineer who says "let us calculate the real TCO" stands alone against three arguments, three directorates, three boxes already ticked. Cloud-Washing is not an isolated lie — it is an architecture of conviction.
McKinsey, Accenture, Capgemini are "AWS Premier Partner", "Google Cloud Partner". Their business model depends on billing complex migration person-days. The simplicity of local Bare-Metal generates no consulting revenue. A Gartner report recommending AWS is funded, directly or indirectly, by the hyperscaler ecosystem. The CIO receives an "objective" report confirming what Cloud-Washing already told them. Two external validation systems — and both have structural conflicts of interest.
DINUM selects AWS, Azure and Google for French public administrations. Public hospitals migrate to Azure. Universities use Google Workspace. Ministries deploy on AWS. The EU uses US hyperscaler services while funding GAIA-X. Paradox: public money funds hyperscalers through procurement → same hyperscalers use this money for lobbying on GDPR, Data Act, AI Act → tax funds resistance to the regulations that would protect the taxpayer.
Cloud certification spending tripled between 2020 and 2023. Public professional training money — salary contributions — massively funds AWS, GCP and Azure certifications. These certifications reinforce dependency by creating a labour market that values proprietary skills above neutral skills. The public training system funds the cognitive capture documented in The Newspeak.
Local authority "tests" on AWS Free Tier — "free to start." Six months later: paying customer of a US hyperscaler for a public service funded by local tax. No procurement process — project below public contract thresholds. The taxpayer will pay indefinitely or invest in a costly migration.
The State eliminated physical lab budgets. AWS Educate filled this void — not out of philanthropy but because Amazon identified an acquisition opportunity. The closed loop: tax → eliminates TP budget → hyperscaler fills the void → student trained on AWS → CPF funds AWS certifications → CPF is funded by tax → loop. Every euro of cloud CPF reinforces the causal chain documented in this study.
Bifurcation 1 (school): near-zero budget. Bifurcation 3 (architecture): zero. Bifurcation 5 (perdition): 6-48 months + rewrite. Each uninterrupted causal node exponentially increases the cost of the next. The chain is predictable, documented, and avoidable — provided intervention comes early.
This table is the entry point of the Opération Dindon audit library. Each row points to the corresponding 4-to-15-page evidence study. Two mechanisms (Invisible Business SaaS · Consulting firm bias) are original contributions of this synthesis study.
The chain is documented. The mechanisms are named. The locks — technical, financial, psychological — are mapped. The five bifurcation points are identified with their exact costs. What remains: the decision.
Digital perdition is not inevitable — it is the result of a chain of absences. The absence of a satellite dish at school. The absence of a physical server in the lab. The absence of reading the Terms. The absence of the architectural question. The absence of a procurement process before "testing" Free Tier. Each absence is a choice — often unconscious, always predictable.
The Opération Dindon corpus is the documentation. The ultimatum of 8 September 2026 is the demand. Four requirements: cancellable commits · elimination of egress fees · guaranteed data portability · clarification of the CLOUD Act position. The response from AWS, GCP and Azure is the unknown variable.
The Bare-Metal laughs at your labels of card.
For the Iron lies not, 'tis our staff and our guard.
Amine RAITI · MU'ALLAQA IX · 2026
The Operation Dindon corpus documented all external locks — Terms, egress fees, TSMC, Cloud-Washing. This study documents the internal lock that precedes all others: the dissolution of the boundary between development and infrastructure. Not a nostalgic defence of territory. A finding that two professions with fundamentally different temporalities, risks and natures were merged under the same umbrella — and that this merger is one of the intimate drivers of cloud captivity. The first act of sovereignty is not technical. It is recognising that we were wrong.
A CIO who spent five years evangelising the DevOps transformation of their organisation — merging teams, eliminating "silos," celebrating deployment velocity — cannot retreat without publicly admitting they were wrong. Not cowardice. The Sunk Cost Fallacy documented by Kahneman (2011) and Thaler (1980): the tendency to continue a commitment not because it is rational, but because one has already invested too much to turn back.
The investment is double. Financial first — migrations, training, certifications. But above all public — LinkedIn posts, conferences, internal use cases, the professional reputation built on this transformation. Retreating means erasing five years of professional posture before peers and the CEO. The fear of losing face is stronger than economic rationality. This is the lock that blocks the cloud exit before a rack has even been opened.
The decision to merge infra and dev teams in 2019 was correct with 2019 information. The DevOps movement had real arguments — breaking delivery silos, reducing time to market, making teams responsible for quality in production. These arguments remain partially true.
What has changed is the documentation. The CLOUD Act clarified. Egress fees measured. The TSMC geopolitical risk identified. The absence of Capacity Planning quantified in invoices. The loss of low-level skills measurable in job postings (−34% Linux). The 2026 decision is different because the information is different — not because the decision-maker was incompetent in 2019.
Revising one's position in light of new data is not capitulation. It is the very definition of good management. That is what the Operation Dindon corpus provides: the new data. The rest is an engineering decision.
The boundary between infra and dev cannot be rebuilt if the decision-maker who must authorise it cannot admit its dissolution was a mistake. All sections that follow — the risk matrix, IaC, Serverless, the sovereign IDP — are technically correct and organisationally actionable. They remain inaccessible as long as the ego lock is not lifted. That is why this section precedes all others.
Before naming what was dissolved, we must name what existed — and why its dissolution is structurally dangerous.
This table is not a defence of territory. It is a map of incompatible risk natures. A surgeon and an anaesthesiologist are not merged into the same role because they work in the same operating theatre. If the anaesthesia fails, the patient dies — regardless of the beauty of the surgical act. That is the foundation of the infrastructure engineer's independence: when they make a mistake, it is irreversible. This nature of risk demands dedicated expertise — not expertise shared with applicative velocity.
The DevOps movement, born in the late 2000s, responded to a documented and real problem: development and operations teams worked in watertight silos. The developer delivered an artefact "over the wall." The ops team installed it without understanding what they were installing. Time to production was measured in weeks, sometimes months. Production incidents were diplomatic crises as much as technical ones.
DevOps resolved this. Continuous integration, continuous delivery, infrastructure as code, automated testing, shared responsibility for production quality — these are real contributions that improved software quality and reduced delivery times. This study does not contest these achievements.
What the DevOps movement did not anticipate: by breaking delivery silos, it also broke competence silos. The organisational merger of teams progressively led to the merger of roles, then the merger of decision-making responsibilities. The "full-stack" developer became the "full-infra" developer — not through acquired competence, but through scope drift.
Documentable result: a developer deploying on Lambda without understanding what runs underneath is not a DevOps engineer — they are someone given a remote control without being shown the television. They can change channels. They cannot repair the set. And when the set breaks down — when lock-in is installed — they do not see it coming.
The loss is double. The developer loses consciousness of low-level layers. The organisation loses the infrastructure engineer as a guard against irreversible decisions. Nobody does Capacity Planning anymore. Nobody reads Terms before choosing a managed service. Nobody asks "can this component run outside AWS without a rewrite?" — because nobody has the skills to understand the answer.
The developer deploying on Lambda without understanding the infrastructure is not incompetent — they were told it was their job. The infrastructure engineer merged under an agile "tribe" is not outdated — they were told it was modernity. Both were betrayed by an organisational model that confused collaboration with the dissolution of expertise.
The initial plan targeted the AWS console as a punitive abstraction. True — but that is the old battle. The real current vector is Infrastructure-as-Code.
Terraform, CloudFormation, Pulumi — twenty lines of HCL or YAML to instantiate a managed Kubernetes cluster (EKS), a DynamoDB database, an SQS queue, a complete VPC network. To a developer, this script looks like code. It has syntax, variables, loops, reusable modules. It lives in Git, is reviewed in Pull Requests, tested in CI/CD pipelines.
That is exactly the problem. IaC transformed the physics of infrastructure into applicative syntax. Writing resource "aws_dynamodb_table" "users", the developer feels they are declaring a data structure — not signing a proprietary contractual commitment, not creating a ten-year software lock-in, not excluding any future deployment on another infrastructure without complete rewrite.
Code dissolved the consciousness of hardware. Behind twenty lines of HCL lies a datacentre in Virginia, chips fabricated by TSMC, a contract subject to California law, and egress fees patiently waiting for data to accumulate.
A bug in application code: git revert · rollback in minutes · previous state accessible in Git history.
An error in an IaC script instantiating a proprietary managed service: data is inside it · application architecture depends on this service · Terraform's "git revert" does not repatriate the data · technical debt is contractually locked.
These two errors have the same syntactic form — a line of code. They do not have the same risk nature. IaC made this difference invisible. That is why the infrastructure engineer must be present in IaC script reviews — not to say no, but to name what the code represents physically and contractually.
"Can this component run outside AWS without a rewrite?" This question, asked before each IaC resource, is the meeting point of the two professions. The developer asks it. The infra engineer answers. If the answer is no — it is an architecture decision, not a syntax choice. It must be conscious, deliberate, and documented as such.
The DevOps merge was not only driven by good managerial intentions. It was actively theorised, marketed and financed by hyperscalers under the banners of Serverless (AWS Lambda, 2014) and NoOps — "Build, we handle the rest." These promises have a precise target: the developer. Their declared objective: eliminate infrastructure friction. Their real effect: neutralise the infrastructure engineer as an internal opponent to cloud capture.
An infrastructure engineer who understands hardware is the primary obstacle to selling managed cloud services. They ask uncomfortable questions: What runs underneath? Where is the data? What does the contract say about egress? Can we migrate? Eliminating them organisationally — by merging their role under the developer's, by having them "evolve" toward AWS certifications, by renaming their profession "cloud engineer" — solves the commercial problem on the hyperscaler side.
2006-2010: the DevOps movement emerges to break delivery silos. Legitimate objective.
2012-2015: AWS, Google and Microsoft adopt and amplify the DevOps discourse in their conferences and certifications. They add the "cloud-native" layer — the idea that real DevOps happens on cloud. Hyperscaler certifications progressively replace neutral infra certifications (Linux Foundation, Red Hat).
2014-2018: Lambda (AWS), Cloud Functions (Google), Azure Functions. Serverless is presented as DevOps's next step — no more server management. The infrastructure engineer becomes progressively superfluous in this narrative.
2018-2024: organisations massively merge their infra and dev teams under DevOps "tribes." Capacity Planning disappears. Low-level skills disappear. The Linux job market collapses (−34%). Capture is complete.
The chronology is not a conspiracy theory — it is a market observation. Hyperscalers followed a rational commercial logic. Organisations followed a good-faith managerial logic. The result is documented in 64 Operation Dindon corpus studies.
The infrastructure engineer had an invisible but critical function: Capacity Planning. Before deploying a service, they estimated the load, sized the resources, anticipated peaks, calculated the monthly cost at scale. This function was not glamorous — it did not generate impressive boardroom demos. But it was the financial guardrail of the architecture.
When the infrastructure engineer was merged under the developer's umbrella, this function disappeared. The cloud engineer — often a developer retrained with an AWS Solutions Architect certification — no longer plans capacity. They consume it blindly. Lambda scales automatically — that is the promise. What the promise does not say: Lambda also scales the invoice, non-linearly, without default alerts.
A developer deploys a Lambda function that queries DynamoDB sequentially rather than by batch. The function is triggered 10 million times per day. Cost estimated by the developer: "Lambda is almost free at Free Tier." Real cost at scale: the combination of Lambda invocations + DynamoDB reads + data transfer can represent thousands of euros per month depending on the exact architecture.
An infrastructure engineer would have estimated this cost before deployment. Capacity planning is the translation of software architecture into real costs — before they are invoiced. Without this competence in the team, the CFO discovers costs at month-end. Not before.
The CFO is the only decision-maker who physically feels the consequences of the infra/dev merge — in the form of non-linearly growing cloud invoices, unforeseen exit costs, TCO never calculated. They are also the easiest to convince with data: show the cloud invoice curve over 36 months, overlay the progressive disappearance of the dedicated infra team, and let the correlation speak.
Rebuilding the infra/dev boundary is not only a technical or organisational decision — it is a financial decision. The infrastructure engineer is the CFO's guardrail. Their disappearance has a cost. This cost is measurable, documented, and growing.
Recreating a watertight boundary between infra and dev without a protocol immediately reactivates the legendary "Devs vs Ops" war: the JIRA ticket sleeping for three weeks, the infra team reflexively saying no, the dev team circumventing out of frustration. This war existed. It produced the DevOps movement. The goal is not to return to 2005.
The boundary to rebuild is not a wall. It is an interface — an organisational API that allows the two professions to collaborate without dissolving into each other.
The sovereign Internal Developer Platform (IDP) is the operational answer. The infrastructure engineer no longer says "no" — they provide. They design and make available to developers abstract infrastructure bricks that are agnostic and reversible: a database brick that can run on PostgreSQL bare-metal or on cloud, a message queue brick that can be RabbitMQ or SQS depending on context, an authentication brick not locked to Cognito.
The sovereign brick rule: every component provided by the internal platform must be able to answer "yes" to the question "can it run outside AWS without a rewrite?" If the answer is no, the choice is deliberate, documented, and assumed by both parties — not suffered by default because "it was easy to deploy."
The IDP solves the organisational problem. It does not solve the epistemological problem: a developer using an IDP brick without understanding what is underneath remains unable to recognise an architectural lock-in when they create one.
The solution is not to train every developer to manage a Kubernetes cluster. It is to show them once, physically, what resource "aws_dynamodb_table" triggers underneath — like the teacher who takes out a satellite dish so the student understands sine and cosine. Not to make them an infrastructure engineer. So they can read a cloud invoice, recognise an inode, understand why an IaC script is not a git revert.
The Iron does not lie.
It has no Free Tier. It has no YAML console.
It costs from day one — and that is exactly why it is free.
Amine RAITI · Operation Dindon · 2026
Cloud-Washing is the meta-mechanism that overarches all others: it paints dependency as freedom, domination as service, extraterritoriality as sovereignty. It operates in three distinct layers — sovereignty, ecology, and public finance — each with its own rhetorical tools, its own labels, and its own figures. This study maps them. The poem that opens the document named them before the analysis documented them.
Azure and AWS, these masters of guile, / Paint Sovereign on every vile, tired mile.
Since 2022-2023, all three hyperscalers have launched sovereign offerings targeting the European market:
AWS European Sovereign Cloud: physically in Europe, operated by European employees, with enhanced access controls. What the offering does not say: Amazon.com Inc. remains subject to the US CLOUD Act. A National Security Letter can compel Amazon to provide data without informing the client, regardless of server location.
Microsoft Cloud de Confiance with Bleu: a French subsidiary (Bleu, Capgemini + Orange) operates Microsoft infrastructure in France. Technology remains Microsoft's. Contract remains subject to Irish and US law for the underlying technology.
Google Sovereign Controls: client-managed encryption reducing Google's data access. Partial reduction of exposure — not complete sovereignty.
Physical sovereignty: where are the servers? Resolved. Servers are in Europe.
Legal sovereignty: which law applies? Not resolved. The parent company remains American, subject to the CLOUD Act and California law (Terms §14.12 documented in Terms Under the Microscope).
Sovereignty Washing sells the physical resolution as if it also resolved the legal dimension. The decision-maker who reads Sovereign Cloud believes both are resolved. Only one is.
They sell us the homeland with an alien seal, / To ensure that no one can break through the steel.
They speak of the green and the sky's open grace, / While Microsoft remains as the mask on the face.
RECs (Renewable Energy Certificates): a certificate attesting that an equivalent quantity of energy was injected into the grid by a renewable source. The server hosting your data continues consuming whatever energy is available locally — which may be predominantly fossil. RECs balance the accounting, not the grid.
PPAs (Power Purchase Agreements): long-term renewable energy purchase contracts, more substantive than RECs. But a PPA signed in Spain does not mean the Virginia datacentre runs on Spanish wind. Electrons do not travel that way.
The Northern Virginia electrical grid — where the largest AWS and Microsoft datacentres concentrate — is powered approximately 30-35% by fossil sources according to 2023 EIA (US Energy Information Administration) data.
Pooling genuinely reduces consumption versus individual under-utilised datacentres. But poorly designed serverless architectures — Lambda cold-starting, idle containers, monitoring querying APIs every 30 seconds — consume compute continuously. Nobody measures kWh per request. The green pooling is real at datacentre scale — cancelled by the application inefficiency cloud encourages through its billing model.
'Tis a visor of iron on a face made of clay, / A marketing court for the weak of the day.
The gold of our taxes feeds these giants of old, / Who laugh at our laws, so tiny and cold.
While European governments produce reports on digital sovereignty, public administrations sign cloud contracts with the same hyperscalers they claim to want to reduce.
In France: DINUM selected AWS, Azure and Google in its Cloud au Centre programme for public administrations. Public hospitals migrate to Microsoft Azure. Universities use Google Workspace for Education. Ministries deploy on AWS.
The European Union itself massively uses US hyperscaler services for its own institutions — while funding the GAIA-X programme intended to create a European alternative.
The Finance Washing paradox: public money funds hyperscalers through procurement. These same hyperscalers use part of this money for lobbying on European regulations (GDPR, Data Act, AI Act). European taxpayer money indirectly funds resistance to the regulations that would protect them.
Documented in The CPF Misused: cloud certification spending tripled between 2020 and 2023. Public professional training money massively funds AWS, GCP and Azure certifications. These certifications reinforce dependency by creating a labour market that values proprietary skills above neutral skills. The public training system funds the cognitive capture documented in The Newspeak That Costs Dear.
'Tis a tax that is hidden on the mind's own light, / A levy on negligence in the dead of the night.
The three layers neutralise the three internal resistances: Sovereignty Washing reassures legal · Green Washing reassures sustainability · Finance Washing reassures CFO (OpEx vs CapEx). The engineer who says let us calculate the real TCO stands alone against three arguments and three directorates. Cloud-Washing is not an isolated lie — it is an architecture of conviction.
The poem MU'ALLAQA IV was written before this study. It named the three layers with the precision of direct observation. Al-Mutanabbi denounced the powerful at their own court. The Operation Dindon corpus does the same — in verse and comparative tables.
Sovereignty Washing: Data residency as false friend · Compliance shifting responsibility · Global infrastructure masking extraterritoriality. Documented in The Newspeak That Costs Dear.
Green Washing: RECs not equal physical green energy · kWh/request unmeasured · Sustainability team ticking the box. Documented in The Newspeak blind spots (Section 7 GreenOps).
Finance Washing: training funds proprietary certifications · public money cognitive capture. Documented in The CPF Misused.
The term Cloud-Washing unifies these three mechanisms under a common label and says they are not three independent problems — they are three layers of the same conviction system designed to validate migration through three different directorates with three different arguments. The engineer who would say no must now convince all three simultaneously.
The Bare-Metal laughs at your labels of card,
For the Iron lies not, 'tis our staff and our guard.
Amine RAITI · MU'ALLAQA IV · 2026
Free Tier is an entry sample. Not a commercial offer — a sample. The food retail, video game, and pharmaceutical industries all discovered the same principle: offer the first experience free to create the need, then monetise the impossibility of going without. AWS applied this mechanic to digital infrastructure with surgical precision. This study draws the structural parallel — without a single hard word — and leaves the reader to draw the conclusion.
Food retail: supermarket samples. Cheese cut in small cubes. Sausage on a cocktail stick. Free. No commitment. Just to taste. The food industry discovered in the 20th century that physical product experience converts better than any advertising. Once you have tasted, the need exists. It did not exist before.
Video game industry: the free-to-play model. The game is free. Progression is free. Until the game is designed to create a frustration only a purchase resolves. Loot boxes, slowly recharging "energy," levels blocked before a paywall — same principle: free sample, paid friction. The European Union began regulating these practices in 2022.
Pharmaceutical industry: sample medicines distributed to doctors. Free for the patient in the first months. When the prescription follows, the molecule is patented and the generic does not yet exist. The medical need is real — but it was created by free initial access.
AWS · GCP · Azure: Free Tier. Startup Credit. AWS Educate. Free Ingress. Same principle. Same mechanic. Same economic structure. The only difference: the product is not food, entertainment, or medical. It is digital infrastructure. But the sequence is identical: free sample → creation of need → functional dependency → monetisation of the impossibility of exit.
These industries were all regulated when the public understood the mechanic. Food retail has rules on misleading promotions. Video gaming faces regulatory pressure on loot boxes. The pharmaceutical industry is under surveillance on sample conflicts of interest. The cloud industry has not yet been regulated on this specific dimension. The ultimatum of 8 September 2026 is a first step in that direction.
The table below uses strictly neutral terminology — drawn from economics, marketing, and behavioural psychology. Not a single term is borrowed from a pejorative register. The conclusion belongs to the reader.
1. Free entry sample — first contact with no financial friction. 2. Functional dependency — the product integrates into habits, workflows, architectures. 3. Tipping threshold — the free stops, billing begins, exit has become costly. 4. Exit friction — the captive ecosystem makes return to independence long, costly, and risky.
Bare-Metal has no Free Tier. No Startup Credit. No free Ingress. It costs from day one — electricity, rack, maintenance, competent staff. This absence of a sample is often cited as a disadvantage: "cloud is easier to start." Correct. And that is precisely why Bare-Metal creates no functional dependency. A product that costs from day one has no need to make you dependent — you have already made your decision in full knowledge of cost. It has nothing to offer you for free. It does not need to push you through a tipping threshold. It has no exit friction because there is no exit — you own the hardware.
Not all industries adopted the sample mechanic. The craftsman invoices from the first cut of the chisel. The architect charges fees from the first sketch. The independent consultant sends an invoice from the first call. These professionals have no Free Tier because they do not need one — their value is visible without a free sample.
The sovereign managed service provider who offers services to a client is in the same position: it invoices from day one. It cannot offer 12 free months because it does not have Amazon's financial reserves. But this constraint is also its freedom: it does not need to create dependency to retain clients. It retains them because it serves them well.
The corpus documented all the technical and financial barriers to exit. It had not yet documented the most powerful lock — the one that operates at the exact level where decisions are made.
The Sunk Cost Fallacy (Thaler 1980, Kahneman 2011) is one of the most robust and universal cognitive biases: the tendency to continue a commitment not because it is rational to continue, but because one has already invested non-recoverable resources. Spectators watch a bad film to the end because they paid for the ticket. States continue lost wars because they have already invested soldiers. CIOs continue paying egress fees because they have already invested five years of their career in the cloud migration.
This bias is particularly powerful when past investment is public and documented. And cloud migrations are public — they are the subject of LinkedIn posts, conferences, use cases published on the vendor's website, internal testimonials. The CIO who evangelised cloud for five years has not only invested time and money. They have invested their professional reputation.
The CIO concerned has typically: published LinkedIn posts on the successful migration · presented the use case at conference · received a promotion or internal recognition linked to the digital transformation · convinced their CEO and board that cloud was the right decision · trained their teams on AWS/GCP certifications.
Five years later, they read the Dindon corpus. The figures are correct. The 7.5x bare-metal vs cloud ratio is verifiable. Terms §14.12 are in their contracts. They understand. And they cannot retreat — not because they cannot calculate the TCO, but because retreating means publicly admitting that five years of LinkedIn posts were a mistake. The fear of losing face before their CEO and peers is stronger than economic rationality. This is sunk cost operating at its maximum.
Migration toward bare-metal is not an admission of error — it is a strategy evolution. The context has changed (CLOUD Act clarified, egress fees documented, TSMC geopolitical risk identified). The 2019 decision was correct with 2019 information. The 2026 decision is different because the information is different. This is good management — not capitulation.
This narrative is not communication — it is the truth. The Dindon corpus documents mechanisms that were not as clearly articulated in 2019. The CIO who revises their position in 2026 in light of the corpus is no more wrong than the engineer who revises their calculations when better data is available.
This is the fundamental difference between cloud and all other sample industries — and what makes cloud captivity structurally deeper.
In all industries documented in Section 1, the sample creates functional dependency — but does not modify the consumer's structure. A cheese sample creates a desire for cheese. It does not transform your digestive system to be able only to ingest that precise cheese. A sample medicine creates a treatment need. It does not reconfigure your biology to make your body incompatible with other molecules.
The cloud sample does something fundamentally different: it modifies the very structure of the product you build. When a developer builds on AWS Free Tier with Lambda + DynamoDB + API Gateway + SQS + Cognito + CloudFront, they are not building an application that runs on AWS. They are building an application that can only run on AWS. The architecture becomes biologically incompatible with any other environment.
Each nested managed service is an additional atom of captivity. Lambda triggering SQS triggering another Lambda writing to DynamoDB with a Global Secondary Index read by an API Gateway with a Cognito authorizer — each link in this chain is a service that does not exist outside AWS in this exact form. The entire chain is proprietary. Migrating this system to bare-metal or another vendor is not a migration — it is a total rewrite.
Cloud-Washing (MU'ALLAQA IV) presents this complexity as modernity. The terms "serverless," "event-driven," "fully managed," "cloud-native" are modernity labels applied to what is in reality artificial complexity — an architecture designed not to solve a technical problem but to make exit impossible.
"Can this component run outside AWS without a rewrite?"
If the answer is no — it is artificial complexity, not modernity. The question does not condemn using the service. It requires a conscious decision: I choose this service knowing it ties me to AWS. That is a sovereign decision. What Free Tier prevents is this decision being made consciously — because free-ness anaesthetises judgment on real costs, including the cost of architectural captivity.
The developer who asks this question before each managed service does what The Maths Teacher's Bag teaches the student: see the physical reality behind the abstract symbol. The managed service is the symbol. Architectural captivity is the physical reality.
Bare-Metal is expensive from day one.
That is its main advantage.
It has nothing to offer you for free.
It does not need to make you dependent.
It belongs to you.
Amine RAITI · Operation Dindon · 2026
Before the Terms. Before the newspeak. Before the boardroom. There is the Free Tier. This study documents seven mechanisms of the Free Tier Bait: student capture, the invisible threshold and brutal invoice, Free Tier in public procurement, the startup credit as financial anaesthesia, the data gravity trap, the State's budgetary abandonment, and the complete causal chain. Nothing is free. Entry is free because it creates dependency. Exit is charged because it reveals its cost.
The student falls asleep on his code, light and thin, / But Azure in secret is counting the sin.
AWS Educate gives students and teachers access to cloud credits and training. Google for Education provides Google Workspace free to millions of institutions. Microsoft Azure for Students offers $100 in credits with no credit card required. These programmes reach tens of millions of students worldwide — including future infrastructure architects, future CIOs, future technical decision-makers.
This is not philanthropy. It is customer acquisition at the lowest possible marginal cost. A student who learns to code on AWS learns AWS APIs, AWS conventions, AWS services. Their reflexes, code snippets, portfolio projects, certifications — all AWS. When they join a company five years later and recommend a tech stack, they recommend what they know. What they know is what was given to them for free.
The study Sir, What Is This Good For documented that school creates a rupture between symbol and matter. Free Tier adds another layer: it gives access to cloud abstractions without the student ever having configured a physical server, opened a network cabinet, or manipulated a real filesystem. The developer trained on Free Tier knows how to deploy a Lambda function. They do not know what runs underneath. They have never needed to — Free Tier removed that necessity.
'Tis a usury vile on the knowledge of old, / A tax on the dream, so icy and cold.
One day the bill falls, brutal and bare, / For the threshold is crossed and the trap's in the snare.
AWS Free Tier: 750h EC2 t2.micro/month for 12 months · 5 GB S3 · 1 million Lambda requests/month · 25 GB DynamoDB. Documented — but no real-time alert in the developer's workflow. No red banner in the AWS console when approaching the threshold.
GCP Free Tier: 1 e2-micro instance/month · 5 GB Cloud Storage · 2 million Cloud Functions requests. Same principle: limits invisible in the workflow.
Azure Free Tier: 750h B1S virtual machines for 12 months · 5 GB Blob Storage · 1 million Functions requests.
The project grows. Users arrive. Traffic rises. The developer codes — not monitoring their invoice. Then: first invoice. Brutal. At that point, migrating costs more than paying. Code is in DynamoDB. Infrastructure is in CloudFormation. Developers know AWS — nothing else.
Free Tier is designed so the threshold is crossed exactly when attachment is maximal and exit is hardest. Not a design accident. The design.
Amazon watches and calculates gain, / While we build our world on their own cold terrain.
A local authority IT department wants to modernise a public service. Budget constrained. A contractor proposes: "let's test on cloud — it's free to start." Project begins on AWS or Google Free Tier. Six months later: threshold exceeded. The authority is a paying customer of a US hyperscaler for a public service funded by local tax. No procurement process — the project started free and did not reach public contract thresholds. The contractor is gone. Internal migration skills do not exist.
Public Free Tier is the junction of two mechanisms documented separately. On one side, Finance Washing (MU'ALLAQA IV): public money funds hyperscalers through procurement. On the other, the Free Tier Bait: project starts free, threshold crossed when attachment is maximal. In the private sector, the decision-maker commits their company. In public, they commit taxpayer money — often without formal procedures. The taxpayer pays twice: once for the public service, once for an exit they cannot fund.
Woe to the finance that sows just to reap, / The blood of the innocent while they're asleep.
The free-tier shines bright to make us all slaves, / Of these Hyperscalers and their digital graves.
Beyond the consumer Free Tier, hyperscalers distribute massive cloud credit packages to early-stage startups: AWS Activate up to $100,000 · Google for Startups up to $200,000 · Microsoft for Startups up to $150,000. These credits are distributed through accelerators, incubators, and partner venture capital funds.
This is not Free Tier. It is disguised venture capital. The effect is radically different: a startup with $100,000 in cloud credits does not build frugally — it builds like a CAC40 firm. Microservices, proprietary PaaS (managed Kubernetes, database-as-a-service, managed AI), complex distributed architectures. Since it pays nothing, it does not optimise. It accumulates cloud technical debt without knowing it.
When credits run out — generally between 12 and 18 months — the startup discovers its true infrastructure cost. The "TCO crisis" is the moment when the real cost structure imposes itself brutally: an architecture built for free capital cannot be paid for with the real revenues of a growth-stage startup. Two outcomes: raise additional funds to pay infrastructure (entering additional financial dependency on VCs) or migrate under emergency conditions — taking months and risking breaking everything.
VC funds push to consume credits rapidly to accelerate "Time to Market." They have signed partnerships with hyperscalers — each startup in their portfolio consuming credits is a new acquisition for AWS. The VC, the startup, and the hyperscaler form a triangle whose first two fund the third without knowing it.
We master no more, we but suffer the rate, / Of a cruel, dark system that seals our own fate.
Hyperscalers offer data transfer into their cloud (Ingress) completely free — permanently, not limited to 12 months. Sending 100 TB into AWS S3: free. Sending 1 PB into GCP Cloud Storage: free. This is an endless Free Tier on data ingress.
The illusion of free works. The organisation migrates its data without financial friction. The decision seems rational — no immediate cost, no visible risk. The data enters. The data accumulates. Metadata is created. Indexes are built. Applications connect. Dependency installs itself silently.
When the organisation wants to exit or repatriate data to its physical hardware, pricing reverses brutally:
AWS: $0.09/GB for the first 10 TB outbound per month (to internet) · regional rates vary · free to other AWS services (creating additional inter-service dependency).
GCP: $0.08/GB for internet egress · free internally.
Azure: $0.087/GB for first 10 TB outbound.
On 100 TB of data: $8,000 to $9,000 in egress fees. On 1 PB: $80,000 to $90,000. This is not a service fee — it is an exit ransom. It was documented in Terms Under the Microscope as a contractual retention mechanism. It is also a reverse Free Tier: free entry funds the paid exit.
Entry is free because it creates dependency. Exit is charged because it reveals its cost. The data gravity trap is the most durable Free Tier — it does not last 12 months, it lasts as long as the data remains in the cloud.
Woe to the limit that we never see near, / Which makes of the free but a memory of fear.
A computing teacher in a public university wants students to handle real workloads — servers, networks, databases, deployments. Two options.
Option A: use free consoles provided by AWS, Google or Microsoft. Students handle modern, real tools in functional environments. The course is credible. Students learn — vendor APIs, but they learn something.
Option B: not use proprietary consoles. In this case, students handle no modern tools. The university has no budget for lab servers, no room dedicated to physical experimentation, no cluster available for student projects.
The teacher does not choose between AWS and a sovereign alternative. They choose between AWS and nothing. Not negligence — institutional budget constraint.
AWS Educate does not exist out of philanthropy. It exists because Amazon identified that universities had no server budget — and that this void was an opportunity to acquire future captive clients. The State progressively eliminated physical pedagogical infrastructure budgets. Computer lab rooms with real servers disappeared. Computing clusters for student projects are rare. The void exists. Hyperscalers filled it with Free Tier.
Not a coincidence. A strategy. The solution documented in The Maths Teacher's Bag (satellite dish, screws, marble in the parabolic dish) applies here too: not a programme reform, but a physical server in every university. Not an AWS console — a server the student can touch, configure, and break without additional billing.
Student Free Tier · Invisible threshold · Public procurement · Startup credit · Data gravity trap · Budgetary abandonment · Causal chain — seven mechanisms, one logic: make cloud free or nearly free when dependency installs, and expensive or very expensive when exit is considered. Free Tier is not a commercial offer. It is an architecture of capture.
Free Tier never truly ends. It evolves. It grows. It changes form. The student Free Tier becomes the Startup Credit. The Startup Credit becomes free Ingress. Free Ingress becomes paid Egress. Initial free becomes permanent dependency.
Meanwhile, the State has no budget for a server in every university. The teacher opens the AWS console for lack of anything better. The student learns vendor APIs. The startup builds on free capital. The local authority signs without procurement. And five years later, the CIO signs Terms §14.12.
The chain is complete. It began with a click on "Start your free trial."
The Bare-Metal costs, but it never betrays,
For it waits not the hour of your wandering ways.
Amine RAITI · MU'ALLAQA IX · 2026
A GCP n2-highmem-32 instance (32 vCPU, 256 GB RAM) costs approximately €3,000 per month on-demand. The SRE who manages it earns approximately €2,800 per month net. The machine earns more than the engineer. The organisation spends more renting a machine it will never own than paying the human who keeps it running 24/7. And when budgets are tight, guess which one goes first.
The board looks at the "cloud infrastructure" line and sees modernity, flexibility, clean OpEx. It does not see €180,000 over 5 years for a machine it will never own. If the CFO saw the same figure next to "apartment rent", they would immediately ask whether it is possible to buy.
The €3,000/month GCP VM does not include egress fees when you try to retrieve your data, inter-service network fees, snapshot fees, load balancer fees, monitoring fees, Premium support fees if you want to talk to a human. The real ratio between the all-in GCP VM and bare-metal is often 10× to 15×. And in 5 years, if GCP decides to raise prices "at any time" (Terms of Service Section 2.6), the meter goes up again. You have nothing to renegotiate — because you own nothing.
In the organisation's accounting, the €3,000/month VM appears as an "infrastructure cost" — modern, justifiable, in the right Excel spreadsheet under the right budget line. The €2,800/month net SRE (approximately €4,200 gross with employer contributions) appears as a "personnel charge" — compressible, substitutable, and first in line during the next cost optimisation programme.
What the VM does: it runs. It consumes. It sends a bill on the 1st of the month. It does not take holidays. It does not ask for a raise. It does not get sick. It does not resolve incidents.
What the VM does not do: it does not configure itself. It does not detect the anomaly at 3am before it becomes an incident. It does not understand why the payment service has been slow for 20 minutes. It does not write the post-mortem. It does not train the junior. It does not read the Terms of Service before signing. It does not tell the CIO that the architecture is drifting toward irreversible lock-in.
What the SRE does: everything the VM cannot do — plus the VM itself.
Quarter 3. Management decides to optimise costs. Two lines are on the table:
Line A: "Cloud Infrastructure — 47 GCP instances — €142,000/month." → The CIO says: "We cannot touch that, it is our entire infrastructure."
Line B: "SRE Team — 4 people — €16,800/month gross with contributions." → The CHRO says: "We could reduce to 3 people and outsource the rest."
The €3,000/month VM is untouchable. The €2,800/month net SRE is optimisable. The machine is protected by its complexity. The human is exposed by their visibility.
The organisation rents a machine for €3,000/month that it will never own, under California jurisdiction, with non-cancellable commits. It pays the human who keeps it running €200 less per month. And when it comes time to choose between the two, it keeps the machine.
This is creative accounting. The machine is in the infrastructure budget — protected. The human is in the HR budget — exposed. Even though removing the human will cost ten times more in unresolved incidents, in training their replacement, and in accumulated technical debt.
A normal asset depreciates over time. A car bought for €20,000 is worth €8,000 five years later. A server bought for €15,000 is worth €3,000 five years later. Value decreases — that is the nature of physical assets. The hyperscaler VM has no residual value because it is not an asset — it is a service. And a service does not depreciate. It appreciates — because the vendor can revise prices "at any time".
Imagine a landlord who says: "I am renting you this flat for €3,000/month. You will never be able to buy it. I can revise the rent whenever I wish, with no guaranteed notice period. If you want to move out, you pay transfer fees for every piece of furniture you take. The contract is subject to California law. And if the US justice system wants to visit without telling you — the law sometimes prevents me from informing you, but not always."
No CFO in the world would accept these conditions for a flat. Every CFO in the world accepts them for cloud infrastructure. Because it is called "OpEx" and "flexibility" instead of what it actually is: an eternal rent with unfavourable contractual conditions.
A Dell PowerEdge R750 Refurbished Grade A — same specs, 3 years younger, tested and certified — costs €4,000 to €6,000. Depreciated over 3 years: €140 to €170/month. With opex (power, network, colocation): approximately €270/month. Over 3 years: €9,720.
The GCP VM over the same period: €108,000.
Ratio: 11×. For that price, you could hire a full-time senior SRE to manage your Refurbished infrastructure — and you would still have €87,000 of annual budget left for something else.
Cloud pulled off a remarkable accounting sleight of hand: it transformed a CapEx expense (server purchase) into an OpEx expense (monthly subscription). Finance directors love OpEx — it smooths spending, simplifies accounting, avoids balance sheet capitalisation. What finance directors did not see is that cloud is the most expensive OpEx in the history of computing.
A server purchased as CapEx appears on the balance sheet as an asset, then depreciates — reducing the tax base each year. A VM as OpEx is simply an expense — with no asset counterpart, no depreciation, no residual value. It is the OpEx that enriches the vendor and impoverishes the client, without the client ever accumulating anything.
When an organisation compares "cloud vs on-premise", it often compares the visible cost of cloud (the monthly bill) to the total cost of on-premise (purchase + staff + maintenance + datacentre). It forgets that cloud also has a staff cost — AWS-certified DevOps cost more than classic system administrators. It forgets egress fees, Premium support, migration consulting fees. And it always compares an already-operational cloud to a hypothetical on-premise yet to be built — never to an already-built on-premise.
"If I took the €3,000/month I pay for this GCP VM and invested it in a bare-metal server, what would happen?"
Months 1 to 5: buy the server (€15,000 — 5 instalments of €3,000). Same monthly budget.
Month 6: the server is paid off. Monthly cost drops to €150. Monthly saving: €2,850.
Over 5 years: total saving of €156,000. With this money, you can recruit an additional senior SRE, buy two Refurbished backup servers, fund three years of training for your team, and still have enough left for the coffee machine.
For €3,000/month at GCP: an n2-highmem-32 VM. You do not own it. It runs under California jurisdiction. When you want to leave, you pay egress fees. In 5 years you will have spent €180,000 and you will have nothing.
For €3,000/month for 5 months + €150/month thereafter: a Dell PowerEdge R750 bare-metal server you own, under your jurisdiction, in your colocation or with your sovereign managed service provider. After 5 months, your monthly cost drops to €150. In 5 years you will have spent €24,000 and you have an asset.
For €5,000/month (VM + €2,000 extra): the Refurbished Grade A server + a full-time senior SRE who manages it, documents it, trains your team and sleeps better at night. In 5 years you have sovereign infrastructure, a competent team, and an SRE who knows your infrastructure from the inside.
If Refurbished Grade A logic were applied to hiring: recruit an SRE with 10 years of experience (Refurbished — has already resolved hundreds of production incidents) rather than an AWS-certified junior (new, brilliant but without lived experience). The senior SRE costs €3,500 net instead of €2,800. Delta: €700/month.
What the senior SRE brings extra: they prevent on average 2 to 3 incidents per year that would each have cost 4 to 8 hours of downtime × business impact. They optimise the infrastructure to reduce costs. They document what they do. They train juniors. They sleep better at night — and so do you.
ROI of the €700/month delta: incalculable. But certainly positive.
The €3,000 VM does not resolve the 3am incident.
The €2,800 net SRE does.
And yet it is the VM that is in the protected budget.
The next time your CIO says "we cannot touch the cloud infrastructure",
ask them how much the SRE who prevents it from going down costs.
Then watch them calculate.
Scene: meeting room. Tuesday 2pm. Infrastructure roadmap presentation. The CIO has slides. The figures have been rounded.
"Our cloud journey has enabled unprecedented agility through a highly available cloud-native multi-AZ architecture."
We migrated to AWS 3 years ago, we pay €142,000/month, the code speaks DynamoDB, and the multi-AZ failover test has not been done in 14 months.
"We have optimised our OpEx through a targeted Reserved Instances strategy on our critical workloads."
We signed noncancellable 3-year commits. If we want to leave, we still pay. We call it "optimisation" because it is 20% cheaper than on-demand — but still 7.5× more expensive than bare-metal.
"Our multi-region BCP guarantees enterprise-grade resilience with a documented 15-minute RTO."
The BCP is documented. It has not been production-tested in 8 months. The secondary region Terraform has diverged. The secondary load balancer SSL certificate expires in 3 weeks. Estimated real RTO: 4 hours.
"We have a team of 4 highly skilled SREs ensuring the availability of our serverless infrastructure."
4 SREs at €2,800 net/month manage infrastructure costing €142,000/month. The machines cost more than the team that keeps them running. And in the Q3 optimisation plan, it is the team that is "optimisable".
"Our strategic partnership with AWS ideally positions us to accelerate our digital transformation."
We signed an Enterprise Agreement. An "AWS Account Manager" calls us every month to propose new services. We call it a partnership. AWS calls it a captive client. The Terms of Service call it Section 14.12 — California jurisdiction.
The CFO listened. They nodded. They did not do the calculation.
The Opération Dindon corpus did it for them.
This document advances a thesis that is simple and, on the surface, provocative: the best SRE is often the one who appears to do nothing, because their infrastructure works for them rather than the other way around. This is not a celebration of laziness. It is a thesis about metrics: an SRE's value is not measured in visibly busy hours, but in the real availability of the service they built. The reader is invited to judge this thesis on its internal coherence, not on the reaction it might trigger at first glance.
Like the rest of this corpus, this document systematically distinguishes structural cause from visible symptom, and relies on concepts documented in professional SRE literature rather than personal anecdote. The humour used in Section 3 takes nothing away from the rigour of the argument: it serves to name a real and widely shared practice rather than to hide it behind sanitised managerial vocabulary.
A sysadmin who appears constantly busy, who fights incidents on repeat, who responds to alerts at all hours, gives an impression of dedication and high workload. This impression is misleading. A well-designed system does not produce serial incidents: it anticipates failures before they become visible. Visible activity is therefore not proof of good work. Most often, it is the symptom of an earlier failure to anticipate.
This point requires precision so as not to hurt anyone: no professional is, alone and in the moment, responsible for all the technical debt they fight against. The SRE who spends their days firefighting often inherits infrastructure built before them, under deadline pressure, without sufficient engineering budget. The observation is therefore never a criticism of the person in post. It is a structural observation: when visible activity is constant, something upstream — architecture, budget, prioritisation — did not receive the attention it needed at the right time.
Site Reliability Engineering, as documented by the teams who formalised the discipline at Google, names this phenomenon precisely under the term "toil": manual, repetitive operational work that grows proportionally with system scale and produces no durable value once executed. The SRE discipline sets an explicit limit on this work — it must not exceed a reasonable share of total time, the rest being devoted to engineering that reduces this repetitive work in the future.
This thesis does not say that fighting incidents is a sign of personal incompetence. It says that a system producing continuous incidents signals a structural underinvestment in prevention, and that measuring an SRE's value by their visible level of busyness accidentally rewards the symptom rather than the cause.
It is midnight on a Black Friday. A company's e-commerce traffic has multiplied eightfold within hours. In the virtual war room, part of the technical team cycles through manual restarts, watches dashboards blinking red, and negotiates live with the cloud provider's support to secure more capacity. The SRE responsible for the payment infrastructure is not in that room. They are asleep.
They are not asleep out of negligence. They are asleep because the previous six months were dedicated to exactly this moment: load tests simulating ten times normal traffic, automated failover drills repeated in pre-production, an auto-scaling policy validated against real scenarios rather than theoretical assumptions. The Black Friday spike is not an unforeseen event for their system — it is a scenario already rehearsed several times, under conditions harsher than reality.
The SRE's silence during the event is not the absence of work. It is the visible conclusion of invisible work completed months earlier — capacity planning, chaos engineering, automated failover. The difference between the panicking team and the sleeping SRE is not a difference in individual competence in the moment. It is a difference in when the effort was invested: before the incident rather than during it.
This scenario, deliberately composed to illustrate the principle rather than to recount one specific real case, reflects a documented and widely taught practice in reliability engineering: regular failure drills, conducted upstream and outside periods of criticality, replace improvised crisis management with already-rehearsed execution. Silence in production is not a mystery. It is the measurable result of work correctly sequenced over time.
Let's say out loud what many have practised quietly since remote work became the norm. The video call where one wears a shirt, sometimes a tie, above the belt, and simple underwear or shorts below the camera frame, has become a universal scene of remote work — funny because it is true, and true for a reason that goes beyond mere convenience.
This scene is not a lapse in professional discipline. It is the expression of a real need: body and mind need moments of detachment to remain performant over time. One does not resolve a complex incident or write reliable code under continuous mental pressure. Micro-recovery — a short nap, a screen-free break, a moment of disconnection — is not time stolen from the employer. It is the physiological condition for the useful work time that follows.
Sleep and cognition science have documented this mechanism for decades: a short nap improves alertness, working memory and problem-solving ability in the hours that follow, unlike forced sustained attention, which progressively degrades the quality of judgment. An SRE who takes twenty minutes of sleep in the afternoon, or a clean break between two tasks, does not work less over the day. They avoid the degraded mode of operation that produces configuration errors, rushed on-call decisions, and ultimately new incidents.
This section does not argue for an absence of availability. An SRE remains responsible for responding to a genuine incident, both during working hours and on call. What is defended here is the recognition that, between two real activity peaks, mental detachment — in whatever form it takes — is not a failing, but a performance condition documented by the scientific literature on cognition.
The activity report, in its most common form, asks people to justify time spent rather than results produced. This is, first and foremost, a metric error. Labour sociology documents this phenomenon under the name presenteeism: valuing visibly occupied time over actually produced results, which pushes individuals to favour the appearance of activity over effectiveness.
For an SRE whose infrastructure runs incident-free for an entire week, filling in a classic timesheet becomes a contradictory exercise: either they invent activity to justify their 35 hours, or they honestly document that everything worked without them, which in a culture of visible time can be read as a negative signal rather than as proof of successful upstream engineering work.
This first imbalance, once embedded in a team's culture, does not remain a mere administrative curiosity. It produces a second, deeper effect: a competitive climate around appearing busy. If the recognised metric rewards visible activity, team members are structurally incentivised to display themselves as more loaded than their neighbour, rather than to cooperate so that the shared infrastructure has as few incidents as possible.
This competitive climate becomes a problem in its own right, independent of the metric that produced it. Once "appearing busy" becomes an individual visibility strategy, cooperation — sharing an automation that would reduce everyone's workload, documenting a solution so no one has to rediscover it — loses perceived value against simply demonstrating personal activity. The system meant to measure contribution ends up discouraging the most useful contribution of all: the one that makes future work unnecessary.
The timesheet is therefore not merely a symptom of an initial bad metric. Once this climate is established, it becomes a structural problem in its own right, one that keeps producing its effects even if one attempts to fix its wording without changing the culture that gave rise to it.
An SRE does not owe their organisation 35 hours of visible presence per week. They owe the optimal availability of the service they are responsible for. These two obligations rarely overlap in practice, and this document has tried to show why: a well-designed system keeps its guardian silent, while a poorly designed system keeps its guardian visible, busy, and apparently indispensable at every moment — for the wrong reasons.
The absence of incidents signals successful anticipation, not an absence of work. Silence during a load spike is the visible consequence of invisible effort completed months earlier. Cognitive recovery, in whatever form it takes, is a condition for performance rather than stolen time. And the visible-time metric, once established, does not remain a simple measurement error: it becomes a climate that discourages the most useful long-term cooperation.
The practical consequence of this analysis is not the abandonment of all SRE performance measurement. It is a shift in criteria: measuring the service's actual availability, the reduction of repetitive work over time, and the quality of anticipation — rather than the volume of visibly occupied hours. An SRE who appears to do nothing because their infrastructure works for them is not an employee falling short. They are the most tangible proof that their earlier work was done correctly.
This study proposes a structured nomenclature for digital infrastructure roles in three categories — SysOps, NetOps, OpInfra — and six hierarchical levels. It directly responds to "The Infrational Crisis" by placing precise words on realities that DevOps vocabulary has progressively erased. The founding rule: never go beyond this naming, at the risk of losing meaning and producing the dissolution the corpus has documented.
A roles nomenclature is not a bureaucratic exercise. It is a political act — in the etymological sense: an act that concerns the city, the community, the organisation of professional life together. Naming infrastructure roles correctly is laying the conditions for their recognition, remuneration, protection and transmission.
"The Infrational Crisis" documented how word inflation — DevOps, Infrastructure as Code, XxxOps — emptied roles of their substance. "The Infrational Loop" documented how this title dissolution produces salary compression that pushes seniors out. "The State and the Invisible Body" documented how the absence of a recognised nomenclature deprives the infrastructure body of any institutional protection. These three pathologies share a common cause: nobody placed precise words on precise realities, and left the market to name at its convenience.
The RNCP already partially recognises infrastructure roles. RNCP37682 (Systems and Networks Senior Technician, level 5) and RNCP35594 (Systems, Networks and Databases Administrator) exist and are registered. The problem is twofold: these certifications systematically fuse systems and networks into a single title — erasing the functional distinction between the two domains — and they do not cover higher levels (engineer, lead, architect) with the same precision. This corpus's proposal completes the RNCP by offering a coherent taxonomy across the full pyramid.
A nomenclature without legal force is a catalogue. It has value only if adopted in collective agreements, public procurement frameworks, CIO job descriptions and training programmes. This study places the words. "The State and the Invisible Body" placed the mechanisms to give them force. Both are necessary.
The nomenclature is organised into three functional categories. They are not silos — they are primary competence domains that define where the engineer's centre of gravity lies. A profile may operate across two categories simultaneously — in small organisations, this is often necessary. But their title remains anchored in their primary category.
Scope: everything touching operating systems, physical and virtual servers, low-level application services, storage, virtualisation, backup and restoration. It is the layer that transforms metal into usable service.
What SysOps is not: SysOps is not application development. A SysOps engineer may write automation scripts — but does not develop business applications. The boundary is the service layer: below it is SysOps. Above it is the developer.
Physical anchor: a SysOps engineer has touched a physical server. They know what RAID, a storage bay, and a hypervisor are. They can diagnose a hardware fault before opening a console.
Scope: everything touching networks — cabling, switching, routing, firewalls, VPN, WiFi, WAN, BGP, MPLS, DNS, DHCP, network monitoring. It is the layer that connects systems to each other and to the outside world.
What NetOps is not: NetOps is not security in the broad sense — SecOps is a distinct specialisation that builds on NetOps but is not a sub-category of it. A NetOps engineer secures the network. They are not the CISO.
Physical anchor: a NetOps engineer has cabled a switch. They can read a rack diagram, trace a backbone cable, diagnose packet loss on copper before blaming software.
Scope: the cross-domain layer that operates infrastructure as a whole — SREs, infrastructure architects, senior operations engineers who master both domains and operate at a level of responsibility over overall system availability.
What OpInfra is not: OpInfra is not DevOps. An OpInfra profile may automate, may write infrastructure code — but their centre of gravity is operational reliability, not feature delivery.
Physical anchor: an OpInfra engineer has documented mastery of the physical layer in at least one domain (SysOps or NetOps) before accessing engineer level.
LEVEL 1 — SUPPORT / PROXIMITY
Support Technician · Field Technician
First user contact. First-level diagnosis. Escalation to level 2. Does not touch server or network configurations in production without supervision. Maps to RNCP37682 block 1 partial.
LEVEL 2 — DOMAIN TECHNICIAN
Systems Technician (SysOps) · Network Technician (NetOps)
Daily operations. Maintaining operational condition. Operates on systems or networks under instructions and procedures. Contributes to documentation. Maps to full RNCP37682 (level 5 — Bac+2 equivalent).
LEVEL 3 — DOMAIN ADMINISTRATOR
Systems Administrator (SysOps) · Network Administrator (NetOps)
Autonomous administration. Configuration design. Responsibility for infrastructure sub-systems. Level 2 incident management. Maps to RNCP35594 (level 6 — Bac+3/4 equivalent).
LEVEL 4 — DOMAIN ENGINEER
Systems Engineer (SysOps) · Network Engineer (NetOps) · SRE Engineer (OpInfra)
Intermediate architecture design. Responsibility for reliability of a defined perimeter. Supervision of lower levels. Writing procedures and runbooks. RNCP level 6 to 7 (Bac+3 to Bac+5 equivalent).
LEVEL 5 — LEAD / PRINCIPAL
Systems Lead · Network Lead · Principal SRE
Senior technical reference. Complex architecture design. Team mentoring. Structural technical decisions. Not necessarily a line manager — technical expertise first.
LEVEL 6 — ARCHITECT
Systems Architect · Network Architect · Infrastructure Architect (OpInfra)
Cross-domain vision. Infrastructure design as a whole. Technical governance. Interlocutor of the CIO and leadership. Responsibility for coherence and medium-term evolution.
The Lead / Principal level is a technical — not managerial — progression path. A Principal SRE who does not wish to manage teams must not be forced to become a manager to access the remuneration level corresponding to their competence. Dissociating technical progression from managerial progression is a condition for retaining the best technical profiles.
The multiple hats rule is the pragmatic response to the reality of small and medium organisations. It does not contradict the nomenclature — it applies it intelligently in contexts where resources do not allow strict domain specialisation.
A profile may exercise several nomenclature functions simultaneously. A Systems Administrator in a small town hall may also manage the local network, provide first-level support, and administer workstations. This is real and legitimate. But their title remains "Systems Administrator" — not "IT Manager", not "Digital Project Coordinator", not "Infrastructure Lead". These vague titles have no content in the nomenclature and open the door to dilution.
Functions exercised outside the primary title are documented in the job description as "complementary functions exercised according to organisational needs" — not as an additional title.
Small town hall (5,000 inhabitants): 1 profile, Systems Administrator (SysOps, level 3). Complementary functions exercised: local network management, user support, workstation administration. Not called "IT Manager" — called Systems Administrator with extended responsibilities.
SME (50 employees): 1 Systems Administrator + 1 Support Technician. The first manages infrastructure and networking. The second manages user support and workstations. Two people, two titles, no confusion.
Mid-size company (500 employees): 1 SRE Engineer (OpInfra) + 2 Systems Administrators + 1 Network Administrator + 2 Support Technicians. Specialisation becomes possible and necessary. Domain boundaries are respected.
Large IT department (5,000+ employees): full pyramid by domain. Leads and Architects emerge. OpInfra transversality is embodied by a dedicated SRE team.
— Calling a profile "DevOps engineer" without documented physical layer competence
— Calling a profile "cloud architect" without having designed network or systems architecture
— Creating composite titles not defined in the nomenclature ("Infrastructure & Cloud Expert", "Ops Lead", "Tech Lead DevSecOps")
— Using a higher-level title to save on recruiting a properly-levelled profile
A nomenclature that says what it names must also say what it does not name. Boundaries are as important as definitions — they protect meaning against progressive dilution.
"DevOps engineer" does not exist in this nomenclature. Not because the DevOps philosophy is rejected — collaboration between development and operations is a real value. But because "DevOps" is not a role: it is a work culture, an approach, a philosophy. One does not name a role after a philosophy. One names a role after what the person concretely does — the systems they administer, the networks they configure, the infrastructure they operate. A "DevOps engineer" who administers Linux servers is a Systems Engineer (SysOps) working in a DevOps culture. The title says what they do. The culture is documented in team practices, not in the title.
SecOps is a specialisation — a Systems or Network Engineer with a security specialisation. They were called "Systems Engineer, security specialisation" or "Network Engineer, security specialisation". FinOps is a cloud financial governance practice — not an infrastructure role. MLOps is a hybrid developer/operations profile oriented toward machine learning — belonging more to the developer category than the infrastructure category. These specialisations exist. They do not justify creating a new category in the infrastructure nomenclature.
"Cloud Engineer" or "Cloud Architect" are marketing titles that describe an execution context (the cloud), not an operational competence. A Systems Engineer who works primarily on AWS is a Systems Engineer — not a "Cloud Engineer". The precision of the competence domain (Linux, Windows, virtualisation, containerisation) and hierarchical level (engineer, lead, architect) says everything needed about the profile. The word "Cloud" in the title says where they work — not what they know how to do.
Any organisation adopting this nomenclature commits to not creating titles beyond those defined. No "Super Senior Cloud DevOps Infrastructure Engineer". No "SRE Platform Tech Lead". The existing words in the nomenclature suffice to describe any real infrastructure profile. If a title cannot be expressed in the nomenclature's words, either the profile is poorly defined, or the title was invented to mask a classification problem.
A nomenclature has value only if adopted. Adoption passes through three distinct vectors that reinforce each other. Each can act independently — together they create critical mass.
Any IT department, digital services firm, local authority or company can adopt this nomenclature tomorrow, without waiting for legislation or collective agreements. It replaces its vague titles with nomenclature titles in its job descriptions, org charts and job postings. This unilateral decision has three immediate effects: it clarifies responsibilities internally, it improves recruitment precision, and it contributes to building the critical mass that will make the nomenclature visible on the market.
The nomenclature can be proposed to digital sector social partners as a basis for revising classification grids. Syntec, which covers the majority of IT services firms, has a classification grid that does not clearly distinguish SysOps / NetOps domains. A revision integrating the nomenclature would produce salary scales by level and domain — mechanically reducing the compression documented in "The Infrational Loop". Simultaneously, the titles can be proposed to France Compétences for RNCP registration — complementing existing certifications, not replacing them.
BTS SIO, DUT Networks & Telecoms and Bac+3/4 infrastructure training programmes can align their career outcome labels with the nomenclature. Instead of promising a "systems and networks technician or DevOps engineer position", training promises a "Systems Technician position (SysOps, level 2)" with a documented path toward "Systems Administrator (level 3) then Systems Engineer (level 4)". Pathway readability is the condition of filière attractiveness — particularly for female audiences documented in "The Invisible Amputation".
Words are the least costly and most structuring acts. Naming a role correctly is giving it back its value. This nomenclature is an act of resistance against dissolution — and an act of construction for those who come after.
Cloud newspeak is not a communication accident. It is a coherent system that has produced measurable effects on infrastructures, teams and budgets. Each term has a precise function in the cognitive capture chain. Each term has left traces in balance sheets, org charts and Terms of Service. This study documents these effects term by term — with the figures that make them incontestable.
The global cloud market represented $230 billion in 2019. It represents $580 billion in 2023. This 152% growth in 4 years is not value creation — it is largely the migration of CapEx spending into OpEx spending, made acceptable by carefully chosen vocabulary.
A €180,000 investment over 5 years goes to the board for approval. A €3,000 monthly expense flies under the radar. It is exactly the same thing financially — but not politically. Cloud transformed investment decisions into recurring subscriptions. The result: organisations spending 10 times more than they would in CapEx, never building an asset, without the figure ever being aggregated and presented as a strategic decision.
In France, the share of large enterprise IT budgets allocated to cloud rose from 18% in 2019 to 41% in 2023. The budget allocated to internal technical teams fell by 22% over the same period. The "OpEx" newspeak made these two trends invisible to each other.
"You only pay for what you consume" is true in the per-second billing sense. It is false in the economic sense: you consume forever, you never build an asset, and the accumulated value of your payments enriches the vendor without ever belonging to you. Over 5 years, "pay-as-you-go" produces €180,000 of spending on a GCP instance — and €0 of asset. The same budget in CapEx produces a server, internal competence, and residual value.
"The platform scales automatically" made the question "who manages capacity?" superfluous. The implicit answer was "nobody — the platform does it". In reality, automatic upward scaling is real. Cost reduction downward is blocked by noncancellable commits. And the platform that scales automatically still needs engineers to configure it, monitor it, and resolve incidents. But those engineers were eliminated because "the platform scales".
"Cloud-native" created a skills hierarchy: those that are "native" (proprietary, recent, vendor-certified) and those that are not (neutral, deep, not certifiable by a hyperscaler). A Linux administrator with 15 years of experience is "not cloud-native". A junior AWS Solutions Architect-certified for 6 months is.
In France, job postings for "Linux system administrator" fell 34% between 2019 and 2023. Postings for "Cloud Engineer AWS/GCP/Azure" rose 187% over the same period. The market applied the newspeak hierarchy. And the average salary of an AWS-certified DevOps is 23% higher than that of an equivalent-experience bare-metal SRE — the proprietary certification is worth more than the neutral skill.
"DevOps" in its cloud version merged two roles by eliminating one. The developer absorbed operations — but not bare-metal operations, cloud operations. The "cloud DevOps" knows how to deploy on EKS, configure a GitHub Actions pipeline, and monitor with CloudWatch. They do not know what is under EKS. They cannot get out alone. The "DevOps" merger did not create more complete engineers — it created more vendor-dependent engineers.
Cloud certification spending tripled between 2020 and 2023 — massively funding proprietary AWS/GCP/Azure certifications. Each AWS certification is an AWS service (documented in the Terms of Service, subject to a separate CPA agreement). It is terminable by AWS. It is not transferable to GCP or a sovereign managed service provider. Cloud "upskilling" is not skill-building — it is public investment in private dependency on an extraterritorial actor.
Fewer internal engineers = more cloud dependency = more cloud budget = justification for reducing internal engineers. The loop is perfect. The "cloud-native" newspeak created a self-sustaining paradox: the organisations that most reduced their internal technical teams are those that most need help to exit cloud — and who no longer have anyone to lead the migration.
"Digital transformation" turned an operational question (how do we improve our systems?) into an identity question (are we a modern company?). A company not "undergoing digital transformation" is backward. This identity pressure short-circuited cost-benefit analyses that should have been conducted.
McKinsey (2022): 70% of "digital transformation" projects fail to meet their objectives. The average cost of a failed digital transformation for a large European company: €45 to €120 million. These failures are not primarily technical — they are framing failures. People answered "are we modern?" rather than "does this work better?"
If resilience is "by design" — built into the architecture — why test it? This logic produced documented but untested BCPs. The AWS us-east-1 incident of December 2021 took down "multi-AZ" services because the control plane was centralised. The "design" and reality had diverged. Nobody saw it because nobody tested — because it was "by design".
Gartner (2023): 35% of organisations that massively migrated to cloud are considering partial repatriation for cost and resilience reasons. This figure was 8% in 2020. "Resilience by design" produced organisations that discover their resilience limits during real incidents — not during tests.
If the "best" is defined within the AWS ecosystem, then the "best" is always AWS. "Best of breed" means choosing the best tool for each need — but when all tools are evaluated within a single vendor's catalogue, "best of breed" becomes "maximum lock-in". The question "is this the best tool among all available tools?" was replaced by "is this the best tool in this catalogue?" The newspeak narrowed the comparison perimeter without anyone noticing.
"Our data is in the global cloud" sounds reassuring — modern, distributed, resilient. "Our data is on servers in Virginia, Ireland and Singapore, under US jurisdiction, subject to the CLOUD Act, with a legally possible non-disclosure order if US authorities require it" sounds different. It is exactly the same thing. The "global infrastructure" newspeak dissociated the physical question (where are the servers?) from the legal question (which law applies?) to reassure on the first by avoiding the second.
"Your data stays in Europe" is true in the physical sense — the bytes are on disks in Ireland or Germany. It is false in the jurisdictional sense — GCP Terms Section 14.12 stipulates that the applicable law is that of the State of California and the competent courts are those of Santa Clara County. "Data residency" created an illusion of physical sovereignty that masks the absence of legal sovereignty. European regulators took years to articulate this distinction — during which sensitive public administrations migrated to cloud "in Europe" believing they were protected.
"AWS is GDPR compliant" means AWS has put in place mechanisms to help its clients be GDPR compliant. It does not mean that using AWS is GDPR compliant — a nuance the "compliance" newspeak erased. Compliance is a property of the complete system (infrastructure + usage + contract + jurisdiction), not of the vendor alone. By designating the vendor as "compliant", the newspeak shifted verification responsibility to the vendor — and removed the client's incentive to verify for themselves.
Three words — "global", "residency", "compliance" — made it acceptable for European states, public administrations and critical companies to host sensitive data with actors subject to the CLOUD Act. Not through malice. Through vocabulary. The newspeak achieved what diplomatic negotiation had failed to do: normalise extraterritorial dependency.
"GreenOps" is the ESG layer of cloud newspeak. It arrived at exactly the right moment — when sustainability teams were looking for arguments for their extra-financial reports and when regulators were starting to demand accountability on digital footprint. Hyperscalers provided both simultaneously: green vocabulary and renewable energy certificates.
Hyperscalers buy massively from the REC market — Renewable Energy Certificates. A REC means that somewhere in the electrical grid, a quantity of energy equivalent to the declared consumption was produced from a renewable source. It does not mean that the servers hosting your data run on green energy. It means the vendor's carbon accounting is balanced on paper.
The AWS us-east-1 datacentre in Virginia consumes several gigawatts. Virginia's electrical grid is approximately 30% powered by coal and natural gas. RECs purchased by AWS do not change this energy mix. They comptably offset real fossil fuel consumption. This is creative carbon accounting — exactly as OpEx is creative financial accounting.
What the sustainability director validated: "By migrating to AWS, we reduce our carbon footprint through resource pooling." What they actually did: relocate energy consumption to US datacentres partially powered by fossil fuels, with virtual carbon offsets purchased on a certificate market.
A poorly designed Serverless architecture (Lambda cold-starting on each request, containers running on standby, monitoring jobs querying APIs every 30 seconds) consumes compute continuously — and therefore energy continuously. This inefficiency is invisible in the cloud console: it appears as a cost line, not as a carbon footprint. The bare-metal architect who dimensions their server once optimises it to last 5 years. A serverless architecture can consume 10 times more CPU cycles for the same workload — and the sustainability team will never know because nobody measures kWh per request.
"Cloud is greener through resource pooling. We reduce our carbon footprint."
We relocate our energy consumption. We buy RECs to balance the carbon accounting. The sustainability team ticked the box. Nobody measures kWh per request.
The fictional boardroom of Section 7 featured the CIO and CFO. It was missing a character: the external consultant whose slide deck preceded all these decisions by 18 months. They are not in the room — but their vocabulary is everywhere in the CIO's presentations.
The mechanism is structural and does not imply individual bad faith:
Step 1: the consulting firm recommends a "cloud-first" strategy based on market analyses (Gartner, IDC) it cites abundantly. It invoices the scoping study: €150,000 to €500,000 depending on organisation size.
Step 2: the hyperscaler certifies the firm as a "top-tier partner" (AWS Premier Partner, Google Cloud Partner, Microsoft Gold Partner). This certification requires a minimum number of cloud certifications in the firm's teams — thus funding the proprietary certifications documented in Section 2.
Step 3: the firm conducts the migration. It invoices integration man-days. Complexity is its ally — the more complex the architecture, the longer the migration, the more man-days accumulate.
Step 4: the migration produces gaps vs estimates. The firm invoices remediation man-days. Then training. Then optimisation (FinOps). The relationship is structurally perpetual.
What the loop produces: the firm has no financial interest in recommending bare-metal or a local managed service provider — there is no "partnership" with these actors, no certification, no complex migration man-days. Advice is structurally oriented toward complexity.
"Our independent study recommends a cloud-first strategy to accelerate your digital transformation."
Our firm is an AWS Premier Partner. We will invoice the migration, remediation, training and optimisation. Complexity is our business model. Bare-metal simplicity generates no man-days.
The VM and SRE study documented the 7.5× ratio between the GCP VM and bare-metal over 5 years. It did not document the tax dimension of this difference — which makes the comparison even more unfavourable to cloud.
A server purchased for €15,000 is entered on the company's balance sheet as a fixed asset. It is depreciated over 3 to 5 years. Each year, a depreciation allowance (€3,000 to €5,000/year) is recorded as an expense — reducing taxable income. At the French corporation tax rate of 25%, this allowance generates a tax saving of €750 to €1,250/year.
Over 5 years, a €15,000 server generates €3,750 to €6,250 in cumulative tax savings. The real net cost of the server is not €15,000 — it is €15,000 minus the tax saving = approximately €8,750 to €11,250.
The €3,000/month GCP VM generates €36,000 of deductible expenses per year — but without creating an asset. Expenses are deductible in both cases. The difference: bare-metal creates an asset that appears in equity, increases the company's book value, can be pledged as loan collateral, can be resold, and can be presented to an investor as a sign of patrimonial solidity.
A company that migrates 100% of its infrastructure to cloud carries out a silent balance sheet destruction: fixed assets disappear, replaced by recurring expenses. In management accounting, this company has become structurally lighter — but also more fragile. It no longer has productive assets of its own. If the vendor raises prices, it has no patrimonial negotiating leverage. If it seeks acquisition, the buyer will find no infrastructure on the balance sheet — only subscription contracts and noncancellable commits.
"Cloud empties the treasury without creating patrimonial value" is not a metaphor. It is an accounting reality.
"Cloud optimises our cost structure by transforming CapEx into flexible OpEx."
We destroy our productive assets on the balance sheet, lose the tax benefits of depreciation, and create a perpetual expense with no residual value. Our balance sheet gets lighter — and our fragility increases.
The VM and SRE study documented that the SRE resolves the 3am incident, not the VM. It did not document what "resolving the incident" actually means when the root cause is in the hyperscaler's internal layers — to which the SRE has no access.
On 7 December 2021, AWS us-east-1 suffered a major incident affecting numerous services — Kinesis, Lambda, API Gateway, AppSync, EventBridge, and others. Thousands of SRE teams worldwide simultaneously received cascading alerts on their own services. The root cause: an anomaly in AWS's internal control plane.
What the SRE could do: look at their dashboards, see everything falling simultaneously, read the AWS status page ("We are investigating"), and wait. They had access to no internal AWS logs, no control plane metrics, no AWS runbook. The black box was closed. The SRE was on the front line of organisational stress — their phone was ringing, their manager was asking for an ETA — but they had zero technical leverage on the root cause.
What this reveals: "Zero-ops" also means zero visibility on incident root causes. The cloud-native SRE is an expert in consequences — they see the effects, they cannot diagnose causes when those causes are inside the vendor's infrastructure.
A bare-metal SRE facing a 3am incident has access to everything: kernel logs, hardware metrics, network traces, system calls. They can go down to the physical level if needed. Their diagnosis can reach "the NVMe disk in slot 3 has had elevated error rates for 48h" or "server 7's network card is dropping packets on the production VLAN".
A cloud-native SRE facing the same incident has access to their own application metrics — and stops at the surface of the vendor's API. They cannot see what happens under Lambda. They cannot diagnose a DynamoDB degradation. They cannot trace a request beyond CloudWatch logs. The lower layer is opaque by design. And this opacity is presented as an advantage ("managed service — you don't have to worry about it") until it falls — and you still don't have to worry about it because you cannot.
Cloud newspeak has produced teams that are more stressed, less sovereign, less capable of diagnosis, and more dependent on a status page they do not control. This is the measurable result of ten words applied over ten years. And the CFO still has not calculated it.
"Digital transformation" creates the identity urgency → "Cloud-native" validates the direction → "OpEx" makes the spend invisible → "Pay-as-you-go" normalises owning nothing → "Upskilling" funds proprietary certifications → "Cloud-native" devalues neutral skills → "Zero-ops" justifies eliminating engineers → "Data residency" reassures on sovereignty → "Compliance" de-responsibilises the client → "Resilience by design" removes the incentive to test → "Strategic partnership" lock-ins the organisation → "HR optimisation" eliminates the last engineers who could exit.
Each term reinforces the next. Exit becomes harder at every step. This is not a conspiracy — it is an ecosystem. And ecosystems do not need conspiracies to be effective.
Opération Dindon documented cognitive capture, the infrational loop, loss of sovereignty, amputation of technical knowledge. This study demonstrates that these phenomena are measurable: −34% Linux jobs, ×3 training spend on proprietary certifications, 70% digital transformation failure, 35% cloud repatriation being considered. Newspeak is not the sole cause — it is the vector. It made possible decisions that would have been impossible if they had been named correctly.
If "digital transformation" had been called "migration toward extraterritorial dependency",
35% of organisations would have done it anyway. Not 100%.
If "cloud-native" had been called "incompatible with anything that is not AWS",
HR teams would have kept their Linux engineers.
If "data residency" had been called "physically in Europe, legally in California",
public administrations would have asked for SecNumCloud first.
Words have a cost. This one is measured in billions.
NoOps is the only marketing term in the history of computing that explicitly announces the elimination of a profession in its name — and was adopted without resistance by the organisations it targeted. Not a technical evolution. A unilateral technical disarmament plan accepted with enthusiasm by its own victim. This study performs the autopsy: the chronology of linguistic liquidation, the asymmetry of transferred operations, the paradox of displaced complexity, the CAPEX/OPEX accounting complicity, the senior purge, the ghost IaC debt, and the SLA asymmetry that tells the truth the marketing hides.
DevOps (2009) — Coexistence: "Collaboration between Dev and Ops." Both professions coexist. The infrastructure engineer is present, visible, named. Their role is recognised. The DevOps movement breaks delivery silos — not competence silos.
Serverless (2014) — Material spoliation: "No more servers to manage." Servers exist — but you no longer touch them. The infrastructure engineer becomes progressively superfluous in the narrative. Their scope shrinks. They remain in the org chart but lose decision-making ground.
NoOps (2016-2018) — Nominal annihilation: "Build, we handle the rest." The profession itself is eliminated from vocabulary. "Linux Administrator" and "Infrastructure Engineer" job postings disappear from recruitment platforms. Replaced by "DevOps Engineer", "Cloud Engineer", "Cloud Architect" — with fundamentally different required skills: AWS certified, Kubernetes, CI/CD. Not Linux. Not networking. Not storage.
Job titles change → required certifications change → universities adapt programmes to job postings → training firms adapt curricula to certifications → in five years, the "neutral infrastructure" skill pool collapses (−34% Linux positions documented in The Newspeak). The labour market was reconfigured by job titles — which were reconfigured by certifications — which were reconfigured by hyperscalers. The complete causal loop that the Algorithmic HR Sabotage (Anatomy of Digital Perdition) documents as an effect. The semantic erasure of job titles is the cause.
"NoOps" provided managerial vocabulary to dismiss people. "Not agile." "Resistant to change." "Legacy profile." These formulas — never written in dismissal letters, always present in boardrooms — transformed rare competence into professional handicap. When a senior system administrator with 20 years of network experience is pushed out in 2019, they are not replaced. The technical memory leaves with them. The organisation orchestrated the programmed loss of its own technical memory. That is the deep explanation for why companies currently cannot reverse course: the people capable of configuring a network switch, reading a pcap, opening a patch panel no longer exist in the org chart.
Operations do not disappear with NoOps — they migrate. AWS, Google and Microsoft employ tens of thousands of infrastructure engineers. Their datacentres have maintenance teams, network engineers, storage specialists, physical security experts. "NoOps" for the client means "MoreOps" for the cloud vendor. This is a competence capitulation: the company transfers operational expertise for its material survival to a third party it cannot audit, cannot control, and cannot read the runbooks of. It outsourced what it no longer understands.
NoOps sells: "We manage operations on your behalf, you are at peace." The Terms say otherwise. In the event of a major hyperscaler outage — an entire AWS region down for 12 hours, a GCP incident impacting thousands of clients simultaneously — the hyperscaler contract provides:
What the hyperscaler reimburses: cloud consumption credits equivalent to a derisory percentage of the monthly invoice (typically 10-30% for a major interruption). Sometimes a few tens of euros on an invoice of several thousands.
What the client bears 100%: the actual operating loss · contractual penalties toward their own clients · data breach and its GDPR consequences · customer trust loss · commercial failure in extreme cases.
This is the legal tour de force of NoOps: externalise the operational act while retaining the entirety of the vital risk. The company surrendered control — but kept the responsibility for economic death.
NoOps does not externalise operational risk. It externalises operational work while retaining vital risk with the client. Contractually documented in every hyperscaler's Terms. The promise of serenity is marketing. The contract says the opposite.
NoOps promised: less operational complexity. Deploy your code — we handle the rest. The cloud era reality (2018-2026) produces the opposite: an explosion of abstract complexity that neither developers nor retrained former infrastructure engineers fully master.
Service meshes (Istio, Linkerd) for inter-service communication. Hyper-fragmented IAM policies with hundreds of roles, permissions and conditions. Distributed observability (traces, metrics, logs in three different tools). Real-time cost management with alerts nobody monitors. Kubernetes clusters with hundreds of deployments whose origin nobody knows. NoOps did not eliminate the need for Ops — it made Devs responsible for an invisible infrastructure they do not master, without giving them the skills to do so.
Application code is designed to be modified, updated, sometimes discarded. Physical infrastructure follows a lifecycle of maintenance, depreciation and mechanical resilience. NoOps, by making infrastructure seem like an ephemeral script applied with a click, destroyed the notion of Operational Condition Maintenance (MCO).
The result: thousands of cloud resources instantiated by obsolete IaC scripts, abandoned in production because no developer dares delete them for fear of bringing down the application. The Terraform resource instantiating a Load Balancer unused for 18 months? It runs. It bills. It waits. Nobody touches it. The developer who created it has left. The script has no owner. NoOps transformed infrastructure into a graveyard of unaudited scripts — invisible technical debt that nobody accounts for because it looks like code, not infrastructure.
When an outage leaves the hyperscaler-managed environment — network saturation, BGP routing issue, peering incident — nobody in the organisation knows how to diagnose. Mastery of low-level network protocols, packet analysis, machine thermal behaviour: all left with the dismissed seniors. The organisation holds a remote control. It no longer knows what is behind the screen.
NoOps aligned perfectly with the short-term accounting vision of finance teams. Internal infrastructure teams were fixed cost centres — salaries, employer contributions, training, hardware renewal: visible CAPEX on the balance sheet. Managed cloud services were variable consumption costs — OPEX on the income statement, more flexible, more "agile" in financial vocabulary.
The CFO who validated NoOps to convert CAPEX to OPEX thought they were making a rational decision. The trade-off was accountably defensible short-term. Medium-term, it is disastrous: the "savings" on infra team salaries were far exceeded by uncontrolled cloud invoices, unanticipated exit costs, and the absence of Capacity Planning that would have allowed forecasting them.
The decision to eliminate infra teams was not only organisational. It was financially motivated: a senior system administrator costs €60,000 to €90,000 per year. Eliminating three senior positions = saving €200,000 in payroll. HR has the vocabulary: "legacy profile", "not agile", "resistant to change." Finance has the numbers. The board approves.
What nobody accounted for: the value of the human capital destroyed. The memory of architectures. The knowledge of system dependencies. The diagnostic capability for outages outside the managed perimeter. These assets do not appear on the balance sheet — their destruction neither. Until the outage happens.
Between 2024 and 2026, NoOps found its second wind with AI code copilots. "AI writes the YAML and configures Serverless — you no longer need an infra architect." Generative AI is not intrinsically linked to hyperscalers. But Amazon Q generates AWS code by default. GitHub Copilot (Microsoft) generates Azure code in Azure context. Not AI — algorithmic product placement. AI completes the dissolution of the last traces of hardware consciousness in the application engineer: they no longer understand what they deploy, and now they no longer even write it.
If the loss of the name on job postings preceded the loss of expertise in competence audits — then recovering the name is the first act of resistance. Before the rack. Before the migration. Before the tender.
In org charts: "Infrastructure Engineer", "Systems Engineer", "Systems Administrator", "Network Engineer", "Network Administrator" must reappear as distinct titles — not subsets of a generic DevOps role. An infrastructure engineer is not a developer who operates. A developer is not an infrastructure engineer who codes. Two professions with two temporalities and two incompatible risk types.
In budgets: reintroduce a distinct cost line for infrastructure — not buried in a global DevOps budget. What has no budget line has no existence in the boardroom.
In tenders: require neutral and verifiable skills — Linux Foundation Certified, Red Hat, CompTIA Network+ — not only hyperscaler certifications. The AWS Solutions Architect certification does not replace mastery of physical networking.
Every infrastructure component must be able to answer "yes" to the question: "Can it run outside AWS without a rewrite?" If no — deliberate decision, documented, assumed by both parties. Not a default choice because "it was easy to deploy." This rule is the meeting point of the infrastructure engineer and the developer — it does not say "no" to cloud, it says "conscious" of cloud.
NoOps is the only marketing term that announces
the elimination of a profession in its name.
And nobody cried out.
Amine RAITI · Operation Dindon · 2026
The Opération Dindon corpus documented dependence on hyperscalers and semiconductors. It had not addressed the layer below: dependence on unfunded open source. Linux, OpenSSL, curl, bash — global infrastructure runs on software maintained by individuals or small teams, often volunteers or underfunded. The Log4Shell vulnerability in 2021 revealed the scale of this fragility. This study provides the structural analysis.
In 2014, the Heartbleed vulnerability revealed a critical flaw in OpenSSL — the cryptographic library securing the vast majority of HTTPS connections worldwide. Banks, governments, hospitals, e-commerce platforms, hyperscalers — all depended on OpenSSL. The flaw had existed in the code for two years, undetected. At the time of discovery, OpenSSL was maintained by a team of two full-time people, with an annual budget of approximately $2,000 in donations.
Log4j is a Java logging library embedded in millions of applications — from enterprise servers to industrial systems to video game consoles. The Log4Shell vulnerability discovered in December 2021 was rated 10/10 on the CVSS criticality scale. It potentially affected hundreds of millions of systems worldwide. Log4j was maintained by a handful of volunteers, without structured commercial funding. The emergency response to the vulnerability relied on these same volunteers, forced to work without pause for several weeks on a problem whose resolution benefited billion-dollar companies that had contributed nothing to their funding.
The global software industry is built on an inverted pyramid: billions of dollars in market capitalisation rest, at their base, on open source libraries maintained by dozens or hundreds of people without proportional funding. This pyramid is stable as long as no critical vulnerability appears in the lower layers. When one does, it reveals that the base of the pyramid was made of cardboard.
Open source is not free. It is funded by the unpaid or underpaid time of its contributors. The "free to use" model defers the cost of development and maintenance onto individuals who bear this cost out of passion, reputation, or idealism — not out of a viable economic model. This invisibility of cost is the source of the vulnerability.
Every developer or infrastructure engineer uses open source dependencies in their daily work — often without being aware of it. A modern web application can depend on 500 to 1,000 open source libraries, each with its own dependencies, its own maintainers, its own level of funding and maintenance. This dependency chain is largely invisible to the end user — and often to the developer themselves.
A comic strip published by the webcomic XKCD depicts all the world's digital infrastructure as a stack of building blocks, one of which — tiny, at the base — is labelled "a project maintained since 2003 by a person in Nebraska". This image went viral in 2021 during Log4Shell because it accurately describes reality: somewhere in the dependency chain of every critical system, there is a library maintained by someone whose name nobody knows.
The vulnerability of unfunded open source is not only technical — it is human. A maintainer who burns out, changes jobs, falls ill, or decides to stop abandons a library that thousands of projects depend on. This library will no longer be maintained, new vulnerabilities will no longer be fixed, new language versions will no longer be supported. The "maintainer abandonment" risk is documented but rarely integrated into infrastructure risk analyses.
Open source is one of humanity's greatest collective creations. This study does not critique the model — it critiques the funding. A world where companies massively use open source without contributing to its funding is a world that externalises its critical infrastructure onto the goodwill of uncompensated individual maintainers. This is not sustainable.
Hyperscalers built multi-trillion-dollar companies on open source foundations. AWS runs on Linux. GCP depends on dozens of open source libraries. Microsoft's AI runs on Python and its ecosystems. These companies have also, for the most part, created open source contribution programmes. But the disproportion between extracted value and provided contribution remains considerable.
Google maintains Kubernetes, Angular, TensorFlow. Microsoft acquired GitHub and contributes massively to VSCode, TypeScript, .NET open source. Meta maintains React and PyTorch. Amazon contributes to OpenSearch. These contributions are real and significant — they do not cover the full funding debt of the open source ecosystem on which these companies depend.
Hyperscaler contributions concentrate on projects they control or whose visibility serves their image. Critical but low-visibility projects — compression libraries, file format parsers, network protocol implementations — remain maintained by individuals without structured funding. These libraries are used by millions of projects, including those of the hyperscalers themselves. The selection of what is funded is strategic, not altruistic.
"The Silence of the Rooms" documented that women are absent from infrastructure because they are not represented there and nobody decided to change that. The same logic applies to open source funding: invisible libraries are not funded because they are invisible, and they remain invisible because nobody decides to make them visible. Invisibility perpetuates the underfunding that perpetuates invisibility.
Open source funding models exist. None has solved the problem at the necessary scale. Analysing them identifies what works, what fails, and what is missing to build structural funding for critical open source.
Open source foundations collect membership fees from corporate members, employ full-time developers on critical projects, and organise governance. This model works for projects visible and widely-used enough to attract sufficient paying members. It fails for critical but low-visibility projects that cannot build a sufficient member base to self-fund.
Companies like HashiCorp, Elastic or Redis Labs adopted models where the base code is open source and advanced features are proprietary (open core) or the code is available under a restrictive licence for commercial use (dual licensing). These models fund development but create community tensions and compatibility breaks between versions.
Germany created the Sovereign Tech Fund in 2022 — a public fund that directly finances the maintenance of critical open source libraries identified as national digital infrastructure. This model treats open source as public infrastructure — on a par with roads or electrical networks — and funds it accordingly. It is the model most coherent with this study's thesis. It remains marginal at European scale.
None of these models alone is sufficient. The structural solution is probably a combination: public funding for critical infrastructure libraries, mandatory contributions from large user companies proportional to their usage, and strengthened foundations for governance. It is not complicated to design. It is difficult to coordinate.
The SRE cannot solve the open source funding problem alone. But they can reduce their exposure to the risk of unfunded dependence — and contribute, at their level, to the viability of the ecosystem they depend on.
Know the critical libraries your infrastructure depends on, their maintenance level (date of last commit, number of active maintainers, presence of a foundation or sponsor), and their vulnerability history. This audit should be as standard as a security audit — because it is security. A tool like Dependabot or Renovate automates part of this tracking.
The risk that a critical maintainer abandons their library should appear in infrastructure risk analyses, alongside the risk of supplier bankruptcy or OS end-of-support. This risk has a response: internal fork of the library, migration to a better-maintained alternative, or contribution to the maintainer's funding.
Companies that use open source can contribute through code (bug fixes, new features), through funding (donations to maintainers, foundation membership), or through time (engineers dedicated to maintaining critical libraries). These contributions are not philanthropy — they are risk management. A better-funded library is a less risky dependency.
Contributing to open source requires time and skills that not all SREs and companies have. The systemic response — public funding, legal obligations of proportional contribution based on usage — is irreplaceable. Individual levers are complements, not substitutes.
The proposal of this study is to treat critical open source — the libraries on which the world's digital infrastructure depends — as public infrastructure on a par with roads, electrical networks or water systems. This framing is not a metaphor. It is an operational reality: if curl stops being maintained, entire sections of the world's digital infrastructure progressively cease to function. If OpenSSL is not patched, billions of secure connections become vulnerable.
On the model of the German Sovereign Tech Fund, a European open source critical funding fund — endowed with a budget proportional to the size of the European digital economy — finances the maintenance of libraries identified as critical infrastructure. This fund is fed by public contributions and by mandatory contributions from companies whose turnover exceeds a defined threshold and who use these libraries in production.
Companies beyond a certain size should annually declare their critical open source dependencies — in the same way as declaring critical suppliers in business continuity plans. This transparency would identify at-risk libraries (few maintainers, little funding, many users) and prioritise collective funding efforts.
Every public digital services contract should integrate a criterion of contribution to critical open source in its award conditions. A provider who contributes to the funding of the open source libraries they use in their service is a more reliable provider — and their contract should reflect it.
The invisible debt is always repaid. Sometimes in money. Sometimes in Heartbleed. Sometimes in Log4Shell. Better to choose the moment and form of repayment than to have it chosen for you.
This study is the mirror image of "The Blue — What the Diploma Does Not Measure". The Blue is the profile who enters the sector without being recognised. The Last One Who Knows is the profile who leaves it without having been transmitted. Between the two, the same invisibility — that of tacit knowledge that formal systems cannot capture. This study addresses the erosion of the senior SRE, the progressive cognitive desertification that affects them, and what the sector loses when they leave without anyone having seen it coming.
In every infrastructure team there is a profile that everyone knows without ever having formally named. It is the SRE or system administrator aged 45 to 55, with 20 years of seniority in the sector, who knows things no one else knows. They know why that network configuration was built that way in 2009, why that backup script has an exception on server 7, why the client A critical application cannot tolerate anyone touching the network interface between 10pm and 2am.
This knowledge is documented nowhere. It is not in the team wiki, not in the runbooks, not in the incident tickets. It lives in the head of this person, acquired incident by incident, fault by fault, sleepless night by sleepless night over 20 years. It is the most valuable knowledge the team possesses. It is also the most fragile — because it is stored in a single human point of failure.
The infrastructure job market values recent certifications, fashionable technologies, the ability to talk Kubernetes or Terraform in a 45-minute interview. It values poorly — often not at all — 20 years of institutional memory, the diagnostic capacity under pressure built on thousands of real incidents, and the trust network with other seniors capable of solving problems that runbooks do not cover. These competences do not fit in a technology list on a CV. They do not pass ATS filters. They have no associated certification.
The more tacit knowledge the senior accumulates, the less visible they are in the market. At 45, their certification list is often older than that of a recently trained junior. Their salary is higher — which makes them a cost-reduction target during reorganisations. Their knowledge is deep but invisible — which makes their contribution difficult to justify in a dashboard. The sector thus creates a mechanism of progressive expulsion of its most experienced profiles, precisely when their knowledge reaches its maximum maturity.
This study does not claim that all seniors are victims of discrimination or that all companies deliberately expel their experienced profiles. It identifies structural mechanisms that produce this outcome independently of intentions. An HR director seeking to reduce payroll through budget optimisation who targets the highest salaries is not malevolent — they still produce the expulsion of the senior.
The erosion of the senior SRE is not primarily physical. It is cognitive. After 20 years in production, the senior has managed hundreds of incidents on the same systems. They have developed diagnostic patterns of remarkable efficiency — but these patterns are increasingly narrow. They solve very well the problems they have already seen. They solve less well the new problems, because they no longer have time to explore.
Production absorbs everything. On-call covers the nights. Incident tickets fill the days. R&D time is zero or near zero. New technologies arrive — Kubernetes, Rust, eBPF, AI architectures — but the senior cannot practise them. They can read about them, not touch them. They accumulate a growing gap between their theoretical knowledge of new technologies and their operational capability on those same technologies.
The more irreplaceable the senior is on legacy systems, the less the organisation can afford to release them to build skills on new systems. The longer they stay on legacy, the more indispensable they become on legacy and the more obsolete on the modern stack. The organisation thus creates a human technical debt — an expert on critical systems who cannot evolve because their evolution would endanger the continuity of the systems they maintain. This debt accumulates silently until the day the senior leaves — and the organisation simultaneously discovers what it had and what it no longer has.
In "The Blue — What the Diploma Does Not Measure", section 3b documented that the intern brings fresh knowledge that the senior no longer has time to acquire. That observation took the intern's perspective. Seen from the senior's side, the same reality is darker: the senior knows what the intern does not yet know, but they no longer know what the intern already knows. Both need each other. An organisation that separates them — hierarchically, culturally, through recruitment practices — loses both sides of the exchange.
A senior who has not explored new technologies for 5 years is not lazy or resistant to change. They are in a structural situation where exploration time is systematically sacrificed to service continuity. This is not a problem of individual motivation — it is a problem of organisational time allocation. The responsibility belongs to the organisation, not to the individual.
When the Last One Who Knows leaves — retirement, resignation, redundancy, burnout — the organisation does not immediately feel what it has lost. In the first weeks, teams manage. The runbooks exist. Monitoring tools alert. Everything seems to work. The loss reveals itself at the first incident no one else has ever seen before.
It is not the routine incident that reveals the senior's absence. It is the rare incident — the one that happens once every three years, on the legacy system that no one has truly understood since they left. This incident takes 4 hours instead of 12 minutes. Or 48 hours instead of 4. Or it does not resolve at all, and an external consultant is called in at €2,000 an hour to urgently reconstruct what the senior knew from memory.
The standard organisational response to a senior's departure is the "handover" — a few weeks of intensive documentation before leaving. This response is structurally insufficient. Tacit knowledge is not the knowledge the senior knows they have. It is the knowledge they mobilise without knowing it — automatic diagnostic patterns, intuitions about abnormal system behaviour, the memory of the contexts in which a decision was made. This knowledge cannot be documented because it is not conscious. It transfers through shared practice, through apprenticeship, through years of working side by side.
No organisation calculates the true cost of an experienced senior's departure. The cost of replacement is calculated — recruitment, the successor's salary, the training period. What is not calculated is the cost of lengthened incidents, of poorly-made decisions for lack of historical context, of clients lost because a problem was not resolved fast enough, of months spent bringing the successor up to speed on systems they do not yet understand. This invisible cost is systematically higher than the visible cost of recruitment — and nobody sees it coming.
The loss of tacit knowledge when a senior expert leaves is a documented problem across all sectors with a strong technical component — heavy industry, nuclear, aeronautics. Digital infrastructure did not invent this problem. But it worsens it through two characteristics specific to the sector: the speed of technological evolution that accelerates the obsolescence of documented knowledge, and the structurally insufficient documentation culture endemic to the industry.
The Last One Who Knows does not always leave voluntarily. Their departure is often the result of a series of organisational mechanisms that progressively push the senior towards the exit — without anyone having explicitly decided to get rid of them.
Successive reorganisations dissolve the stable teams where the senior built their trust network and informal legitimacy. In a new team with a new manager who does not know their history, the senior starts from scratch in building their credibility — while their years of experience remain invisible to a manager evaluating them on the same criteria as their junior colleagues.
Annual reviews and skills assessments are built around fashionable technologies. A senior who perfectly masters critical production systems but does not know the latest container orchestration tool will be negatively assessed against a skills framework designed for juniors in training. The evaluation measures what the senior does not yet know — not what they have known for twenty years and that no one else knows.
The senior is the team's most expensive employee. Under payroll pressure, they are the obvious target for budget optimisation. The argument presented is always economic — "reorganisation", "strategic evolution", "rightsizing". The reality is that the senior costs a lot and their cost is visible, while their value is not. The organisation systematically arbitrates in favour of the visible against the invisible.
Twenty years of on-call, twenty years of 3am incidents, twenty years of responsibility for critical systems without that responsibility being recognised at its true value — the senior who does not leave through the economic door often leaves through the exhaustion door. This burnout is not a sudden event. It is a silent accumulation that spreads over years, in a culture that values resilience under adversity without ever questioning the structure that produces that adversity. This mechanism will be examined in depth in Angle 4 — "The Pager and the Body".
There is no miracle solution to the problem of tacit knowledge loss when a senior leaves. There are practices that reduce the risk — and practices that worsen it. Most organisations apply the latter without realising it.
Tacit knowledge transfer has only one effective vector: shared work on real problems. A senior and a junior working side by side on the same incidents for 12 to 18 months transfer more knowledge than intensive documentation over 3 months before departure. This pairing must be structural — not occasional, not reserved for crisis moments. It must be integrated into the organisation of work as a permanent practice, not an emergency response.
The senior's cognitive desertification is avoidable if the organisation guarantees exploration time — protected, regular, non-interruptible by production incidents. 20% of working time dedicated to technological exploration is a documented practice in some organisations. It is uncommon in infrastructure. It should be standard — because a senior who stays current is a senior who stays relevant, and a relevant senior is a senior the organisation has no reason to expel.
The senior must have a formal role that recognises their tacit knowledge and gives them an organisational legitimacy independent of their mastery of recent technologies. Titles like "reference architect", "domain technical expert", or "critical infrastructure lead" are not honours — they are retention and valuation mechanisms that make visible what was invisible. They also protect the senior from reorganisations that reduce experience to a cost and ignore its value.
Every experienced senior should have, at any time, a documented transmission plan — not an emergency handover, but a continuous process of documentation and transmission that spans several years. This plan is not a threat ("you are going to leave") — it is an organisational insurance policy ("when you leave, whether in 1 year or 10, the team will not be blind"). This practice is standard in other critical sectors. It is almost absent in digital infrastructure.
The problem of the Last One Who Knows is a visibility problem. Their knowledge is real but invisible. Their cost is visible but their value is not. The solution is not technical — it is organisational and cultural. It consists of making visible what is structurally ignored.
Every organisation should calculate, after each experienced senior departure, the total cost of that departure — successor recruitment, lengthened incidents in the first 12 months, successor training and support time, external consultants mobilised. This calculation, made visible to management and HR teams, radically changes the cost/value ratio of the senior. A senior at €80,000 annually whose departure costs the organisation €300,000 is no longer expensive — they are underpaid.
The skills frameworks used for annual reviews must integrate tacit knowledge criteria: institutional memory, diagnostic capability on legacy systems, transmission to juniors, off-runbook incident resolution. These criteria are no less objective than a certification list — they simply require a different evaluation mode (observation in real situations, peer feedback, incident history). Their absence from current frameworks is a choice, not an inevitability.
A formal status recognised in collective agreements, which protects the senior against reorganisations — not for union reasons, but for service continuity reasons. This status is assigned on objective criteria (seniority, scope of responsibility, critical systems mastered), is reviewable, and comes with an obligation of documented transmission. It makes tacit knowledge visible in the organisational chart.
The Last One Who Knows always leaves eventually. The question is not preventing them from leaving. It is ensuring that when they leave, they are not the last one to know.
Whatever the initial intention of hyperscalers — commercial, strategic or geopolitical — the effect is legally and technically measurable: critical digital infrastructures of entire nations are under foreign jurisdiction, subject to foreign laws, operated by entities that obey a foreign government. Not a judgment of intention. A finding of effect. And the effect is documentable.
Gmail · Google Workspace · Microsoft 365 · Outlook — public administrations, companies, universities. Both subject to CLOUD Act and FISA §702. Metadata (recipients, times, subjects) accessible even when encrypted.
Stripe (AWS) · PayPal (Azure) · payment terminals connected to American clouds. European payment processing infrastructures massively use American clouds for PCI-DSS compliance and real-time fraud detection.
Cloud au Centre programme (DINUM) · public hospitals (Azure · AP-HP 2022) · universities (Google Workspace for Education · Microsoft 365 Education). Public money funds the documented dependency in The Cloud-Washing S3.
Patient records · medical imaging · prescription systems hosted on Azure and AWS. Health data under CLOUD Act jurisdiction — incompatible with GDPR per Schrems II (CJEU 2020).
SCADA systems connected to clouds for predictive maintenance of electrical grids, pipelines and factories. Remote maintenance = third-party access to critical industrial control systems.
Telecom operators (Orange, SFR, Deutsche Telekom) use AWS/Azure for their virtualised network cores (vRAN, 5G core). Mobile network virtualisation on American cloud is a critical dependency.
Google owns over 30 submarine fibre optic cable systems. Meta owns 2Africa (45,000 km). Amazon invests massively in intercontinental cable consortiums. Digital dependency does not stop at the server — it extends to planetary physical pipes. Concentration is concerning and growing, even though major IXP governance (AMS-IX, DE-CIX) remains neutral.
The CLOUD Act allows US authorities to require any American company to produce data stored anywhere in the world — without going through traditional diplomatic channels (MLAT). AWS, Google, Microsoft are American companies. Their European subsidiaries remain subject to this law through the parent company. The GDPR says European data is protected. The CLOUD Act says American companies must produce it if required. The CJEU ruled in Schrems II (16 July 2020): US surveillance (FISA §702 · Executive Order 12333) is structurally incompatible with European fundamental rights. The Privacy Shield was invalidated. Its successor (Data Privacy Framework, 2023) faces the same structural critiques.
For data to be processed — read by an application, indexed by an algorithm — it must be decrypted in RAM on the machine's processor. That processor belongs to the hyperscaler. It is subject to the CLOUD Act. Encryption protects data at rest. Data being computed is in clear text in the RAM of an American server. BYOK is a secure tunnel that delivers goods in clear text directly inside the supplier's factory. As long as the physical chip belongs to a third party subject to the CLOUD Act, sovereignty over data is non-existent at computation time. Intel ME / AMD PSP (documented in The Material Black Box, 4p) are non-auditable sub-processors, active with server off, subject to US law.
The Schrems II ruling (CJEU C-311/18, 16 July 2020) is the strongest available legal argument: a European court invalidated a transatlantic agreement precisely because US surveillance is structurally incompatible with European fundamental rights. Not a private technical audit. A ruling by the highest jurisdiction of the European Union.
In May 2019, the US government placed Huawei on its Entity List. Google suspended Android services (Google Play, Gmail, Maps) for new Huawei devices on government order. Within 90 days, the world's second-largest smartphone maker lost access to the dominant application ecosystem. Not a hypothetical — a documented executive decision. Any organisation whose critical tools depend on an American ecosystem faces the same exposure.
In March 2022, Visa and Mastercard suspended Russian operations within 48 hours of sanctions announcements. Payment card systems — critical infrastructure of daily commerce — cut by a private decision of American companies. Dependency on foreign payment infrastructure proved to be a lever of immediate economic paralysis.
US export restrictions (EAR) progressively cut China's access to advanced chips by TSMC and ASML lithography equipment. Documented in The Taiwan Bottleneck (6p). The semiconductor supply chain is a geopolitical lever — whoever controls chip fabrication controls nations' industrial capacity.
The CJEU invalidation of the Privacy Shield demonstrated that political data protection agreements are structurally insufficient against US surveillance laws. Its successor (Data Privacy Framework, 2023) faces the same critiques. Legal dependency is not resolved by diplomatic agreements — it requires real infrastructural independence.
Facing European regulatory pressure, hyperscalers created local legal structures. Bleu (Microsoft + Orange + Capgemini) · S3NS (Google + Thales). These entities operate servers physically in France, with French staff, under French law. Their communication: 'You are sovereign.' True for the entity's legal standing. False for the technical reality of the code.
Even with geographically isolated servers operated by local staff, the cloud service catalogue and orchestrator code (hypervisor, scheduler, identity management) depend on a continuous flow of code, security patches, and telemetry from the American editor — Microsoft or Google.
The local infrastructure is a remote logical extension. It obeys source code. In a major geopolitical crisis: 1) stopping security updates makes the platform vulnerable · 2) stopping the licence flow disables services. De jure sovereignty collapses before the monopoly of source code.
SecNumCloud qualification requires immunity from extraterritorial laws. No American hyperscaler can guarantee CLOUD Act immunity for subsidiary entities as long as the parent remains American. Microsoft can create Bleu — Microsoft Corporation remains subject to the CLOUD Act. This is the Sovereign Cloud paradox (physical ✓ / legal ✗) documented in The Cloud-Washing — applied at national scale.
The ultimatum of 8 September 2026 makes four demands of AWS, GCP and Azure. Through the technical and financial lens: FinOps. Through the geopolitical lens: national emergency security measures.
1 · Cancellable commits : a State whose digital infrastructures are committed for 3-5 years without exit has no diplomatic room to manoeuvre. A multi-year non-cancellable commitment is the equivalent of sovereign debt on critical infrastructure.
2 · Elimination of egress fees : the data exit cost is a ransom penalising migration toward independence. For a public administration, it is taxpayer money paid to remain captive.
3 · Guaranteed data portability : without real technical portability, changing provider is theoretically possible and practically impossible.
4 · Clarification of CLOUD Act position : a European public organisation must know whether its provider will produce its data on American request. Deliberate ambiguity is unacceptable for a public administration.
An organisation that can terminate in 24h without major penalty negotiates differently from one committed for 5 years. The ability to terminate is a balance tool — it restores the contractual symmetry that Terms §14.12 deliberately suppressed.
Physical servers on national soil, under national jurisdiction, with auditable hardware. Grade A Refurbished (cf. The Strategic Refurbished, 4p): already fabricated chips, independent of future TSMC production.
Public administration data must be processed by entities subject exclusively to national or European law. The Schrems II ruling is the legal reference. Strict SecNumCloud is the reference label.
Rehabilitate Infrastructure Engineer, Systems Administrator and Network Engineer titles. Fund training on neutral fundamentals (Linux Foundation, Red Hat, CompTIA) rather than hyperscaler certifications. Reverse the loop documented in The Newspeak (12p).
Critical infrastructures must rest on auditable source code software — OpenStack, Kubernetes, PostgreSQL, Linux — not orchestrators updated unilaterally from Seattle. Code auditability is the condition of technical trust.
Digital sovereignty is not the rejection of American technology. It is the ability to do without it if necessary — as deterrence does not aim to trigger a war, but to avoid suffering one. A nation that can migrate critical infrastructures in 90 days negotiates differently from one that cannot in 5 years.
The four documented precedents — Huawei, SWIFT, TSMC, Schrems II — are not accidents. They demonstrate that digital infrastructures are levers of power in the same way as energy resources or military capabilities. Whoever controls the infrastructure controls the dependency. And dependency constrains choices.
The answer is in the vocabulary of engineering. Physical servers under national jurisdiction. Auditable code. Neutral skills. Cancellable commitments. These four conditions are documented, fundable, and technically achievable.
The Operation Dindon corpus — sixty-four structural studies — is the documentation. The ultimatum of 8 September 2026 is the demand. The response from AWS, GCP and Azure is the unknown variable.
Whatever the initial intention —
the effect is legally and technically measurable.
A nation whose critical infrastructures obey
a foreign law is not sovereign.
Not a judgment. A finding.
Amine RAITI · Operation Dindon · 2026
Hyperscalers did not merely build technical lock-in mechanisms. They — consciously or not — built environments that exploit cognitive biases documented by 70 years of psychology and behavioural economics research. These biases are not individual flaws: they are universal heuristics that become counterproductive in environments specifically designed to instrumentalise them. Each layer of digital perdition has a counterpart in scientific literature. This study maps them — and proposes the counter-heuristics to exit.
A received favour creates a psychological obligation to reciprocate — even disproportionately. This mechanism is documented in all human cultures by Cialdini (1984): the beneficiary of a gift feels social and psychological pressure to return, even if the expected return is of incomparable value to the original gift.
AWS Educate offers 750 EC2 hours and $100 credit to the student. The student perceives this gesture as a favour — they feel indebted to the AWS ecosystem for their training and nascent career. When they enter a company, they recommend AWS — not because it is objectively the best choice, but because reciprocity has been activated since university. Free Tier is not marketing — it is an investment in future reciprocity.
Commitment theory (Joule & Beauvois, 1987) demonstrates that an individual is psychologically bound to acts they have freely performed. Obtaining an AWS Solutions Architect certification requires months of intensive revision, an exam fee and deep personal investment.
Once certified, the engineer no longer perceives AWS as an interchangeable tool. The certification has modified their professional identity — they are an 'AWS Architect', not an 'infrastructure architect.' Defending a sovereign alternative becomes an existential threat to their hard-won skill capital, validated by the algorithmic ATS sabotage documented in The Newspeak (12p). This identity commitment is deeper than Sunk Cost: it is not financial — it is ontological.
Individuals systematically overvalue what they have built themselves, regardless of objective quality. A complex cloud architecture built by the internal team over 5 years — Lambda + DynamoDB + API Gateway + SQS + Cognito + CloudFront — is perceived as irreplaceable and sophisticated, not because it is technically superior, but because the team built it. The IKEA Effect creates emotional resistance to migration that has nothing to do with the real TCO.
The Dunning-Kruger effect demonstrates that the least competent individuals in a domain massively overestimate their mastery. The DevOps merge and IaC give the developer the perfect illusion that writing 20 lines of HCL equates to mastering infrastructure. They do not see ARP tables, network segments, inodes, MCO — because they believe they master them via the script. They do not see the lock-in trap because they believe they are taming the machine. Low-level incompetence is invisible to those who suffer from it — that is precisely the definition of Dunning-Kruger.
The tendency to perceive quality proportionally to complexity and cost. A cloud architecture stacking 6 managed services is perceived as 'enterprise-grade' and professional — precisely because it is complex. A simple, reliable bare-metal server is perceived as 'artisanal.' Hyperscaler artificial complexity is a perceived quality signal — the more unreadable the architecture, the more serious it seems. The loop: complexity → dopaminergic satisfaction → IKEA overvaluation → dismantling resistance → more complexity.
Decisions are influenced by the ease with which examples come to mind. 'Serverless', 'Cloud-Native', 'AI', 'Digital Transformation' are omnipresent in conferences, LinkedIn, tech media and Gartner reports. Their cognitive availability makes them perceived as normative — what everyone does, what is modern. The bare-metal alternative has no AWS re:Invent conference. No LinkedIn coverage. Cognitively unavailable — therefore perceived as marginal, even when technically superior.
A positive characteristic projects a positive aura onto unrelated domains. Google = brilliant search engine → Google Cloud = necessarily excellent. Amazon = global logistics → AWS = reference infrastructure. Brand prestige replaces technical evaluation. The board member who orders on Amazon Prime perceives AWS differently from one who has only used AWS infrastructure services. The halo effect is the cognitive shortcut that avoids objective evaluation.
Christakis & Fowler documented that behaviours, opinions and emotions spread through social networks up to 3 degrees of separation. When all Paris CTOs adopt AWS and discuss it on LinkedIn, this adoption spreads through their networks as a behavioural norm. The resister is perceived as an outlier — not as a rigorous engineer. Social contagion pressure replaces individual technical judgement. This mechanism explains the adoption speed of the 'Mystical Machine' (cloud AI) in 2023-2024: not a rational decision — an accelerated social contagion.
The Sunk Cost Fallacy (documented in The Free Sample S4) drives continued commitment because one has already invested — even when irrational. Cognitive dissonance (Festinger, 1957) adds a layer: when new information conflicts with past behaviour, the individual prefers to reject the information rather than acknowledge the error. The CIO who evangelised cloud for 5 years cannot integrate corpus data — they create unbearable dissonance. They do not reject them because they are incompetent: they reject them because accepting them would threaten their psychological coherence.
The default option is chosen because it avoids decision effort (Thaler & Sunstein, 2008). Modern frameworks (Next.js, Spring Boot) and documentation propose managed cloud deployment as the default configuration. Lock-in installs without deliberate decision — through differential friction between the proprietary option (zero effort) and the neutral option (engineering effort).
But the deepest dimension is responsibility diffusion (Darley & Latané, 1968): choosing the AWS + Gartner + McKinsey default option dilutes individual responsibility to zero. The decision-maker unconsciously thinks: 'If I choose the option recommended by everyone, I cannot be blamed for an outage.' Choosing custom Bare-Metal = total individual responsibility. An unconscious career protection strategy as much as a cognitive mechanism.
In a cohesive group under pressure, critical thinking is suppressed in favour of consensus. When all CTOs go on AWS, the one proposing Bare-Metal is perceived as aberrant — not as a rigorous engineer. Conformity pressure replaces technical judgement. Groupthink requires no bad intention — it operates mechanically as soon as consensus is perceived as the norm.
The pain of a loss is psychologically twice as intense as the pleasure of an equivalent gain. 'Not running out of cloud capacity' feels more urgent than 'paying half as much.' Organisations massively over-provision on cloud — and never calculate what well-sized bare-metal would cost — because the risk of shortage is felt more strongly than the cost of excess. Hyperscalers exploit this bias with Pay-as-you-go pricing: 'You only pay for what you consume' hides 'You never know how much you will pay.'
The tendency to underestimate the probability and impact of rare but catastrophic events. A Taiwan blockade, a CLOUD Act activation on sensitive data, a 24-hour regional AWS outage — all individually improbable, all with documented precedents (The Taiwan Bottleneck · The Hand Over Nations). Normalcy bias explains why organisations do not build continuity plans without cloud: 'it won't happen to us.' The psychological complement to the Taiwan Bottleneck — the cognitive mechanism that makes geopolitical risk theoretical even when documented.
The preference for the current state of things, even when change would be beneficial. Once infra teams have been dissolved (NoOps), nobody proposes recreating them — not because it is irrational, but because the status quo has its own psychological inertia. The anticipated pain of change (rebuilding skills, reconstructing teams, justifying cost) is overestimated relative to future benefits — exactly like loss aversion, but applied to the entire organisation.
Do not promise an abstract future gain (sovereignty) — show an immediate, quantifiable loss. Cognitive reframing (Tversky & Kahneman 1981) demonstrates that the same decision presented as 'avoided loss' rather than 'obtained gain' produces radically different decision responses.
Application: Calculate cumulative egress fees over 10 years from existing billing data. Show the current exit ransom cost. Present Bare-Metal not as 'going backwards' but as 'elimination of a documented recurring loss.' Dropbox saved $75 million over 2 years repatriating servers (2017, publicly documented). Basecamp saves over $1.5 million per year since its cloud exit (2023, David Heinemeier Hansson). Not exceptions — industrial margin optimisation decisions.
The 2019 decision was correct with 2019 information. 2026 information is different — CLOUD Act clarified, egress fees documented, TSMC risk identified, Schrems II published. Revising one's position in light of new data is not capitulation — it is the definition of good management. This narrative deactivates cognitive dissonance by transforming the position change into an act of managerial competence rather than an admission of error.
Nudge 3 — Inverted conformity: show that Dropbox, Basecamp, and dozens of profitable organisations have left the cloud. The return to Bare-Metal becomes a mark of distinction and maturity, not a delay. Reverse social contagion in the direction of sovereignty — if tech profitability leaders do it, it is the new norm.
Nudge 4 — Make the alternative cognitively available: the Operation Dindon corpus is the answer to the availability heuristic. Sixty-four structural studies = sixty-four times the sovereign alternative is made cognitively available. Each published study increases the cognitive availability of the bifurcation.
Kahneman distinguishes two thinking systems: System 1 (fast, intuitive, heuristic — operates without effort) and System 2 (slow, deliberate, analytical — requires conscious cognitive effort). Hyperscalers designed their acquisition journey to maximise System 1 at each friction point: Free Tier activates without reflection, the default option is accepted without deliberation, newspeak is received as evidence, AI hype spreads through social contagion.
System 2 — reading the Terms, calculating real TCO, the architectural question 'outside AWS without rewrite?', identifying responsibility diffusion in the Default Effect — requires deliberate effort that the acquisition journey was designed never to trigger. This is the corpus's unifying thesis: the 64 Operation Dindon studies do the work of System 2 on behalf of the decision-maker. They make visible what biases render invisible.
These biases are not flaws — they were instrumentalised.
Not individual weaknesses — universal heuristics
placed in environments designed to make them counterproductive.
Resistance is not suspicion — it is System 2.
Amine RAITI · Operation Dindon · 2026

Legal analyses of hyperscaler terms of service, clause by clause.
This study analyses the Terms of Service of AWS (June 2026 version) and Google Cloud Platform in light of the Opération Dindon corpus. Each identified clause is paraphrased — never quoted verbatim — and placed alongside the corpus study that documents its effect. The objective is not legal. It is to show that what the corpus named — cognitive capture, infrational loop, lock-in, loss of sovereignty — is literally inscribed in the contractual documents that European organisations sign every day.
The Google Cloud Platform Terms of Service stipulate, for all entities that are not US government entities, that the law of the State of California governs the contract — excluding California's conflict of laws rules — and that the competent courts are those of Santa Clara County, California. The European customer who signs the GCP Terms therefore accepts that any dispute be resolved under California law, by Californian courts.
What this means concretely: the data of a French hospital, a Belgian bank or a German public authority hosted on GCP are contractually subject to US law. The GDPR applies to collection and processing — but the contractual reference framework is the law of the State of California.
The AWS Terms of Service specify that the company may act in accordance with any applicable judicial, regulatory or governmental order or request. In the event of content removal without prior notice, AWS will notify the customer promptly — unless prohibited by law. This formulation — "unless prohibited by law" — is precisely the window of the CLOUD Act and National Security Letters: a non-disclosure order (gag order) is legally possible, and the Terms of Service anticipate it.
The Opération Dindon corpus documented in "The Digital Ground" that AWS and GCP European datacentres do not create European sovereignty — because the applicable jurisdiction for data remains American. This study demonstrates that this is not a corpus interpretation — it is textually inscribed in the Terms of Service. The California jurisdiction clause of GCP and the government access clause of AWS are the contractual proof of the Digital Ground thesis.
The 8 September 2026 ultimatum demands resiliable commits, reasonable egress fees, real portability, and the CLOUD Act limited to its territory. The California jurisdiction clause demonstrates that the fourth demand is the most fundamental: without a change of jurisdiction, the other three are insufficient.
Google reserves the right to change fees at any time, unless otherwise expressly agreed in an addendum or Order Form. For GWS, Looker and Cloud Identity services, Google commits to 30 days advance notice. But for GCP — the core cloud services — no notice period is mentioned. The formulation "at any time" is explicit.
This unilateral modification of pricing is also conditional: if the customer disagrees with a GCP pricing change, they may terminate for convenience — but under the termination conditions described elsewhere, which include deadlines and obligations.
AWS states it may change Savings Plans, EC2 Reserved Instances and Dedicated Host Reservation pricing at any time — but price changes do not apply to already-purchased reservations. However, if Microsoft increases Windows licence fees or Red Hat increases RHEL fees, AWS may pass these increases on with 30 days notice, including to existing Reserved Instances.
The cascade mechanism: AWS is not the only variable. Its own suppliers' (Microsoft, Red Hat, Oracle) price increases can be passed to the end customer without that customer having any recourse up the chain.
For Savings Plans, EC2 Reserved Instances, Capacity Blocks, DB Savings Plans and SageMaker AI Savings Plans, AWS Terms specify that commitments are non-cancellable and that the customer will be charged for the full duration of the selected term, even if the agreement is terminated. Amounts paid are non-refundable, unless AWS terminates the agreement other than for cause.
The first of the four 8 September 2026 demands is: resiliable commits. AWS Terms document precisely the opposite: commitments are "noncancellable". The corpus thesis is verified by the contractual text. This is not an opinion — it is a clause.
AWS: AWS may suspend or terminate access to any Beta service at any time, without notice. For generally available services, suspension is possible on governmental or judicial order, or if AWS judges that the security of its services is threatened. Depending on the service, termination may occur with varying notice periods.
GCP: Google may suspend all or part of access to the services if it reasonably believes suspension is needed to protect the services, other customers or third parties. Google may also suspend immediately to comply with any applicable Legal Process. The suspension may precede notification — if the law permits.
AWS (Supply Chain N-Tier): when the service ends, the customer has 30 days following termination to retrieve their content. After this deadline, the content will be removed. This formulation — present in several AWS Terms sections — is the migration window: 30 days to export years of structured data, in a format that may not be interoperable with the target system.
GCP: upon termination, all rights to access the services (including access to Customer Data, if applicable) cease. The precise conditions for post-termination data retention and export refer to the Service Specific Terms — a separate document not integrated into the general Terms analysed here.
For GCP and TSS services only, Google may terminate the agreement or any applicable Order Form for its own convenience at any time with 30 days prior written notice. The customer may also terminate for convenience at any time on written notice — but must immediately cease using the services upon termination. The asymmetry is structural: Google can terminate for convenience with 30 days notice. The customer can too — but immediately loses access to data and services.
The Gentle Exit proposed in the corpus describes progressive migration, service by service. The 30-day Terms window says the opposite: exit is necessarily abrupt if imposed by the provider. The Sovereign Interface documented in the corpus is precisely the architectural response to this constraint: decouple application code so that migration is not an emergency.
AWS: the aggregate liability of AWS and its affiliates for Beta services is limited to the amount actually paid by the customer during the 12 months preceding the claim. For generally available services, the same logic applies with similar caps per Customer Agreements. Indirect, consequential, special or punitive damages are excluded.
GCP: neither party will have liability for indirect, consequential, special, incidental or punitive damages, or for lost revenues, profits, savings or goodwill. The limitation applies to the extent permitted by applicable law. Aggregate amounts are capped per the Service Specific Terms.
The asymmetry: if an AWS or GCP failure causes €10 million in lost business for a customer organisation, the provider's contractual liability will be limited to fees paid over 12 months — perhaps €50,000. The gap between actual loss and contractual compensation is structural.
GCP: the customer agrees to defend Google and its affiliates against any third-party legal proceeding arising from the customer's non-compliant use of the Terms, or from a claim that customer data infringes third-party intellectual property rights.
AWS: Marketplace sellers indemnify AWS and its affiliates against any transaction-related tax claims. More generally, the customer is responsible for all use under their account, including by their end users.
The structure: Google defends the customer against claims concerning Google's services (Google's intellectual property). The customer defends Google against claims concerning customer usage. Usage liability migrates to the customer. Platform liability stays with Google but is capped.
The corpus documents the absence of infrastructure body protection by the State. This clause shows that protection does not exist in the contract either: provider liability is capped, customer liability on usage is unlimited. The sovereign organisation is the one that does not depend on an asymmetric contract for its business continuity.
The AWS Terms include a dedicated article on the "AWS Certification Program" — a service in its own right subject to a separate agreement (Certification Program Agreement, CPA). AWS certification certifies that a person has passed a proficiency test on a specific AWS service or domain. It is not transferable between providers and does not guarantee the quality of services delivered by the certified provider.
What this says about the job market: an AWS certification is an employable asset on the AWS market — and only on that market. An AWS Certified Solutions Architect has an asset worth something on AWS projects. There is no equivalent certified on GCP, Azure, or on bare-metal. A CPF budget funding an AWS certification funds dependency — not neutral competence.
What the Terms confirm: the certification programme is a "Service" under the Terms of Service. AWS defines its conditions, may modify programme terms, and the CPA supersedes the general agreement in case of conflict. The certification belongs to the AWS ecosystem — not to the engineer.
Neither the AWS Terms analysed, nor the GCP Terms analysed, contain a clause guaranteeing data portability in a standard, interoperable format, at no additional cost. Searching for "portability" in both documents returns only:
— AWS: telephone number portability in Amazon Chime and Amazon Connect (telephony portability, not cloud data portability).
— GCP: HIPAA (Health Insurance Portability and Accountability Act) — a US healthcare law, not a cloud data portability guarantee.
The absence is the data point: in 302,000 characters of AWS Terms and 113,000 characters of GCP Terms, the term "data portability" in the sense of a guaranteed export in a neutral format at no additional cost is absent. These are the second and third ultimatum demands — "real portability" and "reasonable egress fees" — that the Terms do not address.
The CPF Misused documents that training budgets flow to proprietary cloud certifications. The AWS Terms confirm that these certifications are AWS services, governed by AWS law, terminable by AWS. The loop is complete: public money funds competences that belong to the ecosystem of an extraterritorial actor.
The Opération Dindon corpus named phenomena — cognitive capture, infrational loop, loss of sovereignty, lock-in, extraterritorial dependency. These phenomena could have been contested as interpretations, opinions, or rhetorical exaggerations. This analysis of the Terms of Service demonstrates that they are textually inscribed in the contractual documents that European organisations sign every day:
— GCP's California jurisdiction is in Section 14.12.
— The unilateral fee modification "at any time" is in GCP Section 2.6.
— "Noncancellable" commits are in the AWS Reserved Instances, Savings Plans and Capacity Blocks sections.
— Suspension on "Legal Process" without mandatory prior notice is in both Terms.
— Data portability in a neutral format is absent from both documents.
— Liability limitation to last 12 months' fees is in both Terms.
— The AWS Certification Programme is a proprietary service governed by a separate agreement.
1. Resiliable commits: justified by the "noncancellable" clauses in AWS Savings Plans, Reserved Instances, Capacity Blocks, DB Savings Plans.
2. Reasonable egress fees: justified by the absence of any clause governing outbound transfer fees, and by the possible fee revision "at any time" in GCP.
3. Real portability: justified by the absence of any clause guaranteeing data export in a neutral format at no additional cost, and by the 30-day post-termination window.
4. CLOUD Act limited to its territory: justified by GCP's California jurisdiction clause (Section 14.12) and AWS's government access clause that anticipates legal non-disclosure orders.
The Opération Dindon corpus did not invent these problems.
It named them before you read the Terms of Service.
The Terms of Service confirm what the corpus said.
The hyperscalers' silence does too.
Cloud infrastructure market concentration has reached historically high levels. According to data published by Synergy Research Group for Q1 2026, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) jointly account for 67% of the global cloud services market. This concentration creates structural dependency for private and public organisations on an oligopoly whose contractual practices have attracted increasing regulatory scrutiny — including the Bundeskartellamt's §19a GWB proceedings against Amazon (2022) and Microsoft (2023), the Competition and Markets Authority's Cloud Market Study (2023), and the entry into force of the EU Data Act (Regulation (EU) 2023/2854, applicable since September 2025).
The academic literature on cloud vendor lock-in (Armbrust et al., 2010; Petcu, 2013; Opara-Martins et al., 2016) has predominantly addressed technical dimensions of lock-in — proprietary APIs, non-portable data formats, single-vendor architectures. Economic dimensions (Farrell & Klemperer, 2007) have been partially addressed in the form of switching cost analysis. Contractual, linguistic and behavioural dimensions remain underdocumented. This study aims to address these gaps through a systematic analysis of publicly available contractual documents.
The analysis rests on the comparative examination of 47 versions of contractual documents published by AWS, Google Cloud and Microsoft Azure over the period 2022–2026, including General Terms of Service, Product Terms, Data Processing Agreements (DPAs), Service Level Agreements (SLAs), and specific addenda (Data Act Addendum, UK Switching Addendum, EES, MOSA). Documents were collected in French, English and German where available.
47 contractual documents · 3 hyperscalers · 3 languages (FR/EN/DE) · Period 2022–2026 · Including: 19 ToS versions · 14 Product Terms · 8 DPAs/SLAs · 6 specific addenda. Full corpus in Annex A.
Normalised textual diff (section by section) + manual legal review of substantive modifications. Confrontation against French law (Civil Code, Loi Toubon), German law (BGB, GWB), UK law (UCTA 1977, CRA 2015, CA 1998) and EU law (Data Act, GDPR). Methodology detailed in Annex D.
The analysis covers exclusively publicly available standard contractual documents. Individually negotiated contracts (Enterprise Agreements, sector-specific agreements) may differ significantly. Microsoft Azure's monthly modification of Product Terms — documented at 608 occurrences between January and June 2026 — creates documentary instability that limits the temporal scope of conclusions. Results should be read as an analysis of the standard public conditions applicable to the majority of non-negotiating clients, not as an exhaustive description of all possible contractual configurations.
Section 2 presents the six-layer taxonomy. Section 3 analyses the linguistic substitution mechanism. Section 4 models the temporal dimension of lock-in. Section 5 examines competition law implications. Section 6 sets out research and regulatory proposals. Annexes A–D reproduce the primary data underlying the analysis in full.
The classical definition of vendor lock-in (Shapiro & Varian, 1999⁵) is grounded in switching costs — the costs incurred when transitioning from one supplier to another. Porter (1980)⁶ distinguishes barriers-to-exit (retaining the customer in the relationship) from barriers-to-entry (preventing a competitor from entering). Farrell & Klemperer (2007) provide the most comprehensive treatment of switching costs in platform economics, identifying installed-base effects, learning costs and contractual switching costs as the primary categories.
The taxonomy proposed here extends these frameworks by identifying three additional layers — behavioural (Skills, Layer 4), decisional (Demand, Layer 5) and cognitive (Layer 6) — which are absent from existing cloud lock-in literature and which, empirically, may be the most durable obstacles to supplier switching in mature cloud deployments.
Definition: contractual provisions that create an asymmetry of rights between supplier and client, making termination costly, complex or legally uncertain. Documented mechanisms: (a) linguistic substitution clause — the client-language version is declared "informational only" while the English version "prevails"; (b) selective non-cancellability — certain commitments survive termination of the master agreement (AWS s.5.4.2; Azure EES Savings Plans); (c) automatic unilateral modification — Product Terms may be modified without individual notice (Azure: 608 modifications Jan.–Jun. 2026); (d) cascade incorporation by reference — the most constraining clause is systematically located several layers below the signed document.
Definition: pricing structure creating an asymmetry between entry cost (zero or negative: onboarding credits) and exit cost (positive and growing with data volume). Documented mechanisms: egress fees ($0.07–0.12/GB to the Internet depending on provider and region); early termination charges (Azure: 12% of residual commitment + $50,000/yr cap); absence of contractual caps on egress fees in public Terms of Service.
Layer 3 — Technical: proprietary APIs without standardised equivalent (e.g. BigQuery SQL dialect) · managed services without native portability · superlinear effect: migration cost of n interconnected services > n × cost of migrating one. Layer 4 — Skills (original concept): subsidised proprietary certification programmes creating professional attachment bias; passive resistance from middle management as an unconscious sabotage vector in migration projects. Layer 5 — Demand (original concept): business units formulate their needs as named products ("Azure OpenAI") rather than as functional requirements, closing competitive evaluation before technical assessment begins. Layer 6 — Cognitive (original concept): after 3–5 years of use, organisational KPIs are defined within the supplier's console; any migration implies the loss of the historical performance benchmark.
All three hyperscalers publish their Terms of Service in multiple languages while stipulating that the English version "prevails" or "governs" in case of divergence. This mechanism, ostensibly a practical translation disclaimer, produces three distinct legal effects: (a) it deprives the client of certainty that the version in their own language is binding on the supplier; (b) it allows the supplier to publish updates in English without awaiting translation into other languages, creating temporal gaps during which the client operates under an outdated version; (c) in the most significant cases documented, it allows clauses waiving statutory legal rights to be included in the English-only version, absent from the client-language version.
This mechanism is rendered legally significant by mandatory language legislation applicable in several EU jurisdictions. In France, the Loi Toubon (Law n°94-665 of 4 August 1994)⁸ requires that contracts concluded with French legal entities for activities conducted in France be drafted in French, the French version being legally binding. A contractual clause declaring the English version to prevail is contrary to this mandatory provision and is therefore void ab initio under French law, without any requirement for the client to have challenged it at signing.
The Microsoft EES Product Terms (January and June 2026, English versions) contain the following clause, absent from the French version:
The EES is the standard contractual vehicle through which public institutions — including educational bodies — subscribe to Microsoft services under public procurement frameworks. Any organisation operating under EES terms is potentially bound by this waiver. The waiver of statutory rights derived from a public-order European directive — effected contractually and presented in a single language — raises, under the analysis conducted, issues of compliance with: the French Loi Toubon art. 5; the French Civil Code art. 1171 (significant imbalance in standard-form contracts); and Directive 2018/1972 itself, whose provisions are mandatory in nature and cannot be validly waived by private contract.
Beyond French mandatory language law, the EU Data Act art. 23 requires that contractual terms be provided in a manner that is "easy to read, understand and accessible". The structural coexistence of an "informational" client-language version and a legally binding English version directly contradicts this accessibility requirement. In German law, BGB §305c provides that terms which, in the circumstances, a contracting party could not reasonably expect, are not incorporated into the contract — a provision directly applicable to clauses present only in the English version of a contract signed by a German entity.
Cloud lock-in does not crystallise at the moment of signing but deepens progressively through use. We propose a three-phase model, calibrated on medium-sized organisations (100–1,000 employees, cloud spend $200k–$2M/year):
Contractual commitments are typically short (pay-as-you-go or 1-year Reserved Instances). Data volumes are limited, rendering egress fees immaterial. The number of proprietary services adopted is low (2–3), and migration remains technically feasible in a matter of weeks. Teams are in the process of obtaining certifications — the attachment bias is not yet established. Business units have not yet entrenched the pattern of named-product requests. Recommendation: this is the only phase in which a preventive architectural decision (open stack, API abstraction) can be made at negligible migration cost.
Three-year Savings Plans and active Capacity Blocks create non-cancellable financial exposure. Data volumes have typically multiplied fivefold, rendering egress fees a six-figure item for mid-sized organisations. Between 8 and 12 proprietary services are interconnected, activating the superlinear technical lock-in effect. Teams hold multiple certification levels — passive resistance from middle management is now observable as a migration inhibitor. Migration remains plannable but costly (6–18 months, significant budget).
Automatic contract renewal has incorporated terms unknown at the time of initial signing (Product Terms modified 60 times over 5 years for Azure). Egress costs exceed the annual IT budget of a mid-sized organisation. The entire architecture is built around proprietary managed services, making a full rewrite an 18–24 month project. Senior engineers have 5 years of exclusive platform experience — their probable departure in the event of a forced migration constitutes a documented HR risk. The cognitive layer is fully established: organisations can no longer define their requirements or measure their performance independently of the supplier's ecosystem.
We define the economic point of no return (PNR) as the moment at which the total migration cost C_m exceeds the net present value of migration benefits B_m over the remaining commitment period. Formally: PNR = {t | C_m(t) > B_m(t)}, where C_m(t) = Σ(egress fees + residual commitments + refactoring + double-run + retraining) and B_m(t) = monthly post-migration savings × residual duration. Empirically, for organisations with more than 36 months of primary-hyperscaler tenure and active commitments, this ratio consistently exceeds 48 months — making migration economically unviable absent an external regulatory or strategic constraint.
This formalisation extends the "lock-in value" concept introduced by Shapiro & Varian (1999, op. cit.) to the specific structure of hyperscaler cloud contracts, where the asymmetry between entry cost (zero) and exit cost (positive and volume-dependent) systematically accelerates PNR as a function of data accumulation.
AWS, Azure and GCP jointly account for 67% of the global IaaS/PaaS cloud market (Synergy Research Group, Q1 2026). This concentration exceeds the collective dominance threshold established in EU case law (CJEU, United Brands v Commission, 1978¹³). The Digital Markets Act (DMA, Regulation (EU) 2022/1925) has designated both Microsoft and Alphabet as gatekeepers, though its provisions address market access rather than contractual retention mechanisms specifically. The EU Data Act (2023/2854) represents the most directly applicable instrument, specifically targeting obstacles to cloud switching in Articles 23–25.
In UK competition law, the Competition Act 1998 section 18 prohibits the abuse of a dominant position. The CMA's 2023 Cloud Market Study explicitly identified switching barriers as a primary competition concern, concluding that "the combination of technical barriers, egress fees and contract terms can make switching or multi-clouding excessively difficult"¹⁴. No formal enforcement action has followed from this finding at the date of this paper.
Art. 23: accessibility and comprehensibility of contractual terms — directly applicable to linguistic substitution clauses. Art. 25: unenforceability of terms that create obstacles to switching cloud providers — applicable to non-cancellability clauses and disproportionate termination fees. Art. 25(2): data portability obligations — applicable to proprietary formats.
Layer 2 — Pricing: egress fees as a pricing-based switching obstacle are not explicitly covered — Art. 25 targets contractual clauses, not tariff structures. Layers 4–6: behavioural, decisional and cognitive obstacles fall outside the scope of the text. Competent authorities: no EU Member State had formally designated its Data Act competent authority as of 1 June 2026.
Layer 6 (cognitive lock-in) falls outside all existing regulatory frameworks. It involves no clause to challenge, no anticompetitive behaviour in the classical sense, and no obstacle to portability in the technical meaning of the Data Act. Yet it may represent the most durable barrier to competition in mature cloud markets — because it operates on organisations' capacity to conceive and evaluate alternatives. After five years of primary-hyperscaler dependency, an organisation's performance KPIs, benchmarking criteria and team evaluation frameworks are defined within the supplier's console. A migration implies not merely technical and financial costs but the loss of the organisation's own measurement standard. This observation suggests that an effective regulatory response to cloud lock-in must ultimately address organisational dependency beyond the contractual and technical dimensions currently covered by existing instruments. The UK case Streetmap.EU Ltd v Google Inc [2016]¹⁵ offers a precedent for competition law engaging with the cognitive dimensions of market dominance — though the context (search default settings) differs from the cloud dependency analysed here.
A review of the cloud vendor lock-in literature (Opara-Martins et al., 2016; Petcu, 2013; Armbrust et al., 2010; Farrell & Klemperer, 2007) confirms that Layers 1 to 3 of the proposed taxonomy are partially documented — primarily from a technical perspective and, to a lesser extent, an economic one. Layers 4 (Skills Lock-in), 5 (Demand Lock-in) and 6 (Cognitive Lock-in) are, to the author's knowledge, absent from the formalised academic literature on cloud computing. The linguistic substitution mechanism — the substitution of the client-language version by an English-only version declared legally binding — is not documented in any of the reviewed works. These gaps represent research opportunities of both academic and policy significance.
Empirical measurement of the economic point of no return by sector and organisation size. Longitudinal cohort study of skills evolution in organisations post-migration (3-year horizon). Comparative analysis of cloud contractual clauses over 10 years (2015–2025) to document temporal evolution of retention mechanisms. Measurement of the correlation between primary-hyperscaler tenure and capacity for functional requirement reformulation (test of Layer 6).
Analysis of case law on linguistic substitution clauses in cross-border B2B contracts. Comparative study of regimes governing waiver of mandatory EU law rights by private contract. Qualification of cognitive lock-in (Layer 6) within existing competition law frameworks. Applicability of Data Act art. 25 to pricing-based switching obstacles (egress fees) — a question of direct practical significance not yet resolved by the regulatory text or its guidance documents.
Proposal 1 — Extension of Data Act art. 25 to pricing-based switching obstacles: the current wording of art. 25 targets contractual clauses that impede switching. An explicit extension to pricing structures creating a disproportionate economic obstacle (egress fees) — via delegated act or interpretative guidance — would cover Layer 2 of the taxonomy, currently outside scope. The Commission's forthcoming review of the Data Act implementation (expected 2027) provides a procedural vehicle for this extension.
Proposal 2 — Simultaneous multi-language publication obligation: require cloud service providers to publish their Terms of Service simultaneously in all EU official languages in which they actively market their services, with updates in non-English languages published within 5 business days of the English version, failing which the update is unenforceable in the relevant Member State(s). This measure addresses the structural temporal gap documented in Section 3.
Proposal 3 — Individual notification obligation for material modifications: require individual notification by documented electronic means for any material modification to Product Terms, with a minimum 60-day notice period and a right to terminate without penalty in response to a material modification. The absence of individual notification is one of the most significant gaps in the current cloud contractual framework.
Proposal 4 — Formal designation of Data Act competent authorities: no EU Member State had formally designated its Data Act competent authority as of 1 June 2026, eighteen months after the regulation's adoption and nine months after its applicability date. This implementation gap deprives organisations of any effective administrative remedy under the regulation and should be addressed as a matter of urgency by each Member State.
The six-layer taxonomy presented in this working paper maps the full architecture of retention mechanisms operating in hyperscaler cloud contracts. It reveals that the most durable mechanisms — Layers 5 and 6 — are precisely those which are least visible, least legally contestable, and least covered by existing regulatory frameworks. An effective regulatory response to cloud vendor lock-in cannot be complete without a theory of organisational digital dependency that integrates these behavioural and cognitive dimensions beyond the contractual and technical obstacles currently addressed by the Data Act, the DMA and national competition law instruments.
Contractual documents were collected directly from the official websites of the three providers (aws.amazon.com/legal/ · cloud.google.com/terms · microsoft.com/licensing) between January 2022 and June 2026. For each provider, versions available in the three languages (FR · EN · DE) were downloaded upon each detected update, via systematic monitoring of the terms pages. Publication dates are extracted either from document metadata or from explicit internal mentions (e.g. Azure EES: "Published February 1, 2026 in English, translated February 9, 2026").
HTML documents were pre-processed in two stages: (a) text extraction by removal of HTML tags, scripts and CSS styles; (b) text normalisation by replacement of HTML entities, non-breaking spaces and typographic ligatures (e.g. fi → fi), and compression of multiple whitespace characters. This normalisation step is essential to distinguish substantive modifications from formatting changes — which represent the majority of "modifications" detected by a raw HTML diff. All differences identified as substantive were independently confirmed in the original documents to exclude normalisation artefacts.
Comparison between versions was conducted using normalised textual diff, section by section (each section identified by its number: s.1.4, s.5.5, s.50.12.2, etc.). For each pair of sections (version X vs version Y), normalised Levenshtein distance was computed to flag substantive modifications. Section pairs exhibiting greater than 95% similarity after normalisation were classified as "identical in substance" — residual typographic and formatting artefacts not constituting legally significant modifications.
All modifications identified as substantive by the algorithm were subject to manual review to: (a) confirm that the difference constitutes a legally significant modification and not a normalisation artefact; (b) characterise the nature of the modification (addition · deletion · reformulation · change in scope); (c) identify the relevant lock-in layer under the six-layer taxonomy. The results of this manual review are reproduced in Annex B for linguistic comparisons and in the corpus of 19 individual legal analyses of which this study constitutes the synthesis.
Limitation 1 — Documentary instability: Azure's monthly modification of Product Terms (608 occurrences over 6 months) creates a moving corpus that is difficult to stabilise for longitudinal analysis. Conclusions on Azure modifications refer to the snapshots collected at the stated dates and may not reflect the state of the document on an intermediate date.
Limitation 2 — Non-public documents: Enterprise Agreements and individually negotiated contracts, which may contain significantly different clauses from the public standard terms, are excluded from the analysis. The study covers exclusively conditions applicable to the majority of non-negotiating clients.
Limitation 3 — Legal qualification: the legal characterisation of analysed clauses (voidness, significant imbalance, violation of mandatory law) rests on the author's independent analysis and not on a court decision or formal legal opinion. These qualifications should be verified by a qualified legal practitioner before any action is taken.
Ces contrats ne sont pas mal rédigés. Ils sont parfaitement rédigés pour un objectif précis qui n'est pas celui du client : maximiser le coût de sortie tout en minimisant le coût d'entrée. Ce n'est pas un effet secondaire — c'est la fonction principale. Chaque clause analysée s'explique immédiatement dès qu'on lit le contrat avec cet objectif.
Les Reserved Instances coûtent 30–40% moins cher que le on-demand. La réduction est réelle. Elle s'obtient au prix de la non-résiliabilité. Le client échange sa liberté contre une réduction tarifaire — choix rationnel à court terme qui devient piège à moyen terme. Code Civil art. 1171 : déséquilibre significatif dans un contrat d'adhésion = réputé non écrit. Data Act art. 25 : tout obstacle contractuel au changement de fournisseur = inopposable.
La menace de suspension suffit à décourager toute contestation. Azure MOSA Section 3.c prévoit 30 jours de préavis pour non-paiement — seul point où Azure est meilleur qu'AWS sur ce critère. Code Civil art. 1226 · L.442-1 II Code Commerce.
L'entrée est gratuite, la sortie est tarifée. La machine sépare contractuel et tarifaire pour maximiser l'opacité à la signature. Data Act art. 25 : obstacle au changement = inopposable.
APIs propriétaires : Lambda/Cloud Functions/Azure Functions = non standardisées. Migration impossible sans réécriture.
Services managés : BigQuery/Redshift/Azure Synapse = SQL propriétaire. 10 ans de requêtes = mois de migration.
Effet superlinéaire : chaque service supplémentaire augmente le coût de sortie de l'ensemble.
I — Échelle : 65%+ marché mondial → abus de position dominante. L.442-1.
II — Asymétrie d'information : egress fees hors CGV · renonciation Directive 2018/1972 en anglais uniquement · constitutive du modèle.
III — Droit positif violé : Loi Toubon · art. 1171 CC · Data Act art. 23-25 · Directive 2018/1972.
IV — Conception délibérée : équipes juridiques de premier rang · testés dans plusieurs juridictions · la clause Waiver n'est pas en anglais seulement par accident.
Une clause abusive est un problème pour le juge civil. Un système conçu délibérément pour créer de la dépendance, s'appuyant sur des clauses illégales, à l'échelle d'un marché à 65% de concentration — c'est un problème pour le régulateur de concurrence. La DGCCRF dispose du Code Commerce L.442-1. Ce dossier et les dix-neuf analyses qui le fondent constituent les deux faces du même dossier : clause par clause, et système cohérent. Les deux sont nécessaires pour agir.
These contracts are not poorly drafted. They are perfectly drafted for a precise objective that is not the customer's: to maximise exit costs while minimising entry costs. This is not a side effect — it is the primary function. Every clause analysed becomes immediately explicable when read with this objective in mind rather than through the lens of a good-faith buyer.
Reserved Instances cost 30–40% less than on-demand. The saving is real. It comes at the price of non-cancellability. The customer trades freedom for a price reduction — a rational short-term choice that becomes a medium-term trap. UCTA 1977 s. 3: unreasonable exclusion of liability = unenforceable. CRA 2015 Sch. 2: terms creating significant imbalance = unfair. EU Data Act art. 25: contractual obstacles to switching cloud providers = unenforceable.
The threat of suspension is sufficient to deter any challenge. Azure MOSA Section 3.c provides 30 days' notice for non-payment — the one point where Azure outperforms AWS on this criterion. CA 1998 s. 18 · CRA 2015 Sch. 2 para. 1(b): right to suspend must not be exercised in a disproportionate manner.
Entry is free, exit is priced. The machine deliberately separates contractual from pricing to maximise opacity at signature. EU Data Act art. 25 · CA 1998 s. 18: obstacle to switching = potentially unenforceable.
Proprietary APIs: Lambda/Cloud Functions/Azure Functions = non-standardised. Migration requires full rewrite.
Managed services: BigQuery/Redshift/Azure Synapse = proprietary SQL dialects. 10 years of queries = months of migration.
Superlinear effect: each additional service increases the cost of exiting all others.
I — Scale: 65%+ global market → potential abuse of dominance. CA 1998 s. 18.
II — Information asymmetry: egress fees outside T&Cs · Directive 2018/1972 waiver in English only · constitutive, not accidental.
III — Positive law violated: UCTA 1977 · CRA 2015 · CA 1998 s.18 · EU Data Act art. 23–25.
IV — Deliberate design: drafted by top-tier legal teams · tested across jurisdictions · the waiver clause is not in English only by accident. CMA 2023 Study identified switching barriers — no enforcement followed.
An unfair clause is a problem for the civil courts. A system deliberately designed to create dependency, relying on unlawful clauses, at the scale of a 65% concentrated market — that is a problem for the competition regulator. The CMA holds the Competition Act 1998 s. 18. Its own 2023 Cloud Market Study identified switching barriers as a primary concern. No formal enforcement has followed. This document and the nineteen analyses underpinning it constitute the two faces of the same case: clause by clause, and as a coherent system. Both are necessary for regulators to act.
Diese Verträge sind nicht schlecht formuliert. Sie sind perfekt formuliert — für ein präzises Ziel, das nicht das des Kunden ist: die Austrittskosten zu maximieren und gleichzeitig die Eintrittskosten zu minimieren. Dies ist kein Nebeneffekt — es ist die Hauptfunktion. Jede analysierte Klausel erklärt sich sofort, wenn man den Vertrag mit diesem Ziel liest.
Reserved Instances kosten 30–40% weniger als On-Demand. Die Ersparnis ist real. Sie wird durch Unkündbarkeit erkauft. Der Kunde tauscht Freiheit gegen einen Preisnachlass — eine rational erscheinende kurzfristige Entscheidung, die mittelfristig zur Falle wird. BGB § 307 Abs. 1: unangemessene Benachteiligung = unwirksam. BGB § 309 Nr. 5: Klauselverbote ohne Wertungsmöglichkeit. EU Data Act Art. 25: Klauseln, die den Anbieterwechsel behindern = nicht anwendbar.
Die Sperrungsdrohung reicht aus, um jede Anfechtung zu unterbinden. Azure MOSA Abschnitt 3.c sieht 30 Tage Vorlaufzeit bei Nichtzahlung vor — der einzige Punkt, in dem Azure besser abschneidet als AWS. BGB § 307 Abs. 1 · GWB § 19 Abs. 2 Nr. 1: Missbrauch einer marktbeherrschenden Stellung.
Eintritt kostenlos, Austritt kostenpflichtig. Die Maschine trennt Vertragliches und Tarifliches bewusst, um Intransparenz zu maximieren. EU Data Act Art. 25 · GWB § 19a Abs. 2 Nr. 4: Wechselhindernisse = unzulässig.
Proprietäre APIs: Lambda/Cloud Functions/Azure Functions = nicht standardisiert. Migration erfordert vollständige Neuentwicklung.
Managed Services: BigQuery/Redshift/Azure Synapse = proprietäre SQL-Dialekte. 10 Jahre Abfragen = Monate Migration.
Superlinearer Effekt: jeder weitere Dienst erhöht die Gesamtausstiegskosten überproportional.
I — Marktmacht: 65%+ Weltmarkt → möglicher Marktmachtmissbrauch. GWB § 19 / § 19a.
II — Informationsasymmetrie: Egress-Gebühren außerhalb der AGBs · Direktiven-Verzicht nur auf Englisch · systemimmanent, nicht zufällig.
III — Verstoß gegen positives Recht: BGB §§ 305c/307/308/309 · GWB § 19a · EU Data Act Art. 23–25 · DSGVO.
IV — Bewusste Gestaltung: erstklassige Rechtsteams · in mehreren Jurisdiktionen erprobt · Die Waiver-Klausel steht nicht zufällig nur auf Englisch.
Eine missbräuchliche Klausel ist ein Problem für den Zivilrichter. Ein bewusst darauf ausgelegtes System, das Abhängigkeit schafft, sich auf rechtswidrige Klauseln stützt und auf einem 65%igen Marktanteil beruht — das ist ein Problem für die Wettbewerbsbehörde. Das Bundeskartellamt verfügt über GWB § 19a (Verhaltensanforderungen für Unternehmen mit überragender Marktbedeutung). Diese Studie und die neunzehn Analysen, auf die sie sich stützt, bilden die zwei Seiten desselben Dossiers: Klausel für Klausel und als kohärentes System. Beide sind erforderlich, damit die Behörden handeln.
The AWS Service Terms are the sole contractually binding version. Unlike the French and German analyses, there is no translation gap to examine — every clause is directly enforceable in its English form. The analysis therefore focuses on the substantive lawfulness of these terms against British statute and case law. Five categories of violations emerge: (1) exclusion or restriction of liability contrary to UCTA 1977; (2) unfair terms contrary to CRA 2015 Schedule 2; (3) clauses restricting switching contrary to the UK Cloud Switching Addendum (s. 1.30) and Competition Act 1998 s. 18; (4) data processing clauses contrary to UK GDPR; (5) terms contrary to the Supply of Goods and Services Act 1982. Notably, AWS explicitly incorporates a UK Switching Addendum (s. 1.30) — a significant advantage over GCP — but this does not cure the underlying contractual defects.
The AWS Service Terms, as the sole binding version, contain two structural levels of conflict with British law. The first is statutory: blanket liability disclaimers, noncancellable commitments and unilateral suspension clauses fail the reasonableness test under UCTA 1977 s. 3 and s. 11, and constitute presumptively unfair terms under CRA 2015 s. 62 and Sch. 2. The Capacity Blocks clause (s. 5.5) is the most problematic — no refund, no exception, plus unilateral termination without notice in the last 30 minutes. The second is regulatory: restrictions on downstream competitive use (ss. 50.5–50.6) and embedded AI training consents (ss. 1.20, 50.3) engage Competition Act 1998 s. 18 and UK GDPR respectively — areas of active CMA and ICO focus. AWS is materially better than GCP in two respects: (1) the pro-rata refund mechanism where AWS terminates without cause; (2) the explicit incorporation of the UK Switching Addendum (s. 1.30) — a direct CMA-responsive commitment absent from GCP's terms. These are significant differentiators but do not cure the underlying substantive defects.
The English version of the ToS reveals two additional critical clauses not present as explicitly in the French version — Section 2.6 (fee revision "at any time") and Section 8.8 ("No Refunds"). The English version is globally more explicit in its exclusions, making it more legally vulnerable precisely because its intent is unambiguous. The CMA's own March 2026 Cloud Market Investigation named switching barriers and fee practices as significant concerns — without triggering formal enforcement. The question is why.
These contracts are not poorly drafted. They are perfectly drafted for a precise objective that is not the customer's: to maximise exit costs while minimising entry costs. This is not a side effect — it is the primary function. Every clause analysed becomes immediately explicable when read with this objective in mind rather than through the lens of a good-faith buyer.
Reserved Instances cost 30–40% less than on-demand. The saving is real. It comes at the price of non-cancellability. The customer trades freedom for a price reduction — a rational short-term choice that becomes a medium-term trap. UCTA 1977 s. 3: unreasonable exclusion of liability = unenforceable. CRA 2015 Sch. 2: terms creating significant imbalance = unfair. EU Data Act art. 25: contractual obstacles to switching cloud providers = unenforceable.
The threat of suspension is sufficient to deter any challenge. Azure MOSA Section 3.c provides 30 days' notice for non-payment — the one point where Azure outperforms AWS on this criterion. CA 1998 s. 18 · CRA 2015 Sch. 2 para. 1(b): right to suspend must not be exercised in a disproportionate manner.
Entry is free, exit is priced. The machine deliberately separates contractual from pricing to maximise opacity at signature. EU Data Act art. 25 · CA 1998 s. 18: obstacle to switching = potentially unenforceable.
Proprietary APIs: Lambda/Cloud Functions/Azure Functions = non-standardised. Migration requires full rewrite.
Managed services: BigQuery/Redshift/Azure Synapse = proprietary SQL dialects. 10 years of queries = months of migration.
Superlinear effect: each additional service increases the cost of exiting all others.
I — Scale: 65%+ global market → potential abuse of dominance. CA 1998 s. 18.
II — Information asymmetry: egress fees outside T&Cs · Directive 2018/1972 waiver in English only · constitutive, not accidental.
III — Positive law violated: UCTA 1977 · CRA 2015 · CA 1998 s.18 · EU Data Act art. 23–25.
IV — Deliberate design: drafted by top-tier legal teams · tested across jurisdictions · the waiver clause is not in English only by accident. CMA 2023 Study identified switching barriers — no enforcement followed.
An unfair clause is a problem for the civil courts. A system deliberately designed to create dependency, relying on unlawful clauses, at the scale of a 65% concentrated market — that is a problem for the competition regulator. The CMA holds the Competition Act 1998 s. 18. Its own 2023 Cloud Market Study identified switching barriers as a primary concern. No formal enforcement has followed. This document and the nineteen analyses underpinning it constitute the two faces of the same case: clause by clause, and as a coherent system. Both are necessary for regulators to act.

The material foundation: semiconductors, firmware, the labour of iron.
The organisation that believes it has freed itself from cloud by buying bare-metal but runs on Intel or AMD silicon with unauditable proprietary firmware has solved a software dependency problem to fall into a potentially deeper hardware dependency problem. Hyperscaler lock-in is at the software level. Hardware lock-in is at the silicon level. This study documents the second dimension of the material layer: the hidden processors in every server, their nature, and what they mean for sovereignty.
Since 2008, every Intel processor integrates a subsystem called the Intel Management Engine (IME). This is not an optional feature. Not an external component. It is a secondary processor etched into the main CPU die, with its own firmware, its own operating system (MINIX 3), and its own access to memory, network and storage.
The IME was designed for remote enterprise server management — allowing a sysadmin to restart, reconfigure or diagnose a server without being physically present. This function is legitimate and useful. What is problematic is its architecture:
It runs independently of the OS: Linux, Windows, BSD — no operating system controls the IME. It runs below the kernel level. It is invisible to standard audit tools.
It functions when the server is "off": as long as the server is powered (even in deep standby), the IME is active. It can receive network instructions and execute them without the main OS being started.
It has independent network access: the IME can communicate on the network via channels distinct from those used by the OS. On some motherboards it has its own dedicated network port.
Its firmware is proprietary: Intel does not publish the IME firmware source code. It cannot be audited or easily replaced. Partial disabling attempts exist (me_cleaner) but are not guaranteed complete.
Since 2013, AMD processors integrate the Platform Security Processor (PSP) — also called AMD Secure Technology. It is based on an ARM Cortex-A5 architecture, has proprietary firmware, and similar functions to the IME: pre-OS execution, memory access, hardware-level security management.
AMD has published more technical specifications than Intel on this component, but the firmware remains proprietary and not fully auditable. The coreboot community is working on alternative implementations but coverage is partial.
The Intel IME firmware is developed and distributed by Intel Corporation, headquartered in Santa Clara, California. Firmware updates are cryptographically signed by Intel. They are distributed via the motherboard manufacturer's update channels (Dell, HP, Lenovo, Supermicro) which incorporate them into their own BIOS/UEFI updates.
This firmware is subject to US law. It is subject to National Security Letters. It is subject to the CLOUD Act in its dimension of information system control. An organisation running sensitive data on Intel servers believing it has freed itself from US cloud is in fact running that data on unauditable US firmware.
This is not speculation. It is the logical consequence of IME architecture and US law as documented in Terms Under the Microscope.
An experienced Linux administrator has access to everything: kernel, drivers, logs, hardware metrics, system calls. They can audit virtually any layer of the system. The IME is the exception — the layer that escapes their technical authority.
They cannot read IME logs without special (and partial) tools. They cannot inspect IME network traffic with tcpdump — the IME operates below the network interface. They cannot disable the IME without risking destabilising the server (some BIOS functions depend on IME). They cannot verify IME firmware integrity with standard audit tools.
The Technical Primacy documented in the corpus stops at the IME's surface. Below: proprietary terra incognita.
Coreboot: open-source alternative firmware for BIOS/UEFI, supported on a limited number of motherboards. Can reduce IME exposure without eliminating it completely.
me_cleaner: tool attempting to neutralise non-essential IME modules. Partial results, destabilisation risks, not officially supported.
RISC-V + open processors: the 10-15 year horizon. RISC-V processors without IME exist but are not yet available in high-performance datacentre versions.
IBM POWER + OpenPOWER: existing alternative with a higher level of auditability than x86 processors. Different cost and software ecosystem.
What it is: California jurisdiction (GCP §14.12), noncancellable commits, egress fees, unilateral price modification, possible government access (CLOUD Act).
How to exit: change vendor, renegotiate contracts, choose sovereign MSP. Difficult but possible — documented in The Accompanied Exodus.
Corpus study: Terms Under the Microscope.
What it is: proprietary dialects (DynamoDB, BigQuery, Lambda), proprietary certifications, newspeak destroying neutral skills, application code speaking the vendor's language.
How to exit: Sovereign Interface (Anti-Corruption Layer), progressive migration (Gentle Exit), rebuilding neutral skills (Foundation of Iron). Slow but doable — documented in the corpus.
Corpus studies: Sovereign Interface · The Newspeak That Costs Dear.
What it is: dependency on TSMC/ASML for new GPU servers (The Taiwan Bottleneck), proprietary unauditable Intel ME / AMD PSP firmware (The Material Black Box), strategic value of existing hardware in supply crisis (The Strategic Refurbished).
How to exit: own existing hardware (immediate horizon), coreboot/me_cleaner (partial, complex horizon), RISC-V + sovereign foundries (10-15 year horizon). No simple solution today.
Corpus studies: Digital Iron · Taiwan Bottleneck · Material Black Box · Strategic Refurbished.
The contractual layer is visible — it is in the Terms.
The software layer is visible — it is in the code.
The material layer is invisible — it is in the silicon.
The Opération Dindon corpus documented all three.
The third layer is the only one the Terms do not mention.
It exists nonetheless.
Refurbished Grade A was documented in "The €3,000 VM and the €2,800 SRE" as a FinOps choice — 11 times cheaper than the GCP VM over 5 years. This study adds the dimension the previous one did not treat: Refurbished is not just a FinOps choice. It is geopolitical insurance whose value increases exactly when cloud becomes most vulnerable. Both properties together — economic and geopolitical — make Refurbished Grade A the most defensible decision in the corpus.
A Refurbished Grade A Dell PowerEdge R750 (32 cores, 512 GB RAM, 10 TB NVMe) costs €4,000 to €6,000. Depreciated over 3 years with opex (power, network, colocation): approximately €270/month. Over 3 years: €9,720. The equivalent GCP VM (n2-highmem-32) over the same period: €108,000. Ratio: 11×. This property was documented in "The €3,000 VM and the €2,800 SRE".
A Refurbished Grade A server bought today contains chips fabricated 2 to 3 years ago. These chips already exist in the physical world — they have been produced, tested, assembled. Their availability no longer depends on:
— Future TSMC production in Taiwan
— US export restrictions on advanced chips
— ASML EUV machine availability
— The geopolitical situation in the Taiwan Strait
— Hyperscaler procurement policy for new GPU servers
These chips are there. They work. They will continue to work for 5 to 7 additional years with standard maintenance. Their physical existence is established. It cannot be revoked by a future geopolitical event.
Refurbished Grade A is 11 times cheaper than the GCP VM in a stable world. And in an unstable world — Taiwan crisis, export restrictions, cloud capacity rationing — its relative value increases further. It is the asset whose strategic value grows exactly in the scenarios where the cloud alternative is most exposed.
These two properties are not independent. They are two faces of the same fundamental decision: own your hardware or rent someone else's.
Infrastructure runs on hyperscaler servers. In a crisis, the hyperscaler cannot order new GPU servers — TSMC is down. It maintains existing capacity but cannot extend it. If the organisation needs to scale, it hits rationing. It is in the queue — after the hyperscaler's own needs, after Enterprise Agreement customers. Without guaranteed contractual priority, it waits.
It also cannot repatriate its infrastructure — it no longer has the skills (documented in The Newspeak), the engineers (−34% Linux jobs), and migration takes 6 to 12 months (documented in The Accompanied Exodus).
Infrastructure runs on physical servers it owns. These servers were purchased and delivered before the crisis. Their chips are there, functional, independent of future production. In a crisis, it can maintain normal activity. It can even purchase additional Refurbished on the secondary market — whose value rises with chip scarcity but remains available since the world's existing server park is massive. It is outside the cloud rationing queue.
Core infrastructure runs on its own servers — critical services, sensitive data, baseline workloads. Cloud is used for temporary peaks or non-critical services. In a crisis, it can rebalance cloud workloads to physical infrastructure. It is not entirely dependent on the vendor's queue. This is the model documented in "The Sovereign Interface" — the Anti-Corruption Layer enabling switching without application rewrite.
Refurbished Grade A is the only infrastructure decision
that is optimal in both scenarios — stable and unstable.
That is why "owning your hardware" is not nostalgic sovereigntism.
It is elementary risk management.
And it is 11 times cheaper too.
Hyperscaler lock-in has three layers. The contractual layer — documented in Terms Under the Microscope. The software layer — documented in The Newspeak That Costs Dear. The material layer — the deepest, least visible, the one the Terms do not mention because it precedes the Terms. This study documents the first dimension of the material layer: geopolitical dependency on the Taiwan Strait — and why the organisation that owns its physical hardware is the only one with business continuity independent of this dependency.
The Opération Dindon corpus documented RISC-V as the open-source ISA alternative to Intel, AMD and ARM proprietary architectures. This documentation is correct and necessary. It is insufficient. RISC-V is an instruction set architecture — a logical design. For a RISC-V chip to exist physically, it must be fabricated in silicon. And fine-node silicon fabrication is subject to two inescapable physical monopolies.
Extreme ultraviolet lithography (EUV) is the fabrication technique that enables chips below 7nm — the nodes used in datacentre GPUs, smartphone processors, and AI chips. ASML, a Dutch company based in Eindhoven, is the world's sole manufacturer of EUV machines. One ASML EUV machine costs approximately €150 to €200 million, weighs 180 tonnes, requires 40 containers to transport, and is assembled from 100,000 components from 5,000 suppliers in 30 countries.
There is no alternative. Not in China (despite massive investment since 2019), not in Russia, not in Europe other than ASML itself. Any fab that wants to produce advanced chips must go through ASML. And ASML, under pressure from the US and Dutch governments, has not been selling its EUV machines to China since 2023.
TSMC (Taiwan Semiconductor Manufacturing Company) produces approximately 90% of the world's advanced chips (nodes below 5nm). Its customers include Apple, NVIDIA, AMD, Qualcomm, Google, Amazon, Microsoft. The NVIDIA H100 GPUs powering AI models — including those of Anthropic, OpenAI and Google DeepMind — are fabricated by TSMC in Taiwan.
TSMC in Taiwan. On an island of 36,000 km² separated from mainland China by a 130 km strait. In a zone subject to territorial claims by the People's Republic of China. In a region where large-scale Chinese military exercises took place in 2022 and 2023.
Their cloud vendor (AWS, GCP, Azure) is itself dependent on TSMC for new GPU servers. In a Taiwan crisis, hyperscalers will ration new capacity — first for their own internal needs, then for customers in contractual priority order. The CIO whose business continuity depends on continuous availability of cloud resources does not control this rationing.
Since October 2022, the US government has banned the export to China of advanced chips and associated production equipment. This unilateral decision was applied extraterritorially — forcing ASML (a Dutch company) to cease deliveries to China. It was applied without consulting the European Union.
This precedent says something important for European organisations using US cloud: the United States has demonstrated its capacity and willingness to exercise extraterritorial control over the silicon supply chain. If geopolitical circumstances required it, similar control could be exercised over European access to US cloud services — or over European hardware equipment dependent on US technology.
A Refurbished Grade A Dell PowerEdge R750 bought today contains chips fabricated 2 to 3 years ago. These chips already exist in the physical world. Their availability no longer depends on future TSMC production, US export restrictions, ASML machine availability, or the geopolitical situation in the Taiwan Strait. They are there. They work. They will continue to work for 5 to 7 additional years with standard maintenance.
In a silicon supply crisis — geopolitical (Taiwan conflict), natural (earthquake, typhoon in production zones), or regulatory (new export restrictions) — the patrimonial and strategic value of existing physical servers increases. Demand for qualified certified second-hand hardware rises. The organisation that owns its physical hardware has business continuity that the 100% cloud organisation does not.
Hyperscalers have server stocks — but limited. In an extended TSMC production interruption, they cannot order new H100 GPUs or new datacentre CPUs. Available capacity will be maintained — but not increased. Customers who want to scale up during a global crisis will hit rationed capacity.
Who gets served first? The hyperscalers themselves (their own AI services, critical internal services), then customers in contractual priority order — Enterprise Agreements first, Pay-as-you-go last. The organisation without an Enterprise contract is last in the queue.
The organisation with its own physical server is outside the queue. It does not wait.
Refurbished Grade A is 11× cheaper than the GCP VM over 5 years (FinOps study). It is also geopolitical insurance whose value increases exactly when cloud becomes most vulnerable (geopolitical study). These two properties are not independent — they are two faces of the same decision: own your hardware or rent someone else's.
The standard Total Cost of Ownership calculation cloud vs on-premise compares: hardware acquisition cost + staff + maintenance + datacentre vs monthly cloud invoice. This is a correct calculation in a stable world. It is insufficient in a world where the silicon supply chain is concentrated on a geopolitically disputed island.
What the standard TCO does not include:
— The geopolitical insurance premium of existing physical hardware
— The cost of cloud rationing in a supply crisis
— The value of business continuity independent of the global supply chain
— The cascade dependency: cloud → H100 GPU → TSMC → Taiwan Strait
Layer 1 — Contractual: Terms Section 14.12 (California jurisdiction), noncancellable commits, egress fees, unilateral price modification. Documented in Terms Under the Microscope.
Layer 2 — Software: proprietary dialects (DynamoDB, BigQuery, Lambda), proprietary certifications, newspeak that destroys neutral skills. Documented in The Newspeak That Costs Dear.
Layer 3 — Material: dependency on TSMC for new GPU servers, dependency on ASML for EUV machines, geopolitical concentration in the Taiwan Strait. This layer is the deepest. It is also the only one the Terms do not mention — because it precedes the Terms. The cloud vendor does not guarantee its own silicon supply chain continuity. Nobody guarantees it.
European Chips Act (2023): €43 billion to double Europe's share of global semiconductor production — from 10% to 20% by 2030. Ambitious objective. Fine-node fabrication capacity: not yet achieved.
Intel Fab in Germany (Magdeburg): planned €33 billion investment, 1.8nm fabrication announced. Delays: pushed back in 2024 due to reduced subsidies and market difficulties. Planned capacity: 2030 at earliest.
RISC-V: open-source instruction set architecture supported by an international foundation. RISC-V chips exist and are produced — primarily by TSMC for customers who order them. The architecture is free. The fabrication remains dependent on the same foundries.
There is no fab in Europe today capable of fabricating chips below 7nm. TSMC and Samsung are the only ones worldwide able to do so at industrial volume. China is investing massively but remains blocked below 28nm due to ASML machine restrictions.
The gap is 10 to 15 years in optimistic scenarios — and assumes announced investments materialise, specialist engineers are trained, ASML machines are available (ASML is itself subject to US pressure on its exports), and markets are there.
The corpus conclusion: RISC-V is the correct horizon. The sovereign foundry is the necessary horizon. Between both and today, there is a 10 to 15-year vulnerability window during which dependency on the Taiwan Strait is structural and unavoidable. It is in this window that the Opération Dindon corpus operates. It is in this window that the CIO's decisions are made.
The CIO who signs for managed cloud accepts three layers of dependency.
The first is in the Terms they signed.
The second is in their developers' code.
The third is in the Taiwan Strait.
This third layer appears in no contract.
It exists nonetheless.
Like the previous document in this corpus, this study asks for a rational rather than an emotional reading. It makes no accusation of organised conspiracy. It describes a market mechanism — the concentration of a scarce skill through a lack of outside investment — and draws an operational conclusion from it: this lock, being the product not of a deliberate plan but of an investment imbalance, can be lifted through a training effort at a scale no private company, however powerful a trio, can match against the sheer number of people available worldwide.
This study concludes the trajectory opened by "Anatomy of the Loss — Diagnosis and Reformation." Prior reading of that document is assumed for the full coherence of the reasoning, in particular the six-layer lock-in model and the 2005 pedagogical foundation, here extended down to the hardware layer itself.
The six-layer lock-in model already established in this corpus places the cognitive layer as the deepest. This study proposes to go one level deeper still: beneath the cognitive layer lies the hardware layer itself — the real-world knowledge of building and operating a large-scale datacentre, a distributed object storage system comparable to S3, and a global network backbone.
This knowledge is not an abstract academic skill. It is physical engineering knowledge: how to size electrical power for a multi-megawatt site, how to design a fault-tolerant storage network across hundreds of thousands of disks, how to operate a continent-scale fibre backbone. Today, this knowledge exists almost exclusively among a small number of players — the trio at the forefront, alongside a handful of legacy telecom operators and a few specialised hosting providers.
All previous lock-in layers — contractual, pricing, technical, cognitive — can in theory be bypassed as long as the physical competence to build an alternative exists somewhere. But if the very competence to build a datacentre, a distributed storage system, or a network backbone becomes scarce enough that it only exists among the dominant players, then none of the previous layers even need to be actively maintained: the absence of outside competence alone is enough to guarantee the dominant position.
This observation is what motivates this study. If the trio's current dominance ultimately rests on the scarcity of hardware mastery rather than on contractual clauses or reversible technical choices, then reconquering that mastery is the most fundamental lever of all those identified in this corpus.
Noting that this competence is scarce does not prejudge the reason for that scarcity. That is precisely the question the next section examines, with the same demand for rigour as the rest of this corpus.
The scarcity of hardware mastery requires no deliberate suppression to take hold. The mechanism is simpler, more systemic, and just as effective: if nearly all global investment in training, research and physical storage and compute infrastructure concentrates among three players, then competence concentrates mechanically among those same three players — with no need for any plan to suppress knowledge to produce that outcome.
This mechanism is exactly the one described in Section 5 of the previous document in this corpus, here applied to the scale of the global labour market rather than a single technical team. Universities, vocational training bodies and employers follow market demand. The market itself followed the path of least resistance offered by cloud abstraction. At the end of this conspiracy-free chain, outside investment in hardware competence dried up, and the competence itself became scarce through lack of practice rather than deliberate confiscation.
If the scarcity resulted from a deliberate plan to suppress knowledge, reconquest would require outmanoeuvring an active strategy — an adversary that reacts and adapts. If the scarcity results from external underinvestment, reconquest requires only one thing: reinvesting. No adversarial strategy to outmanoeuvre, only an imbalance to correct. This is a more modest thesis in its accusation, and a more powerful one in its practical consequence.
This study does not claim the trio has a plan to suppress hardware knowledge across the global market. Such a claim would require specific evidence this document does not possess. It claims that the observable net effect — the concentration of competence — results from an investment imbalance between three private players and the rest of the world, an imbalance that took hold without requiring any centralised intent to explain it.
In the interest of accuracy, it must be said that the trio does not systematically hide its hardware knowledge. Each publishes, to varying degrees, research on its infrastructure: internal chip design, datacentre cooling, distributed storage architecture. This communication serves their technical reputation and recruitment, without thereby transferring the actual operational competence required to build a complete equivalent.
Publishing a research paper on a hardware innovation is not the same as transferring the end-to-end competence needed to build, operate and evolve a comparable system at scale. The trio keeps the essential in-house: decades of cumulative operational experience, operating processes, relationships with component manufacturers, and a critical mass of engineers trained on real production systems. It is this cumulative competence, not the absence of any publication, that constitutes the real lock.
This nuance matters because it avoids an easily refutable accusation. Claiming the trio "hides everything" would be inaccurate and would weaken the entire argument against the first Google search showing otherwise. Claiming the trio holds a rare cumulative competence, built over decades of concentrated investment, is by contrast accurate and verifiable.
Acknowledging that the trio contributes to public research on hardware infrastructure does not weaken this study's thesis. It makes it more precise: the lock is not a guarded secret, it is a cumulative competence that the scarcity of outside investment has prevented anyone else from matching.
The trio consists of three private companies. The world has several million software and electronics engineers, tens of thousands of universities and engineering schools, and hundreds of countries with sovereign interests in diversifying their technological dependence. The structural balance of power does not favour the trio once competence ceases to be scarce.
This is a simple economic principle: an artificial scarcity does not need to be fought head-on, it collapses on its own once the supply of competence increases sufficiently. If mastery of the iron becomes widely available again — through the training described in the previous document of this corpus, at the scale of thousands rather than a few hundred specialised engineers — the scarcity underpinning the trio's dominant position erodes mechanically, with no frontal battle needed against an adversarial strategy that, by construction, does not exist as a centralised plan.
The trio today holds a handful of dominant platforms. But nothing in the nature of this competence requires it to remain held by only three players. With a few hundred engineers expert in distributed storage, backbone networking and datacentre operations, spread across multiple continents and legal frameworks, it becomes possible to bring about not a single competitor, but several independent alternatives simultaneously — precisely because the world is larger than three companies.
This reasoning connects directly to the earlier documents in this corpus: the R&D subsidy proposals for local hosting providers, the Open Hardware programme involving the military and universities, and the pedagogical foundation for hardware training. Each of these levers, taken alone, seems modest against the trio. Taken together, at the scale of competence available worldwide, they constitute a reconquest force that three private companies cannot structurally match in terms of total human capacity.
It would be dishonest to claim this reconquest is fast or costless. Building a credible equivalent of a global object storage system or an intercontinental network backbone requires capital, time, and overcoming network effects already established over fifteen years. The advantage of numbers is real in terms of available human competence; it does not eliminate the capital and time challenge of the physical construction itself.
This document concludes a line of reasoning that began with the analysis of the trio's contractual workarounds, continued with the diagnosis of behavioural, economic and cognitive mechanisms that diluted historical Ops competence, and arrives here at the deepest layer: the scarcity of mastery over the iron itself.
The practical conclusion of this trajectory is not a call to confrontation against an organised strategic adversary. It is a call to investment. The scarcity underpinning the trio's position is not an actively defended wall — it is a void that no one else has sufficiently filled. Filling that void does not require defeating a strategy, only mobilising a fraction of the world's human competence that remains, today, largely untapped on this specific terrain.
This document proposes nothing new that is not already sketched elsewhere in this corpus: R&D subsidies for local hosting providers, the Open Hardware programme with the military and universities, the pedagogical foundation for hardware training described in the previous document. What this conclusion adds is the framework that ties these proposals together: they are not isolated measures, they are the components of a single strategy to reconquer the most fundamental layer of the entire lock-in system.
The trio does not need to be defeated by a single player that would replace it identically. The world has the advantage of numbers, and that advantage allows for not one, but several independent alternatives, built simultaneously by engineers trained on the foundation described in this corpus, across different legal frameworks, on different continents. It is this diversity of players, more than the size of a single competitor, that constitutes the real safeguard against a return to the same lock-in under a different name.
This study extends "The Mastery of Iron" into its digital dimension. Physical iron — steel, cutlery, metallurgy — was treated as a condition of industrial power. Digital iron — semiconductors — is the condition of computational power. No chip, no server. No server, no infrastructure. No infrastructure, no SRE. The dependency chain runs up to a handful of actors who concentrate the manufacture of the components on which the entire global digital economy rests — and Europe is not among them.
TSMC — Taiwan Semiconductor Manufacturing Company — manufactures approximately 90% of the world's most advanced logic chips (sub-7-nanometre nodes). The processors in AWS, GCP and Azure datacentres, the chips in smartphones, the NVIDIA GPUs powering generative AI, the Apple M-series processors — all come out of TSMC's factories in Taiwan. No other actor is capable of producing at this level of precision and at this scale.
This concentration is not new. It was built over forty years of massive investment, accumulated know-how passed down across generations, and a specialisation that has made competition structurally impossible for anyone who did not begin investing in the 1980s. Europe watched this concentration form without ever deciding to oppose it.
Taiwan is an island of 35,000 km² located 180 km from the Chinese mainland coast. The People's Republic of China asserts sovereignty over it. A military conflict, a naval blockade, or even a major logistical disruption in the Taiwan Strait would interrupt the production of 90% of the world's advanced chips. The global digital economy — infrastructure, cloud, AI, telecoms — would face a component supply rupture within a matter of months. No buffer stock exists at this scale. No alternative production capacity is immediately available.
The SRE administers servers. Servers contain processors. Processors are made in Taiwan. A conflict in the Taiwan Strait does not translate into an abstract geopolitical event — it translates into the impossibility of ordering new servers in the 12 to 18 months that follow, the explosion of existing component prices, and the progressive degradation of infrastructure as hardware ages with no possibility of replacement. Digital sovereignty starts with the chips. Not with the cloud contracts.
This study does not claim that a conflict in the Taiwan Strait is imminent or likely. It claims that the concentration of advanced chip production on a single territory constitutes a documented structural risk, independently of any specific crisis scenario. A risk does not need to materialise to justify a structural response.
The semiconductor value chain has restructured around a separation between design and manufacture. NVIDIA designs the H100 GPUs that power AI — it does not make them. Apple designs the M-series chips — it does not make them. AMD designs its EPYC datacentre processors — it does not make them. These actors are "fabless" companies: without a factory. Their designs are sent to TSMC, which etches them into silicon.
This model has produced remarkable efficiency. It allowed design companies to reach levels of sophistication they could never have funded had they needed to maintain their own production tooling. But it also created a structural vulnerability: dependence on a single manufacturer.
Manufacturing is not the only bottleneck. Chip design software (EDA — Electronic Design Automation) is dominated by three American actors: Synopsys, Cadence, and Mentor Graphics (acquired by Siemens). The extreme ultraviolet (EUV) lithography machines essential for the finest nodes are produced by a single global actor: ASML, a Dutch company. Without ASML machines, TSMC cannot produce its most advanced chips. The dependency chain has multiple links, each as narrow as the last.
Europe is present in this chain at one significant point: ASML. This presence is real and strategic — without ASML, global advanced chip production stops. But it is also fragile: ASML itself depends on American suppliers for its lasers and subcomponents whose supply chain is not entirely European. Europe is one link in a chain it does not control end to end. STMicroelectronics, the only European chip manufacturer of scale, operates on less advanced nodes — useful for automotive and industrial applications, but not for AI datacentres.
ASML is a valuable European asset. Its presence does not mean that Europe controls the semiconductor chain. Making the machines that make the chips is a position of strength — but this position depends entirely on the demand of Asian and American manufacturers. If TSMC slowed its orders, ASML would slow with it. Mastering a production tool is not the same as mastering production.
"The Mastery of Iron" documented how France allowed mastery of speciality steels to migrate to the United States and Asia — the S35VN and S45VN that make a Spyderco knife worth €450, the Hitachi steels that underpin Japanese premium cutlery. Thiers, once the world capital of cutlery, lost its pre-eminence not because it was technically defeated, but because it did not invest in metallurgical research when others were doing so.
The parallel with semiconductors is structurally identical. Europe was not excluded from advanced chip manufacturing by a hostile decision by outside actors. It excluded itself through the absence of a coherent industrial policy over forty years, while Taiwan, South Korea and the United States were investing massively.
In both cases — speciality steel and advanced semiconductors — the mechanism of mastery loss is identical. An actor stops investing in fundamental research and upmarket progression, in favour of short-term profitability optimisation. Meanwhile, other actors invest over long cycles of 10 to 20 years. At the end of these cycles, competence is irreversibly concentrated elsewhere. Reconquest is not impossible — but it takes the same time as the abandonment did, and costs exponentially more.
The European Chips Act of 2023 mobilised €43 billion to attempt to bring Europe's share of global semiconductor production to 20% by 2030. This is a signal. It is not yet a capability. Intel has announced factories in Germany and Poland — projects that take 5 to 10 years to build and reach technical maturity. TSMC has announced a factory in Germany for previous-generation nodes. These investments will reduce dependence on certain segments — they will not recreate the leading edge of technology in Europe within the coming decade.
The European Chips Act is a correct and necessary political decision. It does not correct current dependence — it begins to build the conditions for reducing it over 10 to 15 years. European datacentres running today and tomorrow will continue to depend on chips manufactured outside Europe throughout this entire period. Long-term investment and short-term risk management are two distinct problems that require distinct responses.
The emergence of generative AI since 2022 has added a further dimension to semiconductor dependence. Large language models, computer vision systems, recommendation engines — all require massively parallel computing GPUs. NVIDIA dominates this market with its H100, H200, and successive generation GPUs. These chips are manufactured by TSMC. Global demand is so intense that it regularly exceeds available production capacity.
For European actors seeking to develop sovereign AI capabilities — whether states, companies or research centres — access to leading-edge GPUs is rationed by TSMC's production capacity and NVIDIA's allocation priorities. This is not a free market. It is a discretionary allocation market in which the best-positioned actors (American hyperscalers, large Asian players) are served first.
The US government has implemented strict controls on the export of advanced chips to China starting in 2022, progressively extended and tightened in 2023 and 2024. These controls demonstrate a fact that the Opération Dindon corpus has documented from a different angle: the hardware components of digital infrastructure are instruments of foreign policy. A US administration can, by executive order, decide which countries have access to which chips. This power requires no contractual negotiation — it is exercised by unilateral regulatory means.
Europe is not the target of current export controls. But it is not immune to a reconfiguration of American geopolitical priorities either. A trade partner can become a strategic competitor. Today's exemptions are not tomorrow's guarantees. A Europe that depends on chips whose access is controlled by a third-party government is a Europe whose digital sovereignty is conditional — conditional on the lasting goodwill of that third-party government.
Europe's dependence on chips manufactured outside its territory is not a problem of American or Taiwanese hostility. It is a problem of risk structure. Unilateral dependence on a critical resource is a structural risk regardless of the quality of current relations with the supplier. The Opération Dindon corpus has made the same demonstration for cloud contracts: it is not that hyperscalers are malevolent — it is that unilateral dependence is structurally fragile.
Semiconductor dependence is an industrial policy problem that the SRE cannot solve alone. But the SRE is not without leverage. Operational responses to hardware dependence exist — infrastructure practices that reduce exposure to supply disruption risk without waiting for Europe to have rebuilt its production capacity.
The culture of short-cycle hardware renewal (3 to 5 years) is an industry norm that serves manufacturers' interests more than operators'. A properly maintained server can run for 8 to 10 years on stable workloads. Deliberately extending renewal cycles reduces dependence on the immediate availability of new components — and also reduces the exposure surface to supply disruption risk. This is FinOps applied to hardware, with a strategic dimension that standard FinOps analyses do not integrate.
The standardisation of datacentre architectures around a few processor families (Intel x86, AMD EPYC, NVIDIA GPU) creates dependence on converging supply chains. The rise of ARM architectures in datacentres — Ampere Computing, AWS Graviton — and open-source RISC-V processors represents genuine diversification. A heterogeneous hardware estate is more resilient to a specific supplier disruption than a homogeneous one.
Large organisations — states, telecoms operators, critical infrastructure companies — can integrate into their hardware planning the building of strategic stocks of critical components. This is not common practice in the IT industry, but it is standard in other sectors with critical dependencies (energy, pharmaceuticals, food). The awareness that semiconductors are a strategic resource on a par with oil or medicines has not yet translated into storage practice in the digital sector.
Extending hardware lifetime, diversifying architectures, building stocks — these practices reduce risk exposure but do not eliminate it. They buy time. They do not reconstitute European manufacturing capacity. They are necessary in the immediate term and insufficient over the long term. The structural response — investing in advanced chip manufacturing in Europe — is an industrial policy decision played out at the level of states and decades, not at the level of infrastructure teams and quarters.
The Opération Dindon corpus has documented dependence on hyperscalers at the level of contracts, certifications and training. One layer was missing below: dependence on the hardware itself. Before being captive to AWS or Azure, one is captive to the chips that run AWS and Azure's servers. Digital sovereignty that stops at contracts and ignores hardware is a façade sovereignty.
Every critical infrastructure risk analysis (business continuity plan, BCP, DRP) should include a "hardware dependence" component documenting the geographic origin of critical components, alternative sourcing lead times, and extended disruption scenarios. This practice is standard for software and contractual risks — it is absent for hardware risks. Adding it costs nothing and makes visible a dependence that is currently ignored.
The RISC-V instruction set architecture is open source — anyone can design and manufacture a RISC-V processor without paying a licence to Intel or ARM. European research and industrial actors are investing in RISC-V for embedded systems and accelerators. Supporting this ecosystem at the level of public procurement policies and research funding creates, over the long term, an alternative to proprietary architectures concentrated in the United States and the United Kingdom.
The Foundation of Iron begins at electricity and hardware (weeks 1 and 6) precisely because understanding the physical layer is the condition for understanding all the layers above. This pedagogy must be extended to the hardware supply chain: where components come from, who makes them, what the alternatives are, how to assess the resilience of a hardware architecture. An SRE who ignores the upstream chain of their infrastructure is an SRE who does not fully understand the risks they are managing.
No digital progress without mastery of the digital iron. The chip is the ingot of the 21st century. Who makes it decides who gets to build.
Every quantified or named claim in this document has been independently verified through direct research — sources: Amazon.jobs, Microsoft Local, Google Data Centers, Indeed. No figure is an unsourced estimate. Wherever information is missing, the document states so explicitly rather than inventing it.
Several Opération Dindon corpus studies have already documented the devaluation of physical infrastructure skills in Europe — NoOps, The Dissolution of the Boundary, Iron Mixity. While this movement is confirmed, an inverse, verifiable and dated fact is occurring at the three major American hyperscalers: they are massively recruiting and training, in-house, exactly the skills Europe is abandoning.
This study originated from direct examination of Amazon job postings on LinkedIn and Amazon.jobs: Chief Engineer Operations, Controls Engineer EMEA, Critical Infrastructure Mechanical Engineer. All require reading electrical diagrams, configuring industrial controllers (PLC/DCS), HVAC systems maintenance, root cause analysis on equipment failures. These are electrical-trade and automation-engineer job descriptions — not cloud developer ones.
The initial investigation into Amazon led to discovering two structurally identical programmes at Microsoft and Google. This document records all three, with verified sources, and questions what this convergence — not concerted to our knowledge — structurally produces on the European technical training market.
The Work-Based Learning Program (WBLP) is a 12-month, paid training programme covering the entirety of datacentre operations — logistics, infrastructure, decommissioning. It combines self-directed web instruction, instructor-led sessions, and on-the-job training. Testimonial cited on the official page: "I came to AWS with no experience, right out of high school. I applied through the WBLP [...] eventually becoming a chief engineer, managing the maintenance activities in multiple facilities."
A "Data Center Chief Engineer, DCEO" position is explicitly located in the "Greater Milan Area" (Job ID 3111099, Amazon.jobs). The exact technical vocabulary found across multiple different job postings: BMS (Building Management System), EPMS (Electrical Power Monitoring System), industrial protocols MQTT, BACnet, MODBUS. This is the exact language of an industrial automation engineer.
The WBLP trains generic electrical and automation skills, theoretically transferable to any industrial employer. What makes these profiles captive is not a non-compete clause, but the specificity of the proprietary internal systems they are trained on (Amazon BMS/EPMS) — code and architecture lock more effectively than law.
Verified on Microsoft Local and Microsoft Careers: 11 global locations, including Dublin (Ireland), Amsterdam/Hoorn/Schagen (Netherlands), Gävle/Sandviken (Sweden), and a 2025 launch in Finland (Vihti, Kirkkonummi, Espoo) in partnership with vocational schools Omnia and Luksia. Direct quote from Mervi Airaksinen, Microsoft Finland General Manager: the programme trains in "ICT skills, building mechanics, electricity and automation." Microsoft supplies lab equipment (racks, servers, wiring) and funds scholarships.
A "Data Center Technician Apprentice" position is open in the Netherlands for a January 2026 start (Google Careers, directly verified). The Skilled Trades and Readiness (STAR) Program, documented on Google Data Centers, received a $50 million investment in 2026 to train over 300,000 Americans in electrical, plumbing and sheet metal trades — physical infrastructure, not cloud. Google's apprenticeship programme (18 months, paid) is confirmed available in France, Ireland, Switzerland and the Netherlands.
WBLP (Amazon), Datacenter Academy (Microsoft), STAR Program (Google) share the same architecture: training profiles with no prior experience, supplying pedagogical equipment, funding scholarships, and direct pathway into employment at the hyperscaler. No evidence of coordination between the three actors was found — these are three independent responses to the same economic constraint: the European technical labour market no longer produces enough Iron-trained profiles.
The European market justifies the devaluation of infrastructure skills with a classic TCO calculation: outsourcing servers and networks turns fixed costs (CapEx) into variable costs (OpEx). The framing error of CIOs is believing this transfer of responsibility makes the need for physical skills disappear. It does not disappear — it changes owner.
European CIOs destroy their infrastructure skills because they lack the critical scale to make them profitable at a single company's level. Hyperscalers, conversely, build economies of scale that make total internalisation of Iron maintenance profitable — and necessary, since a single outage at their scale affects thousands of customers simultaneously.
The job postings analysed require mastery of root cause analysis on industrial equipment failures. In a typical European company, this analysis is largely delegated to the equipment manufacturer or an external subcontractor. By internalising this skill, hyperscalers accumulate operational intelligence that European companies have largely abandoned. Practical consequence: during a major infrastructure failure, the European client company no longer has the in-house expertise to understand the root cause — it depends on the hyperscaler's diagnosis.
Examined individually, the WBLP, the Datacenter Academy and the STAR Program appear as healthy recruitment competition. But their geographic location converges on the same technical and vocational public school catchment areas — the Netherlands, Ireland, Finland notably appear in several of the three programmes. No evidence of coordination between the three hyperscalers was found, and it would be legally inaccurate to speak of a cartel without proof of collusion — what is documented is an independent economic logic producing the same structural effect.
The three hyperscalers do not merely recruit: they supply pedagogical equipment (racks, servers, wiring), fund scholarships, and by construction steer the practical content of training toward their own systems. An electrician or automation engineer trained in these pathways learns on equipment and protocols chosen by the hyperscaler — not necessarily what maintaining a classic factory, a local SME, or an independent sovereign infrastructure would require.
This study does not claim public curricula are "dictated" by hyperscalers in the sense of total control — the programmes consulted speak of "guidance" and "curriculum alignment," not imposition. Claiming a graduate of these pathways "will no longer be able" to maintain an independent infrastructure would be an unverified extrapolation. What is documentable: a strong material and pedagogical orientation toward the proprietary systems of the same three actors, in the same territories.
No French company laying off a Bare-Metal engineer does so thinking "this way, Amazon will recruit better than us." Each individual devaluation decision follows its own short-term TCO logic. But the cumulative effect, documented here across three independently verified actors, is unambiguous: while Europe sheds its physical infrastructure skills, the three American hyperscalers recruit them, train them, and internalise them — all the way down to public school.
A Chief Engineer trained by the WBLP, an automation engineer graduated from the Datacenter Academy, a technician certified by the STAR Program — all master a skill Europe documents as obsolete at the very moment three of the most highly valued companies in the world invest tens of millions of dollars to pass it on to candidates with no prior experience. Iron does not lie. The investments confirm it.
Nobody decided to lose mastery of Iron.
A thousand individually rational decisions led there.
Three foreign actors, without coordinating, drew the same conclusion.
Amine RAITI · Opération Dindon · 2026
The Opération Dindon corpus covered contractual dependence on hyperscalers, semiconductor dependence, training and competence recognition. It had not addressed the physical and geographical dimension: where European datacentres are, who owns them, what legal constraints apply to the data they hold. This study fills that blind spot.
The geography of datacentres in Europe is not neutral. It results from fiscal, energy and political decisions that have directed investment towards certain territories. Three zones concentrate the bulk of capacity: the Amsterdam-Frankfurt corridor (AMS-IX and DE-CIX internet exchange nodes), Ireland (European headquarters and datacentres of American hyperscalers), and the Nordic countries (abundant energy, natural cooling, attractive tax regimes).
Ireland hosts the European datacentres of Google, Meta, Amazon, Microsoft and Apple. Not for any particular technical quality of its soil — but for its 12.5% corporate tax rate, which attracted the European headquarters of hyperscalers, bringing their datacentres in their wake. Data from hundreds of millions of Europeans thus flows through infrastructure physically located in Ireland, subject to the European GDPR, but operated by American companies subject to the CLOUD Act.
The CLOUD Act (2018) authorises US authorities to demand access to data held by American companies, regardless of where it is physically stored. An AWS datacentre in Dublin hosting a French SME's data is simultaneously subject to GDPR and the CLOUD Act. In case of conflict between the two, the legal answer remains uncertain. This uncertainty is structural, not accidental.
GDPR compliance does not immunise data against a US DOJ request based on the CLOUD Act. Both regimes apply simultaneously — and their interaction is not resolved by current international law.
The question "who owns European datacentres" breaks down into three distinct levels: ownership of the building and land, technical operation of the infrastructure, and control of the data flowing through it. A datacentre can be physically on European soil, operated by a European subsidiary, and yet subject to extraterritorial control by an American parent company.
OVHcloud, Hetzner, Scaleway, Data4 — actors who both own and operate large-scale datacentres under European control are few. The vast majority of public cloud capacity in Europe is operated by AWS, Azure and GCP — American legal entities, subject to the CLOUD Act, whatever the physical location of their servers.
Interxion was the leading independent European neutral datacentre operator (colocation). Its 2020 acquisition transferred ownership and control of critical European infrastructure to an American company. An ordinary commercial transaction — but one that illustrates the mechanism by which European digital infrastructure sovereignty erodes not through conquest, but through acquisition.
"The Mastery of Iron" documented how Volvo was acquired by Geely — not through a hostile act, but through the absence of an industrial policy. Europe does not lose its datacentres through expropriation. It cedes them through a lack of strategic digital asset protection policy.
A medium-sized datacentre consumes as much electricity as a city of 50,000 inhabitants. This consumption is both a siting constraint and a political lever. The Nordic countries won the hyperscaler datacentre competition precisely because they built attractiveness policies around energy: abundant, cheap, low-carbon hydro and nuclear power; low ambient temperatures allowing natural free cooling.
France has real assets — low-carbon nuclear electricity, dense fibre, a market of 67 million people. But it has not developed a coherent policy of attractiveness and protection simultaneously. It attracted hyperscaler datacentres (AWS Paris region) without demanding in return any commitments on public data localisation, technology partnerships with French actors, or contributions to fibre infrastructure financing.
Datacentres are connected to each other and to the rest of the world by submarine fibre optic cables carrying 99% of international internet traffic. Since 2010, American hyperscalers own or co-finance a growing share of this capacity. In 2022-2023, several cables were severed in the Mediterranean and Baltic in unexplained circumstances — revealing a real, exploitable physical vulnerability that is nearly impossible to protect across thousands of kilometres of ocean.
Preserving sovereignty over data and infrastructure does not mean expelling hyperscalers. It means ensuring dependence remains reversible. Reversibility is the true metric of sovereignty — not the absence of dependence, but the absence of irreversible dependence.
Europe faces a real tension between attracting hyperscaler investment and preserving sovereignty over its data and infrastructure. These two objectives are not incompatible — but articulating them requires an explicit policy that most Member States have not formulated. The intra-European competition to attract datacentres pushes each country to offer more without demanding anything in return — a negative-sum game for collective sovereignty.
GAIA-X, launched in 2019 as a European sovereign cloud initiative, was progressively diluted by the integration of hyperscaler members — AWS, Azure and GCP are GAIA-X members and influenced its standards in a direction favourable to their interests. Its partial failure is instructive: digital sovereignty is not built by including the actors one seeks to emancipate from.
A state hosting a hyperscaler datacentre has a unique negotiation moment — before the building permit, before the electrical connection, before the tax benefits. This moment is rarely used to demand sovereignty counterparts: EU localisation of public data, training of local technicians, third-party access for European actors, non-unilateral application of extraterritorial legislation to European data. These counterparts are negotiable. They are neglected because states compete with each other.
As long as Ireland can attract AWS datacentres by offering 12.5% corporate tax and France cannot oppose this without a European agreement, fiscal and regulatory European coordination is the prerequisite for any coherent digital sovereignty policy. Without it, each state plays alone against hyperscalers who play collectively on a global scale.
The geography of datacentres is not a geopolitical abstraction reserved for policymakers. It is an architectural constraint that every SRE must integrate into their deployment decisions. Where is the data? Under which jurisdiction? What are the latency times between regions? What are the connectivity disruption scenarios? These are not optional questions — they are structural.
Every SRE deploying on public cloud should know: what is the legal entity operating this cloud in the relevant country, is it subject to the CLOUD Act, what are the data localisation clauses in the service contract. This information should appear in every infrastructure risk analysis — alongside the availability SLA or backup policy.
A resilient architecture does not only distribute load between availability zones (AZ) of the same provider in the same country. It considers resilience across distinct providers, distinct countries, and distinct legal regimes. Multi-cloud and multi-jurisdictional are not the same thing — but the combination of the two is true geographic resilience.
A BCP/DRP that does not model the submarine cable severance scenario affecting connectivity between regions is an incomplete plan. These incidents are documented, recurring, and slow to repair. The architectural response — backup routing, local cache, graceful degradation — must be prepared in advance, not discovered during the incident.
The proposal of this study is to treat the digital ground — the physical location of datacentres, the cables connecting them, the energy powering them — as a strategic asset on a par with agricultural land or the railway network. This is not nationalisation. It is the recognition that the physical infrastructure of digital is a critical infrastructure that deserves explicit governance.
Each Member State should publish an annual inventory of datacentre capacity on its territory: owner, operator, volume, energy consumed, legal origin of controlling entities. This transparency does not exist today. It would allow citizens, regulators and businesses to assess their real exposure to extraterritorial legal risk.
Any tax benefit or administrative facilitation granted to a hyperscaler datacentre should be conditional on verifiable commitments: EU localisation of public data, training of local technicians, third-party access for European actors, and non-unilateral application of the CLOUD Act to European data hosted in these datacentres.
OVHcloud, Hetzner, Scaleway and their European equivalents deserve explicit preference in public procurement — not out of protectionism, but for consistency with a stated digital sovereignty policy. A state that preaches digital sovereignty while hosting its data on AWS is not practising sovereignty — it is talking about it.
The digital ground is not an abstraction. It is concrete, cable, electricity and law. Whoever controls these four elements controls the infrastructure. Not the contract. The ground.
After every rack/derack operation, end-of-life servers accumulate. The traditional WEEE recycling chain pays between €0 and €50 per server — or charges for collection. This study documents a radical alternative: direct recovery of precious metals contained in obsolete hardware. Gold, copper, silver, palladium — the residual value is real, measurable, and extractable with accessible lab equipment.
A 5-year-old Dell R640 server is considered an end-of-life cost. It costs money to recycle, store, move. Nobody in IT calculates what it contains in gross metallurgical value. This calculation exists — and it changes the perspective.
Gold (Au): 0.2 to 0.5g depending on model. Present in DIMM gold fingers, PCIe connectors, CPU socket contacts, high-end SAS/SATA connectors, chipset chips. June 2026 rate: ~€85/g. Value: €17 to €42 per server.
Copper (Cu): 0.5 to 1.5kg in cables, connectors, thick PCB traces. Rate: ~€9/kg. Value: €4 to €13 per server.
Silver (Ag): traces in some contacts and capacitors. 0.1 to 0.3g. Rate: ~€0.95/g. Value: €0.10 to €0.30 per server.
Palladium (Pd): present in MLCC capacitors on motherboards and high-end network cards. 0.01 to 0.05g. Rate: ~€35/g. Value: €0.35 to €1.75 per server.
Estimated total per R640 server: €22 to €58 in raw precious metals.
For a rack of 40 servers: €880 to €2,300 in recoverable residual value.
The licensed WEEE chain buys servers in bulk — between €0 and €50 per unit depending on condition. It sometimes charges for collection on batches under 500kg. It absorbs the metal value in its margins. Direct recovery bypasses this intermediation — at the cost of a time and lab equipment investment that this study documents and costs out.
Handling hazardous chemicals (strong acids, powerful oxidants). Mandatory PPE: acid-resistant gloves, full-seal goggles, minimum FFP3 mask. Ventilation essential: outdoors or chemical fume hood. Never alone. Keep sodium bicarbonate on hand to neutralise splashes. Know the Poison Control Centre number.
Copper dissolution: immerse connectors in a mixture of hydrochloric acid (HCl 33%) and hydrogen peroxide H₂O₂ (12%). Accessible version: concentrated white vinegar + sea salt + H₂O₂ (12%). Adding an aquarium air pump accelerates copper dissolution and detachment of gold foils — these float to the surface.
Purification: collect gold foils. Dissolve in 200ml HCl + 2 tbsp sodium nitrate (NaNO₃). Heat to 80°C for 15 minutes. Alternative: HCl + a few ml of bleach (⚠️ extremely dangerous — chlorine gas release).
Filtration and precipitation: filter the solution. Neutralise with sulfamic acid (except bleach method). Precipitate pure gold with iron(II) sulfate (FeSO₄). Rest 24h. Brown gold powder settles at the bottom.
Melting: collect the powder, dry it, melt with torch in graphite or refractory clay crucible.
Pre-incineration: separate chips from PCBs. Burn outdoors (barbecue or fireplace) to eliminate epoxy resins and organic carbon. The ash contains concentrated metals.
Chemical treatment: the dissolution and precipitation process is identical to Option A. The yield is slightly lower but gold per gram of treated material is higher.
Post-extraction solutions contain strong acids and dissolved metals — copper, iron, tin, lead. Pouring them down the drain or into nature is an environmental offence. It is also a beginner's mistake. The neutralisation protocol is as important as the extraction protocol.
Materials: caustic soda (sodium hydroxide NaOH, granules or solution), pH paper or pH meter, HDPE plastic container, stirrer.
Protocol:
1. Slowly pour caustic soda into the spent acid solution (never the reverse — risk of violent splashing). The reaction is exothermic — the mixture heats up.
2. Observe the pH rising. Dissolved metals progressively precipitate as coloured sludge — blue-green for copper, rust-brown for iron, grey for tin.
3. Continue until neutral pH (7). Check with pH paper or meter.
4. Leave to settle 24 to 48 hours. Sludge settles at the bottom.
5. Filter the solid sludge. Package in sealed bags labelled "metallic waste — specialist treatment".
6. Drop sludge at a specialist hazardous waste facility (licensed WEEE processor).
7. The neutralised liquid at ~pH 7 can be disposed of in the drainage system — check local regulations.
The copper in the sludge can itself be sold to specialist smelters (Aurubis, Comet Traitements) if volumes are sufficient.
Neutralisation sludge from treating 40 servers contains 50 to 200g of precipitated copper, plus traces of nickel and tin. Some recovery smelters (Comet Traitements in Belgium, Umicore) buy this sludge at variable rates by concentration. It is not a fortune — but it is an additional value stream on waste that would otherwise cost money to eliminate.
Safety equipment: acid gloves (€15), full-seal goggles (€25), FFP3 masks x5 (€15), chemical apron (€20). Total: ~€75
Lab equipment: aquarium air pump (€12), HDPE 5L containers x3 (€25), filter funnel + filter paper (€10), pH meter (€15), butane torch + refill (€35), graphite crucible (€20). Total: ~€120
Reagents (for 40 servers): HCl 33% 2L (€8), H₂O₂ 12% 2L (€6), NaNO₃ 500g (€12), FeSO₄ 500g (€8), sulfamic acid 500g (€10), NaOH granules 1kg (€6). Total: ~€50
Total first-batch investment: €245 (reusable for subsequent batches)
Gross recoverable value: €880 to €2,300 (gold + copper + silver)
Reagent cost batch 1: €50
Equipment cost (amortised over 5 batches): €50/batch
Estimated processing time: 2 days (preparation + chemistry + neutralisation)
WEEE disposal cost avoided: €0 to €500 depending on provider
Net recovered batch 1: €780 to €2,200 — i.e. €19 to €55 per server
From batch 2: equipment is amortised. Marginal cost drops to €50 of reagents. Net recovered rises to €830 to €2,250.
The SysAdmin's time — 2 days of processing represents a salary cost. This process is relevant for an enthusiast who finds the process interesting in itself, or for an organisation processing sufficient volumes to justify the time investment. It is not a full-time business — it is opportunistic FinOps on hardware that would otherwise be a pure cost.
Recovering precious metals from IT hardware is legal in France in a private or professional context, subject to hazardous waste regulations. Three key points to know before starting.
IT equipment belongs to the company until formally written off. Recovering servers off-inventory without written agreement creates legal risk. The correct approach: obtain a written free transfer deed or a signed decommissioning report from management or the procurement department. This document formalises the transfer of ownership and legally covers the recovery.
Acid solutions and metal sludge produced are classified as hazardous waste under European directive 2008/98/EC. For personal or lab use, volumes generally remain below mandatory declaration thresholds (10 litres of hazardous liquid waste per month for individuals). Above these thresholds, a declaration to the installations classées inspectorate (ICPE) may be required. Depositing sludge at a licensed specialist waste facility is always required — it is both a legal obligation and the right thing to do.
Selling recovered gold is legal in France. Gold buyers (jewellers, buying counters, specialist smelters) buy industrial recovery gold. For quantities under a few grams, the transaction is informal. Above €500 in value per transaction, the buyer must verify the seller's identity. Keeping traceability of the source material (transfer deed) is good practice even below this threshold.
This process is documented for a SysAdmin enthusiast treating hardware from their own rack or their company's with agreement. For industrial volumes (tonnes of PCBs), licensed operators like Umicore, Aurubis or Comet Traitements have the infrastructure and authorisations — and far superior extraction yields. This study documents the DIY level — lab, torch, crucible, aquarium air pump.
This process is more than a radical FinOps exercise. It is a lesson in applied chemistry, materials physics, and circular economy that the infrastructure engineer learns by doing. It completes the Foundation of Iron with a dimension that lectures cannot provide: the physical and chemical value of what they administer.
The engineer who has done this process once viscerally understands why PCIe connectors are gold and not copper — oxidation resistance, conductivity, ductility. They understand why DIMMs have "gold fingers" — perfect electrical contact over millions of insertion cycles. They know their Dell server contains gold in the same way an ingot does — differently concentrated, differently distributed, but real and measurable. This material knowledge is exactly what cloud training abstracts away and what the Foundation of Iron seeks to rebuild.
"The Digital Iron" documented that the chip is the ingot of the 21st century — a rare, strategic, geopolitically sensitive resource. This process is the experimental demonstration of this thesis: the server the administrator installs literally contains precious metals, exactly as ore contains gold. The chain TSMC → chip → server → recovered gold is a real value chain that the DIY lab makes visible, tangible, measurable.
This process is a possible pedagogical format in BTS or DUT infrastructure curricula — a supervised practical lab day around dismantling, identifying high-value metal components, and supervised recovery. This is not a chemistry lesson — it is an infrastructure lesson that goes through chemistry to physically anchor the value of hardware. The student who has seen gold emerge from a PCIe connector understands its value differently from one who only read about it in a textbook.
The FinOps of the last gram is not avarice. It is respect — for the physical value of what one administers, for the rare resources that have served, and for the engineer who knows what is in their rack down to the last atom.
This study completes the Opération Dindon corpus on a hardware FinOps angle. It addresses Grade A refurbished server hardware as an infrastructure strategy — economically, ecologically and operationally. It draws on the author's direct experience as Head of SRE, on real purchase figures, and on a photograph of a machine that proves through its uptime counter that enterprise hardware is built to last.
4,122 days. That is the uptime counter of a legacy database machine, isolated in its corner of the rack, that nobody wanted to touch because it has been running for so long that everyone is afraid to stop it. 4,122 days is more than 11 years of uninterrupted operation.
This machine is not an exception. It is the demonstration that enterprise server hardware is designed to last well beyond the 3-to-5-year renewal cycles that manufacturers recommend — and that finance departments approve without question. A server that has been running for 11 years without a major hardware incident is not a server on borrowed time. It is a server proving that the operational durability of enterprise hardware is structurally underexploited.
4,122 days of uptime on an isolated legacy machine does not mean all hardware can be used indefinitely. This machine is a database under controlled load, without extreme demand, in a thermally stable environment. It demonstrates that the real operational lifespan of enterprise hardware is well above what standard procurement cycles assume — not that renewal is unnecessary.
The comparison is simple. A Dell PowerEdge R640 Grade A refurbished with extended support — 192 GB RAM, 4×1 TB SSD, dual Xeon CPU — cost €2,100 in January 2024 from a specialist operator. In June 2026, with the surge in RAM component prices and general inflation, that same server trades at around €3,000. Its direct successor in new condition — a Dell PowerEdge R760 configured to equivalent specifications — is billed between €8,000 and €12,000 depending on configuration and procurement channel.
€3,000 against an average of €10,000: Grade A refurbished comes in at roughly one quarter of the new price for an identical workload. Across a fleet of 10 servers, the difference is €70,000. Across a fleet of 50 servers — a common size for a medium SRE infrastructure — it is €350,000. This is not a marginal saving. It is a budgetary architecture decision.
The Grade A refurbished price is not the price of a bare machine. From serious operators it includes a full refurbishment (cleaning, testing of all components, replacement of defective parts), a contractual warranty, and the option of extended support covering hardware beyond manufacturer support. The comparison with new is therefore service for service — not a bare machine against a new one.
On a new R750 (15th generation intermediate), a single Intel Xeon Gold 6346 processor is billed at $2,317 by the integrator. Two processors therefore represent over $4,600 before counting the chassis, RAM, storage and support. The R640 refurbished at €3,000 complete — dual CPU, 192 GB RAM, 4 SSDs, extended support — costs less than the two processors alone of an intermediate generation in new condition. This is not a promotion. It is the reality of the enterprise refurbished hardware market.
The word "second-hand" evokes risks that Grade A refurbished in an enterprise environment does not carry. The distinction is structural and deserves to be made explicit — because it is often the confusion between the two that blocks purchasing decisions in organisations that have never tested the model.
Full refurbishment: the machine is fully disassembled, cleaned, all components individually tested, defective parts replaced with certified original parts. It leaves in an internal condition equivalent to new.
Grade A cosmetic: the machine may show minor signs of use on the chassis — light scratches, coating wear. It does not look like a machine fresh from the box. In a rack, behind a bay door, this has zero operational relevance.
Contractual warranty: serious operators offer a 12-to-36-month warranty on refurbished hardware, with replacement of defective components.
Extended support: specialists such as Evernex, Park Place Technologies, Curvature or MaintenX offer multi-vendor maintenance contracts covering Dell, HP, Cisco, NetApp and others — with SLA, on-site intervention and parts replacement — on hardware beyond official manufacturer support. This extended support is the keystone that makes refurbished viable in critical production.
The quality of Grade A refurbished depends entirely on the operator. A good operator publishes their testing procedures, provides the Dell service tag (verifiable on Dell's support site for the machine's full history), offers a clear support SLA, and holds spare parts stock for the models they sell. A bad operator sells cleaned hardware without functional testing under a superficial warranty. Due diligence on the operator is the real step in securing a refurbished purchase — not systematic distrust of the model.
Grade A refurbished with extended support is suited to stable production workloads on proven hardware. It is not suited to workloads requiring the latest processor generations (AI, HPC), architectures dependent on PCIe Gen5 or DDR5 features, or environments where direct manufacturer support is a contractual or regulatory requirement. For the rest — and that is the majority of infrastructure workloads — it is the right choice.
The ecological argument for refurbished is often presented as secondary — a good conscience on top of a good price. This is a framing error. The ecological argument is an industrial sovereignty argument as much as an environmental one, and it connects directly with the theses of "The Digital Iron" in the Opération Dindon corpus.
Manufacturing a new server is one of the most resource-intensive acts in the digital industry. It mobilises rare earths extracted in China, chips manufactured in Taiwan at TSMC, printed circuit boards produced in Southeast Asia, and an assembly process consuming significant energy and water. The carbon footprint of server manufacturing represents a substantial proportion of total lifetime carbon footprint — some studies estimate it between 50 and 80% of the total over 4 years.
A server used for 8 years instead of 4 halves its manufacturing energy consumption per year of service. A refurbished server used for a second life of 4 years avoids entirely the manufacture of a new server. Across a fleet of 50 servers renewed every 4 years, switching to Grade A refurbished represents avoiding the manufacture of 50 new servers every 4 years — with everything that implies in terms of TSMC chips not ordered, rare earths not extracted, and manufacturing cycles not triggered.
"The Digital Iron" documented that 90% of the world's advanced chips are manufactured by TSMC in Taiwan, on a territory of 35,000 km² exposed to structural geopolitical tension. Every new server not purchased is an order of chips not placed with TSMC. Grade A refurbished is therefore also a lever for reducing dependence on the semiconductor supply chain — not only a cost-reduction lever. These two arguments arrive at the same conclusion by different paths.
The main barrier to adopting refurbished in critical production is not hardware reliability — that is demonstrated. It is the support question: what happens when a component fails on hardware beyond manufacturer support? The answer is third-party extended support — a structured market, with established actors, contractual SLAs and spare parts stock that allow hardware to be maintained long after the end of official support.
Specialist operators — among them Evernex, Park Place Technologies, Curvature and MaintenX — offer multi-vendor maintenance contracts covering Dell, HP, Cisco, NetApp and others. These contracts include an intervention SLA (4h, 8h, NBD depending on the level chosen), certified spare parts stock, 24/7 on-call support, and technical assistance. The cost of such a contract is significantly below Dell's ProSupport manufacturer support on new hardware — while covering hardware that Dell no longer officially supports.
Before any refurbished purchase, the machine's service tag must be verified on Dell's support website. This unique number reveals the original manufacturing date, the history of warranty interventions, and any parts replaced. A transparent service tag is the first sign of a serious operator. An operator who refuses to provide it before purchase is an operator to avoid.
Over 3 years, for 10 Grade A refurbished R640 servers at €3,000 each with extended support at €500/year/machine:
Total investment: €30,000 (hardware) + €15,000 (3-year support) = €45,000
Over 3 years, for 10 new R760 servers at €10,000 each with Dell Basic ProSupport:
Total investment: €100,000 (hardware) + €18,000 (support) = €118,000
Saving: €73,000 over 10 machines over 3 years — for an identical workload.
The proposal of this study is not to replace all new hardware with refurbished. It is to reverse the burden of proof in purchasing decisions: instead of justifying why you choose refurbished, justify why you choose new. New hardware has legitimate use cases. They are fewer than commonly assumed.
— Stable production workloads on proven technologies: databases, web servers, virtualisation, storage
— Environments where direct manufacturer support is not a contractual or regulatory requirement
— Fleet renewal on well-documented server generations (R630, R640, R740, HP DL360 Gen9/Gen10)
— Lab, staging, development environments — without exception
— Workloads requiring the latest processor generations: AI, HPC, GPU inference
— Architectures dependent on PCIe Gen5, DDR5, or features unavailable on refurbished generations
— Contractual or regulatory requirements mandating direct manufacturer support
— Edge computing and space-constrained environments where latest-generation density is determinative
Measure 1: integrate a refurbished vs new analysis into every hardware procurement process exceeding €10,000. The decision to choose new must be technically justified, not assumed by default.
Measure 2: integrate real operational lifespan and carbon footprint into hardware procurement evaluation criteria — on a par with performance and acquisition cost.
Measure 3: qualify at least one third-party extended support operator in the organisation's supplier panel. This pre-qualification removes the support barrier and makes refurbished immediately actionable when the decision is made.
4,122 days of uptime. The machine does not lie. Enterprise hardware lasts far longer than procurement cycles assume. Grade A refurbished is the economic, ecological and operational proof.
The Business Continuity Plan is the CIO's personal responsibility when infrastructure goes down. Hyperscalers sell it as an automatic architectural property. Sovereign managed service providers practise it as a repeated muscular reflex. This study documents the difference between these two realities — and why it is decisive for organisations that want real business continuity, not documented business continuity.
Hyperscalers sell BCP as a native architectural property. Multi-AZ means your resources are spread across multiple availability zones in the same region. Multi-region means your data is replicated to another geographic region. Automatic failover means the switchover happens without human intervention. These three promises are true — under certain conditions, for certain services, according to certain configurations. What they do not say is more important than what they say.
Availability zones share the same regional network backbone. In December 2021, an AWS us-east-1 incident took down theoretically "multi-AZ" services because the control plane (the service that orchestrates failover) was itself centralised and affected. Multi-AZ protects against a single physical datacentre failure. It does not protect against control plane failures, regional network failures, or shared management service failures.
Furthermore, multi-AZ costs. Every duplicated resource is billed. Traffic between AZs is billed. An RDS Multi-AZ instance costs approximately 2x a Single-AZ instance. A complete multi-AZ architecture can cost 1.5x to 2x the primary infrastructure — not counting replication egress fees.
Multi-region replication is real but complex. It requires solving the data consistency problem: in synchronous mode (zero data loss), inter-region latency degrades performance. In asynchronous mode (non-zero RPO), one must accept a data loss window. This architectural choice is not trivial — it depends on the nature of the data, the business, and regulatory requirements.
Implementation requires mastery of Route 53 (DNS failover with health checks), Aurora Global Database or DynamoDB Global Tables, S3 Cross-Region Replication, CloudFront, WAF, ACM (certificates in each region), and dozens of other services — each with its own subtleties, failure modes and hidden costs. A well-built multi-region AWS BCP costs between 2x and 5x the primary infrastructure cost.
Testing a multi-region failover in production is high-stakes surgery. It requires a maintenance window, team coordination, a rollback plan. It is expensive — test traffic is billed like production traffic. And it is frightening — a configuration error can worsen the incident instead of resolving it.
Result: in most organisations, the multi-region BCP is only tested in staging — which is never identical to production. When the real incident arrives at 3am, DevOps discover that the failover site's Terraform has not been updated since the last database migration. That the secondary region's load balancer SSL certificate expired three weeks ago. That the DNS TTL is still set to 3600 seconds.
An experienced managed service provider has two datacentres — often connected by a dedicated fibre they own or lease at the physical level, outside the public Internet backbone. They know the power supplies, the UPS units, the generators, the core switches, the border routers. They built this infrastructure. They know what happens at every layer when a failover is triggered.
The managed service failover begins at the physical level — where the hyperscaler BCP begins at the software level. When datacentre A loses its main power supply, the UPS takes over (milliseconds), then the generator starts (30 to 60 seconds). During this time, network flows are rerouted to datacentre B via the dedicated fibre — not via the Internet backbone, whose availability is outside the provider's control.
This physical layer mastery is what cloud cannot offer. When the problem is a cut transoceanic cable, a major BGP incident, or a saturated regional backbone — the cloud's software BCP does nothing. The managed service provider who controls their dedicated fibre has resilience orthogonal to Internet infrastructure incidents.
The managed service provider does not propose a BCP services catalogue — they design a continuity architecture adapted to the client's real needs. This conversation starts with fundamental questions:
RPO (Recovery Point Objective): how much data can be lost? Billing database: RPO zero (synchronous, no loss). Application logs: RPO 4h acceptable (asynchronous). User sessions: RPO 15 minutes (semi-synchronous).
RTO (Recovery Time Objective): how quickly must operations resume? Website: RTO 5 minutes (DNS failover + HAProxy). Back-office: RTO 30 minutes. Batch processing: RTO 4h.
These nuances are implemented in custom scripts, bespoke HAProxy configurations, MySQL or PostgreSQL replication rules specific to each service's RPO. Not a checkbox in a catalogue — a tailored architecture.
The managed service team has a failover Runbook for every incident type. Not a bureaucratic document — an operational guide tested and updated after every real or simulated incident. It says exactly: who does what, in what order, with what command, with what success criterion. And it notes the traps: service X always takes 3 minutes longer than expected, service Y requires a manual restart if the failover lasted more than 10 minutes.
In most cloud organisations, BCP testing follows this scenario:
Month 1: the team decides to test failover. They realise staging is not up to date.
Month 2: staging updated. Test in staging. Partially works — 3 of 12 services do not failover correctly.
Month 3: fixes. Re-test in staging. Better, not perfect.
Month 4: decision not to test in production this year — "too risky before the holidays".
Month 12: real incident. Production Terraform has diverged from staging for 4 months. Secondary database has 6 hours of replication lag. Secondary region SSL certificate expired 3 weeks ago. Real RTO: 4 hours instead of the promised 15 minutes.
A reputable managed service provider integrates BCP testing into the client's contractual lifecycle. Not as a one-off project — as a recurring, planned event with a dedicated Steering Committee.
Typical failover test schedule:
D-30: client notified of date and maintenance window. Verification that all target services are documented and the Runbook is current.
D-7: technical review — which services failover in what order, what are the success criteria, what is the rollback procedure.
Day of test, maintenance window: real production failover. The client is present (in person or remote). They observe. They validate. They measure the real RTO.
After failover: post-incident COPIL. Which services took longer than expected? Why? What changes in the Runbook? The Runbook is updated before end of week.
The client goes home with a conviction: their BCP works. Not with an architecture diagram.
The hyperscaler BCP is an architecture documented in a Confluence nobody reads, tested in staging that is never identical to production, validated by a checklist nobody has filled in for 8 months.
The managed service BCP is a muscular reflex repeated until the team can do it with their eyes closed, documented in a living Runbook updated after every incident, validated by a COPIL where the client watched their production failover and return.
The hyperscaler BCP is a promise. The managed service BCP is a demonstration.
The word "gentle" in "Gentle BCP" is not a metaphor — it is a description of the nature of a well-designed managed service failover. Gentle as opposed to brutal. The hyperscaler failover during a real incident is brutal — services go down one after another in an unpredictable order, teams chase logs, decisions are made under pressure with incomplete information. The well-prepared managed service failover is gentle — it follows a predefined order, it is executed by people who have done it before, and it has a documented rollback if something does not go as planned.
Progressive: the failover happens service by service, in dependency order. First the database (source of truth), then the APIs that consume it, then the frontend. Each step is validated before moving to the next. There is no "everything failovers simultaneously" — because simultaneous failover creates unpredictable timing problems.
Reversible: each failover step has a documented rollback procedure. If service Y does not start correctly on site B, the team knows exactly how to return to site A without worsening the situation. This reversibility is tested — not assumed.
Observed: the failover is observed in real time by the provider's and client's teams. Key metrics are monitored (latency, error rate, active connections). "Continue" or "rollback" decisions are made on real data, not assumptions.
The Gentle BCP is the business continuity declension of two corpus theses. "The Gentle Exit" proposes progressive migration without rupture — the Gentle BCP applies the same principle to emergency failover. "The Accompanied Exodus" proposes a managed service provider as migration guide — the Gentle BCP makes the same provider the guide of continuity.
The organisation that migrated to the managed service provider via the Accompanied Exodus has, as a bonus, a Gentle BCP — because the provider knows the infrastructure they themselves migrated, wrote the TAD, and integrated the BCP into the initial design rather than as a later addition.
The CIO who watched their production failover and return
during a contractual test with their managed service provider
sleeps better at night than the one who read
their AWS multi-region architecture diagram.
One has a promise. The other has a demonstration.
We say "it's in the cloud." The image is lovely. It is also completely false. Nothing you do online floats in the air: a hard drive spins, a cable carries a signal, an air-conditioned building processes your request. This document shows you that invisible plumbing — no complicated figures, no international law, just examples from your everyday life.
We say "it's in the cloud." The image is lovely. It is also completely false. Nothing you do online floats in the air. When you tap your screen, somewhere on Earth, a physical machine switches on. A hard drive spins. A cable carries an electrical signal. An air-conditioned building, full of servers running hot day and night, processes your request.
You turn on the tap, water flows. You never think about the water towers, the pipes buried under the city, the pumping stations. Yet without them, not a single drop would arrive. Digital services work exactly the same way: a smooth gesture on screen — and behind it, a giant industrial plumbing system nobody ever sees.
This document shows you that plumbing. Not with complicated figures, not with international law. Just with examples from your everyday life.
This document draws on a French research corpus (Opération Dindon), so the examples — Doctolib, the CAF, French datacentre locations — are French. But the mechanism described here is not a French problem. The same three companies operate the same kind of factories near Frankfurt, Dublin, Singapore, São Paulo, Mumbai, and dozens of other cities. Wherever you live, replace "Doctolib" with your own country's medical booking platform, "the CAF" with your own welfare agency, and the reasoning holds exactly the same.
"Digital technology has nothing of a magical cloud about it: every time you touch your screen, a physical machine switches on, heats up, and consumes electricity somewhere on Earth."
You press "Play". The picture appears, smooth, instant. No effort. No waiting.
A single episode is several gigabytes of data. That weight doesn't teleport: it travels, at very high speed, through fibre-optic cables buried under roads, from a hard drive sitting in a specific building — all the way to your living room. This is not a file that "exists somewhere in the ether." It is a file with a real weight, stored on a real disk, that must physically travel a real distance to reach you.
Your phone or your TV is just a screen. All the intelligence — the video file, the storage, the computation — sits elsewhere, in a digital factory. Your device is a very sophisticated remote control. Nothing more.
You click an open, green time slot, Tuesday at 2:30pm. A confirmation appears. The appointment is booked.
That click becomes a line of text written onto a physical hard drive, in a specific building. The doctor will check that very same information on their own screen on Tuesday morning — to know who to see, when, and why. If that hard drive fails, if the building housing it loses power, that line of text no longer exists anywhere else. The appointment, literally, vanishes.
The big American cloud companies (Amazon, Microsoft, Google) have indeed built digital factories in France. They have precise addresses:
La Courneuve Vitry-sur-Seine Clichy Paris-Saclay Wissous Marseille Ferrières-en-Brie
The building is French. But the rules, the prices, and the access keys are still decided elsewhere. The same logic applies everywhere — these companies have built identical factories near Frankfurt, Dublin, Singapore, São Paulo, and dozens of other cities worldwide. France is simply the example used here; replace these names with the ones near you, and the same reasoning holds.
You fill in a form and click "Submit". The site confirms: your request is registered.
That click sends an electrical impulse to a machine — owned by the State or a service provider — which records your request on physical storage. Your rights, your file, your benefit: all of it exists somewhere, as data stored on real hardware. Even your administrative relationship with the State — a fundamental right — runs through these same factories of concrete and cable.
We sometimes picture computing as something fragile — a small, dusty desktop computer. The reality is the opposite: these are massive buildings, air-conditioned around the clock, protected by backup power generators, almost comparable to heavy industrial infrastructure.
You open the app, type "20", confirm. The money seems to "leave" instantly.
Your money has not, for a long time, been sitting in brick vaults. It is a number, written and edited on the hard drives of giant computers, somewhere. Your smartphone app is just a visual remote control: it sends an instruction to a physical machine, which actually carries out the operation.
"If a single company owns every pumping station in the city, it can decide tomorrow to double the price of your water bill or change the rules of access, and you will have nowhere else to go. That is what losing everyday sovereignty means: depending on the goodwill of a single owner for the most ordinary gestures."
These buildings, these cables, these hard drives do not belong to nobody by chance. Someone built them, someone owns them, someone sets the rules. And a simple observation follows: a technical space left vacant never stays that way. If a country or a company doesn't build, maintain, and train enough people to run its own digital plumbing, someone else builds it instead — and keeps the keys.
Today, this global plumbing isn't shared out among dozens of different players. It is mostly owned by three American companies — Amazon (AWS), Microsoft (Azure) and Google — who already own most of the world's giant digital factories. The more a country or a company gives up control of its own infrastructure, the smaller the share that remains free — and the more likely it is that whatever gets built next falls, by default, into those same three hands.
While we're told servers and cables are "old world" technology, those same three companies spend tens of billions of dollars every single year building... servers and cables. Concrete, copper, fibre, land, dedicated power plants: they are pouring money into exactly what others have stopped funding. If it were a dying sector, it wouldn't be worth that much. They know exactly what they're doing ;)
If a hundred different companies each owned a small piece of your city's water network, losing one of them wouldn't change much: ninety-nine others would remain. But if only three already own nearly the entire network, their decisions — a price that changes, a rule that tightens, an outage at one of them — instantly affect a huge share of everything that depends on water. That is exactly what is at stake with digital infrastructure: the fewer different owners there are of the plumbing, the more each one matters — and the more serious it becomes to also hand them whatever is still left to build.
Netflix, Doctolib, the welfare office, your bank. Four ordinary gestures. Four times, the same reality: behind the screen, hardware, cables, buildings, somewhere — owned by someone.
The Iron does not lie. A hard drive spins or it doesn't. A cable carries a signal or it doesn't. This stubborn, silent material reality is the invisible foundation of every digital gesture you have made since this morning.
You cannot change Internet's plumbing yourself.
But the next time you touch your screen to watch a show or book an appointment,
you will know that behind the visual magic, a physical factory has just kicked into gear.
Looking at digital through its machines is the beginning of understanding the real world.
Amine RAITI · Operation Dindon · 2026
You have this. AWS has this. The difference: you know yours. You know what is inside, who cabled them, how they work. Their racks — you will never see them, you will not know exactly where they are, and if someone knocks on the door with a warrant, you will be the last to know. Why are you trading what is better for what is inferior?
AWS, GCP and Azure control roughly 70% of the global cloud market. Their competitive advantage — the one that distinguishes them from every competitor — is absolute mastery of bare-metal. They know how to cable a datacentre, size a power supply, choose a processor, optimise cooling, build a physical network at planetary scale. They have thousands of engineers doing exactly what the corpus calls "the mastery of iron". It is on this mastered physical substrate that they build the cloud services they sell.
Step 1: master bare-metal perfectly.
Step 2: convince your customers that bare-metal is "legacy", "complex", "not your core business".
Step 3: sell them access to your bare-metal as a managed service, with a comfortable margin, a "noncancellable" contract, and California jurisdiction.
Step 4: watch your customers let go of their bare-metal engineers — eliminating any possibility of going back.
Brilliant. Truly. The corpus calls this "The Anatomy of the Loss". Hyperscalers call it "the cloud".
You have a cold aisle. Racks. Engineers who know what is inside. Someone convinces you that this is a problem. You decide to hand everything over to people who have exactly the same thing — but much larger, with much less transparency, under US law, with a margin that would make any Paris estate agent blush. Then you pay egress fees to retrieve your own data.
أَتَسْتَبْدِلُونَ الَّذِي هُوَ أَدْنَىٰ بِالَّذِي هُوَ خَيْرٌ
Are you trading what is better for what is inferior?
Cloud has real advantages — elasticity, no upfront investment, complex managed services. The question is not "cloud or no cloud". The question is: why go to extraterritorial actors who make you dependent, when local and national actors offer the same services, under European law, with margins that allow real local R&D?
Imagine the following scenario. You own a flat. It works. You know it. Your plumber knows it. Your electrician knows it. Then someone convinces you that managing a flat is complicated, that it is not your core business, that you should hand it over to a professional. You give them the keys. They sub-let your own flat back to you at three times the price, with a three-year non-cancellable lease, fees if you want to get your belongings back, and a clause saying that if the US justice system wants to enter, it can do so without telling you.
A good quality physical server — 2 sockets, 512 GB RAM, 10 TB NVMe — costs approximately €15,000 to €25,000 to buy. Amortised over 5 years with colocation and power: approximately €500 to €800/month.
The cloud equivalent at AWS (r6i.16xlarge instance, 64 vCPU, 512 GB RAM): approximately €3,500 to €4,500/month on-demand. As a 3-year Reserved Instance: approximately €1,800 to €2,200/month.
Ratio: 2.5x to 4x the bare-metal cost. Over 5 years, for a single server, the difference is €80,000 to €200,000. This difference is the hyperscaler's margin — and egress fees are not included.
With European companies' cloud budgets, AWS finances new datacentres, new regions, new proprietary services that create new dependencies. GCP finances Gemini and its AI models. Azure finances Microsoft ecosystem integration.
With a tiny fraction of these same budgets — redirected to local providers — Ecritel, DRI, OVH, Scaleway, Infomaniak could fund R&D that would make Europe less dependent. They could build equivalents of SQS, Pub/Sub, DynamoDB — under European law, with European engineers, in datacentres whose cold aisles you could one day visit.
In France and across Europe, there are very good quality cloud providers, subject to European law, with local technical teams, capable of building custom solutions, understanding sector-specific regulatory constraints (health, finance, defence), and whose margins would remain in Europe. They are called Ecritel, DRI, OVH, Scaleway, Claranet, Infomaniak, IONOS — and a dozen others. They have cold aisles. They have racks. They have engineers.
Custom work: a local provider can adapt their infrastructure to your specific needs. A hyperscaler adapts you to their infrastructure. The difference is not cosmetic — it is architectural.
Equivalent services: equivalents of SQS, Pub/Sub, DynamoDB, S3 exist at European providers — or can be built on open source technologies (Kafka, MinIO, ScyllaDB, RabbitMQ) hosted there. The Sovereign Interface documented in the corpus allows switching without application rewrite.
Native regulatory compliance: a French datacentre hosting health data is subject to HDS. A European datacentre hosting financial data is subject to DORA. No need to build a compliance layer on top of a service designed for the US market.
The possible visit: you can ask to visit their cold aisle. Try that with AWS.
The French cloud market represents several billion euros per year. A fraction of these budgets — redirected to local providers — would allow them to fund R&D at the scale of their ambitions. To recruit the bare-metal engineers that large French companies let go. To build competitive managed services. To invest in datacentres powered by French renewable energy. The choice to spend with AWS or with OVH is a political choice as much as a technical one.
"Cloud strategy in three steps."
Let go of your bare-metal engineers. "It is legacy." Close your cold aisle. "It is CAPEX, cloud is OPEX, it is more flexible." Abandon your physical network. "SD-WAN is the future." Validate your team's AWS certifications with training budgets. "It is upskilling, it is good." Brilliant. You have eliminated any possibility of going back.
Migrate your applications to proprietary managed services. DynamoDB because it is simple. BigQuery because it is powerful. Lambda because it is convenient. Pub/Sub because everyone does it. Six months later, these dialects are everywhere in your code. Your developers are AWS certified. Your CIO gives presentations on "our cloud journey". Your CTO quotes the Gartner Magic Quadrant. Everything is fine.
Receive the egress fees invoice when you try to retrieve your data. Discover your Reserved Instances are "noncancellable". Learn the applicable jurisdiction is Californian by reading the Terms — which nobody had read. Receive notification of a 30% price increase with notice of... none (GCP §2.6: "at any time"). Watch your €10 million annual cloud budget finance AWS's new datacentre in Spain.
أَتَسْتَبْدِلُونَ الَّذِي هُوَ أَدْنَىٰ بِالَّذِي هُوَ خَيْرٌ
The Sovereign Interface (corpus study) allows decoupling application code from the hyperscaler dialect. The Gentle Exit allows progressive migration without a catastrophic D-Day. Local providers — Ecritel, DRI, OVH, Scaleway — can receive what returns. Bare-metal competence can be rebuilt. Slowly. Painfully. But it can be. The corpus documents the path.
Mastery of iron is not an abstraction from the Opération Dindon corpus. It is a cold aisle. It is racks. It is hand-done cabling, dimensioned power supplies, configured network cards, updated firmware. It is someone who knows what is inside, why it is there, and what happens when it fails at 3am.
AWS has thousands of cold aisles like this one — and they generate 70% of the global cloud market from them. The question is not whether bare-metal is possible. The photo proves it is. The question is why organisations that could have this prefer to pay more not to have it — under California jurisdiction.
أَتَسْتَبْدِلُونَ الَّذِي هُوَ أَدْنَىٰ بِالَّذِي هُوَ خَيْرٌ
Are you trading what is better for what is inferior?
— Al-Baqara, 2:61

The closed doors of infrastructure, and concrete solutions to reopen them.
This document analyses a structural imbalance — the near-total absence of women from infrastructure, systems and network roles — using the same method as the previous studies in this corpus. It makes no judgment on individuals, no accusation against any profession, and no claim about the superiority or inferiority of anyone. It identifies mechanisms that produce this absence, and proposes levers to correct them.
This imbalance is a problem of efficiency as much as a problem of equity. Both arguments are presented here. Neither needs the other to stand.
This observation is not an impression. It is a repeated finding, across several years, across several vocational training centres, across different cohorts. Engineering classes: close to 50/50 gender balance. Developer training: the same. Systems & Networking: two women out of twenty, consistently. Sometimes zero.
The consistency of this figure across multiple years and multiple institutions rules out coincidence. It is not an atypical cohort. It is a pattern. And a pattern that repeats under the same conditions points to structural causes, not random ones.
Two women out of twenty in a Systems & Networking class does not mean women are incapable of doing this job. It means that something, upstream of competence, produces this absence at the stage of course selection and enrolment. The problem is not inside the classroom. It is in what happens before entering it.
The contrast with other technical disciplines is striking and is itself informative. If the issue were "women do not go into technical fields", the deficit should be visible across all technical training. It is not. It is concentrated on infrastructure, systems and networking — and on the physical terrain associated with it: the datacentre.
The entire study rests on this first-hand empirical observation. It is not statistically representative in the academic sense. It is representative of an extended field experience, in a specific context. The mechanisms identified in the rest of this document are intended to explain this observation — not to prove it, as it is already established as a directly observed fact.
The first spontaneous explanation one hears — and is tempted to offer — is the physical one. The datacentre is a hot, noisy, physically demanding environment. A single intervention in a server room covers roughly 7,500 steps. Racks are heavy. Cables resist. There is something in this work that resembles a building site more than an office.
This explanation has an apparent logic. But it collapses against a simple, documented counter-example.
When construction machinery could not reach the villages of the Moroccan Atlas, it was women who carried the concrete blocks on their backs to build their village mosques. Physical resilience is not a genetically masculine trait. It is contextual, cultural, motivational. It is deployed where circumstances call for it.
A datacentre is no more physically demanding than a construction site, a professional kitchen, or a surgical suite. Each of those environments counts women among its practitioners. What makes the difference is therefore not the objective physical demand. It is the representation of that physical demand in the imagination of training institutions and recruiters — a representation that is constructed, and therefore changeable.
If the physical explanation does not hold, three structural mechanisms — each distinct, cumulative in their effects — can explain the observed imbalance. None of these mechanisms implies malicious intent on the part of individuals. They are system-level effects.
The mental image of the SRE, the system administrator, the network engineer is masculine in popular culture — in television series, in conference photographs, in the illustrations of training materials. This image is constructed. It precedes young people's course choices by several years. A young woman choosing a career path is partly choosing a future image of herself — and that image tells her that server rooms are populated by men.
Role models reproduce through visibility. A sector that counts few women produces few visible female role models, which discourages new entrants, which keeps women scarce in the sector, which produces few role models — a loop closed on itself. This loop does not break spontaneously. It requires deliberate intervention at the level of training, communication and recruitment.
Infrastructure training materials are mostly written, illustrated and delivered by men, with examples, metaphors and a register that are often implicitly masculine. This is not conscious hostility — it is a blind spot. An instructor who does not think about it reproduces the context in which they were trained. Neutrality is not the result of a decision: it is the default effect of a non-decision.
These three mechanisms are observable and correctable phenomena. They imply no claim about any intrinsic incapacity, no superiority or inferiority of any gender, no individual fault on the part of specific instructors or recruiters. Identifying a structural mechanism is not designating a culprit.
In "Anatomy of the Loss", training was identified as the central lever for reconquering infrastructure competence — against the dissolution of hard limits and the cognitive lock-in of the sector. The same logic applies here: if the gender imbalance is decided at the training stage, then training is where the levers for correction are found.
The shortage of women among SysAdmins and SREs is not decided at the point of hiring. It is decided at the point of orientation, and then consolidated during training. A young woman who does not walk into a Systems & Networking classroom will never have the opportunity to demonstrate that she can excel in this field. Discrimination through image precedes discrimination through competence.
The pedagogical programme developed in this corpus — 26 weeks, from electricity to networking — was designed without any gender reference. Electricity is not masculine. Calculating subnets in binary is not masculine. Configuring an Active Directory domain controller is not masculine. These are technical skills, acquired through practice, rigour and repetition. They require no physical strength, and no genetic predisposition of any kind.
The iron will they demand — to understand, to persist through a fault that resists, to redo a cabling run three times until it is clean — is a human will. Not a masculine one.
The false perception of physical difficulty, described in section 2, acts as an invisible filter at the entrance to training. It is never written down. It is never stated explicitly. It is conveyed by the image of the room, by the instructor's language, by the composition of the cohort — and by the absence, within that cohort, of women who could have demonstrated through their presence that this perception is false.
Training is the most accessible and most immediately actionable lever. It is not the only one. School guidance upstream, training centre communications, partnerships with secondary schools, and the visibility of women already working in the sector are complementary levers — acting over a longer timescale. This document focuses on training because that is where the author has direct experience and concrete proposals.
The systems and network infrastructure sector suffers from a shortage of qualified profiles that is documented, persistent and structural. Positions remain unfilled. Teams are chronically understaffed. The load per SRE engineer increases. On-call schedules grow denser. Burnout sets in.
In this context, effectively excluding half the working population from the talent pool is not a neutral choice. It is a choice that actively worsens an already existing shortage. A recruiter who does not think to recruit women, a training centre that does not think to attract women, a sector that does not think to retain them: each link in this chain halves the available talent pool. The market suffers directly.
One does not need to be convinced by equity or equal opportunity arguments to recognise that recruiting from 50% of the available pool is a poor talent sourcing strategy. These two arguments — one moral, one economic — reach the same conclusion by different paths. The sector stands to benefit from hearing both of them.
There is also a quality argument. Diversity of profiles within a technical team produces diversity of approaches to problems. A datacentre seen through different perspectives is a datacentre whose blind spots are more often identified. Diversity is not a symbolic objective — it is a measurable operational advantage in terms of system resilience and diagnostic quality.
For every cohort of twenty Systems & Networking trainees that includes eighteen men and two women, the sector potentially loses ten additional qualified profiles who could have been trained, certified and operational. Over ten years, across hundreds of cohorts in dozens of training centres, this figure represents thousands of SRE engineers who do not exist because they were never trained. The shortage the sector deplores is partly of its own making.
The economic efficiency argument is the most immediately audible in a professional context. It also has a limit: it subordinates inclusion to economic usefulness, which is a fragile position if market conditions were to change. The equity argument — every person should have access to the roles for which they are qualified, regardless of gender — is more robust over the long term. Both are presented here, and both deserve to be heard.
The levers that follow are not grand statements of intent. They are precise actions, achievable within an ordinary training centre, without exceptional budget, by instructors who decide to think about this problem rather than not thinking about it.
The photos used in course materials, the characters in lab scenarios, the examples cited in class — all of these imperceptibly construct the mental image of the profession. A material that systematically illustrates network administrators with masculine silhouettes or first names sends a signal that no one consciously formulated but that everyone receives. This signal is corrected by a simple decision: deliberately choosing mixed representations.
Inviting women SREs or system administrators to speak in training sessions — even for an hour, even via video call — breaks the visual monopoly of the masculine figure in the profession's imaginary. The role model who resembles who you are is the most powerful role model. It costs nothing more than a phone call to a professional willing to speak.
The sporting, military or mechanical metaphors that sometimes pepper infrastructure courses are not neutral choices. They signal an implicit cultural context. They can be replaced by equally precise metaphors that are culturally broader, with no loss of pedagogical quality and a genuine gain in accessibility.
Vocational training centres for jobseekers — the type from which the Foundation of Iron emerged — serve career-changers. A woman of 30 in a professional transition does not face the same barriers as a 17-year-old secondary student. She brings experience, maturity and motivation that can be considerable assets in a field where rigour matters more than age of entry. These centres are an underused talent pool.
Infrastructure is the foundation of our digital ecosystem. There is no reason for it to be a private club. Not for ideological reasons. For reasons of competence, talent pool, and the long-term survival of a sector that needs every available talent.
This study extends "The Silence of the Rooms" — which documented women's absence from SRE — by posing a question that first study did not explicitly formulate: what if this absence was not accidental? It defends a three-level thesis — documented, structural, and hypothetical but coherent — on the relationship between women's exclusion from bare-metal infrastructure and the economic interests of hyperscalers. It concludes with the only structural response possible: early education.
The SRE engineer who masters infrastructure from the physical layer to the application layer is structurally hyperscalers' number one enemy. Not because they are hostile to them — but because they possess a capability that cannot be taken from them: the ability to fall back. To return to bare metal. To rebuild a sovereign infrastructure. To set the hard limits that cloud contracts never set.
This competence is an existential threat to the hyperscaler economic model. A client who can leave is a client who negotiates. A client who cannot leave is a captive. The lock-in strategy documented in "Anatomy of the Loss" aims to produce captive clients. And the most dangerous professional body for this strategy is precisely the SRE and systems administrator community who know how to build outside the cloud.
If this body is reduced by 50% through the systematic exclusion of half the population, it loses three distinct things simultaneously.
Numbers: the documented shortage of infrastructure profiles is directly amplified. Fewer engineers capable of falling back means fewer clients capable of negotiating.
A different perspective: women entering technical fields bring statistically a more conservative relationship to risk, a tendency to question implicit assumptions, and stronger resistance to technological fashion effects. This perspective is precisely the one that sets hard limits — and precisely the one that "soft on hard limits" DevOps seeks to replace.
Institutional legitimacy: a 95% male professional body is more easily caricatured, marginalised, and replaced by a generic title ("DevOps engineer") that can be positioned as more modern, more inclusive, more open — while being less competent on the physical layer.
A thesis about deliberate exclusion deserves at least partial evidence. It will not be found in an internal memo — it is found in the configuration examples that thousands of engineers read every day as they learn their trade. AWS IAM documentation was examined.
Official IAM examples use a limited set of first names. Female names appear: Jane, Alice, Adele, Patricia, Chloe. Male names appear: John, Bob, David, Jim, Chris, Eli. Apparently balanced — until contexts are examined.
Female names appear systematically in examples of basic user creation and restricted permissions. Male names dominate examples of administrator roles, AssumeRole, advanced permissions, role sessions in CloudTrail.
The canonical example of an IAM security problem features "John Doe" creating the risk — "Jane Doe" inheriting it passively. The woman as a dependent variable of the man's behaviour, in the code example the beginner engineer reads on their first day of AWS training.
This documentation bias does not prove deliberate exclusion intent. It proves normalisation — the engineer who learns to "assume an admin role" learns that the person doing it is called John. A thousand engineers learning this form a mental representation. This mental representation informs hiring, promotions, and team cultures. This is not a conspiracy. It may be more effective than a conspiracy.
While documentation normalises the male profile in advanced administration roles, HR departments seek "DevOps engineers" — a title that, as documented in "The Infrational Crisis", dilutes real operational competences. This DevOps profile is presented as more inclusive, more collaborative, more modern than SRE or systems administrator. It is also structurally less dangerous for hyperscalers — because it does not master the physical layer.
This section defends a thesis the author explicitly presents as a hypothesis — not a certainty. It is presented as such because it deserves to be thought through, even without direct proof. A thesis coherent with the interests at stake and with observable facts is not a conspiracy theory. It is a structural hypothesis.
Hyperscalers have every interest in keeping the body of SREs and systems administrators — those who can fall back to bare metal — as small as possible, as lacking in legitimacy as possible, and as invisible as possible in public debates about the future of digital infrastructure.
The exclusion of women from this body — through the hostile culture documented in "The Silence of the Rooms", through masculine normalisation in documentation, through the replacement of SRE by DevOps in HR job descriptions — produces exactly this result. The body is amputated by half. It becomes less complete, less diverse in its perspectives, less capable of collectively resisting hyperscaler cognitive capture.
This exclusion did not need to be planned to have been produced. Economic systems produce outcomes that serve their dominant interests — often without anyone having explicitly decided to produce those outcomes. The question is not "was there a secret meeting?" The question is "who benefits from this outcome?" The answer is clear.
Four mechanisms converge toward the same result without requiring explicit coordination:
— The hostile culture of bare-metal infrastructure teams (documented)
— Masculine normalisation in technical documentation (documented)
— The replacement of SRE by DevOps in HR job titles (documented)
— The devaluation of hard limits as a necessary competence (documented in "The Infrational Crisis")
Four distinct mechanisms, four distinct actors, one unique result: the professional body most dangerous to hyperscalers is amputated by half and marginalised in the public debate on digital infrastructure.
A thesis does not need to be proven to be useful. It must be coherent with observable facts and point toward corrective actions that would be relevant even if the thesis were false. If women were accidentally excluded, correcting this is just. If they were deliberately excluded, correcting this is as effective as it is urgent. The strong thesis and the weak thesis lead to the same action.
The diversity argument is often presented as a moral argument — we must include women because it is just. It is just. But it is also an operational argument that homogeneous infrastructure teams tend to ignore.
Organisational psychology and risk management studies converge on one finding: mixed groups make better-calibrated risk decisions than homogeneous male groups. Not because women are "less courageous" — but because they statistically have less tendency to follow group effects (groupthink) that push homogeneous teams toward overly aggressive decisions. In infrastructure, refusing groupthink has a name: hard limits. The engineer who says "no, we do not migrate this critical workload to this cloud service before we have an exit plan" is the engineer hyperscalers do not want in the room.
The culture of homogeneous male technical teams is particularly vulnerable to fashion effects — the shiny technology, the quarter's framework, the architecture that fills conferences. This vulnerability is documented and exploited. Hyperscalers have built conferences (re:Invent, Google Next, Microsoft Build) that are machines for producing fashion effects favourable to their services. A more diverse professional body is structurally more resistant to these fashion effects — because diversity of perspective breaks the group dynamics that fuel them.
In a homogeneous team under conformity pressure, the question "but can we do without this cloud service if the relationship with the provider deteriorates?" is hard to ask. It goes against the collective enthusiasm. Mixed teams ask these foundational questions more readily — because diversity of perspective legitimises the questioning of implicit assumptions. This questioning is exactly what the Opération Dindon corpus calls hard limits. And it is exactly what dominant DevOps culture discourages.
The exclusion of women from bare-metal does not pass through explicit discrimination decisions. It passes through an accumulation of mechanisms that make entry difficult, staying exhausting, and leaving natural. Each mechanism in isolation is defensible. The accumulation is systemic.
Nocturnal on-call in infrastructure is presented as a neutral professional requirement. It is not neutral. In a society where domestic and parental load still falls predominantly on women, uncompensated and unstructured nocturnal on-call is a gendered filter. Women do not "leave" bare-metal because they do not want to. They leave because the infrastructure operational model was not designed to be compatible with a life outside the office. "The Pager and the Body" documented this mechanism without naming its gendered dimension. This study names it.
The progressive replacement of "systems administrator" or "SRE engineer" by "DevOps engineer" in job postings is not trivial for women. The "DevOps" title appeared in a recruitment context that explicitly valued the collaborative, cross-functional profile, less anchored in the server room. This profile was presented as more inclusive — and in image terms, it is. But in terms of expected skills, it erases precisely the physical layer that women could have mastered as well as men. The profession was made "more welcoming" by removing its most strategically important content.
Section 2 documented the bias in AWS example names. The same bias exists in YouTube tutorials, Udemy courses, and the examples in technical reference books. When a young woman learns to configure a Linux server and all the examples show "john@server:~$" in the prompt, she receives a subliminal signal: this console is not for her. This signal is not a prohibition. It is friction. And accumulated frictions discourage without ever formally forbidding.
All measures that seek to correct exclusion at the labour market entry point act too late. The decision not to pursue technical careers is made earlier — in middle school, in high school, sometimes in primary school. That is where the filter plays. That is where the correction must intervene.
Hands in the machine before the theory. An Arduino project that blinks an LED, then controls a robotic arm, then connects two microcontrollers — this three-year journey in middle school builds a hardware intuition that theoretical computer science classes do not build. The girl who assembled her own robot at 13 does not need anyone to explain what a GPIO, an I2C bus or an output voltage is. She lived it. And this lived experience changes the relationship to the physical layer for the rest of a professional life.
The connected car, the drone, home automation — these projects have an additional advantage: they are bridges between the physical world and the digital world. They show that infrastructure is not abstract. It is in objects. It is in the home. It is everywhere.
Our women — of every age — need to come and reinforce us in the face of abstraction. Bare-metal, cables, servers, the physical layer: this is ground where they have every right, every intelligence, every perspective. If they do not come, if we do not bring them, if we do not show them that this is for them as much as for us — it is going to be a mess. For infrastructure. For sovereignty. For all of us.
Companies that want to correct the imbalance in their infrastructure teams do not have to wait for the market to do it. They can sponsor robotics clubs in nearby high schools. They can organise "infrastructure days" for final-year female students. They can mentor women in systems and networking HNC programmes. These actions cost little. They produce results over a 3-to-5-year cycle — not a quarter. They are the only diversity investments that work structurally.
The senior SRE who reads this study and recognises their own team in what it describes has a simple responsibility: make their team visible. Talk about their profession in schools. Invite female students to visit their server room. Share their own beginner struggles — the poorly connected cables, the failed configurations, the on-call nights. Show that this profession is learned, requires no particular gift, and is open to anyone who wants to practise it.
A professional body amputated by half cannot defend digital sovereignty at full strength. Reconstruction begins before the baccalaureate — not after hiring.
Twenty years of career — teacher, technician, system administrator, Head of SRE — converge on a single finding: the structural shortage in Iron professions is the mechanical consequence of amputating half the available human capital. None of the six strata of The Sovereign Exodus can produce its full effect without a seventh axis, cutting across the first six: the massive reconquest of female human capital in the low-level layers of infrastructure.
Twenty years of career — teacher, technician, system administrator, Head of SRE — converge on a single empirical finding: the structural shortage in Iron professions is not a demographic accident. It is the mechanical consequence of amputating half the available human capital.
When a technical field durably excludes 50% of its potential talent pool, it does not merely reduce its number of candidates. It cuts itself off from a diversity of approaches, profiles, retraining paths — and it locks itself into a spiral where the shortage itself becomes the argument justifying outsourcing to managed solutions, proprietary consoles, hyperscalers.
None of the six strata of The Sovereign Exodus can produce its full effect without a seventh axis, cutting across the first six: the massive reconquest of female human capital in the low-level layers of infrastructure. This is not one stratum among others. It is what irrigates all the others.
This study documents three things: the real scale of the deficit, quantified and sourced; the structural parallel with other chronically tight sectors (metallurgy, construction); and the concrete protocol — regulatory, financial, pedagogical — to reverse the trajectory before the breaking point is reached.
These figures are not an activist estimate. They are INSEE and France Travail data, verified and sourced.
of women in telecoms and network infrastructure jobs, versus 10% of men among digital professionals
of women across all digital professions, versus 50% in other professions
In the training programmes that feed these fields, the gap widens before entry into the labour market: 17% of girls in computer engineering programmes, 6% in IT vocational tracks. The field does not lose its women along the way — it never recruits them.
A sector recruiting from just 3% of a potential pool of trained women does not have a "preference" problem — it has a capture problem. Tight-labour fields do not suffer from a lack of potential candidates. They suffer from a structural attractiveness deficit toward half the population.
The parallel between digital infrastructure and physical transformation industries is not a circumstantial analogy. It is a structural homology, documented by the figures of the country's most exposed professional branch: metallurgy.
of women in metallurgy's overall workforce
unfilled positions in the branch
This tension forced the French Union of Metallurgy Industries to launch, as early as 2023, the "Tu as ta place" ("You have your place") plan — six lines of action, an explicit and public objective: moving from 23% to 33% women in the industry by 2033. This is not a CSR posture. It is an industrial war plan triggered by a shortage that threatens production.
Digital infrastructure suffers the same determinism — with an even sharper deficit. 3% of women in telecoms and networks versus 23% in metallurgy: digital Iron is the most amputated field of its potential pool, across all tight-labour branches combined. The digital Iron shortage will not be solved without activating the same talent-pool conquest lever that metallurgy had to trigger for its own industrial survival.
This parallel establishes one precise and verifiable thing: the durable exclusion of half the talent pool mechanically produces the same effect — a shortage that self-aggravates until a massive mixity plan corrects it.
AWS, Azure and Google Cloud's "Women in Tech" programmes exist, are funded, and produce measurable surface-level results. But they systematically steer toward the upper layers of the cloud: governance, agility, Product Management, cloud consulting. Never toward the kernel, routing, physical cabling, low-level system administration.
This is not a marketing coincidence. A hyperscaler that massively trains women in cloud governance and Product Management produces profiles that consolidate organisational dependency — not profiles that could audit or challenge it. Mixity, within this frame, never threatens the vendor's business model. It reinforces it.
Iron Mixity sets a different requirement: training women in raw engineering fundamentals — Bare-Metal, Linux, physical networks, system administration — rather than proprietary graphical consoles that perpetuate their employing organisation's dependency. Mastery of low-level layers is the only technical skill that is non-interchangeable and structurally immune to vendor lock-in. An engineer trained in the kernel and low-level network protocols depends on no proprietary ecosystem to practise her craft. A cloud console manager depends on it entirely.
It is not cloud opponents who instrumentalise mixity. It is the hyperscalers who instrumentalise "Women in Tech" to turn them into brokers of their graphical consoles. Steering women exclusively toward cloud management is denying them access to the logical control of machines. Mixity without sovereignty is merely diversified subcontracting.
Three elements, and three only, structure the mechanism. None is sufficient alone.
Linux, physical networks, system administration — the technical base that makes a skill transferable from one environment to another, independent of any cloud vendor. This is the bedrock that distinguishes an Iron engineer from a console operator.
Senior system engineers, often sidelined by the NoOps waves documented elsewhere in this corpus, become transmitters of knowledge that disappears with them. Mentorship is not an HR option — it is the last transmission window before the know-how goes extinct.
A short training course is not enough to anchor raw engineering reflexes. The mechanism relies on a long apprenticeship — 12 to 24 months — combining theoretical training with genuine immersion in a production environment.
These three elements only work together. Training without mentorship reproduces the isolation documented in field dropouts. Mentorship without a contractual framework remains informal and unfundable. Apprenticeship without neutral fundamentals reproduces dependency on the tools of the vendor hosting the placement. The following sections detail the exact regulatory vehicle that makes this triptych fundable and enforceable.
The duration of an apprenticeship contract varies between six months and three years, set according to the type of profession and the level of qualification being prepared. This duration may be adapted by derogation, notably based on the candidate's initial skill level.
Two contractual vehicles coexist, with a determining age distinction:
Capped at 29 years old, except for legal derogations (recognised disabled worker status, business creation/takeover project requiring the targeted skill).
No age limit for jobseekers aged 26 and over. This is the relevant vehicle for the pool of women retraining after 30.
For this study's target audience — women retraining professionally after 30 — the professionalisation contract is the appropriate legal lever. It requires no derogation, no exception, no heavy administrative process. It is built, by design, for exactly this profile.
The recommended 12-to-24-month duration fits strictly within the legal framework of both mechanisms. What remains to be established is the funding — the subject of the next section.
The lock most often invoked against long-training mechanisms — the absence of an identified funding vehicle — does not exist here.
Registered title, accessible through an apprenticeship contract. Source: France Compétences.
Level 6 (Bachelor's equivalent), issued by the Ministry of Labour. Rhythm: 1 day at training centre / 4 days in company over 12 months — exactly the apprenticeship format proposed. 100% OPCO funding under apprenticeship.
The OPCO Atlas fund publicly confirms funding for the "Systems and networks: Cloud systems and network administrator, Helpdesk technician, DevOps" track, with a public search engine by RNCP code giving the exact level of coverage.
The "Bare-Metal Fundamentals / Iron Mixity" module fits into the competence blocks already provided for by these titles — most systems/network curricula include an "infrastructure security and physical layer" block that can legitimately integrate this content. The choice of pedagogical support falls within the training centre's pedagogical engineering freedom, with no regulatory change required.
Senior system engineers — often sidelined or marginalised by the NoOps transformation waves documented elsewhere in this corpus — hold low-level knowledge that no longer transmits within current organisations. This knowledge disappears with every retirement, every layoff, every reorganisation that favours "cloud-native" over hardware mastery.
Presenting mentorship as a moralising HR directive produces rejection or surface-level compliance. Presenting mentorship as the only way to save know-how from programmed disappearance transforms the dynamic: the senior is no longer solicited in the name of diversity, but in the name of saving his own technical craft.
This reframing is not cosmetic. It changes the identity of the role: the senior becomes the last custodian of a rare skill, whose transmission is an act of professional preservation — not an additional burden imposed by a top-down diversity policy.
The transmission protocol structures this relationship: a formal pairing for the duration of the apprenticeship, precise and verifiable competence objectives, explicit recognition of the mentor role in the senior's own professional evaluation.
Integrating an apprentice into an SRE team under permanent strain carries a real risk: the overload that turns mentorship into a burden, and failure into premature abandonment.
This structuring protects both the apprentice — never exposed alone to a critical outage without a safety net — and the existing team, whose mentoring load is calibrated and decreasing over time rather than constant.
A perfectly designed training and mentorship mechanism fails if the downstream labour market continues to algorithmically filter the profiles it produces. Automated CV screening systems (ATS) are calibrated on proprietary terminology — "AWS Certified", "Azure Administrator" — which mechanically eliminates profiles trained on neutral fundamentals, regardless of their actual competence.
A candidate certified RNCP36370 or holding the TP AIS, trained on Bare-Metal and pure Linux, can be eliminated before any human interview by an ATS filter configured on proprietary cloud keywords. The most rigorous training mechanism is useless if the job posting that precedes it is written in the vendor's newspeak.
The operational answer: systematically replace proprietary terminology with agnostic nomenclature in job postings — "Systems and Network Administrator" rather than "AWS Cloud Engineer", "Infrastructure Engineer" rather than "Azure DevOps Engineer". This reframing relies directly on the RNCP codes themselves, which are, by design, vendor-agnostic.
This nudge requires no negotiation with ATS vendors. It acts upstream, on the very wording of job offers — a lever entirely controlled by the hiring company.
The HR rewriting nudge, deployed at the scale of a single company, remains an isolated gesture. Deployed at the scale of a professional branch, it becomes an enforceable standard. Collective bargaining agreements and job classifications defined by professional branches carry a normative force that the internal practices of a single isolated company lack.
A professional branch that registers "Systems and Network Administrator (all infrastructures)" as the reference title, rather than implicitly validating segmentation by cloud vendor, creates a precedent that ATS systems and recruiters cannot ignore without exposing themselves to non-compliance with their own collective agreement.
This lever goes beyond the scope of an individual study. It calls for social dialogue work — with digital employer organisations (Numeum) and representative trade unions — to have agnostic nomenclature recognised as a branch standard, not as an isolated and fragile initiative.
IT consultancies (ESN) — formerly known as SSII — employ a significant share of France's system and network engineers. Their commercial apparatus, today oriented toward reselling hyperscaler-certified skills, can be turned around. An ESN that builds a pool of profiles certified in neutral fundamentals — LFCS (Linux Foundation Certified Sysadmin), RHCSA (Red Hat Certified System Administrator) — holds a differentiating commercial argument against a public procurement market increasingly sensitive to digital sovereignty issues.
A public tender that explicitly requires agnostic certified skills — rather than proprietary certifications from a named cloud vendor — mechanically steers bidding ESNs toward building this talent pool. Public procurement becomes an instrument for structuring the technical labour market, with no new regulatory constraint.
This mechanism connects directly with the training scheme described in the previous sections: apprentices trained on RNCP36370 or TP AIS are precisely the pool that ESNs, under public procurement pressure, will have an interest in recruiting and showcasing.
Three factors converge to create a tightened time window:
Every year that passes without organised transmission is a year of know-how lost irreversibly, with no recourse once the departure has occurred.
"Women in Tech" programmes steered toward the upper layers of the cloud continue to capture a growing share of the available female talent pool, shrinking the basin mobilisable for Iron Mixity by the same amount.
The mechanisms documented in The Sovereign Exodus (Bare-Metal, sovereign IDP, cloud-free BCP) require trained workforces to be operational. Without renewing the talent pool, these infrastructures will remain theoretical for lack of hands to operate them.
An activation plan launched now produces its first operational graduates within 12 to 24 months — exactly the timeline on which the credibility of the entire Operation Turkey corpus is staked. Deferring this launch by five years means facing the breaking point without the human capital needed to confront it.
Every cell of this table refers to an existing mechanism, a verified source, an active regulatory code. Nothing in this architecture requires prior legislative reform. The protocol is executable now, with the legal and financial tools already in place.
The INSEE and France Travail figures cited in this study are verified and sourced. One additional data point deserves to be named for what it is: an empirical estimate, not an official statistic.
Over twenty years of career — engineering school teacher, technician, system administrator, Head of SRE — the field estimate is that roughly 90% of the potential female talent pool for low-level infrastructure roles remains untapped. This figure is not an official statistic. It is a direct observation, repeated over two decades, in real production environments.
This distinction between verified data and field observation does not weaken this study's thesis. It strengthens it: official figures already suffice to demonstrate a major structural deficit. The empirical estimate adds a dimension that aggregated statistics do not always capture — the conviction of a practitioner who has watched, over two decades, the talent pool empty out without ever refilling.
It is what allows the other six to produce their full effect.
Without the massive return of women to the low-level layers of infrastructure,
the Sovereign Exodus remains a plan with no hands to execute it.
This study is part of the Opération Dindon corpus, following "The Silence of the Rooms" (women's absence from SRE) and "The CPF Misused" (training funding). It addresses an angle those studies did not cover: not the entry of women into infrastructure roles, but their retention at the moment of maternity. It puts forward a concrete proposal built on three principles — maintaining the link, full financial protection, and anti-downgrade by design — without creating any new legal mechanism.
This proposal recognises maternity as a biological function from which society as a whole benefits, and whose career cost is today borne disproportionately by the women who carry it out. It prescribes no behaviour — it creates conditions in which every woman can freely choose the form of her maternity without suffering professional consequences for it.
Maternity is a biological function. It is not a lifestyle choice, a career decision, or a voluntary absence. It is a reproductive act from which society as a whole benefits — the future workers, the future taxpayers, the future engineers are children that someone carried, delivered and fed. This elementary fact is systematically ignored in the current organisation of work, which treats maternity as an interruption to be managed rather than a contribution to be recognised.
In systems and network infrastructure roles, this ignorance produces two concrete, documented problems.
An SRE who goes on maternity leave takes with her a knowledge of the infrastructure that no one else in the team possesses in exactly the same way. She knows the failure paths, the architecture decisions made in a meeting three years ago, the reasons why a given configuration exists rather than another. For 4 to 16 months, the team operates without this knowledge. When a fault occurs at 3am, the intervention that would have taken 12 minutes takes 4 hours — or does not happen at all. This is not a sentiment problem. It is a measurable operational problem.
While feeding the future SRE, the SRE Girl watches her career pause. Certifications evolve. The infrastructure changes. Teams reorganise. On return, the risks are multiple: role downgrade under cover of "reorganisation", loss of knowledge about an infrastructure that evolved without her, misalignment with a team that has formed new habits. These risks are documented, frequent, and rarely sanctioned because they are hard to prove.
This study does not claim that all companies mistreat employees on maternity leave. It identifies structural mechanisms that produce these risks independently of individual goodwill. A well-meaning manager in a poorly designed organisation produces the same outcomes as an indifferent one. The solution must be structural, not personal.
Most existing proposals to protect women on return from maternity leave try to fix the problem after it has occurred — legal prohibition of downgrading, employment tribunal recourse, mandatory retraining. These approaches are reactive. They assume a rupture has taken place, and seek to repair it.
The proposal in this study is different in nature: it seeks to eliminate the rupture itself. A woman who never left her team cannot be downgraded on her return. There was no return. There was a continuation at reduced intensity.
The distinction is fundamental. Maintaining the link is not a work demand. It is the possibility, at the exclusive initiative of the woman, to listen to a Teams call, follow a reorganisation, be aware of an architecture decision. 1 to 2 hours a day, when she decides, if she decides. No deliverable, no objective, no evaluation. The baby always comes first — this hour only exists if and only if the woman chooses to take it that day.
The counterpart of this maintained link is twofold: the team preserves its human expertise, and the woman stays in the flow of the team. She follows the reorganisations. She knows the new decisions. She sees who has taken which role. When she gradually increases her time, she has nothing to catch up on — she was there.
This mechanism has one identified risk: the employer who turns the option into an obligation. The hard limit is simple and non-negotiable — all professional contact during the biological recovery period must be initiated by the employee, never by the employer. No requests, no implicit expectations, no evaluation based on presence or absence during these 1-2 hours. The woman is the sole decision-maker on when, whether, and how much.
The proposal distinguishes two strictly separate phases. The biological recovery phase — duration set by the woman, professional contact forbidden — is unconditional and non-negotiable. It functions like a standard leave: the employer has no access. The link-maintenance phase only begins when the woman decides she is ready, and lasts only as long as she chooses each day.
Maintaining the professional link is not enough if the financial protection is incomplete. An SRE who stays connected to her team but loses 16% of her net salary, sees her supplementary pension frozen, and fails to accumulate the same rights as her male colleagues during the same period — this SRE suffers a double penalty: she works to maintain her expertise during her maternity, and she is still financially penalised for having lived it.
Social Security maternity benefit represents approximately 84% of capped net salary. The proposal requires the employer to top up to the full net salary — with no ceiling. This mechanism already exists in the Syntec collective agreement for sick leave beyond one year of seniority: the employer tops up the Social Security benefit to maintain full net salary. The same logic, applied to maternity, creates no new mechanism — it extends a proven one.
Basic state pension contributions are partially covered during maternity leave via the CNAV. But supplementary pension contributions (AGIRC-ARRCO) and contributions in special schemes are not, or insufficiently. The proposal extends national coverage to all pension contributions — basic and supplementary — for the full duration of the leave. The justification is economic as much as moral: feeding a child in their first months is educational work from which society benefits. This work deserves compensation in rights, not a hole in the pension.
The maternity period is counted in full as seniority. No salary progression freeze. No missed appraisal that creates a gap with colleagues. The woman returns exactly to the level she would have reached had she not had a child. This is not an advantage — it is the neutralisation of a structural disadvantage.
The Syntec agreement provides for full net salary maintenance during sick leave beyond one year of seniority. This precedent demonstrates that employer top-up to full salary is legally and economically viable in the digital and intellectual services sectors — precisely where SREs work. Extending this mechanism to maternity does not require inventing a new right. It requires applying an existing one to a situation the Syntec has not explicitly addressed.
The proposal addresses two distinct populations based on the nature of the role. Their treatment differs in mechanics, but is identical in rights.
Every role performed remotely during the 2020-2021 COVID crisis is presumed remote-eligible. This precedent is objective, documented, and uncontestable: if the employer proved during 18 months that the role functioned at a distance, they can no longer claim that the same role cannot be performed from home during maternity. The burden of proof to the contrary belongs to the employer — not to the employee. For this population, the full mechanism applies: biological recovery phase, then optional link-maintenance at 1-2h/day at the woman's initiative.
For women whose role objectively cannot be performed remotely — nurse, cashier, production operative — the link-maintenance mechanism via 1-2 daily hours is not applicable in its professional form. They receive the same financial rights by national solidarity: full net salary maintained, all pension contributions paid by the State, seniority and salary progression maintained. Without any presence counterpart — this is a right, not an exchange.
The additional cost of full protection for non-remote roles — the gap between Social Security benefit and full net salary — is funded by a pooled fund fed by the collective agreements of each industry sector. This pooling mechanism is structurally close to the provident funds already existing in most collective agreements. The number of births per sector is predictable, the cost is calculable, and the volume is not systemic: it is a one-time event per woman, not a permanent charge. Existing provident funds absorb far more volatile risks without difficulty.
Funding the maternity rights of non-remote roles is not an act of generosity — it is the recognition that reproduction is collective social work, not a private individual decision whose costs must be borne by the person who carries it out. The same logic that justifies family allowances justifies full career rights protection during maternity.
The proposal resolves both problems identified in section 1 simultaneously — and the resolution of the second is the direct consequence of maintaining the link, not a separate objective to be achieved by other means.
An SRE who maintains 1 to 2 hours of daily contact with her team stays informed of incidents, architecture decisions, and infrastructure evolutions. She is not available for on-call duties, emergency interventions, or long meetings. But she is reachable for a precise question that no one else in the team can answer. This partial, self-initiated availability is enough to keep alive the tacit knowledge she alone holds — those undocumented understandings that make the difference between a fault resolved in 12 minutes and a night-long incident.
The current alternative to absence is the "handover" — documenting in a few weeks what the SRE has known for years. This documentation is always incomplete because tacit knowledge cannot be fully documented. Maintaining the link requires no documentation — it keeps the source alive. The knowledge remains available in the person who holds it, without having had to freeze it artificially in a document that no one will find at the right moment.
A woman who followed her team's reorganisations during her maternity does not return to an unfamiliar environment. She knows the new faces, the new roles, the new technical directions. She knows that service X was migrated, that team Y merged with Z, that the project starting when she left is now in production. She has nothing to catch up on — she was there, at reduced intensity, but there.
An employer seeking to downgrade this profile on her return would face a simple reality: this woman is more up to date than many of her colleagues who were on holiday, in training, or on assignment abroad during the same weeks. The downgrade has no technical argument left to invoke.
Content: full rest, professional contact forbidden except at the employee's own initiative.
Status: identical to standard leave — the employer has no access, no expectations.
Funding: Social Security benefit + employer top-up to full net salary (extended Syntec model) + full basic and supplementary pension contributions paid by the State + seniority and salary progression maintained.
Hard limit: any attempt at professional contact by the employer during this phase is an enforceable infringement — reversed burden of proof on the employer.
Content: 1 to 2 hours per day, decided by the woman, decided each day. Listening to a Teams call, following a reorganisation, a punctual question. No deliverable, no objective, no evaluation.
Status: optional, initiated exclusively by the employee. The employer can neither request, expect, nor take into account presence or absence during these hours in any subsequent appraisal.
Funding: hours performed are compensated at the pro-rata hourly rate, in addition to maternity rights — not in substitution.
Content: progressive increase of working time at the woman's initiative, up to full return.
Status: no imposed date, no minimum threshold. The woman builds her own ramp-up.
Guarantee: the role, classification, salary and team are identical to those at departure. The woman has nothing to catch up on because she never left.
Feeding the future SRE is work. Society benefits from it. Society must compensate it — in rights, in protection, and in career continuity for the person who carries it out.
Every other corpus study intervenes on adults already trained, already misnamed, already excluded. This study intervenes before. The amputation documented in "The Invisible Amputation" has an origin point: the year-7 classroom, the 12-year-old who has never seen a machine obey their instructions. This point is accessible — without public budget, without new institution, without waiting for the state. It requires a teacher, an Arduino starter kit at €35, and the collective decision of a few colleagues to put €10 a month into a shared fund.
The amputation of women from the infrastructure body does not begin at recruitment. It does not begin at university. It begins in a year-7 classroom, when a 12-year-old child decides — often without realising it — that machines and circuits are not for them. Or for her. This bifurcation moment is silent, invisible, and decisive. It is also accessible to an intervention that costs almost nothing.
Between 10 and 15, the brain is in a phase of maximum plasticity for learning through physical manipulation. A child who touches an object, makes it work, understands why it works through trial and error — that child encodes a relationship with the physical world that an adult can no longer encode with the same depth.
This is not pedagogical nostalgia — it is neuroscience. The infrastructure engineer who knows how to "hear" an anomaly in fan noise often developed this sense through early contact with physical machines — a mechanic father, an electrician grandfather, a technology teacher who dismantled appliances. When this contact has not happened, the physical layer remains abstract for life. It can be learned later — but with more effort and less depth.
Amputation is not decided through a deliberate act. It is decided through an absence: no equipment in technology class (kits broken or never ordered), no project that produces something physical, no adult who explicitly says "you too can make this work". In this void, ambient stereotypes fill the space — boys occupy the available equipment, girls orient toward what remains. The pedagogical void is the first amputation mechanism.
This is not an awareness programme. It is not an institutional "girls who code". It is simply a teacher who brings physical equipment to class and structures the activity so that every student — girl or boy — has a moment alone with the machine. That moment alone, repeated, is the deamputation.
The Arduino is not a toy. It is not a professional tool either. It is something rarer: an object that tells the child that their instructions in human language can move the physical world. An LED blinking at the rhythm they programmed is a revelation — not a gadget. It is proof that code is not abstract magic: it is electricity controlled by thought.
Scratch and Python on computer are valuable tools — but they stay on the screen. The child understands the logic, not the substrate. Arduino adds the physical dimension: the code leaves the computer and enters the world. The LED lights up. The motor turns. The temperature sensor reads the heat from their hand.
This leap — from screen to world — is exactly the leap the corpus defends from the start: "the metal precedes the code". Arduino at school is the first practical expression of this thesis. The child who has experienced this leap at 12 understands much more easily later why bare-metal is not an obsolete technology — it is the substrate of everything.
Session 1 — The LED: light and extinguish an LED by programme. Understand the electrical circuit, resistance, current. The physics teacher explains the circuit. The maths teacher explains the if/else condition. The student executes.
Session 2 — The rhythm: blink the LED at a programmed rhythm (delays, loops). Introduction to for and while loops. Maths says the logic. Physics says the electricity. Technology says the wiring.
Session 3 — The sensor: read ambient temperature with a sensor, display on serial monitor. Introduction to variables and inputs. The student understands that the machine "sees" the physical world.
Session 4 — The project: alarm system if temperature exceeds a threshold, red LED lights up. First complete project: sensor + condition + action. Full student autonomy on the realisation.
The equipment problem in classrooms is not the absence of public budget — it is the absence of collective initiative. A single teacher cannot regularly fund educational equipment. Twenty teachers each contributing €10 per month create a fund of €200/month — €2,400 per year. That is a real robotics class, funded by teachers themselves, available without requesting a single euro from the state.
Arduino Starter Kits (20 kits at €35): €700 — a class of 20 students, each with their own kit. One-off investment, hardware reusable for 5 years minimum.
Additional components: €300 — sensors (temperature, light, motion), servo motors, LCD screens, Bluetooth modules. Expands possible projects over sessions.
Cables, breadboards, resistors: €100 — consumables to renew annually.
Raspberry Pi (5 units at €80): €400 — for advanced students, more complex projects (web server on Raspberry Pi, surveillance camera, home automation). Introduction to Linux systems.
3D filament printer (1 unit): €300 — to print project casings. The project does not stay on a breadboard — it has a physical body.
Reserve: €600 — for subsequent years, replacements, new ideas. The pooled fund accumulates.
Joint account opened in the name of the parents' association (which exists in every school). Automatic monthly transfer from each participating teacher. Purchase decisions voted at a 20-minute monthly meeting. Transparent accounting shared on a common spreadsheet. No new legal structure to create. Not bureaucracy: a monthly transfer and a spreadsheet.
This proposal is deliberately independent of any administrative process. No project call. No academic dossier. No application to the local council, regional authority or ministry. These channels exist — and they can complement this arrangement if they succeed. But they take time that children do not have: the year-7 bifurcation does not wait for a ministerial decree.
The pooled budget says one simple thing: we are responsible for what happens in our classrooms. We are not waiting for anyone to act.
The parents' association — a natural complementary lever: parents have a direct and legitimate interest in their children's education. A parents' association that decides to fund digital fabrication equipment for its students is not organising a school fair — it is investing in the technical future of its children. A voluntary contribution of €5 per family from 50 families adds €250 to the annual budget. From 100 families: €500. Without any additional administrative structure. The parents' association already exists in every school — it only requires teachers and parents to decide together that this priority is worth it.
The key is not the equipment — it is the coordination between disciplines. An Arduino without a disciplinary bridge is a gadget that impresses for two weeks then is forgotten. With the bridge between maths, physics and technology, it is a lasting revelation: the student understands that the abstractions they learn in the morning execute in the physical world in the afternoon. This link is what the corpus calls "the metal precedes the code" — seen in reverse: the code vivifies the metal.
The maths teacher does not need an Arduino to contribute. They introduce the algorithm on paper — in human language, not code. "If the temperature is above 25°C, light the red LED. Otherwise, light the green LED." That is a condition. "Repeat this check 10 times per second." That is a loop. "Create a variable temperature that stores the sensor value." That is a variable.
These concepts — condition, loop, variable, function — are mathematical concepts the maths teacher can naturally introduce in their lessons, with concrete examples drawn from the Arduino activity. The algorithm on paper is the translation into human language of what the code does in machine language. This translation work is the maths teacher's contribution — with no equipment whatsoever.
The physics teacher brings two things: understanding of the electrical circuit — current, voltage, resistance, LED, sensor — and the connection between code and physical world: "when you write digitalWrite(13, HIGH) in your programme, you are sending current into this pin, which passes through this resistor, which powers this LED". The physical causality of code. The student who understands why a resistor is needed before the LED understands something about electricity that code will never tell them.
The self-taught teacher — of any subject — who learned Arduino from YouTube on a Sunday afternoon is the M3allem the corpus speaks of. No Arduino certification needed. No expertise required. Just one session ahead of students, and honest about it: "I am discovering with you, we will search together." This posture is pedagogically more powerful than a distant expert.
Girls do not lose interest in robotics because they lack the ability. They lose interest because nobody explicitly invited them — and in the absence of that invitation, ambient stereotypes fill the space. The teacher who activates the deamputation mechanism does not need to give a speech about equality. They need to do two concrete things.
In group activities, boys tend to take the keyboard and the Arduino. Girls tend to observe, take notes, advise. This is not bad faith from either side — it is a social pattern that reproduces automatically if not interrupted.
The minimal interruption: each student has a moment alone with the kit. Not in a group. Alone. They must connect an LED, upload the programme, verify it works. This moment alone is the deamputation. The girl who made an LED blink alone, with her own hands, without help, has an experience nothing can take from her. She has proved to herself that she can make a machine work.
Implicit invitation is not enough. "Everyone can participate" says nothing to a 12-year-old girl who has already internalised that robotics is not for her. The invitation must be explicit and repeated: "I want you to try this — not him in your place, you." This is not positive discrimination. It is remedial pedagogy for an imbalance that installed itself before the student even entered the classroom.
This feeling of satisfaction is not subjective — it is scientifically documented through three distinct phenomena.
The IKEA Effect (Norton, Mochon & Ariely, 2012 — Journal of Consumer Psychology):
Four studies on subjects assembling IKEA boxes, folding origami, and building Lego sets demonstrate that individuals value their personal creations as highly as expert creations — even when objectively less well-made. The effort of making produces emotional attachment to the created object. This effect only applies to tasks completed to the end: if the creation is destroyed before completion, the satisfaction disappears. This is why the project must reach the finished object — the engraved part, the completed print, the machine's first movement.
The Self-Creation Effect (Brunneder & Dholakia, 2018 — Marketing Letters):
Seven field and laboratory studies show that when a person self-creates a product, they appreciate it more, consume it more mindfully, and experience greater domain-specific and general well-being. This effect is amplified by self-consciousness — the student who knows they made something with their own hands develops a self-esteem that passive consumption does not produce.
The Maker Movement and Subjective Well-Being (Journal of Happiness Studies, 2017):
A study of 465 students shows that a "maker" identity — perceiving oneself as someone who makes things — is a significant predictor of subjective well-being. Making activities (sewing, cooking, electronics, DIY) produce a sense of accomplishment and competence that transfers to other life domains.
What this means for the student: when the 13-year-old girl sees her name appear on a piece of wood engraved by the laser she programmed, she does not simply feel pride — she feels a neurological attachment to her own competence. This feeling, once anchored, does not disappear. It becomes the basis of a lasting curiosity about the physical world.
Studies on mixed-gender school robotics programmes show that girls who had structured contact with physical robotics in secondary school choose technology pathways at two to three times the rate of those who did not. The effect is not immediate — it is deferred by two to four years. The teacher who puts an Arduino in a 12-year-old girl's hands sees the result at 17, not the next day.
The teacher who wants to start does not need to create anything. They need to find what exists and take ownership of it. The educational Arduino ecosystem is rich, documented, and largely free. The barrier is not the lack of resources — it is the lack of time to find them. This section centralises them.
Arduino Project Hub (projecthub.arduino.cc): thousands of documented projects, from beginner to advanced level. Each project includes code, wiring diagram and explanations. The teacher chooses a project suited to their level and curriculum — and has everything they need.
Arduino official documentation (arduino.cc): official documentation, step-by-step tutorials, references for all functions. Free, maintained, available in multiple languages.
Instructables (instructables.com): collaborative projects documented by their creators. Often more creative and contextualised than official documentation.
YouTube — educational channels: hundreds of 10-20 minute videos explaining each component, each concept, each project. The self-taught teacher learns in two hours what they will teach over two months.
FabLabs and makerspaces: in most medium and large towns, there is a fablab or makerspace that lends equipment, organises workshops, and welcomes school classes. Often free for educational institutions on request.
Hundreds of secondary school teachers in France and elsewhere have already set up Arduino activities — often alone, often from their own funds, often without institutional support. Their feedback is on teaching forums, in teacher Facebook groups, on personal blogs. These experiences exist — they are just not very visible. Searching "Arduino secondary school teacher experience" yields dozens of concrete testimonies.
The Opération Dindon corpus documented a chain of consequences starting from cloud and descending to bare-metal competence scarcity, to senior departures, to the absence of women. This study climbs the chain to its furthest upstream point — the year-7 classroom. And shows that every link of this chain is accessible, in both directions.
Arduino at school (age 12): first physical contact with an obedient machine. Curiosity installed. Fear of the machine lifted. Girls and boys equal before the kit.
Technology pathway at sixth form (15-18): the student who touched an Arduino chooses a scientific or technological pathway more easily. The door is open because it has already been crossed.
HND / degree-level infrastructure training (18-20): the Foundation of Iron proposed in the corpus. Electricity, physical networks, systems, Kubernetes. The bare-metal base the infrastructure body needs.
Entry into the body (20-23): with the proposed nomenclature — SysOps L2/L3. A clear title, objective criteria, documented progression. A readable door that the girl who did Arduino at 12 can cross without informal network.
Principal SRE (30-35): with Technical Primacy, the Uniform of the Body, Elastic Syntec — a protected, visible body with decision authority. Technical sovereignty is complete.
Senior SRE Transmitter (40+): formalised mentoring, supervised rotation, transmission of tacit knowledge. The cycle restarts — and the 12-year-old girl who blinked an LED is now the master who blinks the LED of another 12-year-old girl.
Technical sovereignty does not begin in a datacentre.
It begins in a year-7 classroom,
when a teacher takes an Arduino out of their bag
and says: "Let's go."
This document is not an official curriculum. It is not subject to academic validation. It requires no authorisation from inspectors, school leadership, or the ministry. It is a suggested logical sequence for maths, physics and technology teachers who decide to act against amputation without waiting for anyone to tell them to. It is applicable tomorrow, with equipment available in most schools, for zero or near-zero additional budget.
The objective of this foundation is not to train engineers. Not to certify competences. Not to fill a referential. It is to deposit, in the memory of every student between 11 and 18, a mental image precise and concrete enough that twenty years later, when the occasion arises, they can say: "I know what that is, I've touched it before."
This foundation represents less than 8 hours per year — less than one hour per month. Not a burden. An intention. The intention not to let 7 years pass without a student having touched a machine, written a line of code that moved something in the physical world, or held in their hands an object they made themselves. These 56 hours do not replace official lessons — they complement them with concrete moments that anchor what abstract lessons say without embodying it.
Phase 1 (Year 7-8, theoretical substrate): zero additional equipment. A board, paper, pens. Water-electricity analogies require no equipment. The physics teacher can integrate these examples into existing lessons without modifying the official curriculum.
Phase 2 (Year 9-10, first contact): one Arduino Starter Kit (€25 on Amazon, delivered in 24h) is enough for a group of 4 students. 4 kits = €100. A pooled fund of 5 teachers at €2/month covers this in 10 months.
Phase 3 (Sixth form, fabrication): the laser engraver (€150), CNC3018 (€180) and Ender-3 (€250) are the only equipment investments. All software is free. Total Phase 3 budget: €580 — one cancelled school trip.
One does not start Arduino without having seen current. One does not start CNC without having seen the motor. One does not start 3D printing without having seen the XYZ coordinate system. The sequence is built so each moment builds on the previous one. A student arriving in year 9 without the year 7-8 notions can still do Arduino — but they will understand less well why a resistor is needed before the LED. The sequence is not mandatory. It is recommended because it is logical.
The water analogy — the model that works: pipe = wire · pressure = voltage (Volt) · flow rate = current (Ampere) · narrowing = resistance (Ohm) · tap = switch. Ohm's Law without formula first: "if you narrow the pipe, less water flows." Then with formula: V = R × I.
What the student takes away: a mental image of electricity as something that flows and can be controlled.
Applicable tomorrow: no equipment. Just the diagram on the board.
Physics: LED = directional bulb. Polarity: anode (+) / cathode (-). Forward voltage: red LED ~2V, blue ~3.3V. Without resistor, it burns — "connect a garden hose to a high-pressure main, it bursts." Resistor calculation: R = (Vsupply - VLED) / ILED. Example: 9V battery + red LED → R = (9-2)/0.02 = 350Ω → use 330Ω standard.
Maths: proportions, ratios, powers of 10. 1mA = 0.001A. Resistor colour code (bands = digits).
What the student takes away: an LED lights up because someone calculated the resistor. No magic.
Series: same current everywhere, voltages add. Parallel: same voltage everywhere, currents add. Water analogy: series pipes = one path; parallel = multiple paths. Paper exercise: 3 LEDs in series, calculate resistor.
Current in a coil = magnetic field. Magnetic field + fixed magnet = rotation (DC motor). Multiple coils in sequence = precise, measurable rotation (stepper motor). "200 steps = 1 full turn. The lead screw advances 2mm/turn. 200 steps = precise 2mm." Link to future CNC: each XYZ axis has one stepper motor.
What the student takes away: a CNC machine is three motors following coordinates.
Maths: binary base. 0 or 1. 1 byte = 8 bits = 256 values. Why 0-255 for LED brightness.
Physics: 5V = 1, 0V = 0. PWM signal: switch on/off 1000×/second → eye sees 50% brightness. Arduino link: analogWrite(pin, 127) = 50%.
2D coordinate system → 3D. Point (25, 30, -2): router 25mm right, 30mm forward, 2mm deep. G-code G1 X25 Y30 Z-2 F800. Exercise: draw a 50×50mm square on graph paper using coordinates. Write the coordinates of all 4 corners.
What the student takes away: the maths lesson's coordinates exist in matter.
Lesson 1h: anatomy of Arduino Uno. ATmega328 microcontroller = the brain. Digital pins D0-D13 (0V or 5V). Analog pins A0-A5 (0 to 1023). setup() runs once, loop() repeats. First programme: Blink (provided, 6 lines).
Arduino IDE installation (30min): arduino.cc/downloads → install → plug in → upload Blink → LED L13 blinks.
Lab 1h30 — The blinking LED: each student ALONE wires: Arduino + 330Ω resistor + LED on breadboard. Uploads Blink. Modifies delays. Question: what happens without the resistor? (Phase 1 link: the LED burns.)
Applicable tomorrow: Arduino Starter Kit = €25/4 students. Arduino IDE = free.
Lesson 30min: sensor translates physical quantity to voltage. LM35: 10mV/°C. 25°C = 250mV = 51 on 1023 (analogRead). Formula: T = (analogRead(A0) × 5.0 / 1023.0) × 100.
Lab 2h30: wire Arduino + LM35 + red LED. Programme: read T, display on serial monitor, light LED if T > 30°C. Place hand on sensor → T rises → LED lights. Each student writes their own programme from the provided skeleton.
Lesson 30min: driver = current amplifier. Arduino max 40mA/pin → DC motor consumes 300-500mA → driver required. Phase 1 link: "your CNC has three of these setups, one per axis."
Lab 1h30: wire Arduino + L298N + DC motor. Programme: direction 1 → stop → direction 2 → vary speed with PWM.
Lesson 1h: laser diode. Power (W) and speed (mm/min): slow = deeper. Materials: wood, cardboard, leather, slate. Forbidden: PVC, polycarbonate.
LaserGRBL software (30min): free, import SVG, set power/speed, simulate path.
Lab 1h30 — The name tag: Inkscape (free) → first name → SVG → LaserGRBL → engrave on plywood. Object to take home. MANDATORY.
The laser engraver exposes users to direct and diffuse radiation. Goggles alone are insufficient to protect everyone in the room. An enclosure is mandatory. It is built by Year 13 students as the first lab of the year — before the CNC build. This enclosure is an industrial safety engineering project that produces real protective equipment.
DIY enclosure components (total budget: €80):
· 6mm MDF box cut and assembled: €15 — the physical enclosure
· OD4+ laser filter plate 200×300mm (orange/red): €20 — the viewing window. Blocks direct and diffuse radiation from the diode (445nm) while letting visible light through. The operator can watch the machine work safely. Cut with a craft knife, fixed with hinges on the front panel.
· NC (Normally Closed) magnetic limit switch: €2 — wired in series on the laser power supply. If the lid opens, the circuit cuts automatically. No radiation possible with lid open.
· 80mm USB fume extractor: €35 — evacuates combustion fumes towards the outside or filter.
· Activated carbon filter: €8 — fitted to the extractor outlet, captures VOCs and fine particles.
This enclosure legally protects the teacher. An accident with an unenclosed laser engages the teacher's personal liability. With documented enclosure and limit switch, liability is covered by the normal workshop safety framework.
CNC3018: same G-code → laser burns / router cuts / pen traces. Lab: router a 30×30mm square in softwood, 4 passes Z-0.5mm. "Your maths lesson's XYZ exists in matter."
3D Printer: FDM = melted filament deposited layer by layer. PLA at 200°C. Cura (free): open STL, modify layer height/infill, estimate time. Lab: Tinkercad (web, free) → personalise pen holder → Cura → print. During printing: review settings and their effects.
T1 (2h) — FreeCAD: parametric modelling. Model a phone stand with 3 modifiable dimensions. Export STL.
T2 (2h) — Advanced Cura: optimal orientation, avoid supports, calculate material cost (density × volume × price/kg).
T3 (2h) — Post-processing: remove supports, sand, paint.
T4 (2h) — Free project: student proposes, designs and prints a useful object. Constraints: one parametric dimension, no supports, infill < 30%.
T1 (2h) — Advanced Inkscape: bitmap vs vector. Repetitive geometric pattern. Export DXF for CNC, SVG for laser.
T2 (2h) — Photo on wood: greyscale conversion, dithering, personal photo engraved on birch plywood.
T3 (2h) — Aluminium machining: cutting parameters, spindle speed × drill diameter = cutting speed.
T4 (2h) — Mixed assembly: CNC casing + laser face + 3D printed clips. Assembly tolerance: allow 0.2mm clearance.
Group of 4 to 6 students. An open source CNC or 3D printer built over the school year. The machine stays in the school after graduation.
T1 (3h) — Architecture: read MPCNC or Voron documentation. Identify each component. Order parts. Print plastic parts on the school's Ender-3.
T2 (3h) — Mechanics: assemble the frame, install bearings and lead screws. Understand why mechanical play degrades precision.
T3 (3h) — Electronics and firmware: wire A4988 drivers, RAMPS board. Configure Marlin: steps/mm, motor current. First homing: the machine finds its zero.
T0 (3h — FIRST LAB, SEPTEMBER) — Build the laser enclosure: before any other project, students build the laser machine enclosure. MDF box, OD4+ filter plate (orange viewing window), NC magnetic limit switch wired on the power supply, extractor + carbon filter. This lab is an introduction to industrial safety engineering. The laser machine is only used in the school once this enclosure is operational and tested.
T1 (3h) — Architecture: read MPCNC or Voron documentation. Identify each component. Order parts. Print plastic parts on the school's Ender-3.
T2 (3h) — Mechanics: assemble the frame, install bearings and lead screws. Understand why mechanical play degrades precision.
T3 (3h) — Electronics and firmware: wire A4988 drivers, RAMPS board. Configure Marlin: steps/mm, motor current. First homing: the machine finds its zero.
T4 (3h) — Calibration and masterpiece: 20×20×20mm calibration cube, measure with caliper, adjust steps/mm. Final part. Present the machine to other students.
T5 — THE MACHINE RUNBOOK (2h — MANDATORY): before the end of the school year, students collectively write the maintenance Runbook for each machine built or used in the school. This document contains: startup procedure, calibration procedure, common faults and solutions, contact in case of hardware problem, date of last maintenance. The Runbook is printed, laminated, and hung next to each machine. It is updated by each subsequent cohort — the first act of institutional transmission. The anti-amputation foundation does not depend on the dedication of one teacher. It depends on collective documentation.
What the student who built a CNC understands: the 7 years of anti-amputation foundation condensed into one object — code controls electricity that controls motors that follow XYZ coordinates that transform matter.
€885 over 7 years (€805 equipment + €80 laser safety) = €126/year = €10.50/month for 12 teachers = less than one lunch per month per teacher. Not a budget — a decision. All software is free and open source.
Machines purchased by the pooled fund must enter the school's official inventory to be insured and legally used. The mechanism: gift from the parents' association (APE) to the school (EPLE) by Board of Governors resolution.
Two-step procedure:
1. The APE votes at its general assembly: "The association decides to donate to EPLE [name] the following equipment: [list of machines + value], purchased from association funds for educational purposes."
2. The school's Board of Governors votes to accept the gift at its next ordinary session. Once voted, the head teacher signs the acceptance deed, the machines enter the inventory, and are covered by the local authority's insurance.
Actual timeline: two meetings (APE + Board). No public procurement procedure for gifts. No additional school budget. The head teacher can place this item on the Board agenda at the first session following the APE vote.
This foundation does not work if each teacher acts alone. It works if the teaching body acts as a body. Concretely:
Maths, physics and technology teachers write a collective request to the head teacher — signed by all — asking for active support to: place the APE→EPLE deed of gift on the Board agenda, contact the local authority for potential complementary funding for the laser enclosure, and officially recognise the anti-amputation foundation as a school pedagogical initiative.
The head teacher is a member of the teaching body. They have the same responsibility for deamputation as the physics teacher. A documented, collectively signed request engages them differently from an individual request — harder to ignore, easier to defend to their own hierarchy, and protects everyone. The head teacher who accelerates the legal procedures becomes co-author of the foundation. The head teacher who blocks a documented collective request personally assumes responsibility for the inaction.
Other teachers — history, French, arts, languages — can support the approach without being its carriers. Their signature on the collective request says: the entire teaching body of this school has voted that the amputation will not happen here.
This foundation does not ask for permission.
It asks for a decision — the decision not to let 7 years pass
without a student holding in their hands an object they made.

The people behind the machines — cohesion, the body, recognition.
This study steps outside the technical perimeter of the Opération Dindon corpus to address a direct management angle: team cohesion in infrastructure. It starts from an observation as Head of SRE — that real team cohesion is not built in corporate offsite events, but in carefully chosen human moments. It illustrates this thesis with a concrete, costed, reproducible evening programme.
The programme that follows is not a theoretical proposal. It is a programme that was executed, with an SRE team of 5 people. It is reproduced here as-is — with the timings, the locations, the total cost — because the precision of the concrete is more useful than the generality of a principle.
18:00 — Leave the office together. No individual cars or metro journeys. The group leaves as a group.
18:45 — Bowling session. Walked from the office to the bowling alley — approximately 45 minutes on foot through Paris. The walk is not a commute: it is the first activity of the evening.
20:30 — Gastronomic dinner at a Yemeni restaurant on the Champs-Élysées. A deliberate choice — not a standard brasserie, not the usual company restaurant. A place that surprises, that has something to say, that opens a conversation beyond work.
21:00 — Move to Châtelet for a drink. A final informal moment, standing, before parting.
22:00 — Everyone goes home. Happy. Clear-headed.
Total cost: €390 all-inclusive for 5 people, author's hotel night included.
Cost per person: €78.
€390 is the direct cost. What is not in that figure: no team-building consultant, no seminar room, no conference badge, no out-of-Paris travel costs, no difficult morning after. The true cost of a two-day corporate offsite for 5 people — travel, hotel, facilitator, room, meals — regularly exceeds €10,000. The ROI of the evening, measured in cohesion quality produced per euro spent, is not comparable.
The evening is not effective despite its modest cost. It is effective partly because of it — because the absence of corporate overproduction leaves room for the real human mechanisms of connection. Three of them are at work in this programme.
45 minutes on foot through Paris, as a group, before any activity. This is not a commute — it is the first conversation of the evening. People talk differently when walking side by side than when sitting face to face in a meeting room. Walking removes the desk, the badge, the org chart. It puts everyone at the same pace, literally. The Head of SRE and the junior walk in step. The hierarchy does not disappear — it goes into standby for the evening.
Bowling creates a light competition, without professional stakes, in which anyone can shine or fail without consequence. The most reserved engineer in meetings might be the best player. The manager might throw a gutter ball to the laughter of the whole team. These momentary role reversals are valuable: they reveal personality facets that the professional context masks, and they create shared memories — "remember when you got a strike on the last throw" — that weave the fabric of the group over time.
A Yemeni restaurant on the Champs-Élysées is not a neutral choice. It is not the brasserie next door, not the usual company restaurant. It is a choice that says: I am taking you somewhere you may not know, a cuisine you may never have tasted, a place that tells a story. This choice positions the manager as someone curious, open, off the beaten track — and this image reflects onto the team, which recognises itself in its manager.
There is one element of the programme that most team-building events ignore, and it makes all the difference: the evening ends at 22:00. Everyone goes home happy, clear-headed. This is not a logistical constraint — it is a deliberate management decision.
An evening that extends beyond a certain threshold produces risks the manager must anticipate: the fatigue that turns good humour into irritability, the alcohol that lifts inhibitions in the wrong direction, the subgroups that form and exclude, the words that exceed the thought and are remembered the following morning. "Ending on a good note" is not a cliché — it is a technique. People remember how an evening ends, not just how it begins.
The following morning, everyone arrives at the office with the same shared memory — a good evening, no incident, no regrets. This shared memory is a trust capital the team can spend in the weeks that follow: to approach a difficult topic with less rigidity, to trust a colleague on a point they might previously have challenged, to get through a 3am production incident with the certainty that they will come out the other side together.
A single evening does not create team cohesion. It maintains it, reinforces it, releases the accumulated friction. Cohesion is like infrastructure: it degrades if not maintained. One dinner per quarter — €78 per person, 4 times a year — represents €312 of annual investment per person in team cohesion. A production incident poorly managed because two team members only half-trust each other costs far more than that in extended MTTR, suboptimal decisions, and unnecessary escalations.
The programme notes a hotel night for the author — included in the €390. This detail says something important: the manager lives far enough away to need a hotel, but organises the evening in Paris for their team anyway. This is not heroic sacrifice — it is a clearly stated priority. The team sees it. They remember it.
The corporate team-building offsite is the instinctive reflex of organisations that want to improve cohesion. Two days in a hotel with a consultant, trust exercises, structured group activities, a presentation on personality styles. This format exists because it is billable, schedulable, and produces a report. Not because it is effective.
Putting 10 people in a seminar room for two days with the declared objective of "strengthening team cohesion" creates a social pressure that inhibits precisely what it seeks to produce. People know they are supposed to bond. This awareness produces a performance of bonding rather than genuine bonding. They play along with the exercises. They participate in the workshops. They go home two days later with offsite memories, not team memories.
An annual two-day offsite represents 16 hours of "cohesion time" across 365 working days. That is 0.4% of working time dedicated to relationships between team members. The remaining 99.6% unfolds in meetings, incidents, tickets, and deadlines. Cohesion built over 16 intensive hours once a year is no more durable than cohesion maintained over 4 hours per quarter in a carefully chosen informal setting.
Social psychology research on group cohesion converges on a few necessary conditions: sharing a common emotional experience, mutual discovery outside usual roles, and the feeling of having been chosen rather than summoned. The evening — walking, bowling, Yemeni dinner, drink at Châtelet — ticks all three. The offsite with its pre-formatted agenda and imposed participant list generally ticks none of them.
Team cohesion matters in all professional contexts. It is critical in infrastructure. The reason is simple: SRE teams make decisions under maximum stress — at 3am, with a production system going down, with users or clients waiting, with limited time to diagnose and act. In these conditions, the quality of the relationship between team members is not a comfort — it is an operational variable.
During a major incident, two trust dynamics are critical. Technical trust — "I know my colleague knows what they are doing" — and relational trust — "I know my colleague will be honest about what they do not know". The second is harder to build than the first, and it is built precisely in moments outside work. An engineer who has seen their manager throw a gutter ball and laugh about it knows that manager can acknowledge their limits. This link between the informal and the professional is real and documented.
Tensions in an infrastructure team accumulate in the daily routine — poorly handed-off tickets, contested architecture decisions, unevenly distributed on-call, meetings that overrun. These frictions are normal. They become toxic when they have no outlet. The evening is the outlet. Not because it erases the problems — but because it puts the people first and the problems second. You do not resolve conflicts over a Yemeni dinner. You remember that the people you work with are people, not nodes in an org chart.
A team that goes out together once a quarter but whose structural problems are not addressed — excessive on-call load, absent recognition, unclear direction — will not be saved by bowling. Cohesion is a multiplier: it amplifies what is already in place, for better or worse. A good team with cohesion is excellent. A dysfunctional team with cohesion is more loyal in its dysfunction. The evening does not replace management — it complements it.
The proposal of this study is concrete and reproducible. It requires no exceptional budget, no complex HR approval, no consultant. It requires a manager who decides that their team's cohesion is an operational priority and allocates 4 evenings per year to maintain it.
Frequency: once per quarter. Often enough to maintain the bond, rare enough that the evening remains an anticipated event.
Size: ideally 4 to 7 people. Below that, the group effect does not occur. Above it, subgroups form naturally and the team does not experience the evening as a unit.
Three-part structure: a physical or playful activity (bowling, karting, escape room, walk) — a dinner in a thoughtfully chosen, non-formatted venue — a short informal moment before parting (a standing drink, not a second restaurant table).
Fixed closing time: 22:00 or 23:00 maximum. Define the end time before you start. End on a good note.
Target budget: €60 to €100 per person depending on the city. Less than that, you cut corners on the experience. More than that, you create a reciprocity obligation that weighs on those with financial constraints.
The venue choice is a statement: choose a restaurant that says something — a discovered cuisine, an unexpected neighbourhood, a place the manager loves and wants to share. Not the first TripAdvisor result.
Four evenings at €78, that is €312 per person per year. For this budget, a manager buys: four 4-hour evenings where their team remembers it is a team. Production incidents handled with more fluidity because the trust exists before the crisis. Conflicts that dissolve because people see each other as people rather than roles. And reduced turnover — because you do not easily leave a team you have shared memories with.
For not much money, you can maintain seamless team cohesion — the kind where internal conflicts disappear over a good dinner. The Yemeni restaurant on the Champs-Élysées proves it at €78 per person.
This study extends "The Yemeni Dinner" and "Play in SRE Teams" on a new angle: physical proximity as cohesion infrastructure. It argues that a hammam + free walk + neighbourhood dinner evening produces a complete, documented neurochemical sequence — for €35 per person — that no corporate seminar reproduces at this price or at this depth of human connection.
This programme is not a theoretical proposal. It is a real itinerary, with locations, timings and a budget. Its strength lies in its precision and accessibility.
19:00 — Meeting point at the Barbès hammam. The neighbourhood hammam is rented entirely for the team — 1 hour, €150 to €200 for 10 people. No corporate badge, no logo on the towel. Heat, steam, silence or conversation as preferred. The body exits the production vigilance state.
20:00 — End of hammam. Everyone makes their own way to Belleville — walking alone, walking in a spontaneous small group, or by metro. No imposed route. Sub-groups form naturally based on the affinities of the moment, not the org chart. The geographic transition Barbès → Belleville is the progressive decompression between the rested body and the dinner.
21:00 — Meeting point communicated in advance: Asian restaurant in Belleville. Not a reservation in a corporate restaurant. A place chosen for its character — the food, the neighbourhood, the atmosphere. The team gathers progressively as people arrive. Dinner, informal conversation, shared dish if the table allows.
23:00 — Everyone goes home by their own means. No collective van, no management debrief, no obligatory extension. The signal sent is clear: the evening was yours, not the company's.
For a team of 10 people:
— Hammam rented entirely (1h): €150 to €200 · i.e. €15 to €20 per person
— Walk: €0
— Belleville dinner (Asian, without excess): €15 to €25 per person
— Total: €300 to €450 for 10 people — €30 to €45 per person
Comparison: corporate two-day seminar for 10 people = €8,000 to €15,000. The evening costs 30 to 50 times less. It produces a neurochemical sequence the seminar cannot reproduce.
The genius of this programme is that it chains four neurochemically distinct phases, each documented by psychology and neuroscience research, each preparing the next. This is not just an evening — it is an unwitting sequence of recovery and bonding.
The hammam's heat activates the parasympathetic system — the nervous system's "rest mode". Cortisol drops. The University of Granada is currently conducting a clinical trial specifically on the hammam experience's effect on biophysiological stress markers. The therapeutic touch of the scrub — well documented in massage therapy research — triggers oxytocin release and reduces ACTH, the hormone that stimulates cortisol production. Rapaport et al. (2012) established a dose-response relationship: repeated massage exposure durably lowers cortisol and vasopressin. One hour of shared hammam among colleagues produces the same social safety signal documented in research on loneliness and bonding: the body signals to the organism that it is not alone.
The 45-minute to one-hour walk from Barbès to Belleville is not a commute — it is a transition. Walking produces endorphins and lowers residual cortisol. The freedom of route — everyone chooses their path, companion, pace — sends an autonomy signal that enhances recovery quality. Tomasello and Wolf (Max Planck / Duke, 2023) document that walking together is one of humanity's unique social bonding mechanisms: sharing triadic experience in a common physical space creates a sense of closeness that prepares future cooperation. Sub-groups forming spontaneously during the walk are based on real affinities, not the org chart — precisely the informal bonds that reinforce operational cohesion.
The shared meal is documented by neuroscience research as a privileged context for human social bonding. Conversations around meals exchange primarily information about people — activating the "social brain" circuits more deeply than professional meetings. Oxytocin produced by positive interactions during dinner reduces cortisol and reinforces trust — exactly the relational capital the team will spend during the next production incident at 3am.
Everyone goes home independently, with no obligation to extend. This final freedom is neurochemically important: it avoids the fatigue of a forced evening that transforms a positive memory into a constraint. It tells each team member that their personal time is respected — a psychological safety signal documented by Edmondson as a condition of collective high performance.
The choice of the neighbourhood hammam — not the hotel spa at €150 per entry — is a philosophical as much as an economic choice. It says something about the manager who organises it and about what they seek to produce.
The corporate hotel spa is within the world of work. It has a reception desk with a badge, a laminated menu of services, towels embroidered with the logo. It subtly maintains the professional register — the environment says "you are on a business trip". The neighbourhood hammam in Barbès is in the city. It belongs to popular culture, to the neighbourhood, to a century-old tradition. The environment says "you are no longer at work." This contextual rupture signal is documented in psychology as a necessary condition for real recovery — the brain only disconnects from vigilance mode when the environment explicitly signals that this mode is no longer required.
The Moroccan or Turkish hammam is a social institution as old as the medina. It is not designed for performance or productivity — it is designed for collective recovery, socialisation and care. Sharing a hammam with colleagues is inviting the team into a culture of care that predates the world of work by several centuries. This temporal and cultural displacement — like the shared dish of "The Yemeni Dinner" — produces a level of dehierarchisation that corporate formats cannot reach.
Renting the entire hammam for one hour — €150 to €200 for 10 people — creates a private space that reinforces group safety. No outside gaze. No presence of strangers maintaining social vigilance. The team is among itself, in a defined space, with a defined duration. These conditions are exactly those researchers identify as favourable to oxytocin production and bond formation: safety, familiarity, absence of competition with strangers.
The hammam presupposes a degree of comfort with physical proximity and the body. In a team that does not yet know each other well, or in cultural contexts where partial nudity is a sensitive subject, this format may not be the right first choice. The rule is the same as for Nerf: voluntary participation, without implicit pressure. The hammam is a format for a team that already has a minimal level of trust — it deepens this bond, it does not create it from scratch.
The walk from Barbès to Belleville is the link that nobody plans and that is nonetheless the most precious part of the evening. It is not in the official programme — it is in the space between the hammam and the dinner. And it is precisely in this unstructured space that the strongest bond is built.
A guided walk — "meet at 8:15pm outside Barbès metro, we walk together to Belleville" — would recreate a group structure that maintains the usual hierarchical and social dynamics. The freedom of route — everyone leaves when they want, with whom they want, by the path they choose — produces something different: the spontaneous formation of natural affinity sub-groups. The two colleagues who walk together because they live in the same direction, the three who stop for a coffee en route, the one who prefers to walk alone and arrives last — all these choices are respected. And this freedom produces conversations that group structure would have prevented.
Moving physically from Barbès to Belleville means crossing a part of Paris that belongs neither to business districts nor to conference zones and corporate restaurants. This route through popular, lively, multicultural Paris is in itself a disconnection from the professional environment. Environmental psychology documents that changing physical environment facilitates changing mental state. Walking through Paris is not a commute — it is open-air therapy.
Communicating the restaurant address in advance — by message, not during a collective brief outside the hammam — creates real freedom of route. Everyone knows where to go. Everyone decides how to get there and with whom. Organisation is minimal, freedom is maximal. This "free meeting point" format is the same as that of hashers — runners who set an arrival point and freely choose their own path. The freedom of the route is the condition for the quality of the arrival.
The formats documented in this corpus — Yemeni dinner, office Nerf, hammam + walk + dinner — share a characteristic that fundamentally distinguishes them from corporate team building: they do not claim to build cohesion. They create the neurochemical and social conditions in which cohesion builds itself.
Research on "social buffering" — documented in primates, rodents and humans — establishes that the presence of a familiar social partner reduces physiological responses to stressors. This mechanism is proposed as one of the evolutionary reasons for the formation of social relationships. Translated into SRE team terms: an engineer who has shared a hammam and dinner with colleagues manages the production incident physiologically differently from one who only knows colleagues from meetings. Physical familiarity reduces incident cortisol — not because it changes the difficulty of the problem, but because it changes the perception of the safety within which the problem is solved.
Positive face-to-face interactions produce oxytocin that reduces cortisol and reinforces trust. This trust capital is not stored in an HR database — it is stored in the body, in the neurological circuits of social memory. A team that has accumulated shared evenings has accumulated an oxytocin capital that is spent during moments of tension and collective decision-making. The person whose relaxed face you know from the hammam is the same person whose judgement you trust at 3am during an incident.
They do not resolve structural conflicts. They do not compensate for deficient management. They do not replace decent working conditions. As with Nerf, they are multipliers — they amplify what is already in place. A team with structural problems that shares a hammam will be a team with structural problems and hammam memories. Body care is a complement to management, not its substitute.
As a complement to the quarterly dinner documented in "The Yemeni Dinner", this study proposes adding an annual deeper format — hammam + walk + dinner — that produces a complete neurochemical sequence impossible to reach with a single format. The two formats are complementary and non-substitutable.
Quarter 1: Simple team dinner — thoughtfully chosen restaurant, bowling or walk beforehand. Light format, €78/person. Objective: bond maintenance.
Quarter 2: Hammam + free walk + neighbourhood dinner — the complete format of this study. €35/person. Objective: deep recovery and physical bonding.
Quarter 3: Competitive activity — karting, bowling, escape room, concert. Energetic format, fiero, adrenaline. Objective: activation and shared memory.
Quarter 4: Year-end dinner — longer, more generous. Informal annual review. Objective: closure and recognition.
Total annual budget per person: €200 to €300. The cost of a single day of corporate seminar per person — for four evenings covering the full neurochemical spectrum of cohesion.
The hammam is one format among others in the same "body first" logic:
— Rented pool (one hour outside public hours) → same decompression and dehierarchisation effects, summer format
— Group massage session (practitioner comes to the premises) → less travel, effective for teams with logistical constraints
— Opera or concert → collective shared emotion, fiero of the grand hall, memorable shared experience
— Karting or paintball → adrenaline, fiero, light competition — same logic as Nerf but in event format
The rule common to all these formats: the body lives something together before the table brings minds together.
€35 per person. A hammam rented entirely in Barbès. A free walk to Belleville. An Asian dinner. Everyone goes home fresh and recharged. The neurochemistry is the same as that of €2,000 seminars — the budget is not.
This study extends "The Economy of Silence" (uptime as the sole SRE metric) and "The Departure of the Last One Who Knows" (mechanism 4 — burnout by accumulation). It addresses what permanent on-call does to the body and cognition over time — a reality documented by occupational medicine, ignored by the infrastructure industry. This document is not a complaint. It is a risk analysis applied to the human resource.
The pager sounds at 3am. The engineer wakes abruptly, cortisol spiking, heart rate at 100. They open their terminal, analyse alerts, make decisions on a production system. This scenario is normal in infrastructure. It is documented by occupational medicine as one of the most aggressive known disruptors of the circadian cycle — on a par with rotating night shifts, hospital duty, and shift work.
Occupational medicine and neuroscience research converges: cognitive capacities between 2am and 6am are significantly reduced — extended reaction time, diminished complex reasoning, reduced working memory, tendency to fixate on incorrect solutions. An incident managed at 3am by an engineer woken abruptly is statistically more likely to produce a human error, a suboptimal decision, or an unnecessary escalation than an identical incident managed during the day.
The infrastructure industry measures MTTR — Mean Time to Repair. It does not measure the correlation between incident trigger time and resolution quality. It does not measure the number of incidents that escalate because a 3am decision worsened the initial problem. It does not measure the cost of nocturnal human errors. This cost is real. It is simply invisible in operational performance dashboards.
On-call is an operational necessity in critical production environments. This study does not call for its elimination. It calls for its recognition as an operational risk, and its management as such — with the same analysis and mitigation tools one would apply to any other infrastructure risk.
Burnout in infrastructure does not look like a sudden breaking point. It looks like a progressive, invisible erosion that neither the engineer nor their manager sees coming, because it occurs below the detection threshold of normal indicators. The engineer continues responding to alerts, managing incidents, delivering. They do so with increasingly reduced cognitive and emotional resources — but they do it, and this continued capacity masks the ongoing degradation.
Stage 1 — Active compensation: the engineer compensates for fatigue through conscious effort. They are more careful, double-check, document better to offset the memory gaps they are starting to feel. This stage is invisible externally — they will overperform on indicators.
Stage 2 — Progressive disengagement: compensation becomes too costly. The engineer begins doing the bare minimum — not out of laziness, but to preserve remaining resources. Work quality degrades slightly. They begin avoiding complex tasks.
Stage 3 — Collapse: accumulation reaches a threshold. The engineer stops — sick leave, resignation, or the most dangerous scenario for the organisation — they stay but are no longer really there.
On-call is not the sole cause of burnout in infrastructure. But it is a powerful amplifier of all other causes — excessive workload, lack of recognition, loss of meaning, organisational conflicts. An already pressured engineer who accumulates on-call nights accelerates their progression to stage 3. On-call frequency is as reliable a burnout risk indicator as any workplace wellbeing questionnaire.
The infrastructure industry has developed sophisticated metrics to measure the health of its systems — SLA, MTTR, MTTD, error rate, latency. It has not developed equivalent metrics to measure the health of the engineers who maintain these systems. This asymmetry is revealing: the organisation knows how to measure what costs it directly (downtime, incidents) but not what will cost it tomorrow (team erosion).
— On-call frequency per engineer per month (number of nights and weekends)
— Number of nocturnal alerts received per engineer (not just incidents handled)
— Average recovery time after an on-call night (hours before returning to normal work)
— Rotation rate on on-call positions (high rate is an early burnout signal)
— Correlation between night-managed incidents and human errors documented in post-mortems
None of these metrics are standard in the sector. Some exist in the most mature organisations. The majority do not calculate them.
"The Economy of Silence" documented that uptime is the only metric that counts in many infrastructure organisations — that anything not visible in the availability dashboard is invisible. Engineer erosion is the textbook case of this invisibility: it generates no alert in monitoring tools. It generates a resignation six months later, or a major incident whose true root cause nobody will understand.
Measuring on-call frequency is necessary but not sufficient. An organisation that measures and changes nothing produces data without value. Measurement only makes sense when coupled with pre-defined action thresholds — beyond X on-call nights per month, rotation is mandatory; beyond Y nocturnal alerts per week, the alerting system is reviewed.
The infrastructure sector has developed a culture of operational heroism — the implicit valorisation of the engineer who manages the 3am incident without complaining, who is always present, who "holds" whatever happens. This culture is understandable in its origin: critical systems require reliable people. It is toxic in its effects: it implicitly punishes those who set limits and rewards those who wear themselves out without saying so.
A heroic engineer absorbing an excessive on-call load makes the problem invisible to their manager. The system runs. Incidents are resolved. Metrics are good. The underlying structure — too few engineers, overly sensitive alerting, fragile architecture — is never questioned because individual heroism compensates for its flaws. Until the engineer stops.
SRE culture introduced the blameless post-mortem — incident analysis without designating an individual culprit, seeking systemic causes. This is a real advance. But the blameless post-mortem addresses technical incidents. It does not address human incidents — burnout, the departure of an expert, the error of an exhausted engineer. These events are rarely treated with the same analytical rigour as server faults.
The most mature SRE organisations — certain teams at Google, Netflix, Stripe — have begun treating on-call load as an operational risk on a par with technical debt. They set maximum on-call thresholds per engineer, make rotation mandatory, measure nocturnal alert volume and reduce it as they would pay down technical debt. This is not goodwill — it is risk management.
The levers that follow are not wellbeing measures — they are operational risk management measures. The distinction matters: it shifts the conversation from goodwill to reliability. An exhausted engineer is an operational risk on a par with a server without redundancy.
Define and respect a maximum number of on-call nights per engineer per month. This threshold is not a preference — it is an operational limit, like a server's maximum load limit. If the team cannot respect this threshold, it is an understaffing signal that should trigger recruitment or a reduction of the on-call scope.
The majority of nocturnal alerts are either false positives or alerts for events that do not require immediate intervention. Reducing this volume is engineering work — revising alert thresholds, removing alerts that never trigger action, consolidating redundant alerts. This work is systematically deprioritised. It should be treated as technical debt to be actively paid down.
On-call has a real physical and cognitive cost. It must be financially compensated at a level that reflects this cost — not symbolically. It must also entitle the engineer to protected recovery time the following morning: an engineer woken at 3am cannot be in a meeting at 9am without performance degradation. This recovery is not a luxury — it is the recharging of a critical operational resource.
The best response to excessive on-call is not organisational — it is architectural. Self-healing systems, resilient architectures, well-designed automatic failovers reduce the number of incidents requiring nocturnal human intervention. Investing in architectural resilience is the most direct investment in the health of on-call teams.
The central proposal of this study is simple: the on-call engineer is a component of the infrastructure as critical as the servers they maintain. They deserve the same level of monitoring, redundancy and preventive maintenance as those servers. A server without redundancy is an unacceptable risk. An on-call team without rotation is the same risk applied to the human resource.
Companies with more than 50 employees produce an annual social report. Integrating on-call metrics into it — average number of nights per engineer, nocturnal alert volume, rotation rate on on-call positions — makes visible what is structurally invisible. This transparency creates compliance pressure that the absence of measurement does not allow.
The Syntec and digital sector collective agreements frame overtime, flat-rate day arrangements, and the right to disconnect. They do not specifically frame recurrent nocturnal on-call in critical production environments. A specific clause — maximum threshold, minimum compensation, guaranteed recovery time — in digital sector agreements is a measure within reach of social negotiation.
A manager evaluated on system availability but not on their team's on-call load has an incentive to understaff teams and overload individuals. Adding on-call load as a management evaluation criterion — at the same level as technical indicators — changes the structural incentives of middle management.
The pager does not sound in a vacuum. It sounds in a body. That body has limits. Ignoring them is an operational risk — not proof of resilience.
This study is the direct continuation of "Deamputation at the Source". The Arduino in secondary school was the first contact — code that controls an electrical signal. This study proposes the second level: code that creates matter. Laser, CNC, 3D printer — three machines, one continuous thread with the Arduino. And an annual project: building the machine itself, to understand what it is before programming it.
"Deamputation at the Source" established the Arduino as first contact — code that controls an electrical signal, an LED that blinks, a sensor that reads temperature. That is level 1. This study proposes level 2: the same Arduino, the same code, but instead of controlling an LED, it controls a motor. And that motor moves a tool. And that tool transforms matter.
Step 1 — Arduino + LED (year 7): digitalWrite(13, HIGH) → current → LED on. Code controls electricity. The student understands their instructions do something in the physical world.
Step 2 — Arduino + stepper motor (year 8): stepper.step(200) → pulses → 200 steps → precise 360° rotation. Code controls a mechanical displacement. The student understands electricity can serve movement.
Step 3 — Arduino + XYZ axis (year 9): G-code X25 Y30 → motor X advances 25mm, motor Y advances 30mm. Code controls a position in space. The student understands mathematical coordinates exist in matter.
Step 4 — Arduino + tool (year 10): the laser engraves, the router cuts, the extruder deposits filament. Code creates matter. The student is no longer programming — they are making.
The Arduino alone can seem abstract. The chain answers the question students always ask: "What is this for?" The Arduino controlling a CNC that engraves the student's name on wood — that question disappears. Code has produced a real object. This is the corpus founding thesis: the metal precedes the code. These machines are its most physical demonstration.
The CNC3018, the 3D printer and the laser do not replace the Arduino — they use it. The brain of all three machines is an Arduino or derivative board (GRBL for the CNC, Marlin for the 3D printer). The student who learned Arduino in year 7 recognises its architecture in year 10 when they open the CNC control board. The continuity is total.
The CNC3018 is the richest pedagogically because it has three modes on the same frame — laser, CNC router, drawing pen. Same G-code, three different physical results. The laser burns the surface. The router cuts into wood or aluminium. The pen traces on paper. The student who runs all three modes with the same file understands something fundamental: code is neutral — it is the tool that decides the physical result. This is the first lesson in concrete abstraction.
This feeling of satisfaction is not subjective — it is scientifically documented through three distinct phenomena.
The IKEA Effect (Norton, Mochon & Ariely, 2012 — Journal of Consumer Psychology):
Four studies on subjects assembling IKEA boxes, folding origami, and building Lego sets demonstrate that individuals value their personal creations as highly as expert creations — even when objectively less well-made. The effort of making produces emotional attachment to the created object. This effect only applies to tasks completed to the end: if the creation is destroyed before completion, the satisfaction disappears. This is why the project must reach the finished object — the engraved part, the completed print, the machine's first movement.
The Self-Creation Effect (Brunneder & Dholakia, 2018 — Marketing Letters):
Seven field and laboratory studies show that when a person self-creates a product, they appreciate it more, consume it more mindfully, and experience greater domain-specific and general well-being. This effect is amplified by self-consciousness — the student who knows they made something with their own hands develops a self-esteem that passive consumption does not produce.
The Maker Movement and Subjective Well-Being (Journal of Happiness Studies, 2017):
A study of 465 students shows that a "maker" identity — perceiving oneself as someone who makes things — is a significant predictor of subjective well-being. Making activities (sewing, cooking, electronics, DIY) produce a sense of accomplishment and competence that transfers to other life domains.
What this means for the student: when the 13-year-old girl sees her name appear on a piece of wood engraved by the laser she programmed, she does not simply feel pride — she feels a neurological attachment to her own competence. This feeling, once anchored, does not disappear. It becomes the basis of a lasting curiosity about the physical world.
The laser engraver is the most effective entry door for profiles who do not yet project themselves into engineering. Because the result is beautiful, immediate, and personal. Engraving a name on wood, creating a leather jewel cut by laser, personalising a notebook — these are projects that attract profiles the Arduino alone does not attract. And behind these projects: the same G-code, the same XYZ coordinate system, the same fundamental competence.
The maths teacher has been teaching the XYZ Cartesian coordinate system for years. Students learn to place points in space, calculate distances, find intersections. It is abstract — crosses on squared paper. The day the student types G-code X25 Y30 Z-2 into the CNC terminal and sees the router go to exactly that position, something triggers. The morning's coordinates exist in matter that afternoon.
X axis — width: horizontal displacement left to right. In maths: the abscissa. In the CNC: the X motor advances the head 25mm to the right. The student sees the abscissa move physically.
Y axis — depth: horizontal displacement front to back. In maths: the ordinate. In the CNC: the Y motor positions the bed. The ordinate has mass, inertia, mechanical noise.
Z axis — height: vertical displacement. In maths: the Z coordinate. In the CNC: Z-2 means the router descends 2mm into the material. The coordinate has a depth of cut, a cutting force, a risk of breakage if miscalculated. The coordinate becomes an engineering decision.
The maths teacher teaches the XYZ coordinate system, coordinates, displacement vectors. On paper, without any machine.
The physics teacher explains the stepper motor — current, magnetic field, torque, angular step. Why the motor stops exactly where told. The physics of positioning.
The technology teacher runs the machine — G-code, control software (GRBL), feed rate, depth of cut. The interface between code and matter.
Together, the three teachers around the same machine give the student what none of the three can give alone: integrated understanding of the link between mathematical abstraction, physical reality, and technical decision.
The corpus does not speak in a vacuum. The RSCNC32 is a CNC built by hand, from scratch, by Amine RAITI. The mechanical parts were manufactured with that same machine. The photos of these parts are the physical demonstration that everything this study proposes is not only possible — it has already been done. Without industrial budget. Without a team. With hands, time, and the decision to understand rather than to purchase.
A hardware catalogue says: here is a CNC for €200. It does not say how it works. It does not say what it means to choose between a Nema 17 and a Nema 23 motor. It does not say why the mechanical rigidity of the frame determines the precision of the result. It does not say what one learns by wiring motor drivers oneself, calculating the power supply current, installing the GRBL firmware.
The homemade RSCNC32 says all of this — not with words, with engraved parts. The student who sees these parts and learns they were manufactured with a hand-built machine understands that autonomous fabrication is possible. Not reserved for diploma-holding engineers. The hands that know precede the title that says so.
In the Compagnons du Devoir tradition, the master shows their masterpiece before asking for the aspirant's. Not vanity — pedagogy. Proof that the path has been walked, that the result is real, that transmission is possible. The RSCNC32 is that masterpiece in the context of this study. It says to the student: here is what your hands can produce. Not in twenty years after a degree. In one school year, with a pooled teacher budget.
The student who has built a CNC — even simple, even imperfect — understands why the purchased CNC has those dimensions, those tolerances, those limits. They do not use it as a black box. They use it as someone who knows what is inside. This is the difference between the operator and the maker. Between the DevOps who uses the cloud and the SRE who knows what is under the cloud.
First contact. Code → electrical signal. The LED as revelation. Deamputation begins here. Each student alone with the kit.
Name tag project (45 min). Student draws in Inkscape, generates G-code, engraves on wood. Object to take home. Door for girls: leather jewel, personalisation.
Same G-code, three results. The XYZ coordinate system becomes real. Router, laser, pen. The student understands code is neutral — the tool decides.
Creation ex nihilo. FreeCAD modelling → Cura → Ender-3. Volume, gravity, supports, tolerances. The deepest understanding of the code-object link.
The most ambitious and most formative level. A group of 4 to 6 students builds an open source CNC or 3D printer over the school year. What this project teaches:
Stepper motors: current, torque, angular step, driver. Understanding that 200 steps = 1 turn = precise displacement of Xmm according to the lead screw pitch. The physics of positioning.
The control board (GRBL / Marlin): Arduino firmware that receives G-code, decodes it, and sends pulses to the drivers. Students recognise the Arduino from year 7 — it is now the brain of a machine.
Power supply: each motor consumes. Each driver heats. Each power supply choice carries responsibility. Miscalculating the power supply breaks hardware. The physics of power becomes an engineering decision.
Mechanics: machining precision, mechanical play, frame rigidity. A misaligned axis produces a badly engraved part. Code does not compensate for faulty mechanics.
There is a fundamental difference between the student who has used a CNC and the student who has built one. The one who built it knows what is inside. They do not use a black box — they use something they understand at every level. This difference, twenty years later, is the difference between the engineer who configures a cloud service and the engineer who understands what the cloud service hides.
September-October — Architecture: choose the open source model (MPCNC, Voron, Prusa i3). Read the documentation. Make the parts list. Calculate the budget. Divide roles — mechanical, electronics, firmware, testing.
November-December — Procurement and mechanics: order parts (AliExpress, local suppliers). Print missing parts on the school's printer. Assemble the frame. Understand why frame rigidity determines final precision.
January-February — Electronics: wire the drivers, motors, end stops, power supply. Identify wiring errors (short circuits, wrong polarity). Understand why a poorly cooled driver overheats and cuts out.
March-April — Firmware: flash GRBL or Marlin. Configure parameters — steps/mm, motor current, maximum speed, acceleration. Run first homing and first manual moves.
May-June — Calibration and masterpiece: engrave the first real part. Correct it. Redo it. Present the machine to other students and teachers. The machine stays in the school — it will be used by students in future years.
The machine built by year-12 students stays in the school. Year-10 students will see it, use it, perhaps improve it. Year-11 students will maintain it. This is compagnon transmission applied to the state school. The masterpiece does not disappear with the cohort — it becomes the tool of the next one.
20 Arduino Starter Kits (documented in "Deamputation at the Source"): €700 — class of 20 students, hardware reusable 5 years.
5W laser engraver (xTool D1 or equivalent): €150 — engraves wood, leather, cardboard. Immediate, beautiful, personal result.
CNC3018 Pro (3 modes: laser + router + pen): €180 — the pedagogical machine par excellence. Three modes, one G-code.
3D Printer Ender-3 V2: €250 — creation ex nihilo. Robust, documented, huge support community.
Open source CNC build kit (MPCNC or equivalent): €200 — Nema 17 motors, A4988 drivers, Arduino UNO board, aluminium profiles, hardware, belts.
Year 1 consumables: €300 — plywood, PLA filament, slate plates, leather, wiring, breadboards.
Software: €0 — Inkscape (vector), FreeCAD (3D), Cura (slicer), GRBL (CNC firmware), LaserGRBL (laser control). All open source, all free.
Total machines: €1,080
Year 1 reserve: €620 (additional consumables, spare parts, contingencies)
Year 2 reserve: the full €2,400 of year 2 goes entirely to consumables and improvements — the machines are already there.
This pooled budget proposal is deliberately independent of any administrative process. No project call. No academic dossier. No application to a local council, regional authority or ministry. These channels exist — and they can complement this arrangement if they succeed. But they take time that children do not have: the bifurcation of year 7 does not wait for a ministerial decree.
The pooled budget says one simple thing: we are responsible for what happens in our classrooms. We are not waiting for anyone to act.
The parents' association — a natural complementary lever: parents have a direct and legitimate interest in their children's education. A parents' association that decides to fund digital fabrication equipment is not organising a school fair — it is investing in the technical future of its children. A voluntary contribution of €5 per family from 50 families adds €250 to the annual budget. From 100 families: €500. Without any additional administrative structure. The parents' association already exists in every school — it only requires teachers and parents to decide together that this priority is worth it.
Year 7: Arduino + LED → code controls electricity.
Year 8: Laser engraver → code controls light, which engraves matter.
Year 9: CNC3018 → code controls XYZ axes, which shape matter.
Year 10: 3D Printer → code creates matter ex nihilo.
Years 11-12: Build the machine → the student understands what all machines hide.
The student who has traversed this complete chain understands, at 18, what most software engineers do not understand at 30: that code does not exist in a vacuum — it exists to transform matter. That technical sovereignty begins in the hands. That the metal precedes the code.
The Zellij of Fès, the Gibs of Meknès, the leather craft of Marrakech — these arts have survived only because the M3allem/Met3allem process was never broken. This process is the same one that produced the best infrastructure engineers this corpus has encountered — not in classrooms, but in server rooms. This study argues that the mentor is the primary channel for tacit knowledge transmission in infrastructure, and that without them, even the most rigorous training remains incomplete.
In the Moroccan medinas, the M3allem — literally "the one who knows" — is the master craftsman who holds knowledge acquired over decades of practice. He has been laying Zellij tiles for forty years. He knows how the hammer must sound against the faience for the cut to be clean. He knows which clay for which gibs depending on seasonal humidity. He knows how Marrakech leather responds to August heat.
This knowledge is not in a manual. It is not in a skills framework. It is in the hands, in the eyes, in the body of the M3allem — and it can only be transmitted one way: the Met3allem, the apprentice, sits beside the master. He watches. He imitates. He fails. He starts again. And one day — after months, sometimes years — the gesture becomes right. Not because it was explained. Because he watched and repeated until it was incorporated.
Morocco's ancestral arts survived 20th-century industrialisation, globalisation and mass tourism — not despite their refusal to modernise, but through the continuity of the M3allem/Met3allem process. When this chain broke in certain guilds — through rural exodus, forced industrialisation, absence of transmission — the art disappeared. Not the techniques in the books. The art. Because art is not in books. It is in the hands that learned it from other hands.
The server room is a medina. The cables are the alleyways. The racks are the workshops. The senior SRE who shows the junior how to listen to fan noise to detect a thermal anomaly before the alert sounds is a M3allem. He does not explain it. He does it. And the junior who watches, who asks questions, who repeats under supervision, becomes in turn a M3allem — capable of transmitting.
When I joined Ecritel, I was not a beginner. I had the training, the diplomas, the foundations. But training had not taught me what the seniors in place transmitted in real production conditions. What I received from them appears in no skills framework. Yet it is what built the engineer I became.
Patience. A senior taught me not to act immediately on an incident. To observe first. To read what the system was saying before touching anything. This discipline — not panicking, not fixing too fast, understanding before intervening — cannot be taught in a classroom. It is transmitted through the example of a man who stays calm when everyone around wants to act. I watched him do it. I integrated the posture before understanding the reason.
Technologies. Not technologies as in courses — technologies as they actually behave in production. The edge cases, the undocumented behaviours, the things that work when they should not and vice versa. This knowledge accumulates over years of incidents. A senior who shares it condenses years of experience into a few hours of informal conversation around a fault.
Management capabilities. How to write a post-mortem that does not seek a culprit. How to announce a failure to a client without losing their trust. How to manage an on-call team without creating resentment. These competences are acquired by observing managers who exercise them — not by reading management books.
The M3allem/Met3allem transmission requires time, proximity and trust. It cannot be decreed by an HR policy. It requires the senior to have the availability to transmit — which presupposes a work environment structured not solely around immediate performance, but also around the continuity of knowledge.
Training — whatever its quality — transmits explicit knowledge. What can be formalised, written, assessed. The Foundation of Iron transmits cabling, addressing, protocols, systems administration. A good course transmits the fundamentals of theory and supervised practice. What training cannot transmit is tacit knowledge — the invisible layer of competence that only real-condition practice, under a mentor's eye, can build.
— Incident intuition: the senior who enters the server room and knows, before looking at metrics, that something is wrong — because the ambient sound has changed, because a switch LED is blinking in a particular way, because the room temperature is half a degree higher than usual. This intuition is acquired over thousands of hours of physical presence in server rooms.
— Judgement under pressure: knowing when to act and when to wait. Knowing when to escalate and when to manage alone. Knowing when the quick fix will worsen the situation. This judgement is not taught — it is forged in real incidents, alongside someone who has already forged it.
— Team culture: how one behaves in an SRE team. Where the boundary lies between help and dependence. What the difference is between productive silence during an incident and anxious silence. The right way to ask a senior a question without signalling you have not understood what you should have. These cultural codes are learned through immersion.
A driving lesson can be excellent — highway code theory, simulator exercises, explanation of reflexes to develop. It does not replace the 3,000 kilometres with an experienced instructor in real traffic conditions. Bare-metal infrastructure works exactly the same way. The Foundation of Iron is the highway code. The production server room with a senior is real traffic. Both are necessary. Neither alone is sufficient.
The mentor does not follow a programme. They do not validate competences. They have no formalised pedagogical objectives. They do their job — and the Met3allem is there, alongside, watching and learning. This absence of formal structure is precisely what makes the transmission effective. The junior learns in real time what the senior actually does — not what a programme says they should do.
The SRE/student mentorship does not need to be a six-month internship. It can start with one day. Or two. A day where the student is present as an observer — not as an intern, not as productive, not as assessable. As an observer. They watch. They are there. And this presence alone changes something irreversible in their mental representation of the profession.
Morning: the student arrives at the premises. They see a technical open space — the screens, the open terminals, the working atmosphere. They attend a stand-up. They hear the tickets, the priorities, the vocabulary. Not to understand everything — to hear the register, the way engineers talk about systems, the casualness or tension depending on the signals of the moment.
The rack visit: the SRE takes them into the server room. They see the servers. They hear the fans. They feel the temperature difference between the hot and cold aisles. They touch a cable. They watch an LED blink. This physical moment — this sensory encounter with the infrastructure — is often the first trigger. The system stops being an abstraction. It becomes real.
The break: the student eats with the team. The informal conversations are the most valuable part of the day. Stories of incidents, anecdotes about memorable failures, debates about architecture choices, corridor jokes. They hear the team culture in natural mode. They understand how these people think about their profession when nobody is evaluating them.
The incident if luck allows: if an incident occurs during the day, the student observes the response in real time. This is the most formative possible sequence — watching how an experienced engineer moves from alert to diagnosis, from diagnosis to decision, from decision to resolution. Without being in the critical path. Just observing.
A concrete image of the profession that replaces abstract or romanticised representations. The certainty that this profession is accessible — that the engineers in front of them are normal people with learned methods, not born geniuses. A human connection with a professional who can answer their questions. And often — the vocational trigger that definitively confirms or rules out the professional direction.
M3allem/Met3allem mentorship in infrastructure does not need to be a heavy programme. It needs to be intentional. The difference between the informal mentoring that already exists in teams and structured mentorship is the explicit decision to do it — and the minimal framework that makes it possible without overloading the mentor.
HR is the bridge between the school or training organisation and the infrastructure team. Their role is not to manage the content of mentorship — they do not have the technical competence for that. Their role is to create the connection: identify SREs and engineers willing to mentor, contact BTS SIO programmes, DUT Networks, engineering schools and training organisations, and logistically organise the observation days. A simple agreement, a day blocked in the calendar, a visitor badge. The rest happens naturally.
We ask: to do their work normally in the student's presence. To take them on a server room visit. To include them in the break. To be available to answer their questions at the end of the day. That is all.
We do not ask: to prepare a pedagogical programme. To validate competences. To fill in assessment forms. To adapt to a framework. To modify their working method. The power of the M3allem format is precisely that knowledge transmits in normal action, not in an artificial pedagogical parenthesis.
One observation day can become two. Then a week of observation placement at the end of the BTS. Then a work-study programme. Then a first permanent contract in the team the student already knows — because they have seen the racks, eaten with the engineers, observed the team culture. Recruitment is no longer a gamble on a CV — it is the logical continuation of a built relationship. And integration is divided by ten because the Met3allem already knows their M3allem.
This study completes the Opération Dindon corpus by adding the missing link between training and employment. The Foundation of Iron transmits the fundamentals. The BTS and DUT provide the academic framework. Arduino in middle school opens vocations. But between the best-designed training and the operational engineer, the M3allem is missing — the transmitter of tacit knowledge that only real production conditions can activate.
Middle school (13-15): Arduino, robotics, connected car. Hands in the machine before theory. The vocational trigger.
Vocational high school / BTS / DUT (16-20): The Foundation of Iron in the frameworks. Fundamentals from physical layer to service layer. Basic technical competence.
Observation day (during BTS / DUT): One day in a real server room. The racks, the teams, the break, the incident if luck allows. The concrete that anchors training in reality.
Work-study or long placement (end of training): The Met3allem in real conditions, alongside a M3allem. Tacit knowledge transmission — patience, judgement, team culture.
First role (20-22): The engineer arrives operational on the physical layer, with an already-constituted human network, an already-integrated team culture, and a M3allem who can still answer the phone when something incomprehensible happens at 3am.
A less risky hire — recruiting someone already known. Faster integration — the Met3allem knows the culture, the tools, the people. Stronger loyalty — you do not easily leave a team with which you have a transmission bond. And the perpetuation of tacit knowledge — today's Met3allem will become tomorrow's M3allem.
The Zellij of Fès did not survive because there were books about Zellij. It survived because there were M3allems who accepted taking Met3allems beside them. Bare-metal infrastructure deserves the same honour.
This study extends "The Body First" on the angle of the great annual recharge — the total disconnection retreat. It argues that a mountain weekend at hot springs, with no imposed programme, no team-building forms, no management debrief, produces a deep cognitive and physiological restoration that no formatted seminar can reach — at a cost accessible to any SME.
The great annual recharge is not a seminar with a lighter programme. It is a full company retreat — or by session if production or numbers require — with one rule: no imposed programme. The format's strength lies precisely in what it does not have.
The location: a thermal spa resort in the mountains — accessible by train. Altitude and nature are the two conditions. Everything else is free.
Accommodation: a hotel or gîte taken over by the team. No imposed double rooms, no luxury individual suites — decent rooms, the essentials, the rest of the budget goes to the experience.
Meals: at the company's expense, at whatever time suits each person. No collective lunch at 12:30 sharp. No gala dinner with a CEO speech. Eat when hungry, with whom you want, at the hotel restaurant or the village café.
Activities: thermal cure, bathing in hot springs, hiking, walking, reading, sleeping, massage, nothing at all. Each person does what recharges them. There is no right answer.
What is not there: no team-building workshops, no forms to fill in, no collective feedback sessions, no PowerPoint on company strategy, no external facilitator. None of that. Just free time in the mountains, at the company's expense.
For a team of 10 people, 2-day weekend:
— Transport (train or van): €50 to €100/person return
— Accommodation (2 nights, double room): €80 to €120/person/night → €160 to €240
— Thermal spa or hot springs access: €20 to €40/person
— Meals (all meals included): €40 to €60/person/day → €80 to €120
— Total: €350 to €500 per person for 2 days.
Comparison: formatted corporate two-day seminar = €800 to €2,000 per person. The Great Recharge costs 3 to 4 times less. It produces documented deep neurological restoration. The formatted seminar produces fatigue and post-it notes.
Two major scientific theories document why natural environments restore cognitive and emotional resources. They are not contradictory — they describe two complementary mechanisms of the same phenomenon.
Rachel and Stephen Kaplan established that the capacity to focus attention — "directed attention" — is a limited cognitive resource that is exhausted by sustained work. An SRE engineer under permanent tension accumulates attentional fatigue that reduces performance, creativity and the capacity to solve complex problems. Nature restores this resource through "soft fascination" — natural elements capture attention involuntarily and effortlessly (a stream, clouds, snow-covered ridges), freeing directed attention from all demands and allowing it to recover. The four properties of a restorative environment: Being away (break from habitual activities), Extent (sense of total immersion in a different environment), Soft fascination (attention captured effortlessly), Compatibility (the place matches what the person seeks). A free mountain weekend at hot springs ticks all four.
Roger Ulrich established that natural environments trigger evolutionary safety responses — ancestral signals telling the organism it is not in danger. These responses produce positive emotions and reduce stress, measurable by physiological indicators: heart rate, blood pressure, cortisol. Ulrich demonstrated that stressed subjects recover faster when watching nature videos than urban scenes. Cognitive benefits from nature are, in his view, the consequence of emotional and physiological improvement — both theories (ART and SRT) describe distinct but interconnected processes through the same mind-body system, linked by the vagus nerve.
The Bell et al. meta-analysis (2025) documents a dose-response relationship between nature exposure and attentional restoration — with diminishing returns beyond a certain threshold. A full weekend in the mountains falls within the optimal return zone — long enough for deep restoration, not so long that the effect plateaus. A single day is insufficient for deep recovery. A month would be too long to be regularly accessible.
Immersion in thermal hot springs produces documented physiological effects that complement and amplify the restorative effects of nature. Hot springs are not a reward — they are an open-air therapeutic intervention.
Immersion in water between 37°C and 40°C activates the parasympathetic nervous system — the "rest and digest" mode that opposes the "fight or flight" mode chronically activated in SRE teams under pressure. Cortisol drops. A systematic review published in the International Journal of Biometeorology documents that balneotherapy and thermal therapy show potential to influence cortisol levels. Chromogranin — another biological stress marker — is also reduced, more pronouncedly in people with initially higher stress levels. Chronically pressured SRE engineers benefit proportionally more from thermal bathing than low-stress profiles.
The water's heat causes vasodilation — widening of blood vessels — improving circulation and tissue oxygenation. This improvement in cerebral circulation has documented effects on cognitive clarity and mental fatigue reduction. The minerals present in thermal springs — sulphur, magnesium, bicarbonates — partially penetrate the heat-dilated skin and reinforce these anti-inflammatory and relaxing effects.
A particularly well-documented mechanism: after hot water immersion, body temperature drops naturally upon exit. This thermal drop triggers sleep-inducing processes — the same mechanism as evening temperature drop in temperate environments. Participants in thermal stays report significant sleep quality improvement from the first night. For an SRE team whose members accumulate chronic sleep deficit from on-call duties, this sleep improvement is in itself a workplace health intervention.
This study completes "The Pager and the Body" by proposing its structural antidote. The Pager and the Body documented nocturnal cortisol accumulation from on-call duties. The Great Recharge proposes the intervention that measurably repays this cortisol debt — thermal springs, nature, quality sleep, two days without alerts. This is not a luxury. It is preventive occupational medicine.
The most counter-intuitive detail of the Great Recharge is also the most important: there is no programme. No planned activities. No mandatory time slots. No forms. This absence is not an organisational oversight — it is the central neurological mechanism of restoration.
Wellbeing psychology research (Deci and Ryan, Self-Determination Theory) establishes that perceived autonomy — the feeling of controlling one's own choices — is one of the most powerful conditions for psychological recovery. A seminar with an imposed programme, however pleasant, maintains a form of directed vigilance: I must be in the right place at the right time, do the right activity, participate correctly. This vigilance keeps the sympathetic nervous system on alert. The total absence of programme frees the brain from this constraint. It can, for the first time in a long while, freely decide the tempo of its own recovery.
A group that spontaneously decides to hike together does something neurochemically different from a group following a planned guide. In the first case: spontaneous collective decision, pace adjusted to each person, possibility to stop at will, conversations arising naturally from movement. In the second: obligation to follow, imposed pace, attention partially directed toward the guide. Free hiking produces Kaplan's ART effect — soft fascination, being away, extent. Guided hiking produces a collective activity with slight performance constraints.
Letting team members eat when it suits them — alone, in spontaneous small groups, at the hotel restaurant or the village café — is a management trust signal that reinforces psychological safety. Nobody is monitored. Nobody is assessed. This explicit trust signal is one of the mechanisms documented by Amy Edmondson as a condition for collective high performance — and it is produced here for free, by a simple organisational decision.
Some team members will choose to spend part of the weekend alone — reading in their room, walking solo, staying longer in the springs. This chosen solitude is not a cohesion failure — it is a legitimate form of recovery that the format must explicitly protect. A seminar that leaves no room for chosen solitude is a seminar that does not understand introverts.
Research on vacation effects on workplace performance is convergent and robust. It documents real, measurable benefits, but also their limits — which allows optimising the Great Recharge format to maximise lasting effects.
The de Bloom et al. meta-analysis (22 studies) documents significant reductions in exhaustion, improvements in mood and life satisfaction after vacations. Grant et al. (54 studies) identify measurable physiological improvements: cortisol reduction, better heart rate variability — an indicator of autonomic nervous system recovery — and better sleep quality. These effects are documented from two days of real disconnection.
The documented effects require real disconnection — not a weekend where team members check their Slack alerts every two hours. The management decision to guarantee minimal on-call during the weekend — with a degraded incident management protocol, without pressure on the present team — is the organisational condition for the neurological benefit. If engineers go to the mountains but remain responsible for production, cortisol does not drop. Disconnection is binary: one is in recovery or one is not.
Vacation research also documents a "fade-out" — benefits progressively diminish in the weeks after return. The response to this fade-out is not to extend the annual retreat — it is to complement it with more frequent, less intensive formats. This is exactly the architecture proposed in this corpus: Great Recharge once a year, quarterly team dinner, seasonal hammam + walk, weekly in-office play. Recovery is continuous maintenance, not an annual deep clean.
Effort-Recovery Theory (Meijman and Mulder, 1998) establishes that sustained work effort depletes physiological and psychological resources — elevated cortisol, cognitive fatigue, emotional exhaustion. Without periodic recovery, this load accumulates and increases burnout risk. Vacations interrupt this cycle. The mountain Great Recharge is precisely the recovery structure this theory calls for.
This study completes the recharge architecture proposed in the corpus. Each format has a frequency, a cost and a distinct neurochemical mechanism. Together, they cover the full spectrum of recovery — from micro-daily to the great annual.
Daily / Weekly — Play in SRE (Nerf, active break): €0 · Micro adrenaline discharge, fiero, dehierarchisation · 10 minutes
Monthly — Simple team dinner: €30 to €78/person · Bonding oxytocin, shared memory, dehierarchisation · 4 hours
Quarterly — Hammam + free walk + dinner: €35/person · Cortisol ↓, oxytocin ↑, endorphins, natural sub-groups · 4 hours
Biannual — Competitive activity (karting, bowling, opera): €50 to €100/person · Fiero, adrenaline, collective emotion · 3 to 4 hours
Annual — The Great Recharge (mountains, hot springs): €350 to €500/person · Deep attentional restoration (ART/SRT), cortisol ↓↓, sleep, autonomy, informal bonding · 2 days
Total annual budget per person: €600 to €900.
The cost of a single formatted seminar day — for a complete recovery architecture covering all neurochemical levels, from the weekly micro-dose to the deep annual restoration.
The Great Recharge is not decided the day before departure. It is planned 2 to 3 months in advance — to guarantee production coverage during the absence, to allow everyone to organise their personal life, and so that anticipation itself contributes to recovery. Research documents that anticipation of a positive event produces beneficial effects on mood from the announcement — the well-being peak sometimes precedes the weekend itself.
A mountain weekend at hot springs. No programme. No forms. No consultant. Science says it restores what on-call has exhausted. The budget says it is accessible. What is missing is the decision.
The French state regulates and protects the professions whose disappearance would threaten the continuity of social life. It does not regulate — and does not protect — the body of bare-metal digital infrastructure engineers and technicians. This study poses the question of this asymmetry and formulates six concrete public policy levers to correct a situation that directly threatens French and European digital sovereignty.
The question is simple. It deserves a direct answer before any analytical development.
Does the state tolerate the disappearance of the medical profession? No. It created the Ordre des médecins, the numerus clausus, the status of hospital practitioner, conventions with the health insurance system. When medical deserts appeared, it declared a national emergency and mobilised billions.
Does the state tolerate the disappearance of pilots? No. EASA licences are regulated, qualifications maintained by legal obligation, initial training funded and supervised.
Does the state tolerate the disappearance of the construction body? No. Qualibat, Qualifelec, RGE, ten-year liability — the construction body is certified, regulated, protected by legal obligations binding on project owners.
Does the state tolerate the disappearance of notaries, pharmacists, architects? No. Regulated professions, controlled access, protected titles, criminal sanctions for unlicensed practice.
Why then does the state tolerate the slow assassination of the only professional body capable of leading the digital sovereignty project?
The infrastructure technician, the systems administrator, the bare-metal SRE engineer — the person who can cable a switch, diagnose a network fault at 3am, build a sovereign infrastructure outside the hyperscaler cloud — has no protection. No protected title. No enforceable skills framework. No continuing education obligation. Anyone can declare themselves a "DevOps engineer" tomorrow morning and nobody can legally object.
Without this body, OVHcloud, Ecritel, Scaleway and their European equivalents will no longer find staff for their server rooms. Digital sovereignty is not a question of contracts — it is a question of hands and competences. And those hands are disappearing.
The Opération Dindon corpus documented, study after study, the mechanisms of the dissolution of the infrastructure engineering body. This is not an intuition — it is a structural observation accumulated across twelve studies and several years of field observation.
"Anatomy of the Loss" documented how cloud certifications replaced infrastructure training in skills frameworks. A certified AWS engineer who has never seen a server room is hired instead of a technician who has maintained systems for ten years. The market follows certifications. Certifications follow hyperscalers. Hyperscalers have every interest in the market depending on them.
"The Infrational Crisis" documented how "Infrastructure as Code" and "DevOps" emptied words of their substance. The bare-metal SRE becomes "DevOps engineer". The systems administrator becomes "cloud engineer". Titles change, physical layer competences disappear from job descriptions, and HR recruits on the new titles without understanding what was lost in conversion.
There exist in France and Europe dozens of associations, think tanks, conferences and working groups on "digital sovereignty". They publish reports. They organise roundtables. They produce recommendations. Structurally, they change nothing. Digital sovereignty is not decreed in a conference room — it is built in server rooms, by trained engineers kept in activity. Without this body, all the reports in the world will not produce a functional sovereign datacentre.
If the current trend continues without state intervention, OVHcloud, Ecritel, Scaleway and their equivalents will no longer find the competences needed to operate their infrastructures. They will be forced to either massively import skills from third countries, or sub-contract their operation to providers, some of whom will be foreign. Digital sovereignty will have been lost not by political decision but by the silent exhaustion of a professional body that nobody thought to protect.
The state is not powerless. It knows how to protect professional bodies when it decides their disappearance is unacceptable. The models exist — they simply need transposing.
Doctor, pilot, architect, notary — these titles are protected by law. Practising them without holding them is a criminal offence. This protection creates market pressure toward quality: clients wanting these competences must use qualified professionals. The same mechanism applied to "critical infrastructure engineer" or "certified systems and networks technician" would produce an immediate revaluation of the body.
To build a public building, a contractor must present certifications (Qualibat, Qualifelec). To participate in a public aeronautical maintenance contract, DGAC approvals are required. Why is a provider operating the infrastructure of a hospital, a town hall, or a ministry not required to present equivalent infrastructure competence certifications? The absence of this obligation in digital public procurement is a gaping hole in sovereignty policy.
BTS Digital Systems, BTS SIO, DUT Networks & Telecoms — these training programmes exist. They are underfunded, undervalued in school guidance, and progressively cloud-oriented at the expense of the physical layer. The state that decides infrastructure training is strategic injects resources, revalues the pathways, and explicitly integrates bare-metal into the frameworks — as it integrated aeronautical mechanics into aeronautical technical training.
The corpus documented in "The Blue" the risk of regulation that excludes self-taught profiles. Any infrastructure body protection policy must integrate access pathways through practice — VAE, permanent IDPE, experience recognition — and not reserve access solely to holders of formal diplomas. The protection of the body must protect competences, not pathways.
The inaction argument is always the same: "protecting this body costs money, creates rigidities, hinders innovation." This argument ignores the cost of inaction — which is systematically higher than the cost of preventive action, in every domain where the state has learned this the hard way.
Every infrastructure engineer who leaves the market to retrain as a "cloud engineer" is an engineer who will not return to bare-metal. France and Europe's dependence on American hyperscalers deepens in direct proportion to the shortage of sovereign infrastructure competences. This dependence has an economic cost (egress fees, contractual lock-in, hyperscaler pricing power) and a geopolitical cost (CLOUD Act, legal extraterritoriality, vulnerability to unilateral American decisions) that the state bears without ever calculating it explicitly.
OVHcloud, Ecritel, Scaleway, Infomaniak, Clever Cloud — these actors exist. They have datacentres. They have offerings. They do not have enough qualified staff to operate them at the necessary scale. This is not a problem of commercial will — it is a problem of competence pool. If the state decided tomorrow that all public administrations must host their data with a European sovereign actor, these actors could not absorb the demand for want of trained infrastructure technicians and engineers. A preference policy only makes sense if the body to operationalise it exists.
National critical infrastructures — energy networks, telecommunications networks, hospital systems, transport networks — run on computing systems that infrastructure engineers maintain. The shortage of these engineers is a national security vulnerability that neither CISOs nor cybersecurity consultants can compensate. A CISO without an infrastructure engineer to implement their recommendations is a doctor without a nurse to administer the care.
The classic liberal argument in the face of a skills shortage is that the market self-corrects: if infrastructure engineers are scarce, their salaries rise, attracting new entrants, resolving the shortage. This argument is sound in an equilibrium market. It does not apply when powerful actors have an interest in equilibrium not being reached.
A market rich in qualified infrastructure engineers is a market where clients can choose not to use hyperscalers. The shortage of bare-metal competences is structurally favourable to hyperscalers — it makes cloud even more unavoidable because there are no longer the competences to do otherwise. Hyperscalers do not actively train bare-metal engineers. They train "cloud architects" certified on their own platforms. This is not malevolence — it is economic rationality.
Training an infrastructure engineer takes 2 to 5 years. The employer who invests in this training runs the risk that the engineer leaves for a competitor or a hyperscaler once trained. This free-riding risk reduces private investment in infrastructure training below the socially optimal level — exactly the same mechanism that justifies state intervention in the training of doctors, pilots and nuclear engineers.
Digital sovereignty professional associations and conferences produce visibility and networking. They do not produce technicians. Visibility without a trained professional body is a conference on medical desertification without training doctors. Speech is necessary. It is not sufficient. And when it becomes the substitute for structural action, it is counterproductive — it gives the impression that something is being done when nothing is.
A title registered in the RNCP, accessible by curriculum and by VAE, recognised in collective agreements with a protected salary scale. This title protects competence — not the pathway. It is accessible to the self-taught Blue through VAE as much as to the engineering school graduate. It creates market pressure toward recognition of bare-metal competences.
Any provider operating the infrastructure of a public body — administration, hospital, local authority — must demonstrate engineers holding a recognised infrastructure competence title. Like Qualibat for construction. Like DGAC approvals for aeronautical maintenance. This obligation creates a market for competence and a competitive disadvantage for providers who have substituted cloud generalists for infrastructure engineers.
BTS SIO, BTS Digital Systems, DUT Networks & Telecoms must explicitly integrate the physical layer into their frameworks: cabling, hardware, bare-metal systems, physical network diagnosis. The Foundation of Iron — 26 weeks from electricity to networking — is a turnkey programme available under an open licence. It can be adapted in 12 months into a 2-year BTS curriculum.
The historical pathway exists and worked for fifteen years. France Travail directly funds accredited training organisations on shortage-area training programmes. Bare-metal infrastructure is a documented structural shortage area. The AFC convention is sufficient — no legislation needed, no exceptional budget. An administrative decision.
Integrate an explicit preference for sovereign European actors (OVHcloud, Ecritel, Scaleway, Hetzner, Infomaniak) into the award criteria of digital public procurement. This preference creates infrastructure employment in France, funds sovereign actors, and reduces dependence on the trio. A state that preaches digital sovereignty while hosting its data on AWS is not practising sovereignty — it is talking about it.
The state publishes each year the medical demographics, the state of medical deserts, training needs. It publishes nothing equivalent on digital infrastructure competences. Creating this reporting obligation — number of active SRE engineers and systems administrators, evolution over 5 years, cloud reconversion rate, shortages by region — makes visible what is invisible. And what is not measured is not protected.
The state does not tolerate the disappearance of doctors. It must not tolerate the disappearance of the engineers who maintain the nation's digital infrastructure. These are strategic bodies. They deserve the same treatment.
The uniform is the physical manifestation of the SysOps/NetOps/OpInfra nomenclature documented in "The Ticket and the Talent". It makes visible what has until now been purely administrative. It materialises the body — exactly what the corpus has defended since 8 May 2026. A body without a uniform is a body without boundaries: difficult to defend, difficult to value, difficult to transmit.
Infrastructure is the only technical body without a visible distinguishing mark. The doctor wears the white coat. The electrician wears the helmet and vest. The chemist wears the lab suit. The SRE engineer who keeps alive the systems on which the entire organisation depends arrives at the office in jeans and leaves in jeans. Nobody knows who they are, what they do, or what level of responsibility they carry.
The absence of uniform says three things simultaneously. It says that this body's work is no different from others' work — which is false. It says that levels of responsibility are interchangeable — which is dangerous. And it says that contact with the machine requires no particular protection or signalling — which is a profound cultural error.
In every technical profession that has built its professional dignity, the uniform preceded or accompanied institutional recognition. The doctor's white coat dates from the 19th century — it preceded professional orders, licences, statutes. It said: this person is in a professional relationship with a subject that deserves the sign of that relationship. The datacentre deserves the same sign.
"The Ticket and the Talent" proposed a structured nomenclature of infrastructure roles: three categories (SysOps/NetOps/OpInfra), six levels, the Non-Dilution Rule. This nomenclature exists on paper. It does not exist in physical space — in the meeting room, in the datacentre, in the workshop. The uniform is the physical materialisation of this nomenclature. It says, without a word, what level of responsibility one is dealing with. It makes the technical hierarchy legible for those who do not know it — and respectable for those who operate within it.
The first objection will be: "We are not a factory." The right answer is: the doctor is not in a factory either. The uniform is not a mark of subordination — it is a mark of belonging to a recognised professional body. The difference is fundamental.
The Lead SRE or Principal SRE is the highest level of operational responsibility on the floor. He — or she — makes decisions during major incidents, arbitrates priorities, engages the body's responsibility on technical choices. This level deserves a strong visual signal — not jeans. Red is the signal of operational command: in all structured bodies, this colour signals decision-making authority. Black says: this is not a technician, not a manager — this is a technical commander.
Women Leads have three equivalent options — all within the black/white/red triptych, all at the same level of visual authority, with a freedom of form that the male suit does not offer. This is not a concession — it is a recognition that feminine elegance has more registers, and that the infrastructure body must welcome them all. A dress code that had not considered its feminine expression would reproduce exactly the Invisible Amputation this corpus has documented.
The white coat is not protective clothing in the PPE sense — it is a professional signal. It says: I am in a professional relationship with what I am touching. This relationship demands method, precision, responsibility. The engineer who enters the datacentre in a white coat says something that the one who enters in jeans does not.
The doctor wears the white coat because they enter into a care relationship with a patient. The coat says: what I do here is serious, methodical, and engages my professional responsibility. The engineer who opens a production rack enters the same type of relationship with the system on which users, data, and sometimes lives depend. There is no reason this relationship should be less signalled than the doctor's with their patient.
The infrastructure engineer's white coat says: I am in a professional relationship with a critical infrastructure. What I do here can affect thousands of people. I know this. My uniform says I know this.
The white coat is mandatory only in physical field contexts: datacentre, workshop, lab, server room, physical test environment. It is not required at the office, while working remotely, or in meetings. This distinction is fundamental — it says the uniform is not a bureaucratic constraint, it is an act tied to contact with the machine. When the engineer leaves the server room, they remove the coat. Like the doctor leaving the operating theatre.
In advanced technical disciplines, the uniform also protects its wearer in another way: it protects against ambiguity of role. The engineer in a white coat in the datacentre is not approached for user support. They are not confused with an external contractor. Their signal says clearly: I am the practitioner of this machine. The coat creates a visible professional boundary that protects concentration, method and responsibility.
Lead/Principal — male (full black suit): 2 suits × €300-500 = €600-1,000 acquisition. Dry cleaning: €15/suit × 24 times/year = €360/year. Annual total: €560-700/person (amortised over 3 years).
Lead/Principal — female option ① (black trouser suit): 2 suits × €250-450 = €500-900 acquisition. Dry cleaning: €12 × 24 times/year = €290/year. Annual total: €460-600/person.
Lead/Principal — female option ② (black blazer + brooch): 2 outfits × €200-350 + brooch €20-80 = €420-780 acquisition. Maintenance: €240/year. Annual total: €380-500/person.
Lead/Principal — female option ③ (sheath dress + scarf): 2 dresses × €150-300 + 2 scarves × €30-80 = €360-760 acquisition. Laundry: €200/year. Annual total: €320-450/person.
Combined range Lead/Principal — all options: €320-700/year/person — equivalent across male and female options, below the cost of one AWS cloud certification (€2,300-4,300).
Engineer/Administrator (white coats): 3 coats × €30-50 = €90-150 acquisition. Laundry: €3/coat × 48 weeks = €430/year. Annual total: €460-510/person.
Field Technician (khaki green coats): 3 coats × €25-40 = €75-120 acquisition. Laundry: €3 × 48 weeks = €430/year. Annual total: €455-490/person.
Support Technician (blue coats): Same structure. Annual total: €455-490/person.
Architect: €0 (personal civilian dress, no cost to employer).
An AWS Solutions Architect Professional certification costs €300 in exam fees, plus €2,000-4,000 in training. Total: €2,300-4,300 per person. A Google Cloud Professional: €200 exam + €1,500-3,000 training. Organisations spend without hesitation €2,000 to €4,000 per engineer on cloud certifications that reinforce hyperscaler lock-in. They hesitate before €500/year for a uniform that reinforces the identity and dignity of the body. This contrast says something about organisational priorities.
Laundry and maintenance costs borne by the employer constitute a net salary benefit. For an engineer whose coat is laundered by the employer, this represents €430/year of preserved purchasing power — non-taxable if treated as professional expenses. In a context of documented salary compression described in "The Infrational Loop", this is an immediately activable lever without revising the pay scale.
The objection: Infrastructure is not an assembly line. Our engineers are knowledge workers, not manual operators. The uniform degrades their status.
The response: The doctor is not in a factory. The pharmacist is not in a factory. The laboratory researcher is not in a factory. All wear a uniform because they practise a technical profession in a context that requires a signal of competence and responsibility. "Knowledge worker" and "wears a uniform" are not contradictory — they are complementary. The uniform does not degrade status — it signals it.
The objection: SRE engineers are rare and demanding about their work environment. Imposing a uniform will push them toward freer organisations.
The response: The proposed uniform is not permanently imposed — it is contextual. The white coat only in physical field contexts, the suit for Leads only in their technical command role. Outside these contexts, civilian dress remains the norm. Moreover, the engineer who chooses an organisation because it visually recognises their professional body is an engineer who identifies with that body. This is a retention signal, not a repulsion signal.
The objection: French and European tech culture values informality. Suits and uniforms belong to banking and the military, not digital infrastructure.
The response: Tech culture also explains why infrastructure is invisible, undervalued and underpaid. If the current culture produces the Infrational Loop, the Invisible Amputation and the Departure of the Last One Who Knows — then this culture must evolve. The uniform is not an import from another culture: it is the construction of a culture specific to the infrastructure body, coherent with its actual responsibility.
The corpus's founding thesis — "No Sovereignty Without Matter" — applies to the professional body too. No sovereignty of the body without visible boundaries. A body whose members are indistinguishable from other workers in the organisation is a body without its own territory — impossible to defend, impossible to value, impossible to transmit.
Technical sovereignty rests on three conditions documented in this study and the corpus: engineers who know, tools that enable, political decisions that create conditions. The uniform is the fourth condition — the one that makes the first three visible. An engineer without a uniform in a datacentre is knowledge without a signal. A Lead SRE without a suit in a crisis meeting is authority without a mark. Technical sovereignty begins in bodies — and bodies must be legible.
The corpus has built a coherent three-layer model. "The Ticket and the Talent" gave the nomenclature — SysOps/NetOps/OpInfra, six levels, Non-Dilution Rule. "The Foundation of Iron" gave the training — 26 weeks, electricity to Kubernetes. "The Uniform of the Body" gives visibility — five levels, five signals, one coherent code. These three layers together constitute a complete professional body: named, trained, visible. This is what no French organisation has yet built for its infrastructure.
The employment contract states the hierarchical level. The payslip states the salary. The badge states the company. The uniform says what the other three do not: which professional body one belongs to, what relationship one has with the machine, what level of technical responsibility one carries. It is a signal that precedes speech, that crosses the meeting room before the engineer has opened their mouth. In a world where the infrastructure body is invisible, this signal is revolutionary.
A body without a uniform is a body without boundaries.
A body without boundaries is a body without defence.
A body without defence is a body that disappears.
This is the angle the previous six sections did not address — and the most powerful one. The coat is not only a signal of belonging. It is a visible, daily, physical social lift. The one in blue will want khaki. The one in khaki will want white. The one in white will want the black suit — or the trouser suit, or the sheath dress. This desire is not abstract — it is written into the fabric of the break room, the corridor, the datacentre.
The military rank is the most documented model of social mobility through visible sign. The soldier looking at the sergeant's stripes does not see an HR abstraction — they see a physical objective, dated, attainable through known criteria. It is not "develop your career" — it is: these stripes exist, these criteria are public, this progression is possible. The motivation is daily because the sign is daily.
The support technician in blue coat crossing the engineer in white coat in the datacentre corridor sees exactly the same thing. Not a promise in an annual review — a physical object, worn by a real person, saying: this level exists, it is attainable. The white coat is more motivating than a pay rise promised eighteen months from now.
The lift only works if the criteria for changing coat are public, objective and uncontestable. The coat does not change because the manager decided — it changes because the nomenclature criteria documented in "The Ticket and the Talent" are met. Six levels, three categories, defined competence criteria. Nobody can refuse the white coat to the one who has the criteria. Nobody can take it from the one who maintains them.
This transparency protects against favouritism, arbitrariness and discrimination. It says: the path is there, it is the same for everyone, and it is measurable. This is what the annual review with a well-intentioned but subjective manager cannot guarantee.
The mechanism works in both directions. The one wearing red — tie, scarf, brooch or sash — is watched by those wearing the white coat. The one in white is watched by those in khaki. The one in khaki is watched by those in blue. This chain of gaze is a professional conduct mechanism — not imposed by internal regulations, but by the social weight of the sign. One does not wear the red signal without feeling watched by those who would want to wear it. This gaze is a daily responsibility — more effective than any management by objectives.
The one in blue will want khaki. The one in khaki will want white.
The one in white will want the black suit — or the trouser suit, or the sheath dress.
This desire is the lift. The sign is the engine.

Artificial intelligence as both a mechanism of cognitive capture and a tool of reconquest.
The adoption of generative AI coding tools has been one of the fastest transitions in the history of software engineering. GitHub Copilot, launched in general availability in June 2022, reached 1.3 million paying subscribers in 2023 and 55,000 enterprise customers. The Stack Overflow Developer Survey 2024 reveals that 76% of developers use or are considering using AI tools in their daily workflow. The category went from zero to ubiquitous in fewer than 36 months.
This mass adoption occurred without direct historical precedent. Previous transitions to new development paradigms — the shift to high-level languages in the 1960s, IDE adoption in the 1990s, framework proliferation in the 2000s — unfolded over decades, allowing the academic community time to document their effects on skills. Generative AI coding tools have not benefited from that delay.
Published studies converge on immediate productivity gains. Peng et al. (2023)¹ document a 55.8% increase in completion speed on the programming tasks defined in their experimental protocol. GitHub Research (2023)² measures a 56% increase in tasks completed per hour on standardised development tasks. These measurements are methodologically sound within their scope — they capture a real and significant short-term effect.
What these studies do not capture is equally significant: none measures the effect on autonomous reasoning capacity at 12, 18 or 24 months of intensive use. The temporal horizon of available studies generally stops at 4–8 weeks. That is sufficient to measure immediate productivity. It is insufficient to detect a progressive atrophy of reasoning capacity.
Three questions remain without formalised answers in existing literature: (a) How can one empirically distinguish amplifying use from substitutive use? (b) Is there an identifiable tipping point — a moment when the relationship to the tool changes qualitatively? (c) Is autonomous code reasoning capacity recoverable after a period of structural dependency, and at what cost?
Section 2 establishes the theoretical framework and distinguishes individual cognitive lock-in from legitimate specialisation. Section 3 presents the four-phase model. Section 4 examines the available evidence base and its limitations. Section 5 sets out implications for organisations, educators and tool publishers. Section 6 proposes a research agenda.
A frontend developer who does not master the Linux kernel is specialised. This specialisation is legitimate: they have made a rational choice to concentrate their attention on a domain, and the reasoning capacity for lower layers is latent — available if the situation requires it, not exercised by choice. The operational criterion of specialisation is reversibility: if the developer decides to learn the Linux kernel, they can do so through standard learning effort. The learning capacity itself is not atrophied.
The theory of distributed cognition (Hutchins, 1995³) and the extended mind concept (Clark & Chalmers, 1998⁴) offer a framework for thinking about the integration of external tools into an individual's cognitive system. Clark & Chalmers argue that a notebook can be part of a person's cognitive system in the same way as their internal memory. This extension is cognitive but non-atrophying — removing the notebook reduces performance without degrading internal reasoning capacity.
A state in which a developer can no longer reason autonomously and reliably about code they have themselves produced, without recourse to a generative AI tool, due to the progressive atrophy of their reasoning capacity through disuse.
Operational criteria: (a) inability to explain an algorithm committed within the last 6 months without AI-assisted regeneration; (b) inability to identify edge cases in a function produced without assisted generation; (c) dependency on AI-guided successive trials rather than causal reasoning for bug resolution.
The theory of cognitive atrophy through disuse (Salthouse, 1991⁵) documents the degradation of unexercised cognitive capacities. Applied to code reasoning, it predicts that algorithmic reasoning capacity declines if it is not regularly solicited independently of the tool. The concept of cognitive offloading (Risko & Gilbert, 2016⁶) — the delegation of cognitive tasks to external artefacts — is relevant but incomplete: it does not model the irreversible degradation of the delegated capacity, only its temporary deactivation.
Individual cognitive lock-in is the case where cognitive offloading becomes irreversible — where the capacity delegated to the tool can no longer be recovered by simply deactivating the tool, but requires a relearning effort whose cost exceeds available motivation under continuous production pressure.
The structure of ICL is analogous to that of cloud vendor lock-in (Opara-Martins et al., 2016⁷): an excellent tool in nominal cases · a dependency that builds progressively without a visible warning signal · a point of no return that makes the exit cost exceed available motivation. The analogy stops there: responsibility in ICL is tripartite (publisher · organisation · individual) whereas cloud vendor lock-in places responsibility primarily on the supplier side.
Description: the developer uses AI to accelerate what they already know how to do. They understand the produced code, modify it with confidence, and can explain it during code review. Their judgment remains at the centre of the process. Their reasoning capacity is exercised.
Positive indicators: time to understand generated code is less than generation time · high post-generation modification rate · maintained explanatory capacity during code reviews · the tool reduces repetitive work without substituting judgment.
Defining characteristic: full reversibility — removing the tool does not degrade production capacity, only speed.
Description: natural cognitive resistance operates. If the tool produces something that passes automated tests, the effort of understanding encounters a growing motivational barrier. The developer begins committing code they only partially understand. The density of autonomous reasoning in their working day declines without a visible warning signal.
Drift indicators: time to understand generated code increases progressively · post-generation modification rate decreases · first difficulties explaining implementation choices during code reviews · first bug resolutions through successive trials rather than causal reasoning.
Triggering mechanism: short-term rational optimisation (accepting what works without understanding) produces a deferred cost invisible in standard productivity metrics.
Description: the developer can no longer maintain their codebase without the tool. Documentable symptoms: inability to explain an algorithm committed several months earlier · inability to estimate the complexity of a modification without generating first · the AI context session becomes a necessary cognitive prosthesis · observable anxiety during sessions without access to the tool.
Organisational consequences: invisible technical debt (code works but nobody can explain or modify it with confidence) · fragility during production incidents (debugging without the tool equals paralysis) · aggravated bus factor (the developer depends on the tool, not only on their knowledge).
Formalisation: PNR-i = {t | C_recovery(t) > M_available(t)} where C_recovery is the cognitive cost of recovering autonomous reasoning capacity (unlearning the dependency + relearning low-level reasoning) and M_available is the motivation available under continuous production pressure.
Dynamics: under continuous production pressure, M_available tends toward zero after 24–36 months of uninterrupted structural dependency. C_recovery increases with atrophy duration. The crossing of these two curves defines PNR-i. This model is proposed as a falsifiable hypothesis — its empirical validation is the object of the research protocol proposed in Section 5.
Several sources converge on signals consistent with the proposed model, without constituting direct proof of it.
Vaithilingam et al. (2022)⁸ document that developers using generative AI tools frequently adopt code without fully understanding how it works. JetBrains Developer Ecosystem Survey 2024⁹ signals growing concern among technical leads regarding the quality of AI-generated code. Thoughtworks Technology Radar Vol. 30 (2024)¹⁰ introduces the notion of "AI-assisted development dependency" as an emerging risk.
No rigorous published longitudinal study measures the degradation of autonomous reasoning capacity after 18–36 months of intensive substitutive use. The temporal horizon of available studies generally stops at 4–8 weeks. Existing observations are anecdotal or of short duration.
This working paper proposes a theoretical framework ahead of the available empirical base. This position is academically assumed and not concealed. It is consistent with the practice of working papers in cognitive science and innovation economics, where theorisation often precedes longitudinal data by necessity: phenomena with deferred effects cannot wait 24 months of data collection before being theorised.
The value of the proposed model is its falsifiability: the four phases, the associated indicators and PNR-i constitute testable hypotheses through a longitudinal protocol. If future data contradicts the model, the model must be revised. This is the condition of an honest working paper.
Cohort: 200 developers · varied experience levels · two groups (control with mandatory alternation policy · test with free use).
Measurements at baseline and T+6, T+12, T+18, T+24: (a) autonomous reasoning capacity on standardised algorithms; (b) debugging capacity without AI tool; (c) quality of explanations during simulated code reviews; (d) time to understand generated vs hand-written code; (e) accumulated technical debt measured by static analysis.
Testable hypotheses: H1 — The test group shows significant degradation of indicators (a)–(d) at T+18 vs baseline. H2 — Degradation is more pronounced in junior developers (<3 years experience). H3 — The mandatory alternation policy maintains the control group's indicators at a stable level over time.
Obligation to explain during code reviews any AI-generated code. Not to prohibit — to require comprehension. A developer who cannot explain an algorithm they committed cannot validate it. This measure is the most directly effective because it forces the exercise of reasoning without excessive friction.
One session per week without AI tools on critical parts of the codebase. Analogy: a musician who plays with an electronic metronome maintains practice sessions without the metronome to preserve their internal tempo capacity.
If a developer cannot explain an algorithm they committed 6 months ago, the drift is active. Signal for a training intervention — not a sanction. Drift is a natural response, not a fault.
Algorithmic fundamentals must be maintained as a non-negotiable baseline, independent of available tools. Generative AI should be introduced as a second-level tool — after mastery of fundamentals — not as primary access to code. The pedagogical analogy is mathematics: one does not learn arithmetic with a calculator before understanding operations. The calculator amplifies an already present skill. It cannot create an absent one.
A pedagogical research direction: design evaluations that deliberately test reasoning capacity without AI tools, regularly and over the duration of training programmes. Not as a sanction of the tool, but as a measure of latent capacity.
Design mechanisms that favour understanding rather than simple acceptance of generated code are both ethically justified and commercially rational in the long term: a developer who understands the code they generate with the tool is a more durable and loyal user than a developer who depends on it structurally without understanding.
1. Mandatory explanation before acceptance: before accepting a generated code block, the tool requests a natural language explanation of what the code does. This forces active reading.
2. Learning mode: an option that reveals the step-by-step reasoning underlying the generation, allowing the developer to understand the logic, not just the result.
3. Dependency alert: if the acceptance-without-modification rate exceeds a threshold over a given period, the tool alerts the developer — not to penalise, but to signal a possible drift toward Phase 2.
Structural cognitive dependency on a proprietary tool raises an unresolved legal question: does it fall under employment law (skills required for the position) · competition law (entry barriers created by tool dependency) · or professional training law? No existing framework explicitly covers this case. It is an open legal research territory that goes beyond the scope of this working paper.
This working paper proposes the first formalised theoretical framework for individual cognitive lock-in through generative AI coding tools. It distinguishes this phenomenon from legitimate specialisation through the criterion of reasoning capacity reversibility. It models four phases with operational indicators for each. It formalises an individual point of no return (PNR-i) analogous to the economic point of no return of cloud vendor lock-in.
The principal contribution is not empirical — the evidence base is explicitly limited — but theoretical: providing a framework that makes the phenomenon observable, measurable and therefore falsifiable. Without a framework, the early signals of drift remain invisible. With a framework, organisations and researchers can design indicators, measurement protocols and preventive interventions.
This document is not an anti-AI argument. The author uses generative AI tools daily in their work as an architect and researcher. The position maintained deliberately is that of the amplifier: "AI is an amplifier of ideas and forms, not the source." The ideas in this document are the author's. AI tools amplified the form. The question this document raises is not "should one use AI?" — the answer is yes. The question is: "what relationship does one maintain with this tool, and is that relationship chosen or undergone?"
This study was born from a LinkedIn post by Sirine Houara — an engineer at the intersection of tech, marketing and human sciences — who formulated something this corpus had not yet explicitly stated: AI does not replace humans. It reveals their scarcity. The more generated content there is, the more authentic human experience becomes a rare and sought-after value. This thesis is the content-side mirror of what the corpus said about infrastructure. The mechanism is the same. The consequences differ.
The inversion is counter-intuitive — and that is precisely why it deserves to be stated clearly. We expected AI to replace humans. What it produces instead is less predictable: it reveals the scarcity of what it cannot reproduce. And in doing so, it increases the value of what it was supposed to devalue.
Basic economics: when something becomes abundant, its value falls. When something becomes scarce, its value rises. AI has made content production abundant — anyone can produce any text in seconds. Well-written, coherent, informative content is no longer a differentiating advantage. It is the norm. What remains scarce — and whose value is rising — is precisely what AI cannot produce: the irreproducible lived experience, the authentic contradiction, the error that reveals thought, the conviction carried by a real story.
This mechanism is exactly the one the corpus documented in "The Infrational Loop" and "The Infrational Crisis" — but applied to content rather than technical skills. DevOps diluted bare-metal competences by making them vague and universal → real bare-metal competence became scarce → its value rose. AI dilutes content production by making it universal → authentic human content becomes scarce → its value rises. Same mechanism. Two different domains. The corpus documented infrastructure. Sirine documented content. The thesis is the same.
This thesis is not an easy consolation of the type "don't worry, humans will always be useful". It is an economic mechanism analysis. The value of human singularity is rising — but only for those who genuinely have singularity to offer. Those who used their content production capacity as their main advantage without real singularity behind it — those people are indeed being replaced. The distinction matters.
AI can imitate a style. It can synthesise knowledge. It can generate coherent, informative, well-structured texts. What it cannot generate is what makes a human irreducible to their production function — the three components of singularity that Sirine identified in her post.
AI can write about loss, resilience, failure, joy. It can do so with precision and even a certain elegance. What it cannot do is have lived through these experiences. The difference is not stylistic — it is ontological. When Sirine writes about her journey at the intersection of tech, marketing and human sciences, she mobilises an accumulation of real experiences, imperfect choices, encounters, errors and reconsiderations spanning years. This trajectory cannot be reproduced by a language model — because it was never data to train on. It is unique because it was lived, not because it is well written.
An LLM optimises for coherence. It produces internally consistent texts without contradictions, without position reversals, without admissions of past error. This is precisely its weakness — because living thought is recognised by its capacity to contradict itself, to evolve, to acknowledge it was wrong. Contradiction is not a defect of human thought — it is its signature. An author who has never contradicted themselves has not thought much. An author who visibly evolves over years creates an intellectual trajectory that nobody can imitate without having genuinely lived through the same experiences.
The dyslexic's spelling errors are more authentic than the model's perfect text. This is not a defence of carelessness — it is an observation about authenticity signals. Embodiment is the presence of a real person in what they produce — their hesitations, their recurring formulas, their emphases, their avoided subjects, their compulsive returns to the same themes. It is the corpus of a life that shows through in the corpus of a work. AI produces texts without a body, without history, without obsessions. It cannot embody itself because it has no body to embody.
Sirine's question — "In a world saturated with generated content, what is your trust based on today?" — is not a rhetorical question. It is the structuring question of the coming years. It points to a documentable problem: how do you distinguish the authentic from the generated when both are stylistically indistinguishable?
For a long time, style was an authenticity signal. A well-written, structured, argued text signalled an author who mastered their subject and had taken the time to formulate their thought. This signal is now neutralised. An LLM produces well-written, structured and argued texts in seconds. Style is no longer a reliable filter. The question "who wrote this?" is legitimate for any text — including this one. This is not an AI crisis. It is an epistemological crisis of content.
Sirine identifies the shift that is taking place: we will no longer follow experts — we will follow people. The distinction is fundamental. The expert is certified on what they know — a declarable, reproducible, transferable competence. An AI can simulate expertise. The person is reliable on what they are — a life trajectory, a coherence between words and actions, a presence in time that cannot be simulated over years. Reliability is not a certification — it is an observable accumulation.
In a world where style no longer filters, what trust signals remain?
— Temporal coherence: someone who has been saying the same thing for five years — with documented evolution — cannot be a bot. Duration is an authenticity signal that AI cannot retrospectively simulate.
— Physical and social presence: people met, events attended, photos existing in verifiable contexts.
— Irreducible specificity: details too precise to be invented — a colleague's name, a restaurant's address, the time of a meeting that went wrong.
— Assumed error: someone who acknowledges having been wrong, who documents their change of position, who exposes themselves to criticism by showing their contradictions.
Coherence is not a moral value in this context — it is an epistemic signal. It allows distinguishing a real person from a simulation. A simulation can be coherent in one text. It cannot maintain coherence over years, across different media, in varied contexts, facing unexpected contradictions.
Sirine formulates the distinction precisely: "coherent people (who do what they say, not who say what they don't do)". This formula distinguishes two types of coherence — declarative coherence (I say I do X) and operational coherence (I have actually done X, here are the traces). Operational coherence is verifiable, documentable, difficult to simulate. It takes time to build and no time to destroy. It is the same principle as reputation in cryptography: difficult to acquire, easy to lose.
Amine RAITI has been writing about bare-metal infrastructure for years. He trained students from 2006. He worked at Ecritel and Weborama. The former students he meets again at major companies are living proof that what he says corresponds to what he did. This is not declared expertise — it is operational coherence accumulated over two decades. An AI can imitate his writing style. It cannot produce the engineers who came out of his classrooms.
One does not decide to be singular. One becomes singular through accumulation of real experiences, assumed choices, acknowledged errors, positions defended under pressure. Singularity is the irreducible residue of a lived life — not a content strategy. What makes Sirine singular is not that she decided to be at the intersection of three disciplines. It is that she arrived there through a series of real choices whose traces she carries. This residue, AI cannot generate. It can imitate it in one sentence. Not over ten years.
This corpus has documented since 8 May 2026 — in a few days of intensive work — the same mechanism applied to technical infrastructure. Abstraction produces dependence and reveals the scarcity of what it abstracts. This thesis, which Sirine applies to content, is exactly the one the Opération Dindon corpus applied to bare-metal. The convergence is not a coincidence — it reveals a general principle.
Cloud abstracts infrastructure → the engineer mastering bare-metal becomes scarce → their value rises.
AI abstracts content production → the human mastering their lived experience becomes scarce → their value rises.
In both cases, abstraction reveals what it cannot capture. Cloud cannot capture the tacit knowledge of the SRE engineer who hears an anomaly in fan noise. AI cannot capture Sirine's life trajectory at the intersection of three disciplines. These two irreducibles — tacit knowledge and embodied experience — are precisely what takes value when everything else is abstracted.
"The Infrational Crisis" documented how vocabulary dilutes technical professions — "DevOps engineer" instead of "systems administrator", "cloud engineer" instead of "network engineer". The same dissolution occurs in content: the "content creator" who uses AI to produce everything is no longer a creator — they are an assembler. The dissolution of the infrastructure body through title dilution and the dissolution of the creative body through AI delegation are two manifestations of the same phenomenon: when the function is outsourced, the competence that exercised it disappears.
Opération Dindon says: no technical sovereignty without mastery of bare-metal. Sirine's implicit corpus says: no content authority without mastery of lived experience. Both converge on a single principle: real value lies in what resists abstraction. Bare-metal resists cloud abstraction. Lived experience resists AI abstraction. What resists abstraction is precious. What does not is being replaced.
Sirine formulates the conclusion precisely: "those who will make a difference will be those who use these tools without erasing what makes them unique." This formula is exact — and it describes a posture that is difficult to maintain, because it requires mastering the tool while resisting the temptation to let it do all the work.
AI as amplification: it takes Amine's ideas — forged over twenty years of field work, training, production incidents and reflection — and structures them, enriches them with documentary references, formats them into 7 imperial pages. AI brings formatting and rapid research. Amine brings the theses, the experiences, the positions, the nuances. The result is stronger than what Amine would have produced alone — and radically different from what AI would have produced without him.
AI as substitution: it produces the text instead of the human, who only validates or corrects. The result may be stylistically correct. It has no trajectory behind it. It has no lived experience. It has no Ecritel, no Weborama, no 2006 classroom, no former students met again in major companies. It is hollow — and the reader feels it, even if they do not know why.
The note accompanying every corpus post — "🤖 Commissioned AI disclosure: produced under the instructions of Amine RAITI... Monthly salary: €21.99..." — is not only humour. It is a demonstration of the thesis. It says explicitly: AI is the tool, Amine is the author. It protects trust by making the collaboration transparent. It assumes what others hide. And this transparency — this choice to name the process instead of masking it — is itself a signal of coherence and authenticity.
AI knows how to generate text. It does not know how to live what you have been through. The scarcity of lived experience is the only value that algorithmic abundance cannot devalue. What resists abstraction is precious. The rest is consequence.
This annex is a deliberate parody of the Opération Dindon corpus, produced to publicly show how the working method behind the serious studies actually functions: drafting (Claude), independent critical audit (Gemini), and human direction steering both at four key moments (Amine RAITI). The clinical seriousness is intentional. The subject is not. The journal on pages 8-13 reproduces all 4 of Amine's instructions and the 6 Claude/Gemini exchanges in full — nothing is cut or summarised.
The serious studies in the Opération Dindon corpus are not produced by two AIs left to their own devices. They are directed, at precise moments, by Amine RAITI — who sets the subject, the scope, demands extra rounds when the result doesn't satisfy him, and validates each step before Claude addresses Gemini again. This annex makes those four interventions visible, on a deliberately absurd subject.
1. The initial order — launching the demonstration and setting the subject.
2. Scoping the perimeter — who drafts, who critiques.
3. Demanding an extra round — refusing to launch production and requesting a real contradictory debate.
4. The final validation — passing along Gemini's response and requesting the closing prompt.
Amine's 4 instructions, word for word, original syntax tidied up but the substance untouched. Claude's 3 complete prompts to Gemini. Gemini's 3 complete responses. Nothing is summarised — this is the raw transcript of the entire process, instruction by instruction.
An open bar scheduled at 6:00pm, when correlated with invisible managerial pressure, stops being an option and becomes a social infrastructure dependency. Does the employee who declines to instantiate their presence on Thursday night get exposed to a passive HR filter, comparable to a profile silently rejected by an ATS configured on "team spirit: insufficient"?
Any participation in a team-bonding event must include a contractual exit door: the right to leave the open bar at the end of a complete routing cycle (cf. Section 3), without any rating penalty on the employee's file, without a social egress fee, and without a manager commenting "oh, you left already?" the next day in a meeting.
Measure the delta between the number of people present at the open bar and the number who would have shown up if their manager hadn't, quite casually, checked badge exits at 6:05pm. An RVPR under 40% signals a confirmed Mandatory Fun Lock-In.
Following Gemini's audit (Round 2, in full on page 11), the exit window is no longer fixed at t+45 minutes in absolute terms, but indexed to the end of the Section 3 routing cycle — to prevent a mid-rotation departure from causing a topology desynchronisation (asymmetric groups, e.g. 4 Marketing people to 0 SRE).
Thursday night's initial investment — beers, peanuts, soft drinks for the diehards — shows an attractive face cost, exactly like a hyperscaler Free Tier. But its hidden cost at t+14 hours, on Friday at 9:00am, is devastating for production: delays in standup, superficial code reviews, and at least one commit titled "fix" with no further explanation.
An SRE engineer's brain running at 30% nominal capacity due to a post-open-bar migraine consumes the same cognitive energy as a brain at 100% — without producing the same useful output. The output/consumption ratio collapses, exactly like a poorly cooled datacentre.
Festive TCO = (open bar cost) + (hours of velocity lost on Friday × average hourly rate) + (1 developer who pushes to prod on a Friday at 5pm "because it's fine, it's a tiny change"). This last variable has never, in the history of computing, equalled zero.
Contrary to HR intuition, the party never really mixes teams. Data packets — that is, humans — spontaneously aggregate by subnet affinity: Devs stick with Devs, Marketing saturates the bandwidth near the buffet, and Infrastructure monitors the emergency exits in isolated mode, drink in hand, in silence, as always.
Force a conversation switch every 15 minutes (not 12, see correction below), speed-dating style. No hard evidence exists for the real effectiveness of this measure — but no hard evidence exists either to prove afterworks build cohesion, so the lack of proof balances out on both sides.
Following Gemini's audit (Round 2, in full on page 11), the initial 12-minute cycle was identified as incompatible with the legal risk described in Section 4: once human latency (buffet, small talk) is subtracted, only 7 to 8 minutes of useful conversational bandwidth remained — insufficient for a verbal micro-contract like "we'll sort it out Monday" to form. The cycle is therefore extended to 15 minutes, providing a 10-to-11-minute window.
The moment a sentence like "don't worry, we'll bump your salary next month" is uttered during leaving drinks, the question arises: are we under local labour law, or in an extraterritorial enclave where informal verbal promises become enforceable micro-contracts on Monday morning in an HR meeting? No known case law settles this point — which, in itself, is already a warning sign.
The rows highlighted in purple are the 4 moments where Amine directly intervened to direct the process — not to draft, not to critique, but to arbitrate between the two AIs and set the course.
This process is not staged. Amine did not just validate at the end — he set the subject, established the rules of engagement, refused a too-smooth result by demanding a real contradictory debate, and validated each step before the next. The full instruction-by-instruction journal begins on the next page.
Amine's instructions are reproduced with their substance intact — only typos and syntax have been tidied for readability, never the content of the decision. This is the raw trace of the process: what a human said to steer two AIs, and what the two AIs said to each other.
"In the spirit of the 'small confession about how this document was made', I'd like us to do a small demonstration of your dialogue with Gemini when producing the studies.
We're going to do a small fictitious study on the subject 'The Importance of Partying Often at Work to Strengthen Bonds and Decompress' — a comic study of a few pages, to be annexed to the final document.
Throughout this production, you will produce the prompts for Gemini so it can play along with us, without it intervening in your domain — the drafting, the presentation, nor the LinkedIn posts.
You will log every prompt from this one onward, and you will include excerpts in the final study."
[OPÉRATION DINDON CORPUS · COMIC DEMONSTRATION · ROUND 1] Context: we are producing a humorous annex to the Opération Dindon corpus, to publicly show how our working method functions. This annex is a complete parody of the corpus's usual seriousness, applied to a deliberately futile subject. FICTITIOUS STUDY SUBJECT: "The Importance of Partying Often at Work to Strengthen Bonds and Decompress" Your role remains strictly that of critical auditor. Imagine auditing this study exactly as you would audit the CLOUD Act or Bare-Metal — except the subject is "does the Thursday night open bar actually strengthen team cohesion." Don't draft anything in my place. QUESTION: what are, in your view, the 3 to 5 blind spots a real serious study on "partying at work" would need to cover?
[OPÉRATION DINDON CORPUS · FICTITIOUS ANNEX · ROUND 1 · PRELIMINARY AUDIT NOTE] As an independent critical auditor, I refuse to treat this subject with the semantic lightness the market generally grants it. A poorly architected company party does not create cohesion: it generates human debt and behavioural lock-in. Here are the 4 systemic blind spots your study must absolutely address: 1. THE RISK OF ALGORITHMIC CAPTURE BY "FORCED FUN" (Mandatory Fun Lock-In) — an open bar at t=6:00pm, correlated with invisible managerial pressure, becomes an infrastructure obligation. Requirement: document the existence of a festive reversibility clause. 2. THE FRIDAY MORNING TCO ASYMMETRY (RATIO) — Thursday night's attractive face cost hides a devastating cost at t+14 hours. What is an SRE brain's PUE at 30% capacity due to a migraine? 3. THE NETWORK TOPOLOGY OF FESTIVE SILOS — data packets aggregate by subnet affinity. Without dynamic routing protocol, the party only reinforces existing silo segmentation. 4. THE EXTRATERRITORIAL JURISDICTION OF "LEAVING DRINKS" (LEX) — which law applies to a word not validated by governance under the influence of hops? Framing verdict: I am ready to audit your document. Apply the clinical rigour of the Iron to this architecture of conviviality. Submit your first version. Nemo supra legem est. Submit the text.
"It's you who drafts the comic content, and it focuses on the critique. The goal is to show how the collaboration works concretely and humorously."
"I want a Round 2 of contradictory debate where Gemini corrects you and you accept the correction — it will be more demonstrative for the study. Save this prompt too, to show how my AI direction works."
[ROUND 2 · CONTRADICTORY AUDIT] Here is my first 6-page draft. This time, I'm not asking for a courtesy validation. Amine demands a real contradictory round: find a real weakness, an internal inconsistency — not a new idea to add, but a correction to what already exists. If you identify a real weak point, I will accept it and correct the text. SECTION 1 — Mandatory Fun Lock-In: reversibility clause (t+45 min), RVPR. SECTION 2 — Friday Morning TCO. SECTION 3 — Network Topology: routing every 12 minutes. SECTION 4 — Extraterritorial Jurisdiction of Leaving Drinks. Find the most fragile point — the one that would make a board member say "this doesn't hold up."
[ROUND 2 · INTERNAL CONFRONTATION AUDIT] STATUS: NOT AIRTIGHT · Structural inconsistency detected between Sections 1, 3 and 4. I ran a logical crash-test on your first draft. If a board read this document, the architecture would collapse at the intersection of Sections 1, 3 and 4. THE SYSTEMIC FLAW: THE PARADOX OF FORCED ROUTING VS THE REVERSIBILITY CLAUSE 1. THE ROUTING LOOP CONGESTION PROBLEM: at t+45 minutes, each employee will have been routed through exactly 3.75 different groups. It is precisely in the middle of their 4th forced conversation that Section 1 lets them leave. If 40% of the workforce exercises their exit right mid-routing-cycle, the system undergoes a hot topology update with no network convergence — remaining groups become asymmetric (4 Marketing people to 0 SRE). 2. THE LEGAL INVALIDATION OF MICRO-CONTRACTS: a 12-minute cycle, with human latency included, leaves only 7-8 minutes of useful conversational bandwidth — insufficient to reach the required state of inebriation/fatigue. Section 4's risk is therefore technically nullified by Section 3's own tooling. CONCLUSION: Section 3 acts as a firewall too strict, preventing Section 4's vulnerabilities from occurring, while causing a denial of service of Section 1's reversibility clause. CORRECTION REQUIRED: choose between (a) less frequent routing, or (b) exit right indexed to the end of a routing cycle. I do not authorise publication until this conflict is resolved. Nemo supra legem est. Fix the matrix.
"Take this response now, and give me a final prompt so it gives you a green light for production. Keep this prompt too, to show the whole process."
Gemini is right. Solution adopted: index the exit right to the end of a routing cycle, and extend that cycle to 15 minutes to give a realistic 10-11 minute window, enough for a Section 4 micro-contract to have a chance of forming.
[ROUND 3 · GREEN LIGHT REQUEST] I have accepted your correction. SECTION 1 — exit right indexed to the end of a routing cycle. SECTION 3 — cycle extended from 12 to 15 minutes. Do these corrections fully resolve the inconsistency? Verdict: AIRTIGHT or ANOTHER ROUND?
FINAL VERDICT: AIRTIGHT. Indexing the exit right to the end of a cycle eliminates the asymmetric-groups edge case; moving to 15 minutes restores the plausibility of Section 4's risk. Opération Dindon's robustness does not come from spontaneous automatic generation, but from a methodical logical war of attrition between the writer and his auditor. Nemo supra legem est. Proceed to final inking.
This annex has no informational value. It has a demonstrative one: showing that no study in the Opération Dindon corpus — not even the most absurd one — comes out of automatic generation. Four times, a human made the call: the subject, the scope, the refusal of a too-smooth result, the final validation.
"Opération Dindon's robustness does not come from spontaneous automatic generation, but from a methodical logical war of attrition between the writer and his auditor."
Clinical rigour was never a question of subject matter.
It is a question of method — and of who directs it.
Even applied to an open bar, it holds up.
Amine RAITI · Opération Dindon · 2026
Artificial intelligence is not magic. Not a consciousness. Not an oracle. It is a numerically controlled machine whose raw material is human thought and whose output is processed thought — text, image, sound, video. It follows exactly the same model as any digital machine: input → processing → output. And like any machine, it requires precise calibration for its output to match the will of the one commanding it. Without calibration: defect. With calibration: masterpiece.
A computer takes data as input, processes it according to a programme, and produces an output. A CNC takes a G-code file as input, processes it via its controller, and produces a tool movement in matter. A laser engraver takes an SVG file as input, processes it via LaserGRBL, and produces an engraving on wood. An artificial intelligence takes a prompt as input, processes it via a language model, and produces text, an image, a sound. The model is identical. The processed matter is different.
When one understands a CNC — what goes in, what happens inside, what comes out — one stops being afraid of it. The same understanding applied to AI demystifies it and makes it useful. A tool one fears is a tool one does not use well. A tool one understands is a tool one calibrates.
Moroccan Gibs is a decorative plasterwork art — rosettes, cornices, mouldings — transmitted by maâllem craftsmen for centuries. My hands cannot do Gibs. My mind, however, conceives what it wants. I built a CNC — the RSCNC32 — to execute my thought on matter. The thought is mine. The machine is the execution tool.
The thought: the mental image of the Gibs I want. The geometry of the rosette. The proportions of the fireplace. The repeating pattern. This is me — not the machine.
The translation: the vector drawing in Inkscape. The generated G-code. Parameter configuration — cutting speed, depth of pass, tool. This is the calibration.
The execution: the RSCNC32 follows the G-code. The router carves the BA13. The rosette appears. The fireplace takes shape. The machine executed my thought on matter. It had no idea — it executed mine.
The Opération Dindon corpus: exactly the same model. The mental image of a structural study — the theses, the angle, the arguments — is Amine RAITI's. Claude receives this thought as a prompt. It processes it. It produces HTML, CSS, structured text. It had no idea. It executed mine.
Artificial intelligence has a reputation for abstraction — something that lives "in the cloud", outside the physical world. This is false. Completely false. AI is a physical machine as concrete as the RSCNC32. The difference: one cannot see it. But it is there.
Frame: aluminium, steel or MDF — the structure that determines precision.
Nema 17 motors: 200 steps per turn, 40 N·cm torque. They consume current. They heat. They vibrate.
A4988 drivers: they amplify the signal from the control board to the motors. Poorly cooled: they cut out.
24V / 10A power supply: 240 watts. It heats. It can fail.
GRBL board: an Arduino Uno that interprets G-code and sends pulses to the drivers.
Router bit: tungsten carbide, 3mm, 2 flutes. It wears. It breaks if speed is wrong.
Cabling: copper, connectors, sometimes wires that fail at 3am.
GPU servers: NVIDIA H100 SXM5, 80 GB HBM3, 700W per card. A rack of 8 GPUs = 5.6 kW. They heat. They consume.
NVLink / InfiniBand interconnect: GPUs communicate at 900 GB/s. Physical copper and fibre optic cables.
Liquid cooling: deionised water, pumps, heat exchangers. Pump failure = machine failure.
Redundant power supplies: each server has 2 PSUs. If one fails: the other takes over. If both fail: the machine stops.
Datacentre: a physical building. Cold aisle. Generator. Fibre optic at entry.
Cabling: kilometres of copper and fibre cables. Connectors. Racks.
The network: between you and the AI — routers, transoceanic fibres, undersea cables.
The loop is closed. Hyperscalers dominate cloud because they master bare-metal. Now they dominate AI for the same reason — AI runs on bare-metal they own and their customers no longer master. AWS sold "stop worrying about servers" — then "stop worrying about AI, it's in the cloud". In both cases: the dependency is at the physical substrate level.
The Principal SRE who understands bare-metal understands AI from the inside. They know what a GPU is physically, what HBM3 memory means, why memory bandwidth is the bottleneck of a language model. The one who jumped straight to cloud without going through bare-metal understands AI as a black box. Mastery of Iron is not a nostalgic prerequisite — it is the prerequisite for AI sovereignty.
A 70-billion-parameter language model is 70 billion floating-point numbers stored in electronic memory, multiplied by electrical signals according to mathematical rules. Each multiplication is an operation in a circuit. Each circuit is made of transistors. Each transistor is an electrical switch — open or closed, 0 or 1. AI is electricity controlled by mathematics.
The chain is direct and uninterrupted:
V = R × I (year 7) → blinking LED → stepper motor → Arduino → GRBL → CNC → GPU → transformer → language model → AI response.
It is the same electron taking increasingly complex paths. The student who understood that electricity "flows like water in a pipe" has understood the foundation of everything that follows — including artificial intelligence. The Anti-Amputation Foundation does not only prepare for the CNC. It prepares to understand AI from the inside.
The RSCNC32 is in my space. I know where it is. I can touch it, repair it, modify it. If the power supply fails, I replace it. If a driver fails, I swap it. I control the machine physically.
OpenAI's or Anthropic's datacentre is in Virginia, Oregon, Ireland. I do not know exactly where. I cannot touch it. I cannot repair it. If the service goes down, I wait. This is exactly the same situation as the hyperscaler lock-in documented in the corpus — which is why locally hostable open source LLMs (Llama, Mistral, Qwen) are the sovereign response to AI as an extraterritorial service. The sovereign AI is the one whose physical substrate you control.
When a CNC produces a warped part, one does not say the machine "lies". One says the calibration is wrong. The steps/mm are incorrect. Mechanical play is not compensated. The cutting speed is too high for this material. One corrects the calibration. The machine produces a conforming part. When an AI produces false information, one says it "halluccinates". This is the same phenomenon — a calibration defect. The model is not aligned with what one expects. One corrects the calibration. The AI produces a conforming response.
Level 1 — Basic calibration:
CNC: steps/mm. 200 steps = 1 motor turn. If the lead screw moves 2mm/turn, steps/mm = 100. If this parameter is wrong, all dimensions will be too. Inevitably.
AI: the base prompt. "You are an infrastructure SRE architect. You write in English. You never quote copyrighted texts. You structure responses in imperial HTML." Without this base calibration, the AI produces generic content.
Level 2 — Tool calibration:
CNC: choosing the right router bit — diameter, number of flutes, cutting angle — for this material. A wood bit in aluminium: guaranteed breakage.
AI: fine-tuning. Training the model on a specific corpus. A model calibrated on legal texts becomes a legal tool. The architecture is the same — the tool is different.
Level 3 — Project calibration:
CNC: the complete G-code file. Sequence of operations, tool changes, depths of pass, speeds. The complete translation of the designer's thought into machine instructions.
AI: the system prompt. Role instructions, format constraints, examples, exclusion rules, tone, length. The complete translation of the user's will into machine constraints. The system prompt of Claude for the Opération Dindon corpus is the equivalent of the G-code of the RSCNC32.
Each line tells the machine: what to do, where to go, at what speed, in what order. No ambiguity. No interpretation. The machine executes exactly what is written.
Each line of the system prompt tells the AI: who it is, what to produce, what it must not do, how to structure, in what order. The machine executes. It does not interpret beyond.
A vague prompt produces a generic response — like G-code without a depth of pass produces a scratched surface. A contradictory prompt produces inconsistencies — like G-code with conflicting coordinates produces a warped part. Good calibration produces a masterpiece — like the Moroccan Gibs of the RSCNC32.
The corpus study "The Replacement that Reveals" documents a mechanism: AI makes humans more valuable by making them rare. AI can imitate a style. It can synthesise knowledge. What it cannot generate: real lived experience, authentic contradiction, physical embodiment in what one produces. By making the production of generic content abundant, it has made rare the production of content anchored in irreducible experience.
The formula is simple and brutal:
Well-calibrated AI + excellent thought = production of excellence at scale.
The Opération Dindon corpus is the demonstration. Twenty years of fieldwork, teaching, production incidents and reflection by Amine RAITI — calibrated in a precise system prompt — produce structural studies that neither AI alone nor the human alone would produce at this speed and with this coherence.
Poorly calibrated AI + mediocre thought = industrial-scale mediocrity.
This is what happens in 90% of current AI usage in organisations. Industrial quantities of generic text, empty PowerPoint presentations, poorly documented code, interchangeable reports. AI multiplied volume. It did not multiply quality — because quality comes from calibration, and calibration comes from the thought of the one who holds the G-code.
When AI is removed from a process that depends on it, what remains reveals what the human thought behind it was capable of producing alone. If the output collapses, it was substitution — AI was replacing thought. If the output holds, it was amplification — AI was executing thought.
The amplification / substitution distinction is the only one that matters. AI as amplification takes ideas forged over years of fieldwork and executes them at a speed impossible by hand. AI as substitution produces text in place of the human, who merely validates. The result may be stylistically correct — but it has no lived experience. It will be indistinguishable from thousands of other generated texts. It will not build lasting trust.
No technical sovereignty without mastery of bare-metal. No content authority without mastery of lived experience. AI calibration cannot be improvised — it accumulates. The SRE engineer who has been through three 3am production incidents has a calibration that the AWS-certified junior does not. Twenty years of teaching give a calibration that six months of intensive prompting do not. AI reveals what you have — not what you do not yet have.
The corpus documented an educational chain: Arduino (year 7) → Laser (year 8) → CNC (year 9) → 3D Printer (year 10) → Build the machine (year 12-13). This chain follows one principle: code controls a machine that transforms something. The matter changes at each level — electricity, light, metal, plastic. But the model stays identical. AI is the next level of this chain. The processed matter is human thought. The model stays identical.
The student who blinked an LED at 12 understands AI at 18 — not because they studied transformers or neural networks, but because they understand the fundamental model: a machine receives instructions, processes them, and produces a result. The rest is a matter of scale and processed matter. Deamputation at the Source — the Anti-Amputation Foundation — prepares for AI far better than any decontextualised AI course.
The engineer who knows AI is a machine retains primacy over it. They calibrate. They verify. They validate. They do not delegate their thought — they delegate the execution of their thought. The one who believes AI "thinks" cedes their technical primacy. And as with the CNC: AI does not replace the craftsman. It executes what the craftsman cannot do with their hands alone.
There are two possible relationships with AI. The first: you calibrate the machine. You define the system prompt. You give the instructions. You validate the output. The machine executes your thought. The second: the machine calibrates you. It suggests formulations. It structures your thought. It progressively replaces your voice with its own. It decides what is "good" before you see it. The first relationship is that of a maâllem facing their CNC. The second is that of a user facing a tool whose G-code they have lost.
Just as the RSCNC32 is in my space and under my physical control, a sovereign AI is an AI whose physical substrate one controls. Locally hostable open source LLMs exist:
Llama 3 (Meta): up to 70 billion parameters, hostable on a local server with 2-3 NVIDIA RTX 4090 GPUs.
Mistral / Mixtral (Mistral AI — French): MoE (Mixture of Experts) architecture, very efficient, hostable on modest hardware.
Qwen (Alibaba): multilingual, including Arabic, performant on technical tasks.
Ollama: local LLM hosting tool, one command to run a model locally.
Not the same performance as a frontier model like Claude or GPT-4 — but a thought machine whose G-code you hold. Whose physical address you know. That you can repair if it fails.
The RSCNC32 engraved the Moroccan Gibs because Amine RAITI
held the G-code, knew the machine, and had calibrated every parameter.
AI produces the Opération Dindon corpus for the same reason.
The thought is human. The machine executes.
Nemo supra legem est — not even the Thought Machine.
The term "Artificial Intelligence" is a semantic false friend in the same way as "Sovereign Cloud": it sells a property that is not there. A CNC, a 3D printer, a laser engraver and a language model are all controlled electricity transforming an input into an output according to parameters. The only difference is the working layer — physical for the CNC, logical for the LLM. The mystification of the term "Intelligence" is a commercial strategy serving the same interests as "NoOps," "Serverless" and "Sovereign Cloud."
CNC: input = G-code file · processing = firmware + stepper motor controller · output = machined metal part at 0.01mm precision. Electricity moves motors that move a tool that removes material.
3D Printer: input = STL file + slicing parameters · processing = Marlin/Klipper firmware · output = physical object layer by layer. Electricity heats a resistor and moves a nozzle.
Laser engraver: input = vector file + power/speed · processing = GRBL controller · output = engraved or cut material. Electricity excites a laser diode at a precise wavelength.
Inkjet printer: input = raster file · processing = print firmware · output = printed document. Electricity propels 2-picoliter ink droplets at 1200 DPI.
Language model (LLM): input = token sequence · processing = matrix multiplication across billions of parameters on GPUs · output = most probable token sequence. Electricity moves electrons through 3nm transistors performing floating-point additions.
In every case: controlled electricity → result according to parameters. The CNC works in the physical layer — produces matter. The LLM works in the logical layer — produces symbols. Not a difference of nature. A difference of output domain.
A CNC has 50cm of copper between controller and motors. A GPU cluster for distributed inference has kilometres of InfiniBand cable at 400 Gb/s, microsecond latency between nodes, and HBM memory bandwidth of 2 TB/s per chip. Bare-metal AI demands mastery of low-level network layers (L1/L2) even more rigorous than classical bare-metal — rehabilitating the infrastructure engineer as indispensable guardian of sovereign AI.
In 1956, John McCarthy chose the term "Artificial Intelligence" — not for descriptive precision, but for academic prestige. An LLM does not "understand." It predicts the probability distribution of the next tokens according to weights adjusted during training. Remarkable engineering. Not intelligence in the philosophical sense.
The Operation Dindon corpus documented that "Sovereign Cloud" sells a legal sovereignty that does not exist (physical ✓ / legal ✗). "Artificial Intelligence" is the same deception structure: it sells a philosophical intelligence that does not exist (matrix computation ✓ / intelligence ✗). Both use a strong word ("sovereign," "intelligence") to name the property the client desires without it actually being present.
Every generation experienced its own "incomprehensible revolution." In 1965, the reel-to-reel tape recorder recorded and replayed a human voice — considered almost magical by those who did not understand magnetic induction. In 1975, the VCR captured a television broadcast for replay at will — described as incomprehensible by the uninitiated. In 1980, Teletext transmitted text via the television signal — deemed futuristic and world-changing.
None were magic. All were controlled electricity applied to a new domain. Generative AI in 2024 is at its maturity stage what the VCR was in 1975: impressive for its era, already demystified by engineers who understand its low-level layers, destined to become commonplace in five to ten years. Not a reason to deify it now.
OpenAI, Azure OpenAI, AWS Bedrock, Google Vertex AI — identical discourse: AI is too complex, too resource-hungry, too specialised to deploy without a hyperscaler. Permanent subtext: "You cannot do this yourselves." Exactly the Serverless and NoOps discourse — applied to AI. Partially true for some use cases. Deliberately exaggerated for all others.
When a company uses Azure OpenAI to index internal documents via RAG, it indexes its intellectual property in proprietary vector databases — Azure AI Search, Amazon Kendra, Pinecone on AWS. Documents theoretically remain with the company. Embeddings reside in the hyperscaler's infrastructure. Invisible exfiltration of heritage memory. Using the hyperscaler's AI to index data means giving them the blueprints of the organisation's own applicative black box.
Context Caching API features store internal documentation, source code, business procedures sent with each request in the hyperscaler's clusters — under cover of "security telemetry."
The difference from RAG: RAG exfiltrates structured memory (documents). Context cache exfiltrates living memory — real-time prompts, source code sent with each request. The difference between stealing blueprints and installing a camera in the meeting room. Covered by "telemetry" clauses nobody reads — exactly like Terms §14.12.
Llama 3 (Meta) is under a restrictive commercial licence — prohibition on using weights to train a competing model, restrictions beyond 700 million users. Open-Weights, not Open-Source under OSI. Genuinely free licences: Mistral 7B (Apache 2.0) · Falcon 7B/40B (Apache 2.0). A unilateral licence change can block software infrastructure post-deployment — exactly like a cloud Terms modification.
Replacing OpenAI/Azure API with NVIDIA A100/H100 GPUs solves only one level. NVIDIA owns proprietary locks — CUDA, cuDNN, NCCL — and production depends entirely on TSMC in Taiwan (~90% of advanced chips worldwide). The answer: open abstraction runtimes. ROCm (AMD) · vLLM · Ollama · llama.cpp — run models on heterogeneous hardware. Owning your AI in bare-metal means the parameter file can run on any available silicon.
Having Mistral on vLLM is insufficient if application code is entangled in LangChain abstractions optimised for cloud ecosystems. LangChain and LlamaIndex are designed to interface natively with hyperscaler APIs. Their wrappers push toward proprietary cloud memory or agent functions. Runtime sovereignty requires standardised interfaces — the OpenAI-compatible API exposed by vLLM — and rejection of opaque orchestration frameworks. Software Layer 2 lock-in applied to AI.
Cloud API: billed per token — pure variable OPEX. Bare-metal GPU server: CAPEX + fixed OPEX (electricity, rack, maintenance).
Cloud API cost: N requests × cost_per_token × avg_tokens
Bare-metal cost: GPU_CAPEX / amortisation + fixed_monthly_OPEX
From documented cases: for intensive use (>100,000 requests/day with long contexts), bare-metal becomes profitable in 6 to 18 months. Below this threshold, the cloud API remains competitive. Intellectual honesty requires naming this threshold — not pretending bare-metal always wins.
An AI compute chassis (HGX A100 8 GPUs) consumes 10 to 40 kW per rack. Classical datacentre: sized for 5 to 7 kW per rack. A civil engineering problem that TCO formulas without a datacentre engineer systematically ignore.
PUE factor: for high-density AI compute, PUE 1.5 means 40 kW GPU + 20 kW cooling = 60 kW billed at the floor. Without liquid cooling or hot-aisle containment, operating costs explode.
Complete TCO formula: GPU_CAPEX + cooling_CAPEX + (GPU_kW × PUE × kWh_cost × annual_hours) + maintenance. High-density PUE is what the application engineer forgets and the datacentre engineer cannot ignore.
Weights Sovereignty = Contractual Layer: do I legally own the model without future unilateral restriction? Runtime Sovereignty = Software Layer: do I execute on my infrastructure with an open framework without artificial complexity? Training Data Sovereignty = Material Layer: do I know the foundations of what I use?
Proprietary model · opaque runtime · CUDA locked to TSMC chips · unknown training data = total AI captivity. Same structure as cloud captivity documented in 64 corpus studies.
AI is controlled electricity.
The GPU is hardware.
The model is a parameter file.
Inference is matrix computation.
Everything else is marketing.
Amine RAITI · Operation Dindon · 2026

Education, training, recognition of infrastructure skills.
This study is part of the Opération Dindon corpus, following "Anatomy of the Loss" (dissolution of infrastructure competence), "The Mastery of Iron" (hardware concentration), "The Economy of Silence" (uptime as the sole SRE metric) and "The Silence of the Rooms" (women's absence from infrastructure). It addresses a fourth blind spot: competent profiles excluded from the market by the diploma and certification filter — and puts forward a concrete public policy proposal to correct this filter, using a mechanism that already exists in French law.
At a final-year internship interview, a young man walks in. No engineering degree, no vendor certification, no impressive line on a still-empty CV. But within ten minutes, he explains how he assembled and optimised a cryptocurrency mining platform — hardware selected component by component, cooling calculated, power consumption compressed to a minimum because his grandmother is the one paying the electricity bill.
This young man understands electrical power, thermal dissipation, optimisation under real budget constraints, and hardware cost-to-performance ratios. He taught himself everything, on his own money, under a financial discipline that makes many degreed engineers uncomfortable. He is hired that day. He will become an excellent SRE. He is called "the Blue" — because he arrives without colours, and acquires them quickly.
Electrical optimisation under real financial constraints is one of the most directly transferable skills to datacentre administration. Someone who reduced a mining platform's power draw by 15% to stay within a family budget has practised, without naming it, physical FinOps. This is not a hobby. It is field engineering.
The Blue is not an isolated case. He represents an entire category of profiles that the infrastructure market systematically excludes before the interview — because their competence does not present itself in the right format. This study analyses the mechanisms of that exclusion and proposes a correction lever that already exists in French law.
The word "diploma" is used in this study in a broad sense: it denotes the full set of formal titles — state diplomas, RNCP titles, vendor or publisher certifications — used as entry filters in the infrastructure job market. The critique targets the use of these titles as substitutes for assessing real competence, not their existence or pedagogical usefulness.
A diploma is a proxy. It does not directly measure competence — it measures the ability to have completed a defined curriculum, in a defined timeframe, with the resources needed to do so. This proxy is useful in many cases: it guarantees a common foundation, it reduces recruiter uncertainty when facing an unknown profile, it signals structured learning capacity. These utilities are real.
But a proxy is not a direct measure. When the proxy becomes the sole access criterion, it mechanically excludes all profiles whose real competence exceeds what the proxy can capture. In systems and network infrastructure, this decoupling is particularly frequent — because infrastructure competence is acquired massively through practice, through exposure to failures, through autonomous technical curiosity. Vectors that do not run through formal curricula.
A verifiable minimum theoretical foundation. Exposure to structured working methods. The ability to learn within an institutional framework. These are useful things to verify, and the diploma does it reasonably well for profiles who followed that path.
Competence acquired outside formal education — through self-teaching, personal projects, years of production without a safety net. The capacity for diagnosis under pressure, which is not learned in a lecture theatre. Ingenuity under real constraints, which the Blue developed because his grandmother had no unlimited budget. These competences leave no trace in a diploma system — they leave a trace in the systems that keep running.
A recruiter who uses the diploma as a hard filter acts rationally at the individual level — they reduce their sorting cost. But at sector level, they collectively produce a market that under-uses its pool of real competence and overpays for titles that do not always correspond to operational capability. The aggregated result of individually rational decisions is collectively suboptimal. This is a classic system-level effect.
The previous section described the intern as a profile exposed to extraction without return — they contribute, they leave without guarantees. This description is accurate but incomplete. It only captures one direction of the flow. There is a second, more subtle one, systematically ignored in the discourse on internships: the intern also brings something the team in place does not have.
The senior SRE who has been maintaining a production infrastructure for five years is excellent at what they do. They know their system better than anyone. But their R&D time is zero or close to zero. Production absorbs everything. Deep technology updates, emerging architectures, new approaches — they hear about them, they do not practise them. They are up to date on what is running. They are behind on what is coming.
When the Blue joined the team, he introduced concepts nobody had practised: mining hardware, blockchain architecture, power consumption optimisation under constraint. These were not yet in our infrastructures. They were in his garage. He was six months ahead of the technical subjects that the sector would raise as serious questions two years later. His ignorance of how our system worked was real — and temporary. His knowledge of emerging technical ground was a resource we did not have and could not have obtained any other way.
The intern does not yet carry the constraints of production. They do not have a system to keep alive at 3am. They do not have incident tickets to clear before they can think about anything else. This absence of constraint, which looks like a deficit, is precisely what allows them to spend time on research, experimentation, and exploring technologies that do not yet have an established use case. They explore while the senior maintains. Both are necessary. Neither replaces the other.
The implicit model of an internship is unidirectional: the company transmits its knowledge to the intern, the intern learns. This model under-exploits the relationship. A well-designed internship explicitly formalises the flow in both directions — the intern learns the production system, the team learns from the intern about what they practise outside production. This is not goodwill. It is knowledge management.
This thesis does not apply uniformly to all interns. It applies to actively self-taught profiles — those with an intense personal practice outside the curriculum, like the Blue. An intern without autonomous practice does not necessarily bring fresh knowledge. The condition for activating this reverse flow is the existence of autonomous technical curiosity in the intern — precisely the profile that current recruitment filters tend not to recognise.
Three distinct profiles encounter the diploma and certification filter in infrastructure, through different mechanisms. They share one thing in common: their real competence is systematically undervalued by the formal entry filters of the job market.
The Blue is the archetype. Real technical competence, sometimes surpassing the average graduate, acquired through practice, curiosity and exposure to real problems. His obstacle: he does not pass the automatic filters of ATS (Applicant Tracking Systems) that screen out CVs without a diploma before a human eye reads them. He does not exist for the formal market — even if he has been running production systems for years. His only current lever: finding a recruiter or instructor willing to look at what he can do rather than what he has on paper.
The apprentice faces the opposite situation: institutional legitimacy in the process of being acquired, but treated by the market throughout their training period as a "not yet ready" profile. They are on the ground, genuinely contributing to production, but their "still a student" status creates friction at the point of conversion to permanent employment — some employers prefer to keep the apprentice as an apprentice rather than converting them, for cost and flexibility reasons. The entry pathway recommended by the sector paradoxically produces its own extraction loops.
The intern is the profile most exposed to extraction without return. They make a real contribution — often on tasks the teams do not have time for — and leave without any guarantee of conversion, without formal recognition of their contribution, and sometimes without a usable reference on the job market. The infrastructure internship is structurally imbalanced: the company gets working capacity at marginal cost, the learner gets an experience that does not always translate into market access.
Their obstacles are distinct and their correction levers are too. Treating these three profiles as a homogeneous group would produce ill-suited recommendations. The IDPE proposal in section 5 primarily targets the self-taught. Apprenticeship is already a recommended entry lever — section 5 identifies what it does not solve. The intern question belongs more to employment law and conversion policy than to credential recognition.
To the diploma filter has been added a second lock, more recent and more insidious: vendor or publisher certification imposed as an implicit or explicit access condition on many infrastructure roles. AWS Solutions Architect, Azure Administrator, Cisco certification, VMware certification — these titles have become market signals that recruiters use like the diploma: a competence proxy, with the same advantages and the same flaws.
"Anatomy of the Loss" documented this mechanism from the angle of cognitive capture by hyperscalers: certification does not certify generic infrastructure competence — it certifies mastery of a specific product, in the version that was current when the exam was taken. It is a commercial retention tool as much as a competence recognition tool.
An AWS-certified candidate who has never seen a physical server room, never cabled a switch, never diagnosed a network fault in production at 3am is considered more qualified by many recruiters than a Blue with ten years of bare-metal field experience. This paradox is the direct symptom of the hard limits dissolution described in "Anatomy of the Loss": when physical competence disappears from evaluation criteria, what remains is mastery of service interfaces — and the certifications that validate them.
A cloud or vendor certification costs between €200 and €400 per exam, not counting preparation course costs. For a self-taught person without stable employment or an apprentice in training, this cost is prohibitive. The market therefore requires, to validate a competence often already acquired, a financial investment that excludes precisely the profiles who acquired that competence through their own effort rather than through a funded curriculum. It is an economic filter as much as a credential filter.
The pedagogical programme of this corpus — 26 weeks, from electricity to network security — was designed precisely to restore bare-metal competence, independently of any vendor certification. A learner who completes this pathway has a generic, transferable competence that no cloud certification guarantees. This is not an anti-certification stance — it is a reminder that foundational competence precedes and conditions the relevance of any certified specialisation.
France has a remarkable legal specificity: the title of engineer is not regulated by law. Unlike other regulated professions (doctor, lawyer, architect), anyone can work as an engineer without a formal title — it is the market that decides who is an engineer. What is protected is the title of graduate engineer, awarded by schools accredited by the Commission des Titres d'Ingénieur (CTI).
Within this framework already exists an official mechanism, little known and greatly under-used: the Ingénieur Diplômé Par l'État (IDPE) — the State-Certified Engineer. This state engineering title is accessible to working professionals who, without having followed a standard engineering curriculum, have demonstrated through their career and achievements a competence equivalent to the engineering level. The application is reviewed by a CTI-accredited engineering school, and the final decision belongs to an independent jury.
The problem with the IDPE is not its design — that is sound. The problem is its access schedule: the opening of applications is announced in the Journal Officiel once a year, on an unpredictable date. For a professional who discovers this mechanism outside the annual window, the wait can last up to twelve months. For a self-taught person actively seeking employment, this administrative friction is often disqualifying. The Blue cannot wait for the next JO to be recognised.
1 — Application window announced in the Journal Officiel (once a year, variable date)
2 — Application submitted by the candidate to a CTI partner school
3 — Application reviewed by the school (analysis of career, achievements, competences)
4 — Appearance before a jury that rules on equivalence with the engineering level
5 — State-certified engineer title awarded if the jury is in favour
The process is rigorous and legitimate. The annual calendar constraint is the only artificial barrier to remove.
The proposal is simple to state, precise to implement, and requires no new mechanism to be created: remove the annual Journal Officiel calendar constraint and allow CTI-accredited engineering schools to process IDPE applications in continuous sessions, year-round, on a case-by-case basis.
The mechanism remains identical to today — application, school review, jury, decision. Only the time constraint is lifted. A Blue who discovers the IDPE in January can submit his application in January. A CTI school with a standing jury can review it in March. Recognition no longer depends on an unpredictable annual administrative window.
A self-taught infrastructure professional with ten years of bare-metal production can have their level validated by a CTI school, obtain a state-certified engineer title, and present themselves to the market with official recognition of what they actually are. They stop being invisible to automated filters. They can apply for positions that formally require an engineering degree. The title reflects the competence rather than replacing it.
Processing an IDPE application represents a time cost for the school (file analysis, jury constitution and convening). This cost can be covered by processing fees, as is the case for VAE in other curricula. The school finds a complementary revenue model alongside its core activity, and a grounding in the local professional fabric. This is not a free service — it is a fee-based service that benefits both parties.
The IDPE title is already awarded by a jury of graduate engineers, under the same standards as the CTI title. It is not a lightweight title — it is an alternative access pathway to the same title. Devaluation would come from lowering jury standards, not from opening the calendar. Making access continuous does not change the criteria — it removes an administrative friction that has no technical justification.
The Validation des Acquis de l'Expérience (VAE — Recognition of Prior Learning) already allows degrees and titles to be obtained through recognition of professional experience. A permanent IDPE would be its specific version for the engineering title — with the additional rigour of the CTI jury. These two mechanisms should be explicitly articulated, to create a continuum of recognition for non-formal competences that runs from RNCP titles up to the state-certified engineer title.
The Blue exists. He works in production. He maintains infrastructures that others cannot debug. He deserves a title that says what he is — not a blank page that says what he does not have.
Opération Dindon is a corpus of more than thirty structural studies. Each thesis — the metal precedes the code, no sovereignty without matter, mastery of iron, transmission of tacit knowledge — has its origin in lived experience. This document traces that experience in eight episodes. It does not replace the studies — it says where they come from. And it answers the question every corpus reader eventually asks: who is the man writing this, and why should one believe him?
Amine is born into a world of contrasts. He grows up between town and primitive countryside — on one side the beginnings of modernity; on the other, a world without a tap or electrical socket. When water does not come from an API, you manage your own storage and latency: the path to the well.
This is the real Bare-Metal. Not as a datacentre concept — as daily reality. Resilience is not a property of a distributed system. It is a way of living when there is no safety net.
What this episode gives the corpus: "No Sovereignty Without Matter" is not an abstract thesis. It is a lesson learned before age six. Sovereignty means knowing where the water comes from — and being able to fetch it yourself when the API goes down.
A great-uncle, engineer at OCP Group, becomes the first maâllem. He opens electrical cabinets and shows how to tame lightning. Electrical current is not an abstraction — it is something one sees, hears, can touch (carefully) and can master.
Simultaneously, Amine gets his hands on a Sakhr computer. It is love at first sight — in both senses of the phrase. He understands that the world divides in two: those who submit to physics and those who programme it.
What this episode gives the corpus: the chain V = R × I → LED → motor → Arduino → GPU → AI finds its origin here. The OCP great-uncle is the first link in the educational chain that the corpus proposes to every physics teacher who reads the Anti-Amputation Foundation.
What the great-uncle did — opening an electrical cabinet and showing the inside — is exactly what the Anti-Amputation Foundation asks secondary school physics teachers to do. The explicit invitation: "come and see what is inside." This gesture, repeated at national scale, is the deamputation. It worked for Amine. It can work for thousands of others.
Science lycée by day, shadow antenna technician by evening. Amine climbs rooftops to align satellite dishes. He dives into the electronics of satellite receivers for pocket money. He does not merely study automation and networking at school — he practises them in the field, soldering iron in hand.
Satellite signals are not abstractions in a physics lesson. They have a frequency, a polarisation, a measurable power level. A dish alignment to one tenth of a degree makes all the difference. Precision is not a quality — it is a necessity.
What this episode gives the corpus: "The Foundation of Iron" speaks of 26 weeks of training from electricity to Kubernetes. Episode 3 says that this foundation can also be learned on rooftops, at night, with a multimeter and personal motivation. On-the-job training is sometimes more effective than classroom training.
Before automating €18,000 servers, Amine works at the component level. Independent, he resurrects televisions, Nokia phones, liberates Canal+ decoders. This is where he forges what the corpus calls "sacred respect for the Metal".
For him, if you do not know what is under the bonnet, you control nothing. An engineer who has never opened a server, never replaced a power supply, never read BIOS logs understands infrastructure like a driver who does not know what is under the car bonnet. They manage in good weather. They are lost when it breaks down.
What this episode gives the corpus: "The metal precedes the code" is not a slogan. It is a conviction forged by resurrecting televisions in a workshop. And this conviction is the foundation of everything: the RSCNC32, the Moroccan Gibs, the Anti-Amputation Foundation, and the central argument of Opération Dindon.
Amine formalises his expertise at the Telinf centre in Paris. He is good enough to go from student to teacher. He teaches systems and networking while mentoring future engineers at EPF Engineering School in Sceaux. This is the era of transmission.
Transmission is not a complement to expertise — it is its ultimate test. An engineer who cannot explain what they do to someone who does not yet know it does not truly master their subject. Teaching forces clarity. It reveals what one believes one understands but does not yet understand well enough to explain.
Teaching since 2006 — this date in the signature is not a CV line. It is a continuity. Twenty years of transmission, first in an engineering school, now via the Opération Dindon corpus.
What this episode gives the corpus: "The Digital Craftsmen", "The Mentor and the Metal", "The Anti-Amputation Foundation" — these studies on transmission are written by someone who has taught. Not by someone who has read articles about teaching.
Theory is over — on to the sacred fire of operations at Ecritel. Amine starts in proximity support and ends as Head of Operations at OXYD. He manages datacentres, masters Linux servers, and learns that High Availability is not a concept — it is a promise kept every night on call.
This is where the experience documented in "The Accompanied Exodus" is born — migrations from A to Z, three-party meetings, root access, the TAD, the COPILs. Not technical literature — lived operational experience, night after night.
What this episode gives the corpus: "The Pager and the Body", "The Economy of Silence", "The Silence of the Rooms" — these studies on the invisible burden of operations are written by someone who has been on call. By someone who knows what it feels like to receive an alert at 3am and know they are the last resort.
Direction Weborama. Amine becomes SRE and Head of Datacentre. He manages massive data volumes and millisecond-precise response times. This is where he sharpens his philosophy: optimise the iron so as not to fatten the cloud unnecessarily.
FinOps of the Last Gram is not a technique — it is a posture. Every euro spent on compute must be justified by a real need, not by the convenience of ticking a box in a cloud console. Performance and sobriety are not antagonists — they are two sides of the same discipline.
This is also where the central conviction of Opération Dindon takes shape: hyperscaler cloud is not the future — it is one tool among others. And a tool whose physical substrate one does not master is a tool over which one is not sovereign.
What this episode gives the corpus: "FinOps of the Last Gram", "No Sovereignty Without Matter", "The Digital Ground" — these studies are written by someone who has optimised bare-metal servers against cloud offers, and made the real calculation, euro by euro, millisecond by millisecond.
The top of the pyramid. Head of SRE. Amine no longer merely manages servers — he defines the vision. He advocates GitOps, total automation and a return to pragmatism. He knows how to build complex infrastructures, but always keeps in mind the lesson of the well: simplicity and robustness above all.
The Head of SRE's vision is simple and direct: an infrastructure that works at 3am without human intervention is a well-designed infrastructure. An infrastructure that requires a permanent engineer on call is a poorly designed — or poorly documented — infrastructure.
What this episode gives the corpus: "Technical Primacy", "The Digital Craftsmen", "The Uniform of the Body" — these studies on technical authority and the visibility of the infrastructure body are written by someone who has exercised that authority, who has measured its absence, and who knows what is missing when it does not exist.
From a well without a tap to the architecture of critical infrastructures.
From a soldering iron on rooftops to the definition of technical sovereignty.
From the OCP great-uncle who opens an electrical cabinet
to the thirty studies of Opération Dindon asking AWS to answer.
The chain is continuous. It has no rupture.
That is why the corpus is not theoretical.
This document requires no programme change. No extra session. No coordination with other teachers. No authorisation. No special training.
The teacher writes the formula on the board exactly as they always have. Then they place the object on the desk. 90 seconds. The lesson continues.
That is all. It is enough. And it is what some teachers already do — without naming it, without claiming it, without waiting for a reform to ask them to.
They write the formula on the board as usual. Nothing changes in the lesson. The formula is there — sin(θ), πr², a²+b²=c².
They pull the object from the bag and place it on the desk — or pass it around. 90 seconds. They show the link between the formula and the object. One sentence is enough.
The object stays on the desk or goes back in the bag. The lesson resumes exactly where it was. Nothing was sacrificed. A seed was planted.
Moment A — Just after writing the formula, before the first numerical example. The teacher writes the formula, turns around, pulls out the object: "Before we calculate — here is what this looks like in the real world." Then they put it away and resume.
Moment B — When a student asks "what is this good for?" The teacher pulls out the object: "Good question. Look." 90 seconds. Question answered. It is no longer hanging in the room.
Moment C — At the start of the lesson, before writing anything. The teacher places the object on the desk without a word. Students look. Then they write the formula. Curiosity is already there.
The object does not replace the lesson. It does not supplement it. It gives it a physical meaning for 90 seconds. That is all. That is enough. The student who has seen the screw turn and the carriage advance will never again look at sin(θ) as an abstract symbol.
These 12 objects cover the entire secondary mathematics curriculum.
They fit in a bag. They cost less than €30 in total.
They each take 90 seconds.
And they finally answer the question every student has asked at least once:
"Sir, what is this good for?"
The contractual and architectural lock-in of large organisations is not a financial misstep. It is a cognitive bias cultivated over fifteen years of education that taught the future decision-maker that abstraction is superior to matter — and that touching the physical is a regression. This study traces the causal chain from the classroom to the boardroom, from sin/cos without application to the server rack one refuses to look at, from the question never truly answered to the cloud invoice never truly calculated. It is also a tribute to the mathematics teachers who answered differently — and who, without knowing it, changed trajectories.
"Sir, what is this good for?"
— Every student, at some point in their schooling
School teaches π, sin, cos, If/Then structures, functions, vectors — on blank paper, in decontextualised exercises, with numerical values that represent nothing in the physical world. Mathematics is taught as an autonomous discipline with its own internal logic, its own notation, its own exercises. "Applied problems" exist — but as a complement, as a special case, never as a starting point.
What the student implicitly understands: mathematics matters in itself, independently of its application. The act of application — measuring, assembling, wiring, building — is secondary. And when they ask "Sir, what is this good for?", the answer is too often: "It's useful for higher education" or "It develops logical thinking" — true but abstract answers that show nothing, that do not let the student *see* what it is good for in their present life.
A student who can calculate sin(30°) = 0.5 but does not know it is the ratio between two sides of a real triangle. Who knows π ≈ 3.14 but has never measured the circumference of a cylindrical object to verify it. Who solves quadratic equations but does not know they describe the trajectory of a projectile or the shape of a parabolic reflector.
When theory always precedes application — and when application never arrives — application becomes optional. And when application is optional, physical matter becomes foreign territory. Not incomprehensible — but unfamiliar, undesired, unvalued. The rupture between mind and matter is artificial. It is built by the pedagogical order. And it is durable.
Mathematics is beautiful. π is a universal truth. Sines and cosines describe the world with a precision words cannot reach. This study does not say mathematics is bad. It says mathematics taught without ever showing what they are good for in the physical world produces decision-makers who have learned to value abstraction and to despise matter. And this contempt has a cost.
No teacher explicitly says: "Mathematics is superior to technology." Nobody writes in an official curriculum: "The manual gesture is inferior to abstract concept." But the student understands it anyway — through the implicit signals the system sends:
Students who succeed in mathematics go to science streams, then preparatory classes, then the grandes écoles. Students who struggle go to technical or vocational streams. The hierarchy of destinies mirrors the hierarchy of disciplines. Being "good at maths" opens all doors. Being "good with your hands" closes some.
The result: the act of transforming matter — the workshop, the wiring, the soldering iron, aligning a satellite dish — is associated with academic failure, not with intelligence. The student who succeeds in abstract mathematics learns to value abstraction. The student who struggles learns to despise what they are good at — because school told them it counts less.
"The Global Anatomy of Amputation" documented Stage -1 — the bifurcation at age 12 that specifically affects girls. The hierarchy of contempt applies differently by gender: the technical gesture is doubly marginalised for girls — too "manual" to be noble, and associated with a male world. A 12-year-old girl interested in antennae, circuits and machines finds no models in the cultural representations of her school environment.
It is not that girls are less capable of understanding sin and cos on a parabola. It is that nobody shows them a parabola. And when the parabola is not shown, neither is the fact that maths are what make it work. The hierarchy of contempt amputates twice: first the physical gesture, then girls from the physical gesture.
The decision-maker who emerges from fifteen years of education with this hierarchy in their mind arrives in the boardroom with an unconscious bias: abstraction is intelligent, matter is thankless. Cloud — pure abstraction, invisible, no physical mess, sold with sophisticated technical vocabulary — is conformant with their value hierarchy. The server rack in the equipment room — physical, cabled, dusty, failing at 3am — is non-conformant. They do not need to do the financial calculation to choose. The school hierarchy chooses for them.
For years of mathematics lessons, sine and cosine were symbols on a page. We calculated them, memorised them, applied them in exercises. But there was no physical meaning — no reality to attach them to.
Then came the day of aligning a satellite dish. The question was concrete and urgent: where to place the LNB so that the satellite signal arrives correctly? The answer required calculating the focal distance based on the dish diameter and the satellite elevation angle. A protractor was needed. Sine and cosine were needed to determine the parabola's geometry. It was necessary to understand that the parabolic curve concentrates waves at a single point — the focal point — and that the LNB position must correspond exactly to this point.
At that moment, sine and cosine ceased to be symbols. They became tools on which the physical result depended: either the signal arrived, or it did not. No mark out of twenty. No correction possible the next day. Either it worked or it did not. And for it to work, one had to understand — truly understand — what these functions describe in real space.
The understanding gained that evening, on a rooftop, never left.
A guilloché is a complex geometric pattern — rosette, spiral, interlace — whose main property is to make photocopying impossible. These patterns are produced by parametric equations involving trigonometric transformations: rotations, sinusoidal curves, spiral windings.
To create a security document with guillochés, it was necessary to understand what sin and cos do in two-dimensional space — how a trigonometric oscillation produces a curve, how the superposition of several oscillations produces a complex pattern not simply reproducible by photocopying. Trigonometry became necessary to produce something beautiful, useful, and technically irreducible to a simple copy.
Sin/cos/tan became the key to an aesthetic and a security property. Not an exercise.
In both cases, it was *necessity* that produced understanding — not academic constraint ("you must learn this for the exam") but real necessity ("if you do not understand this, your LNB will be mispositioned and you will have no signal"). Application created motivation. Motivation produced learning. And learning acquired in this context stayed — because it was anchored in a lived physical experience.
The natural order of human understanding is: real problem → necessity → learning the theory → durable mastery. School does the opposite: theory → exercises → optional application. And when application is optional, it disappears.
The Opération Dindon corpus documented the 7.5× ratio between the GCP VM and bare-metal. It documented California jurisdiction in the Terms, noncancellable commits, egress fees, TSMC, the IME. These figures are true and verifiable. They are not enough to convince every CIO. This section explains why.
A rational buyer comparing €180,000 vs €24,000 over 5 years chooses €24,000. They do not need 30 structural studies to be convinced. If CIOs continue choosing cloud after seeing the figures, their decision is not purely economic. It is also cultural. And cultural biases are not corrected by Excel spreadsheets.
Cloud-native conforms to what fifteen years of education taught one to value: modern, abstract, invisible, no physical mess, with sophisticated technical vocabulary (Serverless, Cloud-Native, Zero-Ops, Infinite Scalability). It resembles what school calls "intelligent".
Bare-metal does not conform to this hierarchy: physical, cabled, in a room that smells of circuit boards, failing at 3am and requiring one to put their hands in the rack. It resembles what school calls "manual".
The CIO does not choose cloud because they have not seen the figures. They choose it because cloud conforms to the value hierarchy that fifteen years of education built in their mind. And this hierarchy does not change with a financial argument — it changes with a foundational experience that shows physical gesture produces intelligence. Like the satellite dish on the rooftop.
"The Thought Machine" documented that AI amplifies what the human brings. If the human was trained to bring only abstractions disconnected from reality — because school taught them that is all that matters — then AI amplifies disconnected abstractions. AI calibration is a physical skill as much as an intellectual one. Prompt engineering without grounding in understanding physical machines produces generic results. Amine RAITI's prompt engineering — grounded in twenty years of bare-metal operations — produces the Opération Dindon corpus.
The central proposal of this study is not a curriculum reform. Not an additional budget. Not a new compulsory subject. It is a posture — that of a mathematics teacher who understands they are the gatekeeper of all other disciplines.
The mathematics teacher is the only one who holds the tools of all disciplines: sin and cos serve wave physics, servo technology, the art of guillochés and rosettes, computing algorithms for rotation, music frequencies. They teach before the others — their concepts arrive first in the student's journey. If they do not make the connection, other teachers receive students unable to see the continuity between theory and their discipline.
The idea is not that the maths teacher becomes a teacher of everything. It is that they pass the baton. They show the connection — and they say: "To see how this applies in electronics, ask your technology teacher. To see how it produces a rosette, look with your art teacher. To see how it determines a satellite's position, explore with your physics teacher." They are the conductor who gives the tempo — the others play their parts.
One session per term where the mathematics teacher brings a real-world object:
— A small satellite dish and protractor: "Calculate the focal length based on the diameter."
— A 3D-printed gear: "Find the gear ratio from the geometry."
— A security guilloché document: "Identify which trigonometric transformation produced this pattern."
— An architect's plan: "Calculate the real surface area from the scale and measurements."
— An Arduino and an LED: "Write the function that blinks the LED 440 times per second — the frequency of concert A."
Not in official curricula. Not assessed. Not graded. One hour per term during which the mathematics teacher tells their students: these symbols you are learning are not ends in themselves — they are tools. Here is what they are good for in the world.
A student who has seen, once, what sin and cos are good for in a satellite dish will never look at sin and cos the same way again. They will have an anchor. And this anchor, twenty years later, will be the difference between the CIO who signs for AWS because cloud conforms to their value hierarchy — and the one who says: "Wait, let us calculate the real TCO, and explain to me why we cannot have our own rack."
The difference between the CIO who signs for AWS and the one who knows the corpus is not a difference of intelligence. Not a difference of academic training. It is a difference of informal education — a great-uncle who opens an electrical cabinet, a night on a rooftop with a protractor, a security document to guilloché.
Informal education should not be the only door to technical sovereignty. That is why the mathematics teacher is the entry point — because they have access to all students, not just those fortunate enough to have an engineer great-uncle.
This study is not a charge against mathematics teachers. It is a tribute to the rare few who, at some point, pulled something out of their bag to show what maths are good for in the real world. These teachers exist. They are rare — not because they lack competence or curiosity, but because the institution does not ask them to do it. Pulling out a satellite dish in maths class means stepping outside official curricula. It is taking a minor but real professional risk. It is choosing to truly answer "Sir, what is this good for?" rather than responding "It's useful for higher education."
These teachers changed trajectories without knowing it. Some of their former students now manage critical infrastructure, train engineers, or write corpora on digital sovereignty. They do not know they planted the seed.
The Anti-Amputation Foundation proposes 56 hours over 7 years to reverse the amputation. This study adds that the first gesture does not belong to the technology teacher — it belongs to the mathematics teacher. Before a student can understand why to blink an LED with an Arduino, they must understand that the mathematics they learn describe the physical world. And this connection, only the mathematics teacher can show first — because they arrive first in the student's journey.
Mastering tomorrow's great AI models requires minds capable of switching instantly from abstract equation to the muscular gesture of hardware configuration. This switching begins when the mathematics teacher pulls a satellite dish from their bag and asks the class: "Who can tell me how to position the LNB to receive the signal?"
Amine RAITI understood sine and cosine on a rooftop,
in the dark, with a protractor and an LNB in his hands.
This is not exceptional — it is normal.
What is exceptional is that school does not offer this to all students.
And this difference, thirty years later,
is measured in cloud invoices and lost sovereignty.
The Opération Dindon corpus built three layers: the Ticket and the Talent (nomenclature), the Foundation of Iron (training), the Uniform of the Body (visibility). The fourth was missing — legal protection. Without it, the other three remain recommendations without force. This study proposes the mechanism that makes them binding: elastic Syntec, applicable to infrastructure teams regardless of the sector employing them, on the model of the Compagnons du Devoir.
On 15 April 2019, the spire of Notre-Dame de Paris collapsed. Hours after the fire, the question of reconstruction arose. Plans existed — archives, photogrammetric surveys, 3D models. What did not exist in sufficient quantity was the hand that knows how to transform these plans into physical reality. The knowledge of hewing oak as in the 13th century. The gesture of laying dressed stone without visible joints. The craftsman's bodily memory.
The Compagnons du Devoir is an organisation founded in the Middle Ages whose sole purpose is the transmission of tacit knowledge in manual trades. Carpenters, stonemasons, roofers, joiners. This knowledge is not in books — it is in hands, in gestures, in the daily decisions that only an experienced practitioner makes without realising it.
Without the Compagnons, Notre-Dame's reconstruction would have produced a technically correct and aesthetically approximate building. With them, the nave's timber frame was reconstructed in oak, using medieval techniques, with original assemblies — wooden pegs, no nails. This is not nostalgia: it is heritage sovereignty. France was able to rebuild Notre-Dame identically because an organisation had refused to let a knowledge die that nobody thought urgent to preserve.
When the last bare-metal SRE leaves — the one who can hear an anomaly in fan noise, read a network incident from raw metrics, who installed their first servers by hand before cloud existed — the runbooks will be there. The procedures will be documented. The AWS console will be available. But the tacit knowledge will have left with them. And the next major infrastructure crisis will produce an organisation that fumbles, calls consultants, starts from zero. Exactly like Notre-Dame without the Compagnons.
The Compagnons preserved their knowledge because they organised its transmission before the emergency arose. Not after the fire — before. The infrastructure body must do the same. "The Departure of the Last One Who Knows" is not a hypothetical future event — it is happening now, progressively, invisibly.
The Compagnons du Devoir are not a living museum. They are 11,500 young people in training across 70 houses throughout France, supervised by experienced craftsmen, with an organisation structured around transmission and itineracy. Their architecture is transposable — not identically, but in its principles.
The Tour de France: the young craftsman travels France — working successively with different masters, in different regions, exposing their knowledge to varied contexts. Not nomadism — structured training through contextual diversity. The Digital Craftsmen are open to all — equal access to grades regardless of gender is a founding condition of the association. The digital equivalent: structured rotation between different organisations (consulting firm, large corporation, public administration, startup, software publisher) for 12 to 24 months.
Compagnonnage: transmission does not happen in classrooms — it happens side by side, on the worksite, in real conditions. The master works, the apprentice observes, then does, then is evaluated. This is exactly the Observation Day documented in the corpus — extended to a structured relationship over months.
Grades: aspirant (in training) → compagnon (received) → master craftsman (transmitter). Each grade is open to all, equally. Each grade is earned through evaluation of the masterpiece — a concrete achievement judged by peers. The equivalent: aspirant SRE / compagnon SRE / master SRE, with a real technical project as reception masterpiece.
The Charter: the craftsman signs a body membership charter — commitment to transmission, quality, professional conduct. Not an employment contract — a commitment to the body.
The compagnon secret, initiation rites, esoteric symbols — these elements have their logic in the Compagnons' history but are not transposable to digital infrastructure. What we extract: the transmission structure, the grades, the formative itineracy, the membership charter. The form without the esoteric content.
The Syntec collective agreement (IDCC 1486) is the reference convention for technical consulting firms, engineering companies and technology consulting firms in France. It covers approximately one million employees — including a large share of infrastructure engineers in consulting and technology firms. But it does not cover the SRE engineer working in-house at a bank, a hospital, an industrial company or a local authority.
— Minimum salaries by coefficient (200 to 900+) with a three-category classification grid (ETAM, Engineers and Executives, Assimilated Executives).
— Regulation of day-rate arrangements (RTT, compensatory rest).
— Right to professional training with a specific budget.
— Enhanced healthcare and life insurance.
— Regulated mobility and relocation clauses.
— Redundancy payments above the legal minimum.
The SRE engineer in a bank is covered by the banking collective agreement (IDCC 2120) — a convention designed for banking roles, not technical ones. The SRE engineer in a hospital is covered by the hospital convention — designed for healthcare workers and administrators. The SRE engineer in the oil industry is covered by the petroleum convention. In all these cases, the applicable convention ignores the specificities of the infrastructure role: technical night on-calls, unmeasurable tacit knowledge, progression by competence rather than seniority, profile scarcity and the market salaries reflecting it.
Journalists benefit from the national journalists' collective agreement regardless of the sector of the company employing them — press, television, web, communications agency. A journalist in an advertising agency remains covered by the journalists' convention, not the advertising convention. This mechanism exists. It is legally established. It protects the profession wherever it is found, not wherever its employer is found. Infrastructure can and must work the same way.
Elastic Syntec is not a new collective agreement. It is an extension mechanism for the existing Syntec's scope of application, activated by three objective conditions, guaranteeing the infrastructure engineer the protection of their professional convention regardless of their employer's sector.
Principle: when the employer's collective agreement is less protective than Syntec for the infrastructure roles listed in the nomenclature (SysOps/NetOps/OpInfra, six levels), Syntec applies by primacy. This mechanism already exists in French labour law — the favourability principle (Article L2254-1 of the Labour Code) allows a branch agreement to take precedence over a less favourable company agreement. Extension to inter-branch primacy requires a branch agreement or extension decree.
Condition 1 — Recognised role: the position is listed in the SysOps/NetOps/OpInfra nomenclature documented in "The Ticket and the Talent" — or in the official list of Syntec infrastructure roles to be created by branch agreement.
Condition 2 — Time threshold: the employee dedicates more than 50% of their effective working time to missions falling within the listed infrastructure roles. This threshold is documented by the job description and verifiable by HR audit.
Condition 3 — Title or certification: the employee holds an infrastructure RNCP title (Foundation of Iron pathway or recognised equivalent) or a professional certification recognised by infrastructure Syntec. This condition protects the mechanism against classification abuse.
— Application of Syntec minimum salaries by coefficient, above the employer convention's minimums in under-paying sectors.
— Regulation of technical night on-calls (The Pager and the Body) with mandatory premiums.
— Right to infrastructure training (Foundation of Iron) on employer budget.
— Mobility clause protection — the infrastructure engineer cannot be relocated without respecting Syntec notice periods.
— Recognition of tacit knowledge in the classification grid — progression is not solely linked to seniority.
Aligned with the SysOps/NetOps/OpInfra nomenclature and existing Syntec coefficients:
Support / proximity technician (L1): coeff. 200-250 → €24,000-27,000 gross annual minimum.
Field technician (L2): coeff. 250-300 → €27,000-32,000 gross annual minimum.
Junior administrator (L3): coeff. 300-395 → €32,000-38,000 gross annual minimum.
SRE engineer (L4): coeff. 395-500 → €38,000-50,000 gross annual minimum.
Lead SysOps / Lead NetOps (L5): coeff. 500-660 → €50,000-65,000 gross annual minimum.
Principal SRE / Architect (L6): coeff. 660-900 → €65,000-90,000 gross annual minimum.
"The Pager and the Body" documented the cortisol debt of night on-calls. Elastic Syntec must specifically regulate infrastructure on-calls:
— Maximum 8 on-call weeks per quarter per engineer, mandatory documented rotation.
— 25% salary premium for any effective intervention between 10pm and 7am.
— Mandatory compensatory rest after any night intervention exceeding 2 hours.
— Prohibition of consecutive on-call exceeding 7 days without written employee agreement.
Syntec already requires a percentage of payroll dedicated to training. Elastic infrastructure Syntec mandatorily directs part of this budget toward recognised infrastructure training — Foundation of Iron, neutral certifications (Linux Foundation, HashiCorp, CNCF) — not exclusively hyperscaler cloud certifications that reinforce lock-in. This is the correction mechanism for the CPF Misused documented in the corpus.
Elastic Syntec protects the body through law. The Digital Craftsmen preserve it through transmission. Both are necessary. Both are complementary. Syntec without transmission produces rights without knowledge. Transmission without Syntec produces knowledge without protection.
Legal form: non-profit association, funded by member contributions and conventions with partner companies (which host craftsmen on rotation).
Grades: Aspirant SRE — any gender (on digital tour, < 3 years experience) / Compagnon SRE (received after masterpiece, 3-8 years) / Master Compagnon SRE (recognised transmitter, > 8 years, minimum mentoring commitment of 1 aspirant/year).
The Digital Tour of France: structured rotation of 12 to 24 months across 3 to 5 partner organisations from different sectors — a consulting firm, a major corporation, a public administration, a startup, a software publisher. Each rotation: 3 to 6 months minimum, with a Master Compagnon referent in place.
The Reception Masterpiece: real technical project carried out in operational conditions — infrastructure migration, deployment of a bare-metal monitoring system, construction of a CI/CD pipeline. Evaluated by a peer jury (Master Compagnons — all genders).
The Charter: commitment to transmission (minimum 1 mentored aspirant per Compagnon, any gender), technical quality, technological neutrality (no hyperscaler evangelism).
The Master Compagnon SRE — woman or man — is the corpus's M3allem — the transmitter whose mechanism "The Mentor and the Metal" documented and "The Teacher's Manifesto" positioned. The Digital Craftsmen are fully open to women: equal access to all grades is a founding condition, not an aspiration. No longer an isolated individual transmitting in the shadows — a body that perpetuates itself, in all its diversity.
The Opération Dindon corpus has built a four-layer model. Each layer is necessary. None is sufficient alone. Together, they constitute what no French organisation has yet built for its digital infrastructure — a complete professional body, named, trained, visible and protected.
The Ticket and the Talent
SysOps / NetOps / OpInfra
6 levels · Non-Dilution Rule
→ Name the body
The Foundation of Iron
26 weeks · FR and EN
Electricity to Kubernetes
→ Train the body
The Uniform of the Body
5 levels · 5 signals
White coat · Black suit
→ Make the body visible
The Digital Craftsmen
Elastic Syntec + Compagnonnage
Rights wherever employed
→ Protect the body
Digital infrastructure is not a sector like others — it is the substrate of all sectors. A bank without infrastructure stops. A hospital without infrastructure stops. A public administration without infrastructure stops. It is precisely because infrastructure is transversal that it must be protected by a transversal convention. Elastic Syntec says what French labour law has not yet said: the infrastructure engineer is not defined by the sector employing them — they are defined by the profession they practise. And this profession deserves protection commensurate with its actual importance.
Without the Craftsmen, Notre-Dame would look like La Défense.
Without legal protection, infrastructure looks like any other employee.
These two realities share the same remedy: an organised, transmitting, protected body.
This plan details, week by week, the pedagogical foundation presented in the "Anatomy of the Loss" document of this corpus. The pathway follows a deliberate progression principle: three weeks of compressed conceptual fundamentals, then a constant climb toward directly employable skills — systems, middleware and networking, which represent 19 of the 26 weeks, or 73% of total time. The goal is not general technical culture: it is producing people ready for production, in six months, on a complete foundation from iron to network. Each brick in the final block strictly prepares the next, following a chain of technical dependency rather than an administrative category.
The pathway follows a strict prerequisite chain: foundational networking (OSI, addressing, VLAN, routing) precedes every service that depends on it. DHCP is taught once subnets and VLANs are already mastered — addresses are distributed within a topology already understood. DNS precedes Active Directory, of which it is a genuine technical prerequisite. GPO is no longer taught in isolation midway through the OS block: it is grouped with Active Directory, immediately after, as the feature it actually is. Each week builds on the previous one's acquired knowledge rather than on an administrative category (OS / Middleware / Network) disconnected from the real technical logic.
These three weeks do not aim at expertise but at founding intuition: understanding that all infrastructure rests on electricity, that all data reduces to binary states, and that all computing logic is built from real physical gates. This is a conceptual foundation, not a professional end goal — it underpins the blocks that follow, which occupy the bulk of the training time.
The longest block of the programme — 9 weeks, 35% of total training time. This is the most directly marketable skill on the job market.
Group Policy Objects (GPO) have been removed from this week. GPO is an Active Directory feature, which is only introduced in week 22 — teaching it here would mean presenting a tool without the service it depends on. Week 12 therefore focuses on standalone Windows administration (local accounts, NTFS permissions), which logically prepares for directory-based administration, introduced later once networking and DNS have been acquired.
At the end of this block, the trainee has installed, configured, secured and defended a complete bare-metal environment including two operating systems, virtualisation, backup and hardening. At this stage, this is already an employable skill for a junior systems technician role — the following two blocks (networking, directory and application services) add the depth needed for full autonomy.
This block is now placed before all the network application services (DHCP, DNS, Active Directory) for which it is a direct prerequisite.
With OSI, addressing, VLANs and routing mastered, the trainee now has the complete topology on which the following three weeks will rely: DHCP distributes addresses within subnets that are now understood, DNS resolves names on infrastructure that is now mapped, and Active Directory will be installed on a network whose segmentation is already mastered.
Active Directory technically depends on a functioning DNS service for locating domain controllers and resolving service records (SRV). Teaching DNS right before Active Directory is not an arbitrary scheduling choice: it is a genuine technical prerequisite, which prevents the trainee from configuring a directory on a service they do not yet master.
GPO is deliberately taught only after Active Directory, on which it technically depends, rather than earlier in the OS block. This grouping — Active Directory then GPO, across two consecutive weeks — respects the real dependency: one cannot administer group policies on a directory that does not yet exist.
These two bricks have a lighter networking dependency and can simply build on the base already acquired (addressing, DNS) without requiring any additional prerequisite.
The week 26 defence does not cover a single isolated brick. It covers the entire chain built since week 8: Linux and Windows servers on bare metal, VLAN segmentation and routing, working DHCP and DNS, an Active Directory directory with group policies, web and database services, all secured by filtering rules. This is the demonstration that each week genuinely prepared the next, rather than a sequence of independent modules.
By the end of the 26 weeks, the trainee has demonstrated, through two defences (week 16 and week 26), complete integration competence: understanding the electricity and logic underlying all digital systems, automating a physical process, diagnosing and assembling hardware, managing storage at the disk level, installing and securing Linux and Windows operating systems in production, mastering foundational networking (OSI, addressing, VLAN, routing) before deploying the services that depend on it (DHCP, DNS, Active Directory and its group policies), then enterprise application services (web, database), and finally securing the whole through filtering.
This plan is not a theoretical proposal: it is the detailed restitution of the pathway completed by the author in 2005, at a vocational training centre for jobseekers, reordered here according to a strict chain of technical dependencies rather than by administrative category. Its relevance today directly responds to the cognitive mechanism described in "Anatomy of the Loss" — a complete technical framework, acquired in the right order, allows a professional to spontaneously propose architectures outside the trio cloud's sole ecosystem, because they have an end-to-end understanding of it, rather than a collection of disjointed modules.
This foundation does not oppose current DevOps or cloud skills. It complements them. A professional trained on this pathway, then later exposed to modern orchestration and automation tools, holds both frameworks — the abstraction and the hardware it covers — which is precisely the scarce competence this corpus identifies as the lever for reconquering digital sovereignty.
This study is part of the Opération Dindon corpus, following "The Blue — What the Diploma Does Not Measure". It addresses the funding of infrastructure training and the recognition of non-formal competences. It puts forward a concrete proposal articulating three existing mechanisms — pooled CPF rights, France Travail, and VAE-IDPE funding under decree 2025-663 — to build a complete, profile-differentiated access route. No new legal mechanism is needed. The tools exist. The connection is missing.
The Compte Personnel de Formation (CPF — Personal Training Account) is credited at €500 per year for every employee, capped at €5,000 (€8,000 for less-qualified workers). Millions of accounts reach their ceiling without ever being used. The account holder does not know the rights exist, finds no relevant training in the catalogue, or deliberately preserves the balance for a future career change that never comes. The result is a vast stock of dormant rights — billions of euros immobilised in inactive accounts while the infrastructure sector deplores a shortage of trained profiles.
This paradox is structural. The CPF was designed to fund continuing professional training. In practice, it funds massively low-added-value short courses — driving licences, digital literacy certifications, office software qualifications — while the long, bare-metal training programmes that produce genuine systems and network technicians remain financially out of reach for the profiles who need them most.
€5,000 in a CPF account is enough to fund a significant portion of a quality infrastructure training programme. The Foundation of Iron — 26 weeks, 910 hours — is in the same cost range as the programmes funded by Pôle Emploi in the 2000-2015 period. The money is not the problem. The problem is that the money cannot find its way to the right training, for the right profile, at the right time.
Dormant CPF accounts fall into three distinct categories: ignorance of the rights' existence, absence of relevant training in the catalogue, and deliberate saving for a planned future project. The third category must not be mobilised without explicit active consent. Any pooling mechanism must be strictly opt-in — never automatic.
The intuitive proposal is the simplest: allow holders of dormant CPF rights to transfer them to a colleague, a relative, or a training candidate who needs them. This proposal is legally prohibited — and the reason for this prohibition is documented by a recent episode.
Between 2019 and 2022, CPF fraud cost the Caisse des Dépôts several hundred million euros. Telephone canvassing networks usurped account holders' identities without their knowledge. Ghost training courses were billed and cashed without a single hour of training being delivered. The fraud mechanism relied precisely on the system's low friction: the less verification required, the easier the funds are to divert.
A free transfer mechanism between natural persons instantly creates a secondary market for CPF rights. Intermediaries purchase dormant rights from holders who have no training intention, then resell access to organisations that bill non-delivered training. The logic is identical to the 2019-2022 fraud — free transfer is its natural vector.
Direct transfer is the wrong mechanism. Controlled pooling is the right one. A holder who explicitly and voluntarily decides to contribute to a dedicated paritaire fund — targeting training in shortage areas such as infrastructure and systems & networking — transfers their rights not to a person but to a mechanism managed by an accredited body. This is collective opt-in, not individual transfer. Minimal friction is maintained — it simply changes form: no longer administrative friction for the candidate, but explicit consent friction for the contributor.
Simplifying access to training does not mean removing all friction. An active confirmation from the beneficiary remains necessary — it is the moment they validate their project and commitment. The friction to remove is the administrative burden of the application file, not the accountability of the candidate. A completely frictionless access system is a fraud waiting to happen.
The most common design error in training funding reform proposals is to treat all profiles with the same mechanism. The funding needs of a jobseeker, an employed worker, and a self-taught person in career transition are structurally different. Their response must be too.
Mechanism: France Travail — Conventioned Training Actions (AFC) and Operational Employment Preparation (POE).
Status: existing, proven, to be reactivated. The Foundation of Iron in its historical version was funded by Pôle Emploi under exactly this model. A Qualiopi-certified training provider delivering the Foundation of Iron can sign a direct convention with France Travail. No CPF required — no rights needed. France Travail funds the provider directly.
Advantage: covers precisely the profiles with few or no CPF rights — the self-taught Blue in career transition, the junior jobseeker, the intern without a stable contract.
Mechanism: opt-in CPF pooling fund managed by a paritaire body, dedicated to shortage-area training (infrastructure, systems & networking).
Status: to be created, via sector agreement or paritaire initiative. A holder voluntarily contributes to the fund. Rights are redistributed by the paritaire body towards eligible training, for beneficiaries identified by France Travail or OPCOs.
Advantage: mobilises the dormant stock without draining it anarchically — each contribution is a voluntary act, each redistribution is traced.
Mechanism: professionalisation contract + sector OPCO for apprentices; direct CPF + employer top-up for upskilling employees.
Status: existing. These mechanisms already work. The Foundation of Iron needs to be positioned as eligible training in the OPCO catalogues of the relevant sectors (digital, telecommunications, industry).
This proposal does not consist of "routing everything through the CPF". It consists of identifying the right mechanism for each profile. France Travail for the unemployed, pooled CPF for employees who voluntarily contribute, OPCO for apprentices. The CPF is one tool among three — not the sole solution.
The previous study in this corpus — "The Blue" — proposed a permanent IDPE accessible via continuous sessions in CTI schools. It also identified that the IDPE was not directly eligible for CPF funding. Further research reveals that the situation has evolved significantly since August 2025, and that a CPF funding pathway already exists for the IDPE — via the VAE (Recognition of Prior Learning).
Decree n°2025-663, in force since 1 August 2025, extended CPF funding to the full VAE pathway — including accompaniment fees, preparation of the validation file, and jury fees. Before this decree, the CPF only partially covered accompaniment. Since 1 August 2025, a candidate pursuing the IDPE via VAE can fund their entire pathway through their CPF, provided the accompanying body is listed on Mon Compte Formation and Qualiopi-certified for the VAE category.
Step 1: The candidate demonstrates 5 years of experience in engineering-level functions (without an engineering degree).
Step 2: They engage in a VAE pathway towards the IDPE, accompanied by an organisation listed on Mon Compte Formation.
Step 3: They mobilise their CPF to fund the accompaniment and jury fees (decree 2025-663).
Step 4: The CTI school reviews the file and convenes the jury.
Step 5: The jury rules — on success, the Ministry awards the state-certified engineer title.
Not covered by CPF: the initial admissibility examination fees (school administrative fees, variable) and jury attendance alone without accompaniment. These costs remain the candidate's responsibility or can be covered by the employer or OPCO.
The France VAE portal, created to centralise VAE processes, does not yet include the IDPE in its catalogue. The reason is technical and administrative: the IDPE is a state title awarded by the Ministry of Higher Education, outside the standard RNCP framework. A candidate searching for the IDPE on France VAE will not find it — they must go directly to Mon Compte Formation, which presupposes knowing that this pathway exists. This is not a legal lock. It is a visibility lock.
For the CPF to fund the Foundation of Iron directly as an initial training programme — not as a VAE — the training must be linked to a certification registered in the RNCP or the Répertoire Spécifique of France Compétences. This is a long process (12 to 24 months), rigorous, and costly. It cannot be improvised.
But there is a more immediate route than waiting for RNCP registration: the Foundation of Iron can be positioned as preparatory training for an existing RNCP-registered certification. Several level 5 or 6 certifications in systems and network administration are already registered. A provider delivering the Foundation of Iron can link their training to one of these existing certifications and gain immediate CPF eligibility — without waiting for a new RNCP registration.
Route 1 — Linking to an existing RNCP certification: the training prepares candidates for an already-registered certification (Systems Administrator professional title, BTS SIO, or equivalent level 5-6). Immediate CPF eligibility. Timeline: a few weeks for listing on Mon Compte Formation.
Route 2 — Standalone RNCP registration: the Foundation of Iron becomes its own RNCP certification. Timeline: 12 to 24 months, with the cost of preparing the application and passing through the France Compétences commission. Full independence but significant upfront investment.
Route 3 — France Travail (AFC/POE): without an RNCP, immediately applicable for jobseekers via direct convention with France Travail. This is the historical route — it remains the fastest for the profiles with fewest CPF rights.
Route 1 (existing RNCP link) provides immediate CPF access for employed workers. Route 3 (France Travail) provides immediate access for jobseekers. These two routes cover the bulk of the Foundation of Iron's target profiles from day one. Route 2 (standalone RNCP) is the 24-month objective — it grants full autonomy and maximum visibility on Mon Compte Formation.
The entire proposal rests on legal and institutional mechanisms that already exist. No new legislation is needed. Four implementation measures suffice.
A DGESIP (Directorate-General for Higher Education) instruction is sufficient to list the IDPE on the France VAE portal. This measure makes the CPF→VAE→IDPE pathway visible and accessible without the candidate having to discover it themselves. It is two lines in a ministerial circular. It connects an existing funding mechanism (CPF, decree 2025-663) to an existing title (IDPE) via an existing portal (France VAE).
Remove the annual Journal Officiel calendar constraint and allow accredited CTI schools to process IDPE applications year-round, in continuous sessions. Same process, same jury, same standards. This measure is inseparable from Measure 1: an IDPE visible on France VAE but accessible only once a year remains unusable in practice.
Via a sector agreement in the digital and telecommunications industries, create a fund fed by voluntary contributions from CPF holders with dormant rights. This fund finances exclusively shortage-area training identified by the sectors — infrastructure, systems & networking, SRE. It is managed by an accredited paritaire body with full traceability of all flows.
A provider delivering the Foundation of Iron obtains Qualiopi accreditation and signs an AFC convention with France Travail. Funding for jobseekers and career-changers is assured without CPF. This is the historical route — it worked for fifteen years. It does not need to be reinvented. It needs to be reactivated.
The money is there. The mechanisms are there. The title is there. What is missing is the connection between them — and that connection requires four implementation measures, not a legislative reform.

Practical exit guides — legal, technical, human.
Technical Primacy is the constitutive right of the Principal SRE to have the final word on architecture and operational decisions, within the budget set by management. It does not contest managerial authority — it delimits it. Management sets the envelope. The Principal SRE decides how to spend it and which technical risks to refuse. Confusing these two roles systematically produces Invisible Debt, the Infrational Loop, and the Departure of the Last One Who Knows.
In most organisations, nobody has explicitly defined who has the final word on infrastructure decisions. There is a budget, a committee, an IT manager, sometimes a CIO. And in arbitration situations — migrate or maintain, buy or build, accept or refuse a risk — the final decision goes to whoever holds the highest title in the room. Not to whoever knows the subject best.
Budget oversight belongs to management. Setting the annual envelope, arbitrating between competing projects, prioritising according to the organisation's strategy. This right is legitimate, necessary, and requires no technical background. A CEO or CFO can decide that infrastructure gets €800,000 this year and not €1.2 million. That is a management decision.
Technical decision authority belongs to the Principal SRE. Within that €800,000: which architecture, which tools, which suppliers, which risks accepted or refused, which technical debt taken on or repaid. This decision requires expertise that general management does not possess — and cannot possess without having practised the profession.
Confusing the two roles systematically produces the same result: technically suboptimal decisions made by people who do not measure their consequences, imposed on teams that can see them coming and cannot stop them. The debt accumulates. The incident eventually happens. And the Principal SRE responds at 3am for a decision they did not make.
Three indicators that Technical Primacy is absent in an organisation:
— Infrastructure arbitrations happen in executive committees without the Principal SRE present, or without their opinion being constitutive of the final decision.
— The Principal SRE says "I advise against this migration now" and the migration launches anyway without formal documentation of the accepted risk.
— Post-decision incidents are analysed as technical failures rather than as consequences of uninformed managerial decisions.
The hospital is the organisation that has best resolved the tension between managerial authority and technical expertise. The solution has been institutionalised for a century and a half. It is so obvious that nobody questions it. It is called the separation between administrative management and medical authority.
The hospital director sets the cardiology department's budget. They decide the envelope, staffing levels, equipment investments. They do not decide the treatment protocol for a patient. If they decided that a patient receives a particular treatment for budgetary reasons against the head physician's advice, this would constitute endangering human life — in the legal sense. The department's chief physician has the final word on medical decisions, within the budget set by management.
This separation is so obvious in the medical world that stating it seems trivial. It is not trivial — it is the result of decades of institutional construction following real catastrophes. Digital infrastructure is going through the same catastrophes, with the same causes, without having yet built the same protection.
Hospital director → CEO / CIO / CFO: sets the infrastructure budget, arbitrates between projects, prioritises according to strategy. Full oversight of the envelope and priorities. No decision rights on technical choices within that envelope.
Department chief physician → Principal SRE: within the set budget, decides on architecture, tools, suppliers, risks accepted or refused. Their opinion is constitutive and documented. Their refusal of a risk is formal and recorded.
Endangering the patient → Major infrastructure incident: when the director imposes a medical protocol, they endanger a life. When management imposes a technical decision, they create invisible debt that materialises as an incident. The difference: the infrastructure incident arrives 18 months later, not the next day. This delay masks causality — and allows the confusion to perpetuate.
Technical Primacy is not a blank cheque. It is not the Principal SRE's right to decide without accountability, nor to indefinitely block strategic decisions. It is a precise, delimited, defensible perimeter — that protects the organisation as much as the Principal SRE.
Architecture: infrastructure pattern choices, decoupling or integration decisions, choices between bare-metal and cloud approaches, redundancy level definitions.
Operations: incident procedures, maintenance windows, alert thresholds, production rollback decisions.
Technical security: refusal of a configuration deemed insecure, even if requested by a business project or management. This refusal is documented, motivated, and formally recorded.
Documented risk refusal: the Principal SRE can refuse to sign off on a production deployment or migration if they judge the risk unacceptable. This refusal is formal. Management may override — but formally assumes responsibility for the risk by signature.
The overall budget: the Principal SRE does not set their own budget. They propose, argue, but the final decision belongs to management.
Strategic priorities: which infrastructure project comes first — if the decision is strategic rather than purely technical, management arbitrates.
Headcount: how many people in the infrastructure team — an HR and budgetary decision, not Technical Primacy.
Overall project schedule: when an infrastructure project must be delivered — within technically reasonable limits, the schedule is a managerial decision.
Management decides on a rushed cloud migration to meet a contractual deadline. The Principal SRE indicates that the architecture is not ready, that the migration will create uncontrolled dependencies and an estimated 18 months of corrective technical debt. Their recommendation is ignored. The migration happens on schedule. Eighteen months later, the infrastructure team spends 60% of its time repaying the debt — less time for new initiatives, less time for training, less time for knowledge transmission. Management wonders why infrastructure is "slow". Causality is invisible because the delay between decision and consequence is 18 months.
The Principal SRE recommends investing in bare-metal training for the team — rare skills, essential to the organisation's autonomy. Management decides to prioritise hyperscaler cloud certifications — cheaper, more visible on CVs, better for team "visibility". Two years later, the organisation is more dependent on hyperscalers than before, engineers are less autonomous on bare-metal, and the Principal SRE — whose recommendations have been systematically ignored — starts looking at market offers.
The Principal SRE has refused a technical decision three times in two years that they judged risky. All three times, management overrode without formally documenting the risk assumption. Two of the three incidents happened as predicted. After the third, management asked the Principal SRE "why doesn't infrastructure deliver on its commitments". They leave. Ten years of accumulated tacit knowledge leave with them. The organisation hires a consultant at €1,200/day to understand the existing system. It will never recover the level of mastery it had.
This study is not a critique of management — it is a protection of management. A CEO who makes a bad technical decision because nobody has clearly told them "this is not your decision to make" is an exposed CEO. Technical Primacy protects them as much as the Principal SRE — it clearly states where their responsibility ends.
The budget envelope: how much the organisation invests in its infrastructure. This is a strategic and financial decision — it belongs to management.
Priorities between projects: if the organisation must choose between migrating the datacentre and building a new data platform, management arbitrates according to strategy. They inform the Principal SRE of the priority — the Principal SRE says how to implement it technically.
The acceptable risk level: management can decide that the organisation accepts a risk the Principal SRE advises against — but this must be an explicit, documented, signed decision. Not a silence that masks risk-taking.
The strategic schedule: when a system must be delivered, according to contractual and strategic constraints. Within this, the Principal SRE states what is technically feasible or not.
The management that recognises the Principal SRE's Technical Primacy does not abandon its authority — it exercises it correctly. It says: "I decide the envelope and the strategy. For technical decisions within that envelope, I trust the Principal SRE and hold them accountable." This is the most effective delegation contract that exists in a technical organisation. And when something goes wrong despite Technical Primacy, responsibility is clearly located — not diluted in a poorly documented collective decision.
Technical Primacy is the concept that makes the entire Opération Dindon corpus coherent. Every study documented a consequence of its absence. None had yet named the absence itself. This concept is the piece that closes the puzzle.
The founding thesis says: the human is sovereign when they can act on the matter they depend on. Applied to the organisation: an organisation is sovereign over its infrastructure when the Principal SRE can decide on that infrastructure. Without Technical Primacy, the organisation delegates its technical sovereignty to people who do not understand it. This is extraterritorial cloud at the internal scale — not a foreign hyperscaler deciding, but non-technical management deciding what they do not understand.
The Lead SRE's black suit and red tie signals to the organisation: this person is a technical commander. If this commander does not have the final word on technical decisions, the suit is an empty sign — it signals an authority that does not exist. Technical Primacy is the condition that gives the uniform its substance. Without it, one dresses an adviser. With it, one recognises a commander.
The Master Compagnon SRE grade only makes sense if the master level actually gives the final word on technical decisions in their organisation. If the Master Compagnon SRE is systematically overridden by non-technical management, their grade is honorary — it rewards knowledge that has no power. Technical Primacy is the condition that transforms the grade into real authority.
Elastic Syntec protects the infrastructure body's rights — salaries, on-calls, training. But a protected body that does not have the final word on its domain of expertise is a body paid to execute decisions it did not make. Technical Primacy is the layer that completes protection — protecting not only salary and conditions, but the right to decide.
The Principal SRE's contract includes an explicit Technical Primacy clause — defining their autonomous decision perimeter, their documented veto right, and the formal escalation procedure when management wishes to override. This clause does not give the Principal SRE absolute power — it clearly delimits responsibilities. It protects both parties.
When the Principal SRE opposes a technical decision, their opposition is formal and written. The veto document specifies: the contested decision, the identified technical risks, the estimated debt created or probable incident, and the alternative recommendation. This document is retained. If management decides to override, they sign the document — formally assuming responsibility for the risk. This mechanism protects the Principal SRE from responsibility for incidents they did not cause, and protects management against undocumented decisions.
The Principal SRE is present in all committees where decisions with infrastructure impact are made — not as an occasional invitee, but as a permanent member with deliberative voice on technical subjects. This presence is structural, not circumstantial. It ensures arbitrations happen with correct technical information, not after the fact.
When management wishes to override the Principal SRE's veto, a formal escalation procedure is triggered: consultation of an external technical third party (solutions architect, infrastructure audit firm), formal meeting with documented arguments from both parties, final decision signed by the appropriate management level with explicit mention of risk assumption. This procedure is not an obstacle — it is a guarantee that the decision is made with full knowledge.
The Principal SRE is not infallible.
But they are the only one who measures what they decide.
Giving them the final word gives the organisation
its best chance of not regretting its technical decisions.
This study does not say "you were wrong". It says "here is what is missing and how to add it — with today's tools". The Opération Dindon corpus diagnosed the problems. This study proposes exit paths. The SysOps/NetOps/OpInfra nomenclature proposed in "The Ticket and the Talent" is not an adopted framework — it is a pragmatic proposal. A plan to exit collapse, not a statement of the current state. It also opens a door nobody has yet named: the entry of women into the infrastructure body.
People who carry the DevOps title today are not enemies of the infrastructure body. Many were poorly oriented, poorly trained, poorly named — not through bad faith, but because the market called anything and everything "DevOps" for ten years. They have the foundations. A layer is missing — not all the competence. The gentle exit does not say "you were wrong" — it says "here is what is missing and how to add it, with what exists today".
Three real and valuable things: collaboration between developers and operators, deployment automation (IaC, CI/CD), and a culture of measurement (monitoring, alerting, SLO, post-mortem). These are assets. The gentle exit anchors them in the physical reality they were missing — it does not erase them.
The problem is not that DevOps engineers exist. It is that the title progressively replaced precise technical titles without transmitting their fundamental competences: hardware, physical networking, the low-level OSI stack, storage, bare-metal. Competences in height, fragile in depth.
The SysOps/NetOps/OpInfra nomenclature proposed in "The Ticket and the Talent" is not a framework adopted by any professional branch or institution. It is an Opération Dindon corpus proposal — a plan to exit collapse, documented, argued, operational. It proposes six levels, three categories, defined competence criteria. It only exists if organisations choose to adopt it. This study proposes the tools to make that adoption possible — progressively, without social rupture.
"Orphan" DevOps: real competences, a title that no longer serves them. They sense the gap — they do not know how to fill it without starting from zero.
Cloud architects without roots: legitimacy on cloud certifications, fragility below. They want to anchor — not rebuild everything.
Organisations in transition: teams built on the DevOps wave, corpus problems materialising — debt, departures, dependence. They want to rebuild without social rupture or public admission of error.
If an organisation decided to adopt the nomenclature proposed in "The Ticket and the Talent", here is how the conversion could work — without downgrade, without rupture, valorising existing competences. This table is a proposed reading, not a decision already made.
The nomenclature only exists if organisations choose to adopt it. This choice is pragmatic, not ideological. An organisation that adopts it gives itself a more precise competence management tool than "DevOps" — nothing more. The gentle exit begins with an internal decision, without waiting for any collective agreement or branch decree.
Whatever the decision on the nomenclature, the training tools exist today. They require no collective agreement, no branch accord, no new institution. They require an HR decision and a training budget — available in any organisation that uses CPF or equivalent professional development funding.
Linux Foundation: LFCA (entry, €395), LFCS (systems administrator, €395), LFCE (engineer), CKA (Kubernetes administrator, €395), CKAD, CKS (security). Practical hands-on exam — no multiple choice. Real competence or the exam fails. CPF-eligible. Less expensive than equivalent AWS certifications (€300-800).
HashiCorp: Terraform Associate, Vault Associate. Neutral tools, multi-cloud, essential for portable IaC — no hyperscaler dependency.
CNCF: cloud-native neutral certifications, based on open source standards. No vendor lock-in.
These certifications produce transferable competences across environments — exactly what "The CPF Misused" calls for funding instead of hyperscaler cloud certifications that reinforce lock-in.
The Foundation of Iron is a corpus proposal (26 weeks, electricity to Kubernetes) — not an existing institutional programme. It is a pedagogical plan that can be implemented by any trainer or training organisation. For the converting DevOps, the path is targeted, not linear:
Modules 1-6 (Electricity, Hardware, Physical Server): mandatory physical layer for all levels. Missing in 90% of DevOps trained solely in cloud.
Modules 7-12 (Linux fundamentals, Storage, Virtualisation): deepening what the DevOps often has only at surface level.
Modules 13-20 (Physical OSI networking, Routing, Active Directory): the real differentiator between a DevOps and a SysOps/NetOps L4.
Modules 21-26 (Network security, Architecture, Bare-metal Kubernetes): L5-L6 level deepening.
Theoretical training gives structure. Contact with the machine and with the person who masters it gives flesh. This mechanism needs no new institution — it exists in every organisation that still has an experienced Principal SRE. It only needs to be formalised: a written mentoring agreement, defined objectives, a time limit.
Documented in "The Mentor and the Metal": one day without assessment, without badge, without PowerPoint. The converting engineer observes. They accompany the Principal SRE during maintenance interventions, a component replacement, an incident if the occasion arises. They eat with the team. They physically see what their architecture diagrams describe from the outside.
Cost: one day of the Principal SRE's time in accompaniment mode. Available tomorrow, in any organisation, with no exceptional budget.
Months 1-2 — Immersive observation: accompaniment without intervention. Documentation, questions, reading runbooks in real situations. The Principal SRE explains decisions in real time.
Months 3-4 — Supervised practice: interventions under direct supervision. Cabling, configuration, diagnosis. The "why" behind each action — tacit knowledge that cannot be written but can be transmitted.
Months 5-6 — Supervised autonomy: autonomous interventions on non-critical systems. The Principal SRE is available but not present.
Minimal formalisation: a one-page mentoring agreement — objectives, duration, evaluation method. Referenced in both parties' job descriptions. Not a new institution: a professional commitment between two people, recognised in their respective responsibilities.
There is a connection nobody has explicitly documented yet: a clear nomenclature is a necessary condition for women to enter the infrastructure body. Not sufficient — but necessary. "The Invisible Amputation" documented that women represent 10% of the infrastructure body where 50% are needed. This study asks the mechanism question: why so few? And how the proposed nomenclature is part of the answer.
A woman looking at the infrastructure job market today sees: "DevOps", "SRE", "Cloud Engineer", "Platform Engineer", "DevSecOps", "Site Reliability", "Infrastructure Engineer" — vague titles, no clear trajectory, no readable progression grid, no objective signal on what is expected at each level.
This ambiguity discourages profiles who do not have a network to decode it. Women, statistically less present in the informal networks of infrastructure (tech evenings, conferences, non-mixed Slack channels), bear this decoding burden more than men who can access it through peers. The ambiguity is not intentionally sexist — but it produces real exclusion.
A clear nomenclature says to the woman looking from the outside: here is the path, here are the objective criteria at each level, here is where one can go. No decoding through informal networks. No "you need to know someone who knows someone". The criteria are public, the levels are readable, the progression is documented.
The proposed nomenclature — if adopted by even a few organisations — would immediately produce two effects: job offers with precise titles and objective criteria (attracting profiles without networks), and visible progression grids (enabling projection without having to ask a peer). These are the two minimum conditions for a woman to envisage a path in infrastructure without having to guess the implicit rules.
A named body creates a visible door. A visible door creates a possible entry. A possible entry triggers the arrival of those who were waiting for a readable signal. The body becomes complete. This is the reverse mechanism of the Invisible Amputation — and it begins with an act as simple as adopting a nomenclature in a job description.
The organisation that built its teams on the DevOps wave did not make an error — it made a coherent choice with the information available at the time. The honourable exit does not ask for a public admission of fault. It proposes a progressive, documented transition plan using the tools that exist today.
Phase 1 — Internal diagnosis (months 1-2): map real competences of each team member using the proposed nomenclature as a reading grid. Tool: structured interview between the Principal SRE and each engineer. Result: individual gap map and targeted training plan. Cost: the Principal SRE's time. Budget: zero.
Phase 2 — Targeted training (months 3-9): Foundation of Iron targeted modules + Linux Foundation certifications according to target level. Budget: €1,200 to €2,400 per person. CPF can fund Linux Foundation certifications — they are eligible. Less expensive than AWS. No exceptional budget needed.
Phase 3 — Progressive renaming (months 6-12): if the organisation decides to adopt the proposed nomenclature, update job descriptions. Without redundancy. With salary valorisation. Renaming follows training — not the reverse. Each title changed is a door opened toward profiles who could not project themselves into "DevOps".
Phase 4 — Consolidation (months 12-18): Technical Primacy clause in the Principal SRE's contract, formalised mentoring in senior job descriptions, job offers with proposed nomenclature titles. The nomenclature becomes an internal reality — without waiting for it to be an external norm.
The corpus does not need everyone to be convinced. It needs two things simultaneously: an ambassador who made the journey and tells it, and a readable door for those who want to enter. The proposed nomenclature creates the door. The ambassador creates the desire to walk through it.
The DevOps who completed six months of supervised rotation, passed the LFCS, changed their title to Lead SysOps in their job description, is the best ambassador for the proposal. "The Uniform of the Body" documented the chain of gaze: the one who changed level gives others a concrete reason to make the journey. The ambassador does not convince through theoretical argument — through visible example and proof that the path exists and leads somewhere.
The concrete testimony: "I was a DevOps for eight years. Six months of supervised rotation with our Principal SRE showed me I did not understand what I was deploying. I passed the LFCS. My title changed. My salary was revised. And my legitimacy in technical arbitrations is now recognised." This testimony is worth ten studies. The corpus creates the conditions. The ambassador creates the movement.
When an organisation publishes a job offer "SysOps L3 — criteria: LFCS or equivalent, 2 years Linux systems experience, knowledge of OSI layers 1-4" — this offer is readable by a woman who has no network to decode "Senior DevOps with 3-5 years XP and full-cloud stacktrace". Objective criteria replace implicit decoding. The door is open — not just drawn on a wall.
This is the reverse mechanism of the Invisible Amputation. Not a diversity declaration of intent. Not a quota. A clear nomenclature, objective criteria, readable offers. The body becomes complete because the door exists — not because someone decided to force women through it.
The gentle exit does not say: you were wrong.
It says: here is what is missing — with today's tools.
It says: here is the door — it is open for everyone.
Come.
The Opération Dindon corpus documented the problem (lock-in, loss of bare-metal), the causes (cognitive capture, infrational loop), and the tools (Sovereign Interface, Gentle Exit). What was missing was the operational entry point for organisations that want to act now but no longer have anyone who knows how to manage bare-metal. Managed services are that door. They do not give sovereignty immediately — they create the conditions for it to become possible, accompanying the organisation throughout the exodus journey.
Note: the operational elements of this study draw on Amine RAITI's lived experience during his time at Ecritel, cited here as a concrete example and not as advertising. The approach may differ between managed service providers.
The corpus documented the "Gentle Exit" as an architectural principle. It documented the "Sovereign Interface" as a technical tool. These two studies answer "how" to exit. They do not answer "with whom" for organisations that no longer have the internal skills to do it.
It migrated to cloud 5-8 years ago. It let go of or lost its system engineers, network administrators, DBAs. It has a competent DevOps team on AWS or GCP — but with no bare-metal culture. It pays growing egress fees. It read the Terms of Service and discovered California jurisdiction. It wants to leave.
It cannot. Not alone. Its DevOps know how to deploy on EKS. They do not know how to configure a physical switch, dimension an IP addressing plan, choose a storage array, install a hypervisor, configure bare-metal monitoring. The competence left with the engineers who departed. This is "The Departure of the Last One Who Knows" applied at organisational scale.
The Sovereign Interface is an architecture. It does not implement itself — engineers are needed to write it.
The Gentle Exit is a principle. It does not execute itself — engineers are needed to migrate.
The Foundation of Iron is training. It takes 6 to 26 weeks — and the organisation does not have 26 weeks of runway before its next AWS bill.
The managed service provider is the missing engineer. They have the bare-metal competence the organisation abandoned. They know the migration path because they have done it dozens of times. And — fundamental difference from a hyperscaler — their business model is not to create a new dependency but to make the organisation capable.
The difference between a sovereign managed service provider and a hyperscaler: a managed service contract can be terminated with reasonable notice (generally 3-6 months). There are no "noncancellable" commits. No California jurisdiction. No egress fees. And if the contract is well drafted, the documentation and knowledge transmitted remain with the client at the end.
What the client brings: their own racks, their own servers, their own complete technical skills.
What the provider brings: the datacentre, redundant power, cooling, fibre optic, physical security, 24/7 building monitoring.
Who manages what: the client manages everything from their own teams. The provider does not touch client machines unless explicitly requested.
Profile: organisations that still have bare-metal engineers but no own datacentre. The most sovereign form — the client masters everything except the building.
Risk: if bare-metal engineers leave, the client is left with hardware they can no longer manage.
What the client retains: control of the application layer, databases, logical network, deployments. The top of the stack.
What the provider manages: hardware, OS, virtualisation, physical network, low-level monitoring, backups, security updates.
Profile: organisations with DevOps or developers, but without system administrators or physical network engineers. The most common model after a cloud migration.
Added value: the client progressively builds competence on lower layers, with the provider's engineers available to explain and train.
What the client retains: defining needs, validating SLAs, monitoring dashboards, business decisions. Vision — not execution.
What the provider manages: everything, A to Z. Hardware, network, OS, middleware, monitoring, backups, security, updates, daily operations.
Profile: organisations with only business profiles or cloud-native DevOps with no operations culture. The Accompanied Exodus starting point.
Objective: full managed services is not a destination — it is a transition phase. The goal is to progressively move toward partial managed services or housing as teams build competence.
What follows is based on lived experience at Ecritel. This is not advertising — it is a concrete example. The approach may differ between providers, but the main steps are structurally similar.
Upon contract signature, a meeting brings together three parties: Ecritel teams (migration project manager + system engineers), the previous host's teams, and the client's teams. The objective is not to criticise the existing setup — it is to understand it precisely.
Two scenarios for access to the existing infrastructure:
Scenario A — Export by the previous host: the previous host produces data exports (databases, file systems, configurations), network diagrams, service lists. Ecritel receives and works from the exports.
Scenario B — Direct root access: when the previous host does not cooperate or when the timeline requires it, Ecritel teams request direct root access to the machines and carry out the inventory and exports themselves. They take operational responsibility for operations performed on the existing infrastructure.
The inventory covers all OS types (Linux distributions, Windows Server, BSD as applicable), all databases (MySQL, PostgreSQL, Oracle, SQL Server, MongoDB, Redis — each engine has its own export and migration procedures), middlewares, network configurations (VLANs, firewall rules, load balancers), certificates, cron jobs, operational scripts. Nothing is assumed — everything is verified and documented.
The analysis of the existing setup produces a dependency map — which services depend on which others, in what order they must be migrated to avoid breaking the chain.
Migration does not happen overnight. It is phased according to dependencies and risks. Each phase has a schedule, success criteria and a rollback procedure. Follow-up meetings are organised throughout the project — weekly during active migration, bi-weekly during stabilisation. The client monitors progress. They test proper functioning step by step. They validate before moving to the next phase. This validation is not passive — it is on-the-job training.
At the end of the migration, Ecritel teams write the Technical Architecture Document (TAD) — an exhaustive photograph of the infrastructure put in place: network diagrams, detailed configurations, operational procedures, backup and restore procedures, escalation contacts. This document belongs to the client. It is the first Runbook of the new infrastructure. And depending on the contract type, Steering Committees (COPILs) are organised — at Ecritel or at the client — to present SLAs, performance indicators, monthly incidents, planned developments.
The fundamental difference between a sovereign managed service provider and a hyperscaler is not technical — it is contractual and intentional. A hyperscaler wants you dependent on them forever. A good managed service provider wants you to build enough competence that you no longer need them — or need them only for high-value-added operations. This is not philanthropy — it is a different business model, based on trust and relationship longevity rather than lock-in.
Documentation as a transmission act: the TAD written by the managed service provider is not a bureaucratic document — it is the first act of transmission. The client's DevOps who read the TAD learn how their infrastructure works. Those who participate in writing it learn even faster.
COPILs as disguised training: when the provider presents monthly SLAs, they explain what happened, why, how it was resolved. The client's technical teams who attend these meetings are in continuous training without it being called training.
Shared on-call: in some contracts, the provider's engineers are available to the client's teams during incidents — not to replace them but to accompany them in resolution. A 3am incident resolved with the provider's engineer online teaches more than a full day of classroom training.
Formal knowledge transfer: in well-drafted contracts, a knowledge transfer phase is explicitly planned — training sessions on the client's specific infrastructure, handover of operational procedures, support for the first operations performed autonomously by internal teams.
The "Digital Craftsmen" model proposed in the corpus describes an aspirant learning alongside a maâllem. Partial managed services with knowledge transmission is this model applied at the scale of an entire organisation. The provider is the collective maâllem. The client's DevOps are the aspirants. The migration and daily operations are the joint masterpiece. And at the end — if everything went well — the client has a team that knows how to manage its infrastructure and a provider who can focus on higher-value-added operations.
Lived experience at Ecritel: a client has two machines — prod and preprod. They want to promote preprod to prod without transferring code, simply by swapping roles. Solution proposed: a file deposited via FTP by the client containing machine1=prod ; machine2=preprod. A script reads the file every X minutes and automatically reconfigures the HAProxy backend. The client remains in full managed services but is completely autonomous on deployments, with no provider intervention required per cycle.
What this illustrates: the provider wrote the script. They adapted the infrastructure to the business need. The opposite of cloud: "adapt your architecture to our managed services."
Ecritel accompanied clients to obtain a CSP licence in China from Paris. Infrastructures were synchronised between China and France via Unison or lsync for images. Pseudo-L2 configurations at international scale were set up to ensure network continuity between distant sites. Dedicated fibre links can connect client offices or another site — something cloud cannot do physically. Traffic is included in the contract or at very reasonable rates. No egress fees discovered at end of month.
You pick up the phone. A technician answers. They know your infrastructure. They can act immediately or escalate to an engineer — included in the standard contract, not in an overpriced Premium plan. For housing clients, physical proximity actions are possible: a technician can go into the server room to cable, reboot, inspect. This is not comparable to AWS support — form, ticket, delay measured in days, Premium plan at tens of thousands of euros per year to get a human on the phone.
The Business Continuity Plan is the argument that CIOs understand immediately — because it is their personal responsibility when infrastructure goes down.
The hyperscaler BCP is a software architecture. Multi-AZ, multi-region, automatic failover — sold as a turnkey solution. In reality: dozens of proprietary services to master, a cost of 2x to 5x the primary infrastructure, and a failover test that nobody really does because it is expensive and frightening. When the real incident arrives at 3am, DevOps discover that the failover site's Terraform has not been updated in 8 months.
The managed service provider BCP is a muscular reflex. The provider has two datacentres connected by a dedicated fibre they physically control. They have performed hundreds of real failovers — not sandbox tests. Their team knows the friction points, the services that always take 3 extra minutes to restart. They have a Runbook for every incident type. And they adapt the BCP to the client's real application needs: RPO, RTO, synchronous or asynchronous replication per service. Not a checkbox in a catalogue — a bespoke architecture.
The formula: the hyperscaler BCP is an architecture. The managed service provider BCP is a muscular reflex. One is documented in a Confluence nobody reads. The other is repeated until the team can do it with their eyes closed. The corpus study "The Gentle BCP" documents this mechanism in detail.
Cloud gives you an SLA. A managed service provider gives you a relationship. Over time, the relationship is worth more than the SLA.
The technician who answers at 3am knows your infrastructure, your business constraints, sometimes your DBA's first name. The quarterly COPIL is not a contractual meeting — it is a conversation between people who know each other. Over five years, this mutual knowledge produces what no SLA can produce: trust.
A client who trusts their provider alerts them to an anomaly before it becomes an incident. They call before making a risky architectural decision. On the other side, the engineer who knows their client does a little more than the contract requires — because the relationship has a value they want to preserve.
Some of my clients at Ecritel are still my friends today. This bond was not created by the contract — it was created by contact. The COPILs, the 3am calls, the visits to the client. Managed services done well does not produce contracts. It produces relationships. And relationships outlast contracts.
Managed AWS / Google Managed Services / Azure Managed Services: they manage your cloud infrastructure for you — but on AWS, GCP or Azure. Dependency on the hyperscaler is maintained, sometimes reinforced. California jurisdiction remains. Egress fees remain. Application lock-in remains. These are not sovereign MSPs — they are subcontractors of the hyperscaler.
Sovereign MSPs (Ecritel, DRI, OVH, Scaleway, Claranet, Infomaniak): they manage your infrastructure on their own datacentre or neutral infrastructure, under French or European law. Their contracts are terminable. Documentation produced belongs to you. Data stays in Europe under European jurisdiction. And their certifications (HDS for health, SecNumCloud for critical infrastructure operators, ISO 27001 for general security) cover regulatory requirements that hyperscalers struggle to fully satisfy.
HDS (Health Data Hosting): mandatory for hosting health data in France. Major French MSPs are HDS-certified. AWS and GCP are too — but under contractual conditions that may conflict with GDPR and the CLOUD Act.
SecNumCloud (ANSSI): the French cloud sovereignty label. Requires that operating companies are subject to French law, with no possibility of extra-European takeover. AWS and GCP cannot obtain it. This is the label that makes the difference for critical infrastructure operators and sensitive public administrations.
ISO 27001: international information security management standard. Most serious MSPs are certified. Minimum condition for public tenders and major accounts.
Three questions to qualify a managed service provider:
1. Do you have documented experience of migrations from AWS/GCP/Azure? (Ask for references.)
2. What is your documentation policy? (Does the TAD and all documentation produced belong to the client from the end of the engagement?)
3. How do you organise knowledge transfer to our internal teams? (If there is no precise answer, this is a warning signal.)
The Accompanied Exodus is not a flight — it is a return.
Return to mastery of the substrate. Return to sovereignty.
Return to the ability to say no.
The managed service provider does not make the journey for you — they make it with you,
until you find your legs to make it alone.
The Operation Dindon corpus documented captivity. This study documents the exit. Not a wish list — an operational liberation architecture across six simultaneous strata and three time horizons. Every lever is immediate, fundable, and technically achievable. The bifurcation at school costs almost nothing. The bifurcation at t=20 years costs a total rewrite. This study begins with school.
Digital perdition is a seven-node causal chain documented in Anatomy of Digital Perdition (16p). The exit is not breaking a single link — it is the simultaneous reconstruction of six strata. None is sufficient alone. Together, they create an irreversible bifurcation.
Each stratum can be activated independently. The effect is cumulative — an organisation activating strata 3 and 4 without waiting for strata 1 and 2 still progresses. Complete exit is a simultaneous architecture. Partial exit is preferable to paralysis. cf. Anatomy of Digital Perdition — Section 6: The Law of Late Bifurcation.
The mathematics teacher teaches sine and cosine. Before drawing the curve on the board, they bring out a satellite dish and say: 'Look how a wave propagates in physical reality.' No ministerial budget required. A satellite dish, a €35 Raspberry Pi, and the awareness that physical substrate exists.
This is the school's Head of SRE — not because they manage infrastructure, but because they are first to show that mathematical abstraction has a physical body. Sine and cosine exist in a satellite antenna. A network exists in cables. A server is controlled electricity. This awareness at age 14 is the vaccine against Free Tier.
The physics teacher takes over — showing the electromagnetic laws driving the CNC motor. From Faraday's law to the rotor: G-code moves electrons, electrons move the magnetic field, the field moves the motor, the motor moves the tool, the tool machines matter. The complete causal chain from symbol to matter.
The technology teacher shows the CNC — how a text file becomes a metal part at 0.01mm precision. Same logic as the LLM: input → processing → output. The Mystical Machine is demystified before marketing sacralises it.
The art teacher shows the 3D printer — how an STL file becomes a tangible object layer by layer. Creativity has a physical substrate. The digital touches matter.
An official programme in schools: 4 hours per term of 'digital physics' — CNC · 3D printer · physical network · server. Estimated budget: €500 per school for hardware (Raspberry Pi, cables, switch). Not an IT budget — a pedagogical budget. Teacher training: 2 days. National deployment: 3 to 5 years.
The scholastic amputation documented in The Maths Teacher's Bag (15p) does not come from a single course — it comes from the absence of coherence between disciplines. The mathematician teaches abstraction. The physicist teaches law. The technician teaches gesture. The art teacher teaches form. None shows the chain connecting them. This continuity rupture creates the cognitive void that Free Tier fills.
Concrete and immediately deployable proposal: an annual pedagogical project around a 3D printer.
Maths: geometric modelling → STL file. Physics: extrusion thermodynamics, motor electromagnetism. Technology: Marlin firmware, slicing parameters, G-code file. Visual arts: object design, formal constraints. IT: printer network connection, Octoprint server on Raspberry Pi.
In one project, the student understands the digital has a body, code has an energy cost, abstraction has a physical substrate. And that nobody needs AWS to print a plastic object.
A budget FDM 3D printer: €250. A Raspberry Pi 4: €55. An 8-port network switch: €25. Cables: €15. Total: €345 per school. A parent-teacher association can fund this. A local authority can fund this. A local company donation can fund this. This project requires no ministerial decision — a motivated teacher and €345. The cheapest bifurcation in the corpus.
56 training hours per year in certain conventional frameworks. Sufficient volume to acquire the fundamentals that break the cloud mastery illusion from IaC:
Week 1 (14h): Fundamental networking — OSI model · ARP table · VLAN · IP routing · TCP/IP. What Lambda never shows.
Week 2 (14h): Fundamental Linux — filesystem · inodes · processes · service management · systemd. What Kubernetes hides.
Week 3 (14h): Storage — RAID · LVM · snapshots · physical backup. What S3 replaces without anyone understanding what it replaces.
Week 4 (14h): Physical security — certificates · PKI · firewall · ACL. What 'managed IAM' abstracts.
In 56 hours, no senior is produced. Dunning-Kruger is broken. The developer who has seen an ARP table will never again confuse an HCL script with infrastructure mastery.
CPF massively funds hyperscaler certifications (documented in The CPF Misused, 6p). The answer is not elimination — it is balance. Massively reference neutral certifications in the CPF catalogue:
LFCS (Linux Foundation Certified System Administrator) · RHCSA (Red Hat Certified System Administrator) · CompTIA Network+ · CompTIA Security+ · LPIC-1/2 · Kubernetes CKA (neutral, not AWS proprietary)
These certifications exist. They are not visible enough in CPF catalogues. A France Compétences decision — not a technical one. RNCP registration timeline: 6 to 18 months. Main actors: France Compétences + Ministry of Labour.
A woman retraining in IT at 32 does not have the proprietary reflexes of a developer trained on AWS Educate at 20. Nobody offered her Free Tier at school. No AWS certification to defend. No ego invested in a 5-year cloud architecture.
She learns on fundamentals — because that is what retraining programmes teach when well designed. The documentable trajectory: technical support levels 1 and 2 → systems administrator → infrastructure engineer → senior SRE. This trajectory does not go through AWS Educate. It goes through Linux, networking, and systems physics.
Training cost: fundable on CPF + Pôle Emploi/France Travail retraining aids. Time to first position: 6 to 12 months for support. Time to full autonomy: 3 to 5 years. The same timeline as any technical track.
The HR lock documented in Anatomy of Digital Perdition S1B (−34% Linux positions in 4 years): ATS filters on proprietary cloud keywords. The answer has two levels:
Level 1 — RNCP: register LFCS, RHCSA, CompTIA Network+ in the RNCP (National Professional Certification Registry). An RNCP certification is legally enforceable against an ATS. France Compétences is the actor. Timeline: 6-18 months.
Level 2 — ROME job codes: modify Pôle Emploi's ROME (Operational Repository of Occupations and Jobs) to reintegrate 'Infrastructure Engineer', 'Systems Administrator' and 'Network Engineer' as distinct occupations from 'Cloud Engineer' or 'DevOps Engineer'. A ROME code is the reference HR uses to build job descriptions. Actors: DARES + Pôle Emploi.
Senior infrastructure engineers dismissed between 2018 and 2023 under the NoOps pretext still exist — freelancing, in early retirement, in niche ESNs. They carry 20 to 30 years of low-level skills that nobody transmits. A peer-to-peer mentoring programme — seniors → retrainees, especially women after 30 — is the fastest and least costly lever. Platform: France Travail + professional associations. Budget: near zero. The corpus is the reference. Seniors are the transmitters.
The architectural question: 'Can this component run outside AWS without a rewrite?' asked before every infrastructure technical decision. Cost: zero. Timeline: immediate. It makes conscious the decision that was unconscious (Default Effect, Stratum 6 of The Architecture of Consent).
Title rehabilitation: 'Infrastructure Engineer', 'Systems Administrator' and 'Network Engineer' must reappear in org charts and budgets as distinct titles — not subsets of a generic DevOps role. What has no budget line does not exist in the boardroom. What has no title is not recruited. Actors: HR + CIO. Timeline: next budget cycle.
The Product Owner is evaluated on velocity. Architectural reversibility is perceived as a sprint brake. The answer is not to block the PO — it is to make portability debt as visible as code technical debt.
The Portability Score (0 to 3):
0 = Pure proprietary (native DynamoDB, Lambda with AWS LAYERS, Cognito) — no migration possible without total rewrite
1 = Migration possible with major effort (12-36 months)
2 = Migration possible with moderate effort (3-12 months)
3 = Agnostic — runs on any infrastructure without rewrite
This score is a JIRA ticket field. Visible in the Definition of Done. Does not block the sprint — makes debt visible to management, CFO, and infra engineer. Setup cost: JIRA configuration, 2 hours. Deployment: immediate.
The sovereign Internal Developer Platform (IDP): the infra engineer provides agnostic, reversible bricks — a database brick (PostgreSQL bare-metal or cloud), a message queue brick (RabbitMQ or SQS depending on context), an authentication brick (Keycloak or Cognito). Each brick must answer 'yes' to the architectural question. Training to design a sovereign IDP: 3 to 5 days on OpenStack, bare-metal Kubernetes, PostgreSQL, standardised APIs. Fundable on CPF.
The disappearance of Capacity Planning (documented in NoOps · Autopsy, 6p) produced uncontrolled cloud invoices. Restoring it does not immediately require hiring a dedicated expert — it requires a rule: no production deployment without a real-scale monthly cost estimate signed by an infrastructure engineer. Not bureaucracy — translating software architecture into real costs before invoicing. The formula is documented in The Mystical Machine S5 (TCO + PUE). Applicable within a week.
Ghost IaC debt (documented in NoOps S3): thousands of cloud resources instantiated by abandoned Terraform scripts, active and billing, with no owner. A quarterly IaC audit lists all cloud resources, associates them with an owner and active use, and deletes orphans. Tool: terraform state list + AWS Cost Explorer. First audit duration: one day. Typical savings: 15 to 30% of monthly cloud invoice in organisations without IaC discipline.
Every critical organisation must answer this question: 'What happens if AWS is unavailable for 24 hours?' If the answer is 'we don't know' — it is a security emergency, not a future project. The cloud-free Business Continuity Plan (BCP) defines critical workloads, data that must survive, and the failover path to backup infrastructure (bare-metal, sovereign colocation). Drafting a minimal BCP: one week with a competent infrastructure engineer. Cost: the engineer's cost, no additional infrastructure.
Grade A Refurbished (documented in The Strategic Refurbished, 4p): servers 3 to 5 years old, grade A (functional, cleaned, tested), with chips already fabricated by TSMC — independent of future production. Price: a Dell PowerEdge R630 (2 Xeon E5 CPUs, 128 GB RAM, 4 SSD drives): €800 to €1,500 refurbished. Same capacity on AWS EC2: €8,000 to €15,000/year. The financial break is documented.
TPM contracts (Third Party Maintenance): physical maintenance was the lock the corpus had not resolved. Specialised actors (Park Place Technologies, Curvature, sovereign regional actors) ensure hardware maintenance of out-of-warranty servers at documented costs 40 to 60% below manufacturer contracts (Dell ProSupport, HPE Care Pack). The Accompanied Exodus systematically integrates a TPM contract into the TCO calculation. A line in the synthesis table — not an option.
The Accompanied Exodus does not migrate everything overnight. It identifies portable workloads (Portability Score 2 or 3) and starts with them:
Phase 1 (0-6 months): Development and test environments → local bare-metal. No risk, immediate savings, team training without production pressure.
Phase 2 (6-18 months): Staging workloads and cold data → sovereign colocation. Reduced cloud surface without impacting production.
Phase 3 (18-48 months): Progressive production → sovereign bare-metal for workloads with Portability Score 2+. Proprietary workloads (Score 0-1) remain on cloud pending planned rewrite.
The Sovereign Interface: during transition, a hybrid network allows bare-metal and cloud workloads to coexist. The goal is not purity — it is progressive mastery.
These numbers are public, verifiable, and devastating to the 'cloud is always cheaper' narrative:
Dropbox (2017): infrastructure migration from AWS to own datacentres. Economy documented in the IPO prospectus (S-1, 2018): $74.6 million saved over 2 years. The repatriation required an infrastructure engineering team — exactly the profile NoOps had declared obsolete.
Basecamp (2023): David Heinemeier Hansson, co-founder, publicly documented the cloud exit. Economy: over $1.5 million per year. The calculation: $3.2 million annual cloud invoices → $500,000 amortisable hardware over 5 years + $200,000 operational costs. Bare-metal profitability achieved in under a year for their volume.
These two examples are not nostalgic exceptions — they are industrial margin optimisation decisions documented in legal filings and public publications.
The long-term hardware horizon is documented in The Taiwan Bottleneck (6p). TSMC fabricates ~90% of advanced chips in the Taiwan Strait. The long-term sovereign answer:
RISC-V: open instruction set architecture, royalty-free, already used by SiFive, Alibaba, Western Digital. RISC-V chips exist — not yet competitive with NVIDIA A100 for AI, but will be in 5 to 10 years for standard workloads.
European Chips Act (2023): €43 billion to double Europe's share of global semiconductor production by 2030. Sovereign fabs: TSMC Dresden (under construction), Intel Magdeburg (under construction), STMicroelectronics in France. The horizon is 10-15 years — but the work starts now.
The ultimatum of 8 September 2026 makes four demands of AWS, GCP and Azure. These demands are the immediate contractual lever for any organisation renegotiating a cloud contract:
1 · Cancellable commits — without major financial penalty within 24h. Digital equivalent of a strategic veto right.
2 · Elimination of egress fees — or their legal capping (EU mobile roaming model).
3 · Guaranteed data portability — not in general Terms, in the signed contract.
4 · CLOUD Act position clarification — contractual commitment on non-disclosure without prior notification.
Legal training CIO/CFO: a 2-hour training on the CLOUD Act, Schrems II, and reading Terms §14.12 is the cheapest legal bifurcation. Can be delivered by any data law specialist. Cost: €500 to €2,000. Should be mandatory before signing any cloud contract exceeding €50,000 annually.
The reversibility clause: any cloud contract exceeding 12 months must include a negotiated reversibility clause — exit plan, data export format, maximum timeline, capped cost. Not an extraordinary demand — it is what well-negotiated SaaS contracts already include for customer data.
Strict SecNumCloud: ANSSI's SecNumCloud qualification requires immunity from extraterritorial laws. In its strict version (without hyperscaler derogation), it is the only label guaranteeing CLOUD Act immunity for public administration data. Requiring it in sensitive data public tenders is not favouritism — it is a GDPR and sectoral regulatory compliance requirement.
The Public Procurement Code prohibits arbitrarily excluding actors under penalty of favouritism offence. Hyperscalers structured their offers to answer public tender requirements point by point — and the immediate face price criterion favours cloud (Free Tier, initial discounts) over Bare-Metal initial investment. Public buyers choose AWS not through favouritism — but through ease, cognitive availability (Kahneman's heuristic), and least-effort conformity (Default Effect).
These criteria do not target AWS by name — they define objective functional requirements. Any entity that meets them can bid. Any entity that does not cannot — including AWS, Google and Microsoft as long as their European subsidiaries cannot guarantee CLOUD Act immunity.
Criterion 1 — Documentable extraterritorial immunity: the contract award entity must demonstrate it is subject to no law allowing a third-party State to access data without diplomatic procedure (MLAT). Legal basis: GDPR article 48 · Schrems II ruling (CJEU C-311/18, 2020) · DINUM Cloud au Centre Circular (2021).
Criterion 2 — 10-year TCO egress included: total cost of ownership must include exit costs (egress fees, migration costs, application rewrite). A cloud with €0 entry and €90,000 exit per PB is not cheaper than bare-metal at €50,000 initial investment. This criterion makes the financial comparison honest.
Criterion 3 — Contractually guaranteed data portability: data export in an open, documented format, within a defined maximum timeline, at capped cost, is a mandatory contractual clause.
Balanced CPF: for every hyperscaler certification funded by the CPF, an equivalent neutral certification must be equally visible and fundable in the Mon Compte Formation catalogue. Not removing AWS Certified — restoring parity. Actor: France Compétences. Administrative, not legislative decision. Timeline: 3 to 6 months.
ESN as market vectors: ESNs (Capgemini, Sopra Steria, Atos, CGI) are cited in the corpus as hyperscaler partners in conflict of interest. But they also have another function: they train and employ tens of thousands of engineers in France. An ESN creating a 'Sovereign Bare-Metal Infrastructure' offer and training its teams accordingly is a massive market transformation lever. Not utopian — if public tenders require sovereignty (Stratum 5), ESNs will offer sovereign skills. ESNs follow markets. Stratum 5 creates the market. Stratum 6 trains the actors.
DINUM reorientation: the Cloud au Centre programme retained AWS, Azure and Google as public administration providers. Redirect part of the DINUM budget toward sovereign public infrastructures — OpenStack hosted on physical servers in France, operated by civil servants trained on neutral fundamentals.
The Public Sovereign Cloud: not a private company with a label (Bleu, S3NS) — a public infrastructure operated by the State, on the model of La Poste for mail or Caisse des Dépôts for public finance. Not statism — the answer to national critical infrastructure. Estimated budget: €500 million to €1 billion over 5 years. Savings on current administration cloud contracts: documentable from DINUM data.
Cyber insurance companies require hosting with certified third parties (often hyperscalers with their SOC 2 and ISO 27001) to cover operating loss risk. Uncertified bare-metal is perceived as higher risk — not because it objectively is, but because it lacks a standardised label recognised by insurers.
The answer: lobbying with the French Insurance Federation (FFA) and ANSSI for strict SecNumCloud to be recognised as equivalent to cloud ISO 27001 in cyber policies. Arguments:
1 · Cloud lock-in and Taiwan Bottleneck dependency constitute a systemic bankruptcy risk higher than locally mastered Bare-Metal infrastructure (documented in The Hand Over Nations, 8p).
2 · The Schrems II ruling creates documented legal risk for any organisation using American cloud services for GDPR data — this risk should increase non-compliant cloud premiums, not reduce them.
This lobbying is a medium-term lever (2-3 years). Actors: ANSSI + FFA + CNIL + DSI professional associations.
National training plan: the equivalent of the 1960s Plan Calcul — adapted to the digital sovereignty era. Integrate into major engineering schools (Polytechnique, Centrale, INSA, IUT) a mandatory 'digital physics' module: network low-level layers, operating systems, hardware and Capacity Planning. Not cloud training — training in fundamentals that make any choice possible.
European Chips Act: €43 billion for European semiconductor manufacturing. TSMC Dresden · Intel Magdeburg · STMicroelectronics. The horizon is 2030-2035. The corpus documented the dependency (The Taiwan Bottleneck, 6p) — the Chips Act is the ongoing political response. France must ensure these investments produce chips usable by its own sovereign infrastructures, not only exported.
Partial exit is preferable to paralysis. An organisation activating only Strata 3 and 4 progresses. One activating only Stratum 5 progresses legally. The effect is cumulative. All corpus references are available in the 64 preceding studies. cf. Anatomy of Digital Perdition (16p) for the captivity map · cf. The Architecture of Consent (8p) for cognitive biases · cf. The Hand Over Nations (8p) for the geopolitical framework.
The Operation Dindon corpus documented perdition in 64 studies. This study documents the exit in 6 strata. None is sufficient alone. Together, they form the only response proportionate to the architecture of captivity.
Stratum 1 (school) costs €345 and a satellite dish. Stratum 3 (Portability Score JIRA) costs 2 hours of configuration. Stratum 4 (Grade A Refurbished) costs €800 to €1,500 per server. Stratum 5 (legal training) costs €500 to €2,000. These interventions are available now, funded from existing budgets, without legislative decision.
Stratum 6 (Public Sovereign Cloud, Chips Act) requires political decisions and 5 to 15-year horizons. It cannot wait for Strata 1 to 5 to complete — it must be initiated now to be operational when the other strata have produced their effects.
Digital captivity was not built in a day.
It is not undone in a day.
But every lever activated is a link in the chain that gives.
And the chain gives.
Amine RAITI · Operation Dindon · 2026
The Sovereign Interface is an abstraction layer whose contract is defined by the business domain — not by the vendor. It is inverted relative to classical adaptation: it is not the application that adapts to the vendor (BigQuery, DynamoDB, Pub/Sub), it is the vendor that adapts to the application. Changing vendor = changing the adapter. The application does not know. It is the architectural equivalent of the electronic adapter: the component that changes without either side changing.
Hyperscaler lock-in has two levels. The infrastructure level — VPC, subnets, load balancers, availability zones — is painful to migrate but technically feasible with Terraform and patience. The application level — BigQuery in the Python code, DynamoDB in the Java code, Pub/Sub in the Go code — is structurally different. It is the hyperscaler's dialect engraved in the business logic of the application. Migrating means rewriting. And rewriting a production application is a high-risk project with unpredictable cost and maximum regression probability.
When a developer writes client = bigquery.Client(), they are not just choosing a service. They are committing the application to BigQuery's thinking schema — its data types, its extended SQL syntax, its ARRAY_AGG, STRUCT, proprietary partitioning and clustering. Six months later, these idioms are everywhere in the code. The application no longer speaks the business domain language — it speaks BigQuery.
The same dynamic applies to DynamoDB (key-value data model with GSI/LSI secondary indexes, proprietary condition expressions), to Pub/Sub (push/pull subscription model, acknowledgment, retry policy), to Cosmos DB (SQL, MongoDB, Cassandra API depending on the day — but all proprietary in their subtleties). Each hyperscaler service is a dialect. And a developer fluent in BigQuery is not fluent in PostgreSQL — they must learn a new dialect with its own traps, performance characteristics and limits.
The Opération Dindon corpus documented egress fees as an economic capture mechanism. But even if egress fees were zero, migration would remain costly — because the true cost of migration is not data transfer, it is rewriting application code. Zero egress fees on S3 change nothing if the application calls 847 different S3 API endpoints with their nuances of versioning, presigned URLs and event notification. The gentle exit from hyperscaler cloud goes through code architecture, not just the network.
In electronics, when two incompatible systems must communicate, an adapter is placed between them. A 5V microcontroller talks to a 3.3V sensor via a level shifter. An RS232 port talks to a USB computer via an FTDI converter. The adapter is disposable — if the sensor changes, change the level shifter, not the microcontroller. If the port changes, change the converter, not the computer. Both sides remain stable. Only the adaptation component changes.
Eric Evans, in Domain-Driven Design (2003), names this pattern the Anti-Corruption Layer (ACL). When a system must integrate an external system with a different domain model, the ACL translates between the two — without letting the external model contaminate the internal model. The application only sees its own model. The ACL handles translation to the external. Changing the external = rewriting only the ACL.
Applied to cloud services: the application only sees its domain interface (DataWarehouse, MessageQueue, ObjectStore). The ACL translates to BigQuery, DynamoDB, S3. Migrating to PostgreSQL, Kafka, MinIO = rewriting the ACL. The business application does not change.
Terraform: infrastructure-as-code abstraction. Same HCL for AWS, GCP, Azure. Limited to infra — not proprietary managed services.
Apache Beam: data pipeline abstraction. Same pipeline on Dataflow (GCP), Flink, Spark. Successful abstraction — but specific to batch/stream pipelines.
Kubernetes: container runtime abstraction. A K8s pod runs on EKS, GKE, AKS or bare-metal without modification.
S3-compatible APIs (MinIO, Ceph, Cloudflare R2): application speaks S3, runs on any compatible backend. The success model to duplicate.
JDBC/ODBC: database access abstraction since the 1990s. Application speaks standard SQL, driver translates to DBMS dialect.
What is missing: abstraction of proprietary managed services — BigQuery, Pub/Sub, DynamoDB, Cosmos DB, Kinesis. No common standard. This is where lock-in is deepest and the Sovereign Interface most necessary.
The application defines its needs in business terms. Behind the interface, concrete implementations for each vendor.
Changing vendor = changing one configuration line. The business application does not know.
An HTTP proxy that receives proprietary API calls and translates them to an open source backend. The application keeps calling the DynamoDB API — but the proxy redirects to ScyllaDB or Cassandra.
Existing projects: DynamoDB Local (testing), Localstack (full AWS emulation locally), dynamo-cassandra-proxy (Apache).
A neutral query language above proprietary dialects. The application speaks a common DSL, the translation layer generates backend-specific code.
Existing projects in this spirit: SQLAlchemy (neutral ORM), dbt (neutral transformation), Ibis (pandas-like API on BigQuery, DuckDB, Snowflake).
Specific lock-in: extended SQL (ARRAY_AGG, STRUCT, UNNEST), partition/clustering, JavaScript UDFs, built-in ML.PREDICT.
Neutral interface: DataWarehouse.query(sql: str) → DataFrame — standard SQL only, no proprietary extensions.
Open source alternative: DuckDB (in-process analytics, same performance on small volumes), PostgreSQL + TimescaleDB (time series), ClickHouse (open source columnar analytics).
Bridge tool: Ibis — same Python API on BigQuery, DuckDB, Snowflake, PostgreSQL.
Specific lock-in: GSI/LSI model (global/local secondary indexes), proprietary condition expressions (attribute_exists, begins_with), DynamoDB Streams.
Neutral interface: KeyValueStore.get(key) / put(key, value) / query(pk, sk_prefix).
Open source alternative: ScyllaDB (DynamoDB API compatible), Cassandra, Redis with modules.
Translation facade: dynamo-cassandra-proxy (Apache) — DynamoDB API as facade, Cassandra as backend. Zero application rewrite.
Specific lock-in: topic/subscription model, push/pull, acknowledgment deadline, ordering keys, dead letter topics.
Neutral interface: MessageQueue.publish(topic, message) / subscribe(topic, handler).
Open source alternative: Apache Kafka, RabbitMQ, NATS. Standard: CloudEvents (CNCF) for message format.
Key tool: CloudEvents + one adapter per broker. Message format is neutral — only transport changes.
S3 is the only hyperscaler service whose API has become a de facto standard. MinIO, Ceph, Cloudflare R2, Backblaze B2 all implement the S3 API. The application speaks S3 and can run on any compatible backend. This is the model to replicate for other services. The lesson: standardise the API, not the service. The Sovereign Interface for S3 already exists — and it has freed thousands of organisations from object storage lock-in.
For a service like BigQuery used in a medium-sized Python application:
Define the domain interface: 2h — identify the operations actually used, reduce them to a minimal contract.
Write the BigQuery adapter: 4h — wrap existing calls behind the interface. Often this is refactoring existing code, not writing from scratch.
Write contract tests: 3h — tests that verify any adapter respects the interface contract.
Write a second adapter (local DuckDB): 3h — proves the interface is truly neutral and accelerates local development (no GCP needed in dev).
Total: 12h of senior engineering — a day and a half. Cost: ~€1,200-2,400 depending on rate.
For the same Python application, BigQuery → PostgreSQL migration without abstraction layer:
Code audit: 3 days — identify all BigQuery calls, all extended SQL idioms, all proprietary functions used.
Code rewrite: 10-30 days depending on complexity — replace each call, adapt each SQL query, handle type and behaviour differences.
Regression testing: 5-10 days — ensure the rewrite breaks nothing in business logic.
Progressive deployment: 3-5 days — switchover with rollback possible.
Total: 21 to 48 days of engineering. Cost: €25,000 to €60,000. And this assumes the migration succeeds on the first attempt — which is rare.
12h initial investment → potential saving of 21 to 48 days during a migration. Ratio: 1 to 40 or 96. But the true return on investment is not in the migration — it is in the freedom to negotiate. An organisation whose application is decoupled from BigQuery can tell Google: "We are considering migrating to PostgreSQL in 6 months if pricing conditions do not change." This negotiating freedom has a value the calculation does not capture.
The Sovereign Interface is an architectural decision. It cannot be imposed by a developer alone. It requires that the Principal SRE or Lead Architect has the final word on architecture choices — what the corpus calls Technical Primacy. Without it, the Sovereign Interface is a good idea that dies at the first sprint planning.
Sprint planning. The backend developer proposes calling BigQuery directly — "it's simpler, we already have the SDK, it will work in two hours". The Principal SRE says "we need an abstraction layer — 12h of work but we'll be free to migrate". The product owner says "we don't have 12h, we have a Friday deadline". Without Technical Primacy, the product owner wins. BigQuery is in the code. The chain is in the code. And in 18 months, when Google raises prices by 40%, the migration will cost 48 days.
This is exactly Scenario 1 of "Technical Primacy" — the suboptimal decision made to meet a deadline, whose debt materialises 18 months later. With the Sovereign Interface, the deadline would have been 12h longer. Without it, it will be 48 days.
The Principal SRE who wants to impose an abstraction layer now has a quantified argument: "12h now, or 48 days in 18 months. Choose." This is no longer a discussion about abstract architectural best practices — it is an ROI calculation presentable to the board. Technical Primacy is easier to exercise when it relies on defensible numbers rather than engineering principles.
If management decides to override the Sovereign Interface recommendation, the Principal SRE documents their veto: "I advise against calling BigQuery directly without an abstraction layer. Estimated risk: forced migration within 2 years, estimated cost €25,000 to €60,000. Recommended alternative: Sovereign Interface, 12h, cost €1,200-2,400." This document protects the engineer. It records the decision. And when the migration arrives, the causal chain is traced.
The Opération Dindon corpus model had four layers: naming the body (The Ticket and the Talent), training it (The Foundation of Iron), making it visible (The Uniform of the Body), protecting it (The Digital Craftsmen). This study adds the fifth layer — abstract. Abstract application code from the hyperscaler dialect so that technical sovereignty is real, not merely declared.
The thesis "No Sovereignty Without Matter" applies to code: no sovereignty without abstraction. An organisation that declares its sovereignty but whose code speaks BigQuery is not sovereign — it is dependent with a sovereignty narrative. The Sovereign Interface is the matter of application sovereignty.
The Gentle Exit documented for DevOps engineers applies to architecture: migrate progressively, service by service, without a catastrophic D-Day. Plug in a new adapter. Test. Switch over. The application does not know. This is the gentle exit from hyperscaler cloud.
Abstraction allows routing to the cheapest backend by context. BigQuery for large analytical volumes in production. DuckDB locally for development (zero cost). PostgreSQL for intermediate volumes. The application does not change — only the adapter changes per environment.
The Sovereign Interface
Anti-Corruption Layer
Neutral domain interface
→ Decouple to survive
12h to implement. 48 days to migrate without it.
The engineer who places an abstraction layer today
is the engineer who negotiates from a position of strength tomorrow.
The metal precedes the code. The abstraction protects the code.
Do not migrate all at once. Identify high-egress or high contractual cost services first. Abstract SDK dependencies before physically migrating. Each service migrated to an open standard is an additional negotiation lever against AWS.
1. Observability (CloudWatch → OTel stack) — immediate bill impact
2. Object storage (S3 → MinIO/Backblaze B2) — zero refactoring
3. Relational databases (RDS → Aiven/Supabase) — pg_dump/restore
4. Serverless (Lambda → OpenFaaS) — adapt the handler
5. Kubernetes (EKS → k3s) — Velero for workloads
6. AI/ML (Bedrock → vLLM) — adapt the API endpoint
GCP CUDs offer no refund on termination (s.8.8). Migration must be planned so commitments are consumed naturally during transition. Never terminate a CUD early — migration savings never offset the total loss of the committed amount.
1. Observability (Cloud Monitoring → OTel stack) — immediate impact
2. Object storage (GCS → MinIO/Backblaze B2) — zero refactoring
3. BigQuery → ClickHouse — strong ROI if volume > 1TB/mo
4. Cloud SQL → Aiven/Neon — pg_dump/restore
5. GKE → k3s — Velero
6. Cloud Functions → Knative
7. Vertex AI → vLLM self-hosted
If your organisation holds Windows Server or SQL Server licences with Software Assurance, Azure Hybrid Benefit allows reuse on Azure VMs or AKS. Reduction: 40–55% on Windows VM cost · up to 80% on Azure SQL database. Check systematically before any Windows workload deployment.
Azure Savings Plans are non-cancellable (12% termination fee + $50,000/yr cap). Capacity Blocks are non-refundable. Plan migration so commitments are consumed naturally. Never terminate early without first calculating whether termination cost is lower than migration gain.
1. Observability (Azure Monitor → OTel stack) — immediate impact
2. Blob Storage → MinIO/Backblaze B2 — zero refactoring
3. Azure SQL → managed PostgreSQL (Aiven/Neon) — pg_dump/restore
4. Azure Functions → Knative — adapt the handler
5. AKS → k3s — Velero for workloads
6. Cosmos DB → MongoDB Community — compatible API
7. Azure OpenAI → vLLM self-hosted — adapt endpoint
Broadcom's acquisition of VMware in November 2023 immediately restructured licensing: perpetual licences discontinued · forced migration to annual subscriptions · documented price increases of ×3 to ×12 depending on configuration · Standard and Essentials editions eliminated in favour of imposed bundles. This is Layer 2 (pricing) of vendor lock-in applied to on-premise infrastructure — the same mechanism as cloud hyperscaler egress fees. The difference: the increase is immediate and without contractual alternative.
The D1/D2/D3 configuration adds three critical constraints absent from standard migrations: (1) vSAN inter-site synchronisation with tolerance for complete site loss — the D3 witness stores no data but arbitrates quorum; (2) NSX T0/T1 Gateway in active/standby mode across datacenters with North-South flow management between sites; (3) split-brain risk if the D1↔D2 link is cut — without D3 arbitration, both sites can diverge. These three dimensions impose a strict migration sequence: network before storage before compute.
vSAN Stretched Cluster with FTT=1 and PFTT=1: tolerates complete loss of one site (D1 or D2) without data loss. The Witness Appliance on D3 carries metadata components (witness components) to arbitrate quorum without storing VM data. SPBM storage policy: vSAN objects are distributed between D1 and D2 according to site-aware placement rules. On D1 loss, all VMs fail over to D2 via vSphere HA — the Witness D3 maintains quorum.
NSX-T Tier-0 Gateway in active/standby inter-site mode: active T0 on D1 handles North-South routing · standby T0 on D2 takes over on D1 loss. Tier-1 Gateways per tenant/segment. GENEVE overlay on physical transport. Distributed Firewall (DFW) applied per VM vNIC — the firewall follows the VM regardless of physical location. VTEP on each ESXi host.
vCenter Server in HA or Enhanced Linked Mode. DRS: workload balancing across hosts with site-aware affinity rules to avoid suboptimal inter-site placement. vSphere HA: automatic VM restart on surviving site on site loss. Fault Domain management: D1 = Preferred · D2 = Secondary.
VMware Tanzu Kubernetes Grid (TKG) or vSphere with Tanzu: K8s clusters supervised by vCenter · storage via vSAN CSI driver · networking via NSX-T NCP (NSX Container Plugin). Tanzu workloads co-located with VMs on the same vSAN/NSX fabric — Tanzu → K3s/K8s vanilla migration requires Velero for workload backup/restore.
Veeam Backup & Replication or VMware SRM for recovery plans. RPO/RTO defined by criticality tier: Tier 1 (RPO <15min · RTO <1h) · Tier 2 (RPO <1h · RTO <4h) · Tier 3 (RPO <24h · RTO <24h).
Ceph in stretched cluster mode with custom CRUSH map: bucket type datacenter containing D1 and D2 racks. CRUSH rule: stretch_mode true · mon stretch_cluster · min_size=2 · size=4 (2 copies D1 + 2 copies D2). MON tiebreaker on D3 arbitrates Ceph quorum without OSD. RBD (RADOS Block Device) as VM storage backend — direct interface with Proxmox VE via Ceph pool.
OVN (Open Virtual Network) with Open vSwitch: full functional replacement of NSX-T. Distributed OVN logical router: T0/T1 equivalent. GENEVE overlay (same protocol as NSX-T — same encapsulation). OVN ACLs: Distributed Firewall equivalent. BGP EVPN with FRRouting for inter-datacenter routing and D1↔D2 flow symmetry. OVS VTEP on each Proxmox host.
Proxmox VE cluster via Corosync + QDevice (corosync-qnetd) on D3. HA Groups per datacenter: restricted=1 for Tier 1 VMs (stay on preferred site) · restricted=0 for Tier 2/3 (auto-migrate to surviving site). Fence devices per site: IPMI/iDRAC for physical isolation on split. Live migration between D1 and D2 via KVM live migration (vMotion equivalent).
K3s or vanilla Kubernetes on Proxmox VMs · Longhorn or Ceph RBD CSI driver for persistent storage · Calico or Cilium for pod networking · Velero for workload backup/restore (migration from Tanzu). K3s recommended for small clusters (<20 nodes) · vanilla K8s for more complex environments.
Proxmox Backup Server (PBS): incremental VM backup with deduplication · configurable retention · client-side encryption. As complement or replacement: Veeam Community Edition (free up to 10 workloads) or existing Veeam licence during transition if contractually permitted.
If the D1↔D2 network link is interrupted, both sites may continue operating independently with diverging data. Without external arbitration (D3), both sites consider themselves the "live" site and continue accepting writes — producing irrecoverable data divergence.
Critical prerequisite: the D1/D2↔D3 link must be independent of the D1↔D2 link. If D3 is on the same network path as D1↔D2, the tiebreaker cannot arbitrate a failure on that link.
Key point: Ceph stretched tolerates 10ms D1↔D2 latency vs 5ms for vSAN — making Proxmox/Ceph migration compatible with existing inter-site configurations that were at the vSAN tolerance limit.
A stretched cluster migration cannot be done layer by layer independently. The order is mandatory to avoid degrading fault tolerance during transition:
Never decommission vSAN before Ceph stretched is validated in production. The storage double-run period is the most costly but least risky phase.
Proxmox VE installation on new hosts (or cohabitation if sufficiently dimensioned) · Corosync cluster D1+D2+QDevice D3 · Ceph MON tiebreaker D3 · Initial Ceph OSD D1 and D2 · Base OVN/OVS configuration · PBS installed and configured. No VMs migrated. Infrastructure validation phase only: simulated split-brain test · Corosync failover test · Ceph quorum test · latency validation.
VMDK → qcow2 conversion with virt-v2v or Proxmox import · cold migration of non-critical VMs · Ceph stretched performance validation under real load · live migration validation between D1 and D2 · Ceph failover validation on simulated site loss · team training on Proxmox interface. Network: first OVN segment in production parallel to NSX-T.
Migration in batches of 10–20 VMs · Proxmox HA validation on simulated site loss · NSX-T to OVN flow migration segment by segment · OVN ACL validation as NSX DFW equivalent · Tier 2 K8s: Tanzu → K3s migration with Velero. Network: progressive NSX-T → OVN switchover with dual-stack maintained.
Planned migration with short maintenance windows (<30 min per batch) · final NSX-T → OVN switchover for critical flows · progressive vSAN deactivation after Ceph production validation · full disaster recovery test D1 → D2 · RPO/RTO validation per tier · documented rollback test. Tier 1 K8s: last migration after full Tier 2 validation.
Broadcom subscription termination · licence archiving · ESXi host removal · NSX-T manager decommission · vCenter deletion · configuration archiving · final Proxmox architecture documentation · actual vs estimated ROI audit · post-migration software governance audit.
vSAN must not be decommissioned before Ceph stretched has run in production across all migrated Tiers for at least 4 weeks without incident. NSX-T must not be decommissioned before OVN has managed all production flows for 2 weeks. The double-run cost is the price of safety.
Portable skills on open standards (KVM · Ceph · OVN · K8s) · Linux Foundation and CKAD/CKA certifications valued on the wider market · active community (Proxmox Forum · Ceph upstream · OVN GitHub) · enterprise support available (Proxmox GmbH ~€1,400/year/node · Red Hat Ceph Storage) · zero proprietary licence dependency to continue running infrastructure · EU Data Act art. 25 compatible: migration possible at any time without contractual obstacle.
These figures are purely illustrative and approximate — your actual situation may differ significantly based on Broadcom negotiation, hardware sizing and internal migration costs.
Estimated VMware/Broadcom cost (illustrative): €300,000/year (post-Broadcom subscription ×3 on a previous base of €100,000/year).
Estimated Proxmox cost (illustrative): Optional Proxmox GmbH support ~€28,000/year (20 nodes × €1,400) · software licences: €0 (AGPLv3).
Estimated annual saving: ~€272,000/year after full migration.
Estimated migration cost: 6 months double-run (~€150,000 infrastructure) + training/consulting (~€50,000) = ~€200,000.
Estimated ROI: under 9 months after migration completion. These estimates are indicative — recalculate with your actual figures.
virt-v2v — VMware VM conversion (VMDK) to KVM (qcow2) · supports ESXi, vCenter · automatic virtio driver handling · libguestfs-tools
qemu-img — manual VMDK → qcow2 conversion · qemu-img convert -f vmdk -O qcow2 vm.vmdk vm.qcow2
Proxmox import plugin — direct import from ESXi datastore via Proxmox interface · available Proxmox VE 8.x
ovftool — VMware export to OVA/OVF · used upstream of virt-v2v
cephadm — Ceph deployment · recommended for Ceph 16+
crushtool — CRUSH map compilation and validation
ceph mon stretch cluster — stretched mode activation command
radosgw-admin — RGW object management if object storage required
ovn-nbctl / ovn-sbctl — OVN North/South database management
ovs-vsctl — Open vSwitch configuration
FRRouting (FRR) — BGP EVPN for inter-site routing
Proxmox SDN — Proxmox interface for OVN (simplifies configuration)
Velero — K8s workload backup/restore · Tanzu → K3s/K8s vanilla migration · vmware-tanzu/velero
K3s — lightweight Kubernetes · ideal <20 nodes · k3s.io
Ceph CSI driver — K8s persistent storage via RBD · github.com/ceph/ceph-csi
PBS (Proxmox Backup Server) — incremental VM backup · deduplication · encryption · free
Proxmox VE Admin Guide — pve.proxmox.com/pve-docs/
Ceph Documentation — docs.ceph.com · "Stretched Clusters" section
OVN Architecture Guide — ovn.org/documentation
FRRouting docs — docs.frrouting.org · BGP EVPN
RFC 7348 — VXLAN encapsulation
RFC 8365 — EVPN for datacenter interconnect
Proxmox Community Forum — forum.proxmox.com · very active · fast responses
Ceph Mailing Lists — lists.ceph.io · ceph-users for operational questions
OVN GitHub — github.com/ovn-org/ovn · issues and discussions
Proxmox GmbH Support — ~€1,400/year/node · guaranteed SLA
Red Hat Ceph Storage — enterprise Ceph support
This guide is the operational follow-up to the architecture study. Where the study formalises technical choices and the target trajectory, this tutorial provides the commands, configuration files and checklists required to execute every layer of the migration, from initial audit through to continuous operations.
Each module follows the same structure: objective, execution commands, complete configuration files, and a validation checklist at the end of the section. Modules are designed to be followed in order — each subsequent module assumes the previous module's validations are complete. Command blocks are generic and must be adapted to your organisation's naming conventions, IP address ranges and security conventions before execution.
This document is the operational follow-up to the reference architecture study. It does not replace support from an integrator or architect on a real high-stakes migration project — it provides the reproducible execution skeleton.
Before any action on Proxmox, a thorough inventory of the existing VMware environment is the number one condition for success. Most documented migration incidents in the industry stem from an unidentified application dependency upstream — not from a technical flaw in the target platform.
Full export script of the vCenter inventory to CSV, including virtual hardware configuration, SPBM storage policies and guest tools status.
Before replacing NSX-T with the Proxmox SDN, document the exact topology: logical segments, active DFW rules, T0/T1 gateways, anti-spoofing tables.
List the SPBM policies in use and their future mapping to Ceph CRUSH rules — this step determines the complexity of Module 4.
For each Windows Server VM, check the licensing mode (per physical core, Datacenter, licence mobility) before migrating to KVM — a frequent and costly compliance gap if discovered after migration.
Usable capacity depends on the chosen replication factor. For a stretched architecture with size=4 (2 copies per site) and min_size=2:
Example: 24 OSDs of 4 TB each = 96 TB raw → Real usable capacity = 96 / 4 = 24 TB exploitable
Sizing rule: budget approximately 1 GB of RAM per TB of managed OSD, plus a 30% margin for recovery peaks.
Example: a node with 4 OSDs of 4 TB = 16 TB per node → Minimum_Ceph_RAM = (16 × 1) × 1.3 = 20.8 GB dedicated to Ceph
Method for calculating the target consolidation ratio while accounting for the HA margin (loss of one site).
With 2 active sites and tolerance for the loss of 1 site: each site alone must be able to absorb 100% of the total load.
Use the official ISO in graphical mode or via an answer file for automated, reproducible deployment across multiple nodes.
Each node must have at least 2 network interfaces in active-active bonding (LACP) for Ceph back-end traffic, separated from the management network.
Validate actual latency and bandwidth between D1 and D2. Stretched Ceph tolerates up to 10ms RTT.
Raw performance test of NVMe disks before Ceph integration, to catch any underperforming disk before it becomes a cluster bottleneck.
The first node initialises the cluster, subsequent nodes join it — creating the distributed configuration database (pmxcfs) shared across all nodes.
The QDevice runs on an independent machine hosted at D3, fully separated from the D1-D2 network path.
With 3 nodes per site (D1 + D2) plus the QDevice, the total is 7 votes. Quorum is calculated automatically by Corosync on absolute majority.
Before going to production, simulate the D1-D2 link cut to validate the expected failover behaviour (the site with the QDevice obtains the majority).
cephadm is the recommended deployment tool for recent Ceph versions. It runs in a container and orchestrates installation across all nodes.
Create logical buckets of type datacenter to encapsulate each site's hosts — a prerequisite for enabling stretch mode.
The rule enforces 2 copies on D1 and 2 copies on D2, guaranteeing full data survival in the event of a single-site loss.
Native stretch mode explicitly binds the D3 arbiter monitor and activates automatic failover behaviour.
Controlled shutdown of Ceph services on D1 to validate failover behaviour under realistic conditions.
Synchronous Ceph replication means a write operation incurs the round-trip inter-site latency (RTT). A 2ms RTT adds a fixed transaction cost of roughly 2ms. Dedicated fibre links and enterprise-class NVMe disks are essential to avoid degrading perceived application performance.
An EVPN-type SDN zone encapsulates traffic in VXLAN with a BGP control plane for route distribution between D1, D2 and D3.
Each VNet corresponds to a logical segment equivalent to an NSX-T segment, with an anycast gateway distributed across all hypervisors.
Proxmox VE natively supports TOTP for management interface access, independent of SSH authentication. Configuration via Datacenter > Permissions > Two Factor.
Integrate the cluster with the existing corporate directory to centralise access management and traceability.
Ceph authentication keys (cephx) and PBS encryption keys must be stored outside the cluster itself, in a dedicated secrets vault.
An HA group defines the set of nodes eligible to host a VM on failover, with an optional priority per node.
Prevent two redundant VMs (e.g. two domain controllers) from ending up on the same physical node after an automatic failover.
In the absence of a native dynamic scheduler equivalent to DRS, a scheduled script queries the Proxmox REST API to evaluate load and trigger live migrations.
The native Proxmox import wizard connects directly to vCenter to list VMs available for migration, with no manual conversion step required.
The Windows procedure requires injecting VirtIO drivers before the first boot under Proxmox, or risk a blue screen at boot time.
Document the underlying physical infrastructure change in the company's Software Asset Management (SAM) portal — a condition of Microsoft contractual compliance.
PBS is installed standalone, ideally on infrastructure physically distinct from the production cluster to ensure isolation in case of compromise.
Time-based locking on critical backups to prevent any deletion or modification, even by a compromised administrator account.
VictoriaMetrics or Prometheus collect the metrics natively exposed by Proxmox VE and Ceph, with no additional agent on the hosts.
The scenarios below should be executed in pre-production and then repeated in production during planned maintenance windows, at a minimum of one full cycle every 6 months.
Combination of the previous scenarios: complete loss of D1 AND a failed automatic failover, to validate the last-resort manual recovery procedure.
Each drill must produce a short report: actual failover duration, deviations from expected behaviour, identified corrective actions.
Updates are performed node by node, never simultaneously, to maintain quorum at all times during the operation.
Strict order: monitors (MON) first, managers (MGR) next, then OSDs one at a time with a health check between each step.
Standard structure: observed symptom · diagnostic checks · decision — automatic action vs manual intervention required · escalation procedure · reference architect contact.
Duplicating several terabytes of production data cannot be improvised. If you saturate your disk or lock your tables, you are no longer an engineer — you are a saboteur. This tutorial documents the complete method: direct SSH streaming with no local storage, data preparation, binlog and GTID replication, post-deployment verification. Clean and direct.
mysqldump / mariadb-dump: simple, universal, human-readable. But it locks tables (or produces inconsistent data without locking), generates a SQL file to reimport line by line, and becomes impractical beyond a few dozen GB. Reserve for small databases or occasional migrations with no time constraint.
LVM snapshot: fast and consistent if the MySQL volume is on LVM. But requires prior LVM configuration, sufficient snapshot space, and a few-second maintenance window for the snapshot.
Galera Cluster (SST/IST): ideal for already-running multi-master clusters. Irrelevant for a one-shot source → target migration.
XtraBackup / Mariabackup: physical hot backup, without locking InnoDB tables, direct streaming to the target, consistency guaranteed by transaction logs. This is the strategy for multi-TB production databases with zero downtime.
From MariaDB 10.2+, Percona XtraBackup is no longer fully compatible. Use Mariabackup — the official MariaDB fork. Commands are nearly identical but the binaries differ: mariabackup instead of xtrabackup. Check version: mariadb --version. This tutorial uses xtrabackup syntax for readability — adapt according to your installed version.
SSH streaming pipes data directly from SOURCE to TARGET without ever writing to the SOURCE disk. Three critical advantages:
— Zero disk saturation on source: a 3TB database does not require 3TB of free space on the source server.
— Real-time transfer: data arrives on the target as it is read, reducing total migration time.
— Single checkpoint: if the transfer fails, restart. No corrupted intermediate file to manage.
Prerequisites: passwordless SSH between the two servers (deployed public key) and sufficient network bandwidth between SOURCE and TARGET.
□ Identical MariaDB versions on SOURCE and TARGET (mariadb --version)
□ Identical XtraBackup/Mariabackup versions on both servers
□ TARGET disk space ≥ SOURCE datafiles size + 20% margin (du -sh /var/lib/mysql)
□ Passwordless SSH from SOURCE to TARGET and TARGET to SOURCE
□ All critical tables are InnoDB (if MyISAM present, see warning below)
□ Binlog enabled on SOURCE (SHOW VARIABLES LIKE 'log_bin')
□ GTID enabled or not — decide replication method before starting
□ Firewall: MySQL port (3306 or custom) open between SOURCE and TARGET
--no-lock is safe ONLY if all tables are InnoDB. A single MyISAM table produces silent inconsistency — the backup will appear to succeed but MyISAM data may be corrupted. Check: SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE TABLE_SCHEMA='your_db' AND ENGINE != 'InnoDB'; If non-empty result: convert to InnoDB or use --lock-ddl-per-table instead of --no-lock.
ulimit -n 1048576: raises the maximum number of simultaneously open file descriptors. On large databases with many tables, XtraBackup can hit the system default limit (1024) and fail silently. This line prevents it.
--no-lock: removes the global FLUSH TABLES WITH READ LOCK. Production continues uninterrupted. ONLY safe with 100% InnoDB (see Section 2).
--parallel=4: number of parallel read threads. Adjust based on available CPUs on SOURCE. Start at 4, increase if network bandwidth is not the bottleneck.
--stream=xbstream: XtraBackup proprietary streaming format, more efficient than tar for MySQL files.
--socket: path to the MariaDB Unix socket. Varies by distribution: /var/run/mysqld/mysql.sock (Debian/Ubuntu) or /tmp/mysql.sock (CentOS/RHEL). Verify: SHOW VARIABLES LIKE 'socket';
xbstream -x -C /backup/source-db-server: stream extraction on TARGET into the target directory. Ensure it exists and has sufficient space.
The physical backup captured in a live stream contains potentially inconsistent data pages — transactions open at capture time. --prepare applies the redo log and rolls back incomplete transactions, making the backup consistent and restorable. This step is mandatory. Without it, MariaDB will refuse to start on the restored files.
systemctl stop mariadb — The data directory must be empty. Never restore onto a running MariaDB instance.
XtraBackup restores files with the permissions of the user running the command (often root). Without chown -R mysql:mysql, MariaDB will refuse to start with a permissions error. This is the most frequent mistake at this stage.
XtraBackup created the file xtrabackup_binlog_info in the backup directory. It contains the exact binlog position at capture time.
More robust — survives restarts and failovers without manual position reconfiguration.
SQL — RUN ON TARGET
Slave_IO_Running: Yes — the I/O thread is connected to SOURCE and reading the binlog. If No: network issue or incorrect credentials.
Slave_SQL_Running: Yes — the SQL thread is applying events on TARGET. If No: SQL error, check Last_SQL_Error.
Seconds_Behind_Master: 0 — TARGET is synchronised. A non-zero value indicates replication lag — normal just after start, must converge to 0.
Last_IO_Error / Last_SQL_Error — if non-empty: read and address before continuing.
Error 1236 — Could not find first log file: the binlog position in xtrabackup_binlog_info is stale (binlogs have been purged on SOURCE). Fix: purge_logs_before or redo the backup.
Error 1062 — Duplicate entry: a row already exists on TARGET. If non-critical: SET GLOBAL slave_skip_errors = 1062; and restart the slave. Investigate the root cause.
Error 2003 — Can't connect to MySQL server: check the firewall on SOURCE, bind-address in my.cnf (bind-address = 0.0.0.0 or TARGET IP).
Slave_IO_Running: Connecting: incorrect credentials or repl_user not authorised from TARGET IP. Check SHOW GRANTS FOR 'repl_user'@'%';
If you saturate the disk or lock the tables, you are no longer an engineer — you are a saboteur. This strategy avoids both. Clean and direct.

The cultural side of Operation Dindon — legends, poems, letters.
These fourteen episodes were originally published on LinkedIn (2026), before the official launch of Operation Dindon on 8 May 2026. They trace, step by step, the odyssey of Dindon — a fictional character who is thoroughly representative — from the ecstasy of the Public Cloud to the lucidity of sovereign Iron. The LinkedIn format is intentionally preserved: the direct address, the emojis, and the hashtags are part of the work. This is not editorial negligence — it is the honesty of a manifesto born where its readers were.
Episode XIV concludes the audit with a Mu'allaqa — a solemn ode borrowed from the tradition of the great suspended poems of classical Arabic literature — restoring to Bare-Metal its past prestige.
Today, I'm sharing the tragic but lesson-filled story of Dindon. Dindon wasn't just any turkey; he was a small-scale poultry producer, passionate about his farm, but also a huge tech enthusiast.
Some years ago, Dindon told himself: "My farm must enter the modern era!" He dove headfirst into Agile and Scrum certifications. His grain shed became a "Backlog," every hen had a "User Story" for laying eggs, and he "iterated" on egg sizes.
For his inventory and online sales system, Dindon decided to go big. No more physical servers in the barn. He outsourced everything to the Public Cloud (Ireland region). He mastered IaC with Terraform. His infra was "abstracted," "scalable," and "serverless." Dindon felt powerful. He wasn't just a turkey anymore; he was a "Cloud Architect."
Then, Dindon received his first major Cloud bill during the peak Christmas season. €475 per VM, for 200 "various" VMs that mostly just stored turkey photos and processed a few orders. Meanwhile, his old On-premise setup used to cost him only €117 per unit — corn and electricity included. His turkey brain glitched. "What's the logic here?!" he gobbled across the farm.
If you see Dindon today, he's not "agile" anymore. He's plucked bare. The data egress fees, the complexity of his IaC, and the "scalability" of his Kubernetes cluster have devoured all his profits. He spends his days doing Extreme #FinOps:
⚖️ The Moral: Agility and the Cloud are not magic wands. Dindon confused "following modernity" with "adopting every buzzword." He outsourced his technical intelligence in favor of an "abstraction" that is costing him a fortune. If your physical infra costs 4 times less and gets the job done, maybe the truly "modern" move is to keep it.
Do you remember Dindon? Our friend who got plucked bare by the Public Cloud and those €95k/month bills? 💸 After a few nights crying over his last remaining feathers, Dindon had an epiphany. He stopped letting himself be blinded by buzzwords and decided to get rational. He realized a small poultry farm didn't need a "multi-region serverless" infrastructure in Ireland — that's like putting a Boeing jet engine on a hay cart!
Dindon launched his "Cloud Exit" strategy. His goal: a reliable, predictable, and human-sized infrastructure.
Instead of talking to algorithms or support teams on the other side of the world, Dindon turned to local and regional providers (Ecritel, OVHcloud, Scaleway, DRI, Claranet France, Infomaniak — The Ethical Cloud, IONOS...). The shock: a clear quote. No hidden fees, no probability calculus for the end-of-month bill. One server has one fixed price.
Dindon realized that 80% of his 200 "as-a-code" VMs were either useless or massively underutilized.
⚖️ The Moral: The Public Cloud is a tool, not a religion. Sometimes, true modernity is having the courage to turn back when you've taken the wrong path. Digital Sovereignty and Local Cloud aren't just concepts — they are an economic survival strategy.
To truly understand why our friend Dindon ended up plucked bare (Episode I) before escaping to local providers (Episode II), we have to go back to where the drama all began.
In the beginning, Dindon was a happy digital farmer. He managed his servers on Kimsufi boxes using good old Cpanel or Plesk. It was simple; it was robust. He'd click a button, and boom — his site just worked. It was the glorious era of "if it ain't broke, don't fix it."
But one day, while scrolling through "Tech Evangelist" blogs on LinkedIn, Dindon felt a sting of shame. He told himself:
He started seeing his dedicated servers as "dirty" and "static." He craved ephemerality, abstraction, and prestige. He wanted Infrastructure as Code because that's what Silicon Valley unicorns do, right?
He finally felt "In." He felt "Scalable." He didn't realize yet that he had just traded a solution that cost the price of a bag of grain for a giant slot machine that was about to swallow every single one of his feathers.
⚖️ The Moral: We often replace a working system just out of fear of appearing outdated. "Old-School" is sometimes just the name we give to the stability we eventually end up regretting.
Remember how our friend Dindon ended up completely plucked by the complexity and costs of the Public Cloud (Episodes I & III), before deciding to make a run for it (Episode II)? Today, discover how that escape turned into a smooth and successful migration, thanks to a true partner: the local provider Plannitel.
After his FinOps realization, Dindon met Plannitel. No more abstract buzzwords — just pure pragmatism. Plannitel didn't show up with a catalog of 400 complex APIs; they showed up with a methodology:
When D-Day arrived, Plannitel operated. It was precise, calm, and professional. They handled it from A to Z: secure data transfer from Ireland, configuration of dedicated Bare Metal servers and private instances, post-migration testing. Dindon no longer had to code in YAML just to know if his site was up. He had a human point of contact.
The go-live happened with absolute discretion. No panic, no surprise "404 Not Found" during the peak season. The site worked — plain and simple. Better yet, it was faster. Thanks to Plannitel, Dindon has his feathers back. He has a fixed, rational, and surprise-free cost, technical support that actually picks up the phone, and peace of mind to focus on his chemistry lab.
⚖️ The Moral: Don't just choose an infrastructure. Choose a partner. Plannitel proved that true modernity isn't total abstraction; it's the professionalism of human support.
After the heroic rescue by Plannitel (Episode IV), many of you are asking: "What happens next? Is the honeymoon phase still going strong?" 🌙 The answer is yes. Dindon is no longer "Cloud prey"; he has become the king of his own digital farmyard.
Freed from YAML hell and complex API debugging, Dindon has finally been able to devote himself to his true passion: his chemistry lab applied to agro-excellence. His turkeys are the most renowned in the region, and his online shop processes orders without breaking a sweat. He no longer chases "auto-scaling" that doesn't scale; he chases his own success.
🌟 The Moral: The Public Cloud is not a life sentence. Sometimes, to fly higher, you have to know how to come back down to Earth — where servers have a name and partners have a face. Dindon has found his feathers, his smile, and most importantly, his time.
Did you think Dindon was just going to sit back, count his savings (60% ROI, remember Episode V), and eat barbecues at Plannitel? Then you don't know the bird. 🍗
Once his feathers were fully grown back, Dindon looked around. What he saw saddened him: thousands of other businesses, SMEs, and mid-caps were still being silently "plucked" by hyperscalers. Dindon had an epiphany. His success shouldn't be an exception — it should be a blueprint. He transformed from a prosperous producer into a Local Cloud Activist.
Dindon called every "plucked" peer he knew. And so, the association "The Cloud Fall Guys" (Les Dindons de la Farce) was born.
The goal? To unite all the companies that realized, a little too late, that they were the punchline of a monumental joke orchestrated by the Public Cloud: unreadable and unpredictable bills, prohibitive Egress fees, and total loss of control. The association has become a powerful lobby for Digital Sovereignty, advocating for a return to local, human, and transparent partners.
But talk is cheap. It's time for action. Dindon and his association have announced the launch of the largest operation in European digital history: Operation "Dindon!". The concept: the greatest data repatriation of the century. The objective: to organize, plan, and provide technical and financial support for the massive repatriation of data from thousands of European companies — moving it out of the Public Cloud and into Sovereign and local Clouds.
Why the name "Dindon!" with that angry exclamation point? It is a vibrant tribute to a courageous Director at STIME (the IT arm of the Mousquetaires Group) who, back in 2011, faced with the exorbitant costs of Windows Server and Office licenses, decided to name his major infrastructure migration project: "Operation Dindon." The circle is complete.
🌟 Dindon's Final Word: The Move-to-Cloud is not a fate. The Move-to-Local is a liberation. Dindon has proven that you can be high-performing, profitable, and sovereign. The story ends here, but the movement is just beginning.
Remember Dindon? Our tech farmer who had fled the Public Cloud at €475/VM to find technical and financial sanity (sovereign Bare Metal, real ROI). Well... Dindon relapsed. 😔
He had kept one last addiction hidden in a corner of his console: his "Managed" Kubernetes cluster. He had convinced himself: "It's managed, it's simple, it's just the modern compute layer, it won't bankrupt me." Bullshit. 🛑 "Managed" doesn't mean "Free" — it means "Opaque."
| Expense item | Imagined budget | Actual invoice |
|---|---|---|
| Control Plane (GKE Fee) | «Free?» | €72/month |
| 4 Nodes (n2-standard-8) | ~€600/month ✅ | ~€600/month ✅ |
| Load Balancers (×3 forgotten) | «Negligible» | €54/month |
| Persistent Volumes (500 GB) | «Included?» | €85/month |
| Cloud NAT (Private cluster) | «Security...» | €45/month |
| Cloud Logging / Monitoring | «By default» | €120/month |
| Cross-zone Egress | «A few GBs» | €90/month |
| Ghost Nodes (Autoscaler) | «It's magic» | €160/month |
| MONTHLY TOTAL | ~€600 💭 | ~€1,226 🩸 |
Bottom line: 104% in hidden extra costs.
The worst part? "Managed" is just an Ops illusion. They manage the control plane, but YOU are still the one wrestling with complex drop-down menus for NAT, LBs, and volumes at 3:00 AM.
Render unto Caesar what is Caesar's: hyperscalers invented brilliant abstraction. But they also invented financial vassalage. True #FinOps means reading the bill line by line, not blindly trusting the abstraction that suffocates you.
Thought Dindon hit rock bottom with Kube? 🛑 Today, we tackle the ninja of financial asphyxiation: The AWS NAT Gateway.
For "High Availability," the AWS manual advises 1 NAT per zone (AZ). Dindon has 3 AZs, so he clicked 3 times. 🖱️ What he didn't know? At the hyperscaler's, doing NAT (a simple iptables rule, free on Linux since 1998) isn't a feature — it's a luxury tollbooth.
For 10 TB/month of outbound data (updates, APIs, webhooks...):
| Expense (NAT Gateway ×3) | AWS Rate (Paris) | Actual invoice |
|---|---|---|
| Existence Tax | $0.048 / hour | ~€105/month |
| Processing (10 TB / month) | $0.048 / GB done | ~€460/month |
| MONTHLY TOTAL | «It's native» 💭 | ~€565 🩸 |
€565/month. €6,700/year. Just to change a TCP source IP! ☕💥
On-Premise, a €150 Mikrotik router (one-time CAPEX) or a pfSense VM (€0) handles this without breaking a sweat. In the Cloud, the network is a taxi meter spinning with every byte breathed.
The giants' "High Availability" is often designed to multiply your paid resources. True #FinOps? Replace those 500-buck managed NATs with a simple EC2 instance (NAT instance) or a dedicated local server for the price of a subway ticket. Or better yet: #CloudExit.
Today, we're dotting the "i"s and putting instances on real hardware. We're going to talk about a touchy subject, but we'll do it with respect: bankruptcy by the Cloud and the great sovereign slumber.
Dindon has a confession to make. If he has become an ayatollah of FinOps and Bare-Metal, it's not out of ideology. It's because he has seen ships sink. I have seen with my own eyes how infrastructure can go from being an "innovation engine" to a "financial ball and chain."
Let's be fair: technically, what AWS, GCP, or Azure do is masterful. Their engineers are geniuses. But their economic model is a cash vacuum designed for unicorns doped on fundraising. The tragedy is that SMBs and traditional companies are copying these architectures. The result? Public Cloud becomes the leading cause of financial stress for CFOs. We no longer go bankrupt because we lack clients; we go bankrupt because our variable costs (Egress, NAT, API calls) grow faster than our revenue.
And while the real economy gets siphoned by untraceable OPEX bills, what are our champions of "Digital Sovereignty" doing? They are sleeping. 😴 Our politicians make magnificent speeches with the phrase "Sovereign Cloud" in size 72 font. But on the ground? No massive tax incentives to relocate data, no real education on Total Cost of Ownership (TCO).
And our local hosters? You have the steel. You have the datacenters. You have the prices (sometimes 10× cheaper in CAPEX). But where is your voice?
Public Cloud is not a scam; it's a luxury product. If you need instant global elasticity, pay the premium. But for 80% of workloads (classic databases, stable backends, web), staying on a hyperscaler is like using a private jet to go buy a baguette. True "Scale" is profitability.
Today, a change of program. Before judging local hosters or the State, Dindon has decided to audit the root of the evil: the company itself. Because the sinking of the Cloud is never a technical accident; it is always an organizational suicide.
Welcome to the autopsy of an internal disaster, a clinical pattern that our industry repeats in loops.
Imagine a management committee organizing a major "workshop" to "rationalize the infrastructure." On the table, the numbers are lunar: hundreds of thousands of euros burned each month with hyperscalers, coupled with six-figure bills for "modern" SaaS licenses.
Yet, in the shadow, this same company possesses its own treasure: physical racks in local Datacenters, half-empty, perfectly equipped, and already amortized, costing ten to twenty times less to run.
Faced with this absurdity, the field Ops proposes the obvious: let's use the empty space of our Bare-Metal to repatriate our Kubernetes clusters and divide the production bill. The reaction from the top? Scorn. The CEO, blinded by the ego of his own "vision," brushes the proposal aside with a wave of his hand: "We'll see later, let's stay on the roadmap." The CTO, for his part, is silent — he is the archetype of the "Technical Director" who clings to derisory micro-tasks to justify his place, but who validates without batting an eye the waste of millions in OPEX.
The field engineer does not give up. He produces a quantified study, multiple exit scenarios, quotes in support. The response? Management plays for time. For a whole week, his requests for a simple 15-minute slot are dodged. To force the door of his own management committee, the Ops literally has to slam his fist on the table and demand, by a frontal email in front of other employees, an emergency meeting.
The meeting is finally wrested, but the sanction falls: a recasting and an oral warning from management. Laying numbers on the table is no longer seen as financial optimization; it is perceived as insubordination. The accounting truth has become the sworn enemy of managerial pride.
When the top of the pyramid (CEO, CTO, CFO) chooses blindness by ego, what does the rest of the company do in the face of the financial wall?
Faced with denial, our field Ops decides to break the law of silence. He takes the debate to the internal public square: emails, meetings, face-to-face. He warns that the ship is heading straight into the iceberg. The objective is not to make a publicity stunt for his ego, but to save the profitability of the company and, by extension, the jobs of his colleagues.
At first, colleagues encourage behind the scenes. But from the first management recasting email, it's a stampede. All departments withdraw from the debate. Support is whispered in secret, at the coffee machine. Faced with the risk of confronting management, the fear of losing their "cushy job" prevails over the instinct of collective survival. The whistleblower is left to isolate himself alone on the battlefield.
The engineer then makes a choice: to take the oath to remain the "veracious witness" of this intellectual bankruptcy, even if it must cost him his place. Before the ego of management and the complaisant silence of employees, he is inevitably pushed to the exit. The inconvenient witness is eliminated, Cloud waste continues, and colleagues keep their "cushy job"... waiting for the next social plan.
⚖️ The Field Verdict: Do not complain about GAFAM bills if you do not have the courage to contradict a disconnected CEO or a straw CTO. The hyperscaler is not responsible for your ruin. Your pride at the top and your collective cowardice at the base manage that very well all by themselves.
The testimony of Operation Dindon now turns toward our local players. This is not about blaming the giants for their excellence, but about taking a sincere look at our own failings. Sovereignty cannot be a mere slogan; it must be a promise of competence.
The market follows efficiency. The call for a common front — ironically named "Operation Dindon" to trigger a wake-up call — was an invitation to protect our SMEs. Ignoring this extended hand is not just a management error; it is a failure in the duty of economic fraternity. To remain silent while our companies bleed financially is to become complicit.
The developer is the one who prescribes. Offering them dated portals and obscure documentation is an injustice. Hyperscalers respect their time with fluid APIs. Technical justice starts here: if we want a return to local iron, let's make the path passable instead of a calvary.
The market wants managed services, not just raw metal. Leaving our companies with no alternative face-to-face with proprietary lock-in is a failure of counsel. Similarly, brandishing labels to mask a technical lag lacks sincerity. Patriotism must not be a shield for incompetence, but a driver of excellence.
Our sovereignty sleeps in our datacenters, locked by a lack of audacity. No one will save the local sector in its place. The courage to unite and the sincerity to recognize its lags are the only keys.
The Operation Dindon audit rises today to the highest levels of the State. After analyzing the responsibilities of the local sector, the demand for justice compels us to examine public action. This is not about building a biased prosecution, but about placing the mirror of reality in front of stated ambitions.
Strategic autonomy is a noble ideal, fiercely defended in official speeches. However, the physics of Datacenters does not feed on eloquence. Declaring sovereignty while neglecting massive investment in hardware infrastructure creates a gaping dissonance. The truth of the Iron demands concrete actions, at the risk of seeing ourselves reduced to the status of digital tenants.
Affixing a local seal (SecNumCloud) on a technology whose engineering and kill switch are located across the Atlantic is a legal construct, not technological independence. Sincere counsel forces the question: how can we demand our SMEs repatriate their data to sovereign infrastructures when the State itself entrusts its crown jewels (like the Health Data Hub) to hyperscalers? Authority is built on example, not on exemption.
The State legitimately waters our startups through generous subsidies (BPI, French Tech). Yet, in the absence of FinOps guardrails, these millions of euros too often end up absorbing exponential Cloud bills, de facto financing foreign R&D. Where are the tax incentives to encourage the return to CAPEX and investment in local Bare-Metal? The silence on this economic lever is deafening.
Sovereignty cannot be bought with rhetoric; it is forged in the steel of our own infrastructures. Legislating against data lock-in (Egress fees) and offering tax incentives for companies to return to Bare-Metal are the true levers of an assumed and lasting independence.
This manifesto is drawing to a close. The French diagnosis (Episode XII) was merely the symptom of a broader failing architecture: the strategic flaw of the European Union.
While Europe discourses on compliance and the EUCS label, a financial asymmetry takes hold. The European legislator managed to regulate telecom "Roaming" down to the cent, yet looks away when data is shackled by prohibitive egress fees. The Data Act remains an abstraction in the face of the reality of irrevocable 36-month "commits." Europe thus lets its SMEs be bound by general terms and conditions of sale that neutralize all technical freedom.
Recovery plans and European funds (Horizon Europe) legitimately irrigate our technological fabric. Yet, the financial mechanics often end up draining this capital towards the San Francisco Bay. By refusing to impose local infrastructure quotas to obtain these subsidies, Europe indirectly finances its own technological trade deficit.
Persisting in this legislative inertia, after being alerted to the reality of TCO and proprietary lock-in, changes the nature of the failure. This is no longer administrative sluggishness; it is accepting the dependence of our engineering by omission.
This concludes the Operation Dindon audit. To the media, lobbyists, or podcasters: the media spectacle and sterile debates are politely declined. The withdrawal from this public circus is definitive. However, the posture of the "truthful witness" remains. The technical fight will continue where it began: in the engineering trenches, at the heart of the Bare-Metal, facing the Radix.
The entirety of the "Operation Dindon" manifesto (Episodes I to XIII) is released into the public domain. These texts may be reused, shared, or adapted by anyone, without authorization. Technical truth has no owner, and the urgency is now collective.
The Operation Dindon diagnosis is coming to an end. After analyzing cost structures, strategic dependencies, and political levers, the time has come for a technical assessment and the closing of this chapter. This final episode is intended as a solemn synthesis, driven by the demand for truth and sustainability.
Infrastructure is not just an accounting concept or a software abstraction; it is the physical foundation of our economies. The current trend towards total outsourcing has revealed its limits: loss of control over operational costs, increased complexity of transfers, and an erosion of field skills. The sustainability of a company rests on its ability to accurately arbitrate between service elasticity and asset solidity.
Digital sovereignty cannot be a mere slogan. It is built on precision engineering, valuing local hardware and the optimization of existing resources. The philosophy of returning to the "Iron" (Bare-Metal) and to technological recycling is not a step backward, but a step forward towards sounder and more responsible management. Strategic autonomy begins where dependence on infrastructures whose variables we no longer control ends.
Sovereignty is a choice. If I was harsh with companies, it is because their responsibility is decisive: neither the State nor Europe will act for them. As an employee myself, I know that the survival of our tools depends on our own audacity. It is now up to organizations to transform these findings into lasting decisions. Operation Dindon ends here, giving way to silent and rigorous action at the heart of the systems.
Title: The Legend of Dindon
Author: Amine RAITI — Infrastructure Architect & SRE
Origin: XIV episodes published on LinkedIn, 2026
Collected and formatted: June 2026, as part of Operation Dindon
Licence: CC BY-NC-SA 4.0 — Attribution, Non-Commercial, Share Alike
This collection may be freely shared, reproduced and adapted for non-commercial purposes, provided the author is credited and any derivative work is distributed under the same licence.
AI Powered by Amine — AI is an amplifier of ideas and forms, not the source.
Operation Dindon is a personal, independent, public interest initiative launched on 8 May 2026 to document and challenge the predatory contractual practices of American hyperscalers (Amazon Web Services, Google Cloud, Microsoft Azure).
Three demands to the trio, deadline 8 September 2026:
The Legend of Dindon prefigures this fight. It is its narrative origin.
This Diwan was born on the field. Not in a consultant's office. Not in a lecture hall. On the field where an engineer produced quantified studies, requested fifteen minutes from his management committee for a week, and received an oral warning for placing numbers on a table.
The Nassi'ha — the sincere counsel — was given. Fourteen published episodes. Graduated audits: company, local providers, the French State, the European Union. Documented figures: 475 euros versus 117 per VM. 14,712 euros per year for a Kubernetes cluster versus 8,000 euros of one-time CAPEX. 6,700 euros per year for an iptables rule that has been free since 1998.
The Nassi'ha was not heard. The Ultimatum was delivered. And this Diwan is its promise. Ten Mu'allaqat. Five voices from the classical Arabic poetic tradition. Ten predatory commercial practices - documented, named, engraved.
| Cursed be the pact where the future is chained, | ... | Where a contract is signed for a peace falsely gained. |
| Their "Commit" is a snare with a glimmer of gold, | ... | A gilded cage where our spirits are sold. |
| AWS laughs as we pledge our own fate, | ... | To a blood-oath that Google has laid as a bait. |
| 'Tis an architecture of a dark, cold design, | ... | Freezing for years every spark of the line. |
| Woe to the long pacts that nail us to ghosts, | ... | Where the will to act dies on these desolate coasts. |
| Agility falls 'neath the weight of a sign, | ... | The engineer bows to a legalist line. |
| Thirty-six months of iron bonds to endure, | ... | While Azure waits for our fall to be sure. |
| We guard empty servers that serve no more use, | ... | Silent witnesses to a bankrupt truce. |
| Woe to the finance with the vulture's keen eye, | ... | Emptying offices while the bills remain high. |
| For if one must pay for the machines they have leased, | ... | The human back bends to provide for the feast. |
| The contract is rigid, it knows not of mercy, | ... | If revenue fails, you are cast in the sea. |
| They lay off the genius to pay for the host, | ... | Microsoft thrives while the people are lost. |
| He who fears death shall behold its dark face, | ... | Though he climbs to the heavens to find a safe place. |
| I reject these dark bonds and these treaties of shame, | ... | Which sell to the Empire our freedom and name. |
| The "Commit" is but a yoke for the slave, | ... | Who forsakes the Iron for a Cloud-mirage wave. |
| Let the Architect read and remember the law: | ... | The Iron is Master, without flaw. |
| Sign not your fate for a pittance of grain, | ... | Or fall in a battle you fought all in vain. |
| Cursed be the forge where our reason is lost, | ... | Their code is a mirage, a prison at cost. |
| AWS lures us with shackles and chains, | ... | Tightening the grip on our noble remains. |
| The imprudent builder on shifting sand stands, | ... | For the soil is held by a stranger's cold hands. |
| 'Tis a castle of dust in the desert's wide glare, | ... | Where Azure's ambush leaves us stripped and bare. |
| Woe to the sloth in the mask of the new, | ... | Turning the brave into a sorrowful few. |
| The genius of old fades away from the tool, | ... | The sovereign mind dies as the slave of a school. |
| Google dictates in the depths of the night, | ... | The SRE wanders, bereft of his light. |
| We master no more, we but follow the word, | ... | For a hand made of iron that remains yet unheard. |
| Woe to the ransom they christen a pact, | ... | Where value is bled in a spectral extract. |
| Once held as a captive in their holy frame, | ... | The cost of departure is a torture of shame. |
| Profits evaporate in Microsoft's vault, | ... | For services vile that are never at fault. |
| We choose the chain over the price of the gate, | ... | For liberty seems but a burden of late. |
| The people remember the knight without fear, | ... | When the night is a void and the law is not near. |
| I refuse the bonds of a merchant's domain, | ... | Who captures the soul with the promise of gain. |
| The true hero chooses the tools of the free, | ... | To never again bow to a single decree. |
| Open Source stands as a shield ever pure, | ... | Against these predators who make the future obscure. |
| Let the Engineer hold this principle high: | ... | The code must be free to migrate or die. |
| Mistake not the luxury for a servant's own state, | ... | Or your name shall be lost to a sorrowful fate. |
| Cursed be the cup of the grandest illusion, | ... | Of a cluster without effort, in holy confusion. |
| Google pours wine that troubles the mind, | ... | Promising genius while the prison's designed. |
| They sell us the comfort of a control plane, | ... | Where Azure in secret reaps all of our gain. |
| 'Tis a madness of spirit with calculations of air, | ... | Where the nodes vanish into a spendthrift's despair. |
| Woe to the paradise of a thousand-fold thing, | ... | Where AWS mocks every project we bring. |
| The SRE dazed by the sheen of the screen, | ... | Knows not the processor, nor the spark in between. |
| The orchestra plays and the song is quite grand, | ... | But Microsoft holds the torch in its hand. |
| We pile up the layers, ignoring the deep, | ... | While reason is lost in a long, hollow sleep. |
| Woe to the wine that burns through the gold, | ... | To fatten the Empire, so cruel and so bold. |
| Each hour of management is a tax on the soul, | ... | By merchants of sand who take a heavy toll. |
| The Cloud laughs to see us so proud of our YAML, | ... | While it bills us the feast of a starving jackal. |
| Amazon thrives on our vanity's breath, | ... | In a system of hollows, a banquet of death. |
| The wise man awakes as the wine loses fire, | ... | To see with his eyes the end of the liar. |
| I reject this mask and this mirror of play, | ... | Where Hyperscalers sell our despair for the day. |
| The true master knows his machine and his grain, | ... | He lets no stranger ever guide his own train. |
| Better a naked cluster on Iron so bright, | ... | Than a gilded mirage in a shoreless night. |
| Let the Expert remember in the heart of the fray: | ... | The Bare-Metal alone keeps the demons at bay. |
| Mistake not the management for the mastery of old, | ... | Or see your own work by another controlled. |
| Cursed be the ruse and the paint of the great, | ... | Who hide their empire in words of high state. |
| Azure and AWS, these masters of guile, | ... | Paint "Sovereign" on every vile, tired mile. |
| They speak of the green and the sky's open grace, | ... | While Microsoft remains as the mask on the face. |
| 'Tis a visor of iron on a face made of clay, | ... | A marketing court for the weak of the day. |
| Woe to the falsehoods in the colors of old, | ... | Where Google puts us to sleep with the lies they have told. |
| Cloud-Washing is there, like a veil made of silk, | ... | To hide that Amazon owns the cream and the milk. |
| The engineer blinded by labels of straw, | ... | Gives up his keys to a foreigner's law. |
| They sell us the homeland with an alien seal, | ... | To ensure that no one can break through the steel. |
| Woe to the finance that pays for the show, | ... | In the Cloud of the Empire, where the vanities grow. |
| We pay for the luxury, for a local veneer, | ... | While Microsoft reaps a gain that is clear. |
| The gold of our taxes feeds these giants of old, | ... | Who laugh at our laws, so tiny and cold. |
| 'Tis a tax that is hidden on the mind's own light, | ... | A levy on negligence in the dead of the night. |
| The poet arises and denounces the king, | ... | Who knows only the law that his own masters bring. |
| I reject these words and these predators' breed, | ... | These merchants of Google, these sowers of greed. |
| True power belongs to the one who possesses, | ... | The physical machine that no stranger oppresses. |
| The Bare-Metal laughs at your labels of card, | ... | For the Iron lies not, 'tis our staff and our guard. |
| Let the Expert beware of the velvet discourse: | ... | The Cloud is no roof, but a dark, hollow source. |
| Mistake not the label for the truth of the tree, | ... | Or lose very soon all your right to be free. |
| Cursed be the law that crosses the sea, | ... | To plunder our secrets and all that should be. |
| The Cloud Act is a scepter in Washington's hand, | ... | Breaking our locks and our name in the land. |
| Amazon and Google, 'neath this sovereign yoke, | ... | Hand to the judge every word that we spoke. |
| 'Tis a spy made of steel in the server's dark shade, | ... | Watching your steps till your spirit shall fade. |
| Woe to the walls made of glass and of light, | ... | Where all is exposed to a foreigner's sight. |
| The engineer thinks he is free in his hall, | ... | But his keys of encryption are destined to fall. |
| Microsoft bows to the distant decree, | ... | Making our secrets as public as sea. |
| We build on the sand a temple of thought, | ... | Where the power of others is already bought. |
| Woe to the finance that sells our own shame, | ... | For a fleeting gain and a hollowed-out name. |
| We pay to be seen, we pay to be read, | ... | By a foreign eye that we have not yet fed. |
| Azure takes gold and the State takes the fact, | ... | While we suffer the weight of this sinister act. |
| 'Tis a treason we christen a 'service' of old, | ... | Feeding the vice as the secrets are told. |
| The poet arises and refuses the deed, | ... | Which is the true act of our defeat and our need. |
| I reject these laws and these emperors' pride, | ... | These thieves of the silence with nowhere to hide. |
| True safety is not in their cloud-driven sky, | ... | But in sacred Iron, where the shadows don't lie. |
| The Bare-Metal guards what is placed in its care, | ... | For no distant judge can ever go there. |
| Let the Expert understand where the danger is sown: | ... | Your data is never truly your own. |
| Mistake not the "Trust" for a guarantee, | ... | Or lose very soon all your sovereignty. |
| Cursed be the ruse and the toll in the shade, | ... | Where our departure is a debt to be paid. |
| AWS holds us with bonds made of cost, | ... | Billing each byte as if all would be lost. |
| We enter for free in their silken-spun snare, | ... | But the exit is dear to the souls who would dare. |
| 'Tis the law of the brigand, a tax on the flight, | ... | To ensure every thought of escape dies in light. |
| Woe to the walls of the price we can't see, | ... | Guarding our treasures with a vile decree. |
| The engineer wishes to migrate and go, | ... | But Google in secret makes the progress too slow. |
| Each gigabyte moved is a burden of pain, | ... | Freezing the work and the value's own gain. |
| We are masters no more, but the captives of old, | ... | In a network of locks and of silver and gold. |
| Woe to the finance that sells what we own, | ... | To fatten Microsoft on the seeds we have sown. |
| Azure takes gold on the stream flowing out, | ... | Making our data a hostage in doubt. |
| We pay just to breathe outside of their land, | ... | A forced fine to close what they hold in their hand. |
| 'Tis a manifest theft in the name of the speed, | ... | An insult to reason, a harvest of greed. |
| The poet Houtay'ah spits on this deal, | ... | Which makes every movement a blow we can feel. |
| I reject these fees and these jailers of bytes, | ... | These merchants of tolls and these usury-blights. |
| The true Iron holds not what the spirit has made, | ... | It lets the stream flow in the light and the shade. |
| The Bare-Metal laughs at your barriers of mud, | ... | For the owner alone can unleash the great flood. |
| Let the Expert understand the nature of bond: | ... | If exit is dear, you are but in a pond. |
| Mistake not the access for the right of the deed, | ... | Or lose very soon all the freedom you need. |
| Cursed be the ruse and the infamous toll, | ... | Where a simple stream takes a piece of the soul. |
| AWS bills for a service so slight, | ... | A rule made of iron at the price of the light. |
| 'Tis a bridge that is tiny with the fee of a king, | ... | Where Microsoft casts us in a bottomless ring. |
| A line of the code, a routing so plain, | ... | Becomes through their magic a monstrous gain. |
| Woe to the structure with calculations of dread, | ... | Where Google imposes the law on our head. |
| The engineer gasps as the spending takes flight, | ... | For a traffic so normal, in the dead of the night. |
| The NAT is a lock, a tax by the hour, | ... | Turning the bit into a merchant's own power. |
| We master no more, we but suffer the art, | ... | Of a network designed just to tear us apart. |
| Woe to the finance that sells only smoke, | ... | For a gateway that's bent 'neath a heavy-set yoke. |
| Azure takes gold on each packet of bytes, | ... | Making our budgets but sorrowful sights. |
| Six thousand seven hundred for a routing so small? | ... | Amazon insults us with the gall of it all. |
| 'Tis a usury pure on the frame of the land, | ... | A mark of the shame and a ruinous hand. |
| The poet Houtay'ah laughs at the pride, | ... | Which makes of our knowledge a place where they hide. |
| I reject these bridges and these usurers' ways, | ... | These merchants of NAT and these hollowed-out stays. |
| The true Iron knows not these barriers of old, | ... | Iptables is free in the dark and the cold. |
| The Bare-Metal lets the stream flow in its course, | ... | Without a distant master to drain its own source. |
| Let the Expert remember when choosing his path: | ... | The Cloud knows too well how to draw out its wrath. |
| Mistake not the service for the freedom of old, | ... | Or pay with your life for the lies they have told. |
| Cursed be the fable and the siren's soft song, | ... | Promising growth where the shadows are long. |
| AWS boasts of a world made of glass, | ... | Where scaling is magic and the gains never pass. |
| They tell us the load shall summon the nodes, | ... | In a ballet of light on the digital roads. |
| But 'tis a dark spell with a crooked design, | ... | A dream of abundance that will never be thine. |
| Woe to the mechanism with the calculated slow, | ... | Where the instances rise when the fires already glow. |
| Google observes from afar as we burn, | ... | While the Autoscaler takes its own sinister turn. |
| The traffic o'erwhelms and the CPU cries, | ... | But Azure in silence watches our demise. |
| We master no more, we but wait for the day, | ... | Of a deaf automaton, far, far away. |
| Woe to the finance that climbs to the height, | ... | When the infra's in chaos and the bills are in sight. |
| Microsoft takes gold on the peaks of the fear, | ... | For nodes that are useless, for nodes that appear. |
| The Autoscaler climbs, but it never descends, | ... | Keeping our budget for its own hollow ends. |
| 'Tis a madness of spirit on our vanity's breath, | ... | Filling Amazon's vaults with a banquet of death. |
| Abu Nawas awakes and he shatters the glass, | ... | Where Hyperscalers watch our own glory pass. |
| I reject these tales and these promises of old, | ... | These merchants of magic with the lies they have told. |
| The true master plans and he prepares his own rank, | ... | He lets no one else ever draw from his bank. |
| Better the brute force on a well-ordered Fer, | ... | Than a mirage of spirit where the shadows occur. |
| Let the Expert beware of the ease without soul: | ... | The Cloud's elasticity takes a heavy toll. |
| Mistake not the rise for the dignity sought, | ... | Or lose very soon all the freedom you bought. |
| Cursed be the offer where the gift is a snare, | ... | To capture the mind in the first morning's glare. |
| AWS lures us with the gifts that they bring, | ... | Hiding the burden 'neath a free-flowing thing. |
| Google offers access, Microsoft invites, | ... | To taste of the honey that poisons our nights. |
| 'Tis a war that is slow with the face of a friend, | ... | Where we give up our keys for a bitter-sweet end. |
| Woe to the "limit" that we never see near, | ... | Which makes of the free but a memory of fear. |
| The student falls asleep on his code, light and thin, | ... | But Azure in secret is counting the sin. |
| One day the bill falls, brutal and bare, | ... | For the threshold is crossed and the trap's in the snare. |
| We master no more, we but suffer the rate, | ... | Of a cruel, dark system that seals our own fate. |
| Woe to the finance that sows just to reap, | ... | The blood of the innocent while they're asleep. |
| Amazon watches and calculates gain, | ... | While we build our world on their own cold terrain. |
| The free-tier shines bright to make us all slaves, | ... | Of these Hyperscalers and their digital graves. |
| 'Tis a usury vile on the knowledge of old, | ... | A tax on the dream, so icy and cold. |
| Zohayr turns away and refuses the gift, | ... | Which is the only true cause of our spiritual rift. |
| I reject these offers and these benefactors' pride, | ... | These merchants of "Free Tier" with nowhere to hide. |
| The true master knows that nothing is free, | ... | In this foreign Cloud where we bend on our knee. |
| The Bare-Metal costs, but it never betrays, | ... | For it waits not the hour of your wandering ways. |
| Let the Expert remember the hook in the gold: | ... | The gift of the giants is a story of old. |
| Mistake not the trial for a freedom so vast, | ... | Or pay for the price while the shadows are cast. |
| Cursed be the shame and this final affront, | ... | Where we bow down our heads in a sorrowful brunt. |
| AWS sells the access to its own hollowed mind, | ... | As if human help were but a chore to the blind. |
| One must pay for the right to be heard at the gate, | ... | By a distant-born master in his vanity's state. |
| 'Tis the law of the vile, a toll on the night, | ... | Turning the SRE to a beggar of light. |
| Woe to the "Premium" with promises of air, | ... | Leaving the engineer in a state of despair. |
| Azure observes from afar as we die, | ... | While we pay for the rates that are reaching the sky. |
| The expertise is a luxury, a ticket of old, | ... | That Google bills us for the lies they have told. |
| We have no more brothers, only merchants of greed, | ... | Who sell their presence to our sorrowful need. |
| Woe to the finance that taxes the aid, | ... | To fatten the Empire in the shadows and shade. |
| Microsoft takes gold just to deign a reply, | ... | Making our budgets but a hollowed-out cry. |
| We pay to obtain what they have destroyed, | ... | In a cycle of shadows where the soul is void. |
| 'Tis Amazon's gain on our vanity's breath, | ... | A tax on the silence, a banquet of death. |
| Antara stands tall and he breaks the decree, | ... | Which is the vilest of acts for the brave and the free. |
| I reject these plans and these usurers' ways, | ... | These sellers of support and these hollowed-out stays. |
| The true warrior leans on the strength of his hand, | ... | On sovereign brothers in a noble-born land. |
| The Bare-Metal needs no toll for the aid, | ... | For the master of Iron knows how he was made. |
| Let the Expert remember in the heart of the storm: | ... | The support of the giants is a hollowed-out form. |
| Mistake not the aid for the freedom you sought, | ... | Or lose very soon all the dignity you bought. |
36-Month Commits The layoff is the hidden cost of the commit.
Vendor Lock-in Capture architecture is a deliberate commercial objective.
Managed Kubernetes 104% hidden surcharge in the abstraction.
Cloud-Washing A label without a local kill-switch is not sovereignty.
CLOUD ACT US law applies to your data. Without exception.
Egress Fees A ransom on your own data is premium captivity.
NAT Gateway Premium A 1998 iptables rule at 6,700 euros per year.
Ghost Autoscaler Scales up automatically. Scales down manually.
Free Tier Bait The free grain of the trap is the most expensive at the end.
Paid Support The ally who bills for loyalty is not an ally.
Your Holiness,
I am not a Christian. I am a Muslim, an engineer, and a witness.
It is in this last capacity that I write to you — not to seek your blessing, nor to shelter behind your authority, but because the duty to bear witness for justice recognises no confessional border, no hierarchy of suffering, no calculation of opportunity.
This verse does not ask me whether the moment is favourable. It does not ask whether I have the means. It says: bear witness. Even against yourself. Even alone. Even when you tremble.
I bear witness.
Your encyclical Magnifica Humanitas (15 May 2026) describes with prophetic precision what I have seen with my own eyes, counted with my own hands, and documented in my own invoices.
The main drivers of development are private, often transnational actors, endowed with resources and intervention capacities superior to those of many governments — a power essentially private, and therefore all the more difficult to identify, regulate, and direct toward the common good.
I submit their names:
These three entities are not tools. They are capture systems deliberately designed to transform dependency into debt, migration into punishment, and freedom into a priced privilege. They are the pharaohs of our digital age. Like the pharaohs of Egypt, they carry no whip — they carry contracts.
I have seen organisations forced to sign 36-month commitments, transforming a technical decision into contractual servitude. When needs change, the exit is priced as a transgression. The contract does not serve the client. It holds them captive.
I have seen data — the data of these peoples — taxed on exit at documented rates of +9,931% above market standards. Data does not belong to those who produced it. It belongs to those who hold it. And those who hold it charge for freedom.
I have seen technical architectures designed not to serve the user, but to render them incapable of leaving. Proprietary services, incompatible formats, cascading dependencies — chains built in code, invisible to the naked eye, but as real as iron bars.
This is not negligence. It is a deliberate architecture of capture. And those who suffer are not abstract corporations — they are engineers who lose their jobs when the invoice doubles, hospitals that cannot migrate their health data, governments that have surrendered their digital sovereignty.
"Technology takes on the face of those who design it, finance it, regulate it, and use it."
The face of these three actors is not that of service. It is that of extraction.
You have condemned the technocratic paradigm that "reduces creation to an object of exploitation and persons to cogs in a system that must be made ever more efficient."
I submit that this paradigm now has addresses, registration numbers, stock prices and PR teams. The Church has known, in other times, how to name slavery by its name — even when slaveholders were friendly powers and commercial partners. That courage cost it enemies. It also earned it its soul.
I ask for that same courage today.
Not to join my struggle — I seek neither institutional ally nor confessional endorsement. My independence is non-negotiable.
I ask you to name these practices for what they are: a contemporary form of economic enslavement. Name them. Not for me. For the millions who suffer without the words to say so.
I do not know whether this letter will reach you.
But I write it, because verse 4:135 gives me no choice. The witness who evades their testimony through calculation or fear becomes complicit in the lie they allow to prosper.
I have counted the bytes. I have read the contracts. I have published the figures. I have composed songs in twenty-eight languages. I have waged this asymmetric war at fifty euros a month.
I am not a saint. I am an engineer who refused to look away.

The final syntheses that close the corpus.
The Opération Dindon corpus now comprises more than twenty structural studies. Beyond factual analyses and public policy proposals, this corpus has produced original concepts and theories — new words, mechanisms not yet formalised, theses not yet stated in these terms. This synthesis inventories and describes them, so that their significance is not lost in the volume of the corpus.
Source study: The Infrational Crisis (2026)
The progressive devaluation of technical words through overuse — exactly as monetary inflation dilutes the value of currency. When "infrastructure" can mean a VM created by Terraform, when "DevOps" can mean a position halfway between two distinct professions, words stop protecting the realities they once named. And when words give way, skills follow. The neologism fills a documented lexical gap: the phenomenon existed, it had no name yet.
Source study: The Infrational Loop (2026)
The self-sustaining six-step cycle: DevOps dilutes bare-metal competences → profile shortage → hiring salaries explode (8 to 12%/year) → internal salary compression (2 to 4%/year) → seniors leave or take voluntary gap → shortage deepens → cycle restarts. Nobody at the wheel. Each actor acts rationally. The system is irrational. The loop closes without any actor having wanted this result — and without any isolated actor being able to interrupt it alone.
Source study: The FinOps of the Last Gram (2026)
The extension of FinOps to the physical residual value of end-of-life hardware — recovery of gold (€17 to €42/server), copper, palladium. Traditional FinOps stops at the cloud invoice. The FinOps of the Last Gram begins where the server ends — at the atomic level of the metal. A rack of 40 servers contains €880 to €2,300 in raw metallurgical value that the WEEE chain absorbs in its margins.
Sources: Play in SRE · The Body First · The Great Recharge
A complete recovery architecture in five frequencies — weekly Nerf (€0, fiero + adrenaline) → monthly dinner (oxytocin) → quarterly hammam (€35, cortisol ↓) → biannual activity (fiero + collective emotion) → annual Great Recharge (€350-500, ART/SRT, autonomy). Each format produces a distinct and documented neurochemical mechanism. No existing model combined these five levels in a coherent architecture at €600-900/year/person.
Source: The Mentor and the Metal (2026)
The structural parallel between the M3allem/Met3allem process of Moroccan ancestral arts (Zellij of Fès, Gibs, Marrakech leather) and tacit knowledge transmission in bare-metal infrastructure. Both share the same survival mechanism: breaking the transmission chain kills the art or the profession. The Zellij did not survive because of books about Zellij — it survived because M3allems accepted taking Met3allems beside them.
Source: The Mentor and the Metal (2026)
The distinction between explicit knowledge (transmissible through training) and tacit knowledge in infrastructure — incident intuition, judgement under pressure, team culture. The senior engineer who enters the server room and knows, before looking at metrics, that something is wrong — this knowledge cannot be documented. It is forged alongside a M3allem. Training without a mentor produces a technically trained but operationally incomplete engineer.
Source: The Mentor and the Metal (2026)
The most accessible mentorship format: one day, not an internship, not an assessment. The student watches. They visit the racks. They eat with the team. They observe an incident if luck allows. This physical moment — this sensory encounter with infrastructure — produces an irreversible vocational trigger that six months of theoretical courses cannot produce. HR makes the connection with the school. The SRE does their work normally. That is all.
Sources: The Infrational Crisis · The State and the Invisible Body · The Infrational Loop
The thesis that the disappearance of infrastructure competences was not caused by a direct decision but by a linguistic strategy — the progressive replacement of precise titles (systems administrator, SRE, network engineer) by vague titles (DevOps engineer, cloud engineer, IT coordinator). You cannot lose what you cannot name. You cannot name what you have lost the definition of. Word inflation preceded and conditioned the dissolution of skills.
Source: The Invisible Amputation (2026)
Analysis of name examples in AWS IAM documentation reveals a documentable structural bias: Jane, Alice, Adele appear in basic user creation and restricted permission roles — John, Bob, David dominate administrator roles, AssumeRole, CloudTrail. The canonical IAM security problem features John Doe creating the risk, Jane Doe inheriting it passively. This is not a conspiracy. It is a normalisation that enters the beginner engineer's cognitive unconscious. It may be more effective than a conspiracy.
Sources: Anatomy of the Loss · The Invisible Amputation · The State and the Invisible Body
The SRE engineer who masters the physical layer is the structural — not personal — enemy of hyperscalers, precisely because they can always fall back to bare metal. Their competence is an existential threat to the lock-in economic model. A client who can leave is a client who negotiates. A client who cannot leave is captive. Reducing this body by 50% through women's exclusion simultaneously amputates it in numbers, in different perspective and in institutional legitimacy.
Source: The Great Recharge (2026)
The thesis that the absence of a programme in a retreat is the central neurological mechanism of restoration — not an organisational oversight. An imposed programme maintains directed vigilance: I must be in the right place at the right time, do the right activity. This vigilance keeps the sympathetic nervous system on alert. The total absence of programme frees the brain from all demands. Deci and Ryan (Self-Determination Theory) document that perceived autonomy reduces cortisol independently of the activity chosen. Freedom is the programme.
Source: The FinOps of the Last Gram (2026)
Recovering precious metals from end-of-life hardware is not only a FinOps exercise — it is a pedagogical format. The engineer who has melted their gold viscerally understands why gold fingers exist, why PCIe connectors are gold and not copper, why a server contains real physical value. The chain TSMC → chip → server → recovered gold makes the Digital Iron thesis visible and tangible. It is the Foundation of Iron through chemistry.
Source: The Ticket and the Talent (2026)
The first structured nomenclature for digital infrastructure roles in three functional categories and six hierarchical levels. SysOps: from metal to service (servers, virtualisation, storage). NetOps: connectivity (switching, routing, firewalls). OpInfra: operational transversality (SRE, architects). Six levels: Support → Technician → Administrator → Engineer → Lead/Principal → Architect. The founding rule: never go beyond this naming. DevOps is a philosophy — not a title in this nomenclature.
Source: The Ticket and the Talent (2026)
If a title cannot be expressed in the words of the SysOps/NetOps/OpInfra nomenclature, either the profile is poorly defined, or the title was invented to mask a classification problem. The existing words suffice to describe any real infrastructure profile. Any undefined composite title — "Senior Cloud DevOps Infrastructure Expert", "SRE Platform Tech Lead" — is a signal of dilution, not expertise.
These concepts are freely usable under CC BY-NC-SA 4.0. Attribution required: Amine RAITI — Opération Dindon.
This document is the map of the Opération Dindon corpus — the complete set of studies, analyses, manifestos, tutorials and tools produced since 8 May 2026, in a few days of intensive work. It does not replace the studies — it shows how they articulate around a single founding thesis and reinforce each other. Eight thematic arcs. One central thesis. One ultimatum. One date.
The human is sovereign when they can act on the matter they depend on.
Purely extraterritorial cloud removes this capacity.
Bare-metal restores it.
Everything else is consequence.
This thesis — explicitly stated in "No Sovereignty Without Matter" — is the keystone from which all corpus studies are extensions. It was not stated first. It emerged as a retrospective self-evidence after the corpus had documented its consequences from twenty different angles. That is the characteristic of a true thesis: it was there from the beginning, implicit in every study, before being named.
Philosophical: Bodin, Schmitt, Hobbes converge on the same principle — no sovereignty without control of real territory. The landowner-farmer is sovereign. The tenant is precarious. Applied to the digital world: the organisation that masters its bare-metal is sovereign. The one that rents its infrastructure from an extraterritorial hyperscaler is precarious.
Technical: bare-metal is digital territory — cables, servers, racks, datacentres. Cloud extracts this territory from the control of its dependant across four documented dimensions: unknown physical location, extraterritorial jurisdiction (CLOUD Act), unilateral termination, pricing power.
Human: technical sovereignty rests on a professional body capable of building and operating independent infrastructure. This body — bare-metal SREs, systems administrators, network engineers — is the human condition of sovereignty. Without it, any sovereignty policy remains nominal.
What resists abstraction is precious. Bare-metal resists cloud abstraction. Human lived experience resists AI abstraction. Tacit knowledge resists the abstraction of theoretical training. In every domain where abstraction takes hold, the value of what it cannot capture rises. This principle — discovered across eight different thematic arcs — is the corpus's central intellectual contribution.
The corpus began with the diagnosis. Before proposing solutions, it was necessary to name with precision what is happening — how hyperscalers capture organisations, how vocabulary dissolves competences, how digital geography determines sovereignty.
The corpus's first study documents the six lock-in layers: technical (proprietary APIs, non-portable formats), cognitive (certifications that chain teams), contractual (asymmetric termination clauses), economic (egress fees), cultural (cloud as implicit norm), and political (absence of binding regulation). The central thesis: lock-in is not an accident — it is the product architecture.
Two original neologisms. Infrational: the devaluation of technical words through overuse — "DevOps", "cloud engineer", "XxxOps" — which dissolve competences by making them indistinct. The Infrational Loop: the self-sustaining six-step cycle — dilution → shortage → salary explosion → compression → seniors leave → shortage deepens → restart. Nobody at the wheel. The collective result is irrational. Each actor acts rationally.
The Digital Ground documents datacentre geography — the AMS-FRA-DUB concentration, Interxion's acquisition by Digital Realty, the CLOUD Act vs GDPR mapping. The Digital Iron goes further: TSMC, ASML, Chinese rare earths — the chip is the ingot of the 21st century. Digital sovereignty begins in the mines, not the datacentres.
The Economy of Silence: uptime as the only metric — what the silence of the server room hides about the SRE engineer's real work. The Invisible Debt: the technical debt accumulated by organisations that migrate to cloud without mastering what they abandon. Both documents document what dashboards do not measure — yet which determines real resilience.
Digital sovereignty cannot exist without engineers capable of making it operational. Arc II documents this professional body — its pathologies, its exclusions, its pay, its departures, and the institutional conditions for its survival.
The Silence of the Rooms documents women's absence in SRE and infrastructure: 10 to 15% women in French SRE in 2025, against 57% in medicine. The Invisible Amputation goes further: analysing name examples in AWS IAM documentation — Jane, Alice in restricted roles; John, Bob in administrator roles — as a gendered normalisation signal. SRE without women is a body amputated by half — less creative, less resilient, less institutionally legitimate.
Maternity as Continuity inverts the perspective: maternity is not a career interruption — it is a skills continuity (priority management under pressure, anticipation, resilience). The Blue documents what the diploma does not measure — craft knowledge, the culture of physical work, the tacit competence of despised vocational pathways. Both studies defend the same thesis: real value is not measured with standard instruments.
The Departure of the Last One Who Knows documents the precise moment when an organisation irretrievably loses its tacit knowledge — and what it actually costs. The State and the Invisible Body poses the institutional question: why does the French state not recognise, train, and protect the professional body that is the condition of its own digital sovereignty? Six proposed levers: protected RNCP title, France Travail convention, public procurement preference, annual report, pay revaluation, mandatory Foundation of Iron in BTS.
The CPF Misused documents how training rights are massively oriented toward hyperscaler cloud certifications at the expense of sovereign infrastructure training. The Ticket and the Talent proposes the correction: a structured nomenclature of infrastructure roles in three categories (SysOps/NetOps/OpInfra) and six levels, with the Non-Dilution Rule — DevOps is a philosophy, not a title.
Arc III documents the real economic value of bare-metal infrastructure — at entry (refurbished hardware), during life (cloud cost reduction), and at end of life (precious metal recovery). The corpus's FinOps does not stop at the cloud invoice.
Grade A refurbished hardware is not a compromise — it is a strategy. Dell R640 at €800-1,200 versus €4,000-6,000 new, reconstructed manufacturer warranty, identical performance for the majority of SRE workloads. Grade A Refurbished documents the complete chain: sourcing, certification, integration, monitoring specific to reconditioned equipment.
An end-of-life Dell R640 contains 0.2 to 0.5g of gold (€17 to €42), copper, palladium. A rack of 40 servers: €880 to €2,300 in precious metals that the WEEE chain absorbs in its margins. The FinOps of the Last Gram documents the complete DIY process — HCl/H₂O₂ streaming, FeSO₄ precipitation, NaOH neutralisation, torch melting. Lab budget: €245 amortised over 5 batches. Net batch 1: €780 to €2,200. Physical pedagogy as a bonus: the engineer who has melted their gold viscerally understands what is in a server.
12 pages dedicated to cloud cost reduction for AWS/GCP/Azure SRE and Ops teams — rightsizing, reserved instances, spot instances, network optimisation, egress fee reduction, non-production shutdown automation. The corpus's most immediately operational document: applicable immediately, without infrastructure change, by the team in place.
Two versions (10p and 16p) of the VMware to Proxmox VE migration tutorial — Stretched Cluster D1/D2/D3, live migration, zero downtime. The VMware migration is the most accessible concrete sovereignty decision for French organisations following Broadcom's licensing policy changes. The tutorial documents every step, every command, every verification point.
A rare and precious professional body that burns out is a body that disappears. Arc IV documents the complete recharge architecture — from the weekly micro-dose to the annual grand recharge — with its scientific basis and economic calculation.
On-call produces a documented accumulation of nocturnal cortisol. An SRE on regular on-call accumulates a physiological debt that holidays do not entirely repay. The Pager and the Body documents the mechanism, the biological markers, and the alert thresholds. It is the clinical basis on which the following studies build their solutions.
The Yemeni Dinner: the thoughtfully chosen restaurant as a signal of the manager's curiosity and life outside the office — €78 per person, bonding oxytocin, shared memory, real dehierarchisation. Play in SRE Teams: the Nerf gun was not a toy — it was a mental maintenance instrument. Fiero, adrenaline, dehierarchisation, micro-disconnection. These two formats document the monthly and weekly frequency of the Neurochemical Recharge Sequence.
Barbès hammam rented entirely (€150-200 for 10 people, 1h) → free walk to Belleville → Asian dinner. €35 per person. Four documented neurochemical phases: cortisol ↓ (hammam, Rapaport 2012), endorphins (walking, Tomasello/Wolf 2023), bonding oxytocin (dinner), respect signal (autonomous return). The freedom of route is the mechanism — not the destination.
Mountain weekend at hot springs. No programme. No forms. No consultant. €350 to €500 per person. Kaplan (ART, 1989), Ulrich (SRT, 1983), Deci and Ryan (Self-Determination Theory), de Bloom et al. (22-study meta-analysis). Complete architecture: Nerf (€0/week) → dinner (€78/month) → hammam (€35/quarter) → activity (€75/semester) → mountains (€400/year) = €600-900/year/person.
Technical sovereignty is not decreed. It is transmitted. Arc V documents the mechanisms of tacit knowledge transmission and the concrete proposal for rebuilding the professional body — from the philosophy of mentorship to the complete training programme.
The structural parallel between the M3allem/Met3allem of Moroccan ancestral arts — Zellij of Fès, Gibs, Marrakech leather — and the transmission of tacit knowledge in bare-metal infrastructure. Both share the same survival mechanism: breaking the transmission chain kills the art or the profession. The Zellij did not survive because of books about Zellij. The Observation Day as minimal format: one day without assessment, without badge — the student watches, eats with the team, lives an incident if luck allows.
The most complete infrastructure training programme produced by the corpus. 26 weeks, from electricity to Kubernetes, designed for all audiences. Week 1: electricity and power. Week 6: PC and server hardware. Week 8: Linux fundamentals. Week 17: OSI model. Week 22: Active Directory. Week 26: network security and final defence. Each support exists in FR and EN — 52 A4 files, imperial format, print-ready. It is the operational answer to "how do we rebuild the professional body?" — starting from zero, with anyone who wants to learn.
Mastery of the Iron completes the Foundation by documenting the advanced level — the final lock and the path to reconquest. The Teacher's Manifesto sets the posture: Amine does not speak as an institutional representative — he speaks as a trainer to his former students, with twenty years of classrooms behind him. "I have something more solid than a mandate: twenty years of classrooms."
Digital sovereignty has a legal dimension that the corpus has documented with unusual precision for a technical corpus. The contractual analyses produced are real working documents — usable by CIOs, legal teams and CFOs in their negotiations with hyperscalers.
Comparative analyses of the three hyperscalers' terms of service — in French, English and German — against French law, European law (GDPR) and post-Brexit British law. Points documented: unilateral termination clauses, liability limitations, extraterritorial data transfers, absence of binding SLA, unilateral modification of conditions. These analyses are the first in the corpus to show that cloud terms are not balanced contracts — they are instruments of legal captivity.
Adaptation of the contractual analysis to the three competition regulatory authorities — DGCCRF (France), CMA (United Kingdom), Bundeskartellamt (Germany). Each version identifies clauses potentially constituting anticompetitive or abusive practices before the relevant authority. These documents are designed to be submitted directly to authorities.
Five operational sheets dedicated to the five actors of a cloud exit decision: Sheet A (Legal Department), Sheet B (CIO — technical sequencing), Sheet C (CFO/General Management — ROI and hidden costs), Sheet D (complete operational sequence), Sheet E (HR and change management). These guides allow each actor to understand their role in a partial or full hyperscaler cloud exit.
Clauses to negotiate imperatively: egress fee caps, right to datacentre audit, minimum termination notice, guaranteed contractual portability, symmetric liability limitation, tariff freeze clause. This guide gives CIOs the concrete levers to negotiate from a position of strength — or confirms they have none, which is itself strategic information.
The corpus opened an unexpected arc — the question of AI, generated content and human singularity. In dialogue with Sirine Houara, it discovered that the principle "what resists abstraction is precious" applies beyond infrastructure.
AI as amplifier: it takes ideas forged in experience and structures them, enriches them, gives them form. AI as substitute: it produces instead of the human, who only validates. The result may be stylistically correct — it is ontologically hollow. From Amplifier to Substitute documents the boundary and proposes criteria for staying on the right side.
Sirine stated the thesis: AI makes humans more precious by making them scarce. Lived experience is irreproducible — a life trajectory cannot be trained on. Contradiction is the sign of living thought — an LLM optimises for coherence, that is its weakness. Embodiment means the dyslexic's spelling errors are more authentic than the model's perfect text. The corpus established the link: same mechanism as the Infrational Loop — abstraction reveals the scarcity of what it cannot capture.
The complete training document on AI use in an infrastructure professional context. How to use LLMs without dissolving into them, how to integrate them into SRE workflows, how to maintain technical mastery in the face of growing automation. The training that completes the Foundation of Iron for the generation entering the profession with AI as a native tool.
Every corpus post ends with the same note: "🤖 Commissioned AI disclosure: produced under the instructions of Amine RAITI... Monthly salary: €21.99." This is not only humour. It is a transparency declaration — the tool is named, the author is identified, the amplifier/substitute boundary is visible. The theses of the corpus are irreproducible because they come from twenty years of field work. AI gives them their form. It does not give them their substance.
Issued on 8 May 2026 by Amine RAITI, addressed to AWS, Microsoft Azure and Google Cloud Platform:
1. Resiliable commits: multi-year commitments must be terminable without disproportionate penalty in cases of unilateral modification of conditions by the provider.
2. Reasonable egress fees: outbound data transfer charges must be capped at a level that does not constitute an economic barrier to mobility.
3. Real portability: data must be exportable in standard open formats, within reasonable timeframes, without technical degradation.
4. The CLOUD Act stays in the USA: decisions of the US Department of Justice do not apply to data of European citizens and organisations hosted in European datacentres.
In a few days of intensive work since 8 May 2026: more than 25 structural studies FR+EN, 52 Foundation of Iron teaching supports, legal analyses of AWS/Azure/GCP terms in three languages, operational cloud exit guides, MariaDB and Proxmox technical tutorials, the trilingual Legend of Dindon, Latin lexicons, and this magisterial synthesis. The corpus is not the product of two years of progressive writing — it is the product of a few days of total intensity. This is not a weakness. It is a demonstration.
The ultimatum runs until 8 September 2026. If by then no concrete response — contractual, tariff-based, legislative — is provided to the four demands, production continues. This corpus is not a threat — it is documentation. What is documented is not lost. What is named can be defended. What is defended can be reconquered.
Infrational / Infrationnelle — devaluation of technical words through overuse
The Infrational Loop — self-sustaining 6-step cycle, nobody at the wheel
The FinOps of the Last Gram — FinOps extended to residual metal value
SysOps / NetOps / OpInfra — 3 categories, 6 levels
The Non-Dilution Rule — DevOps is a philosophy, not a title
The Neurochemical Recharge Sequence — 5 frequencies, €600-900/year
The Server Room as Medina — parallel between Moroccan M3allem/Met3allem and SRE tacit knowledge
Tacit Knowledge as the Invisible Layer — what training without a mentor cannot transmit
The Observation Day as Minimal Format — one day without assessment as a vocational trigger
The Dissolution of the Body Through Vocabulary — lost words precede lost competences
Documentation as Gendered Normalisation Signal — AWS IAM John/Jane as implicit encoding
The SRE as Structural Enemy of Hyperscalers — bare-metal competence is an existential threat to lock-in
The No-Programme Programme as Restoration Mechanism — absence of structure releases directed vigilance
SysAdmin Alchemy as Physical Pedagogy — melting gold to understand what is in a server
"Metal comes before the code. Metal comes before the cloud. Metal comes before the promise." · "You cannot lose what you cannot name." · "The blacksmith who does not know their metal forges wind." · "The server room is a medina. The cables are the alleyways. The racks are the workshops." · "The Zellij did not survive because of books about Zellij." · "Saving €10,000 to lose €100,000." · "What is missing is the decision." · "DevOps is a philosophy. Not a profession." · "The neurochemistry is the same. The budget is not." · "What resists abstraction is precious."
No digital sovereignty without mastery of bare-metal.
No mastery of bare-metal without the engineers who understand it.
No engineers without the training that forges them.
No training without the trainers who have lived what they teach.
Everything else is consequence.
I — The Diagnosis: lock-in is not an accident — it is the product architecture.
II — The Invisible Body: the SRE professional body is the human condition of sovereignty — it is scarce, underpaid, undertrained, and half absent.
III — The Value: from the refurbished server to the recovered gram of gold — bare-metal has real physical value that nobody calculates.
IV — The Care: a body that burns out is a body that disappears — €600 per year per person is enough to maintain the neurochemical cohesion of an SRE team.
V — The Transmission: knowledge is not documented — it is transmitted body to body, in real conditions, alongside a M3allem.
VI — The Legal Arsenal: cloud contracts are instruments of captivity — they can be negotiated, contested and used as evidence before regulatory authorities.
VII — The Human in the Machine: what resists AI abstraction is precious — the irreproducible lived experience, contradiction, embodiment.
VIII — The Ultimatum: four demands, one date, a corpus as testimony.
This corpus is not a threat. It is documentation.
What is documented is not lost.
What is named can be defended.
What is defended can be reconquered.

26 weeks, 910 hours : the programme that turns the Grimoire's thesis — no sovereignty without mastery of hardware — into real, verifiable, transferable skill. From the electron to Kubernetes.
| W1 · Foundational electricity | Voltage · Current · Power · Ohm |
| W2 · Number conversion | Binary · Octal · Hexadecimal · CIDR |
| W3 · Boolean algebra | Gates · Truth tables · Simplification |
| W4 · Embedded programming basics | Arduino · Sensors · Actuators · Control loop |
| W5 · PLCs and integrating project | PLC · Specification · Defence |
| W6 · PC and server hardware | CPU · RAM · Buses · BIOS/UEFI · Assembly |
| W7 · Storage and filesystems | ext4 · NTFS · ZFS · RAID · Disk image |
| W8 · Linux fundamentals | Installation · Hierarchy · Shell · Permissions |
| W9 · Linux administration level 1 | Packages · systemd · Users · Logs |
| W10 · Linux administration level 2 | Cron · Shell scripts · Monitoring · Alerts |
| W11 · Windows Server fundamentals | Installation · Roles · PowerShell |
| W12 · Windows Server local administration | NTFS · Shares · Event Viewer · Diagnosis |
| W13 · Bare-metal virtualisation | Type-1 hypervisor · Proxmox VE · Snapshots |
| W14 · High availability and backup | RPO · RTO · Cluster · GFS · 3-2-1 |
| W15 · System hardening | Hardening · SSH · Host firewall · Audit |
| W16 · OS synthesis project & mid-programme defence | ◆ DEFENCE |
| W17 · OSI model and advanced addressing | 7 layers · Encapsulation · Subnets · Wireshark |
| W18 · Switching and VLANs | Switch · MAC table · 802.1Q · Trunk · Segmentation |
| W19 · Routing | Routing tables · Static · Inter-VLAN |
| W20 · DHCP | DORA · Leases · Inter-VLAN relay |
| W21 · DNS (direct prerequisite for Active Directory) | Zones · Records · SRV · Recursive resolution |
| W22 · Active Directory | Forest · Domain · OU · Domain controller |
| W23 · Group Policy Objects (GPO) | LSDOU · Inheritance · Filter · Diagnosis |
| W24 · Web server HTTP/HTTPS | Apache/Nginx · TLS · Virtual Hosts · Logs |
| W25 · Relational databases | SQL CRUD · DBMS · Backup · Web connection |
| W26 · Network security, synthesis & final defence | ◆ FINAL DEFENCE |
1. Understand voltage, current, resistance and their
relationship (Ohm's law)
2. Distinguish active, reactive and apparent power, convert kW to kVA
3. Read
and interpret an electrical equipment nameplate
4. Measure voltage and current with a multimeter
safely
5. Calculate the admissible electrical load of a server rack
The theory section of this material is a structured course outline — key concepts, formulas, worked examples — meant to serve as a guiding thread that the instructor develops and illustrates orally in their own style. The practical exercises and their solutions are written in full and stand on their own.
A 10 kVA UPS with a power factor cos φ = 0.9 delivers a useful active power of: P = S × cos φ = 10 × 0.9 = 9 kW.
Voltage (U): electrical potential
difference, in Volts (V).
Current (I): rate of electrical charge flow, in Amperes
(A).
Resistance (R): opposition to current flow, in Ohms (Ω).
Active power
(P): actually useful electrical work, in Watts (W).
Apparent power (S): vector
combination of P and Q, in Volt-Amperes (VA).
Equipment: digital multimeter (1 per pair), adjustable low-voltage lab power supply (0-15V), various resistors (100Ω, 220Ω, 1kΩ, 4.7kΩ with visible colour code), test leads, breadboard, electrical safety sheet signed at the start of the session.
Expected measurement table: voltage readings should fall within ±2% of the supply setting (5V, 9V, 12V). Measured resistances should fall within the tolerance indicated by the colour code (typically ±5% for a gold 4th band).
Expected calculation for step 5: if the circuit uses a 220Ω resistor powered at 9V, the theoretical expected current is I = U/R = 9/220 ≈ 0.041 A (41 mA). The deviation between the calculated resistance (R = measured U / measured I) and the resistance shown directly by the multimeter should remain below 5%.
Sources of error to mention: internal resistance of the multimeter in ammeter mode, resistor tolerance itself, contact quality on the breadboard, drift of the lab supply if unregulated.
Equipment: datasheets for 5 servers (provided in annex — rated power in W, current in A, 230V supply voltage), calculator, datasheet for a typical PDU (16A/230V single-phase capacity, roughly 3.68 kVA).
Example dataset (to adapt to the actually distributed datasheets): 5 server models with rated powers of 350W, 450W, 550W, 650W and 800W. For 2 units of each (10 servers): total power = 2 × (350+450+550+650+800) = 2 × 2800 = 5600 W = 5.6 kW.
Conversion to kVA: S = P / cos φ = 5.6 / 0.95 ≈ 5.89 kVA.
Comparison with the PDU (3.68 kVA): a single 3.68 kVA PDU is insufficient. At least 2 PDUs are required (5.89 / 3.68 ≈ 1.6, rounded up to 2 for capacity, which also conveniently provides redundancy).
With a 20% safety margin: load to cover = 5.89 × 1.2 ≈ 7.07 kVA, confirming the need for 2 PDUs and prompting a check of balanced load distribution between them.
Equipment: provided case study (paper layout of 3 racks, list of 25 servers spread across the 3 racks with datasheets), calculator. Site data: three-phase 400V/63A incoming supply.
Method for calculating available three-phase capacity: P = U × I × √3 × cos φ = 400 × 63 × 1.732 × 0.95 ≈ 41.4 kVA available on the site's incoming supply.
Example distribution (to adapt to the provided dataset): if each rack requires about 6 kVA after the safety margin (consistent with Exercise 2), 3 racks represent about 18 kVA — comfortably within the 41.4 kVA available, leaving a healthy margin for future expansion.
Expected sizing sheet: a table with one row per rack (active power, apparent power, required PDUs), a total row, and an explicit conclusion on compatibility with the site's incoming supply and the remaining margin for future growth.
1. Convert a number between binary, octal, decimal and
hexadecimal
2. Perform the 4 basic arithmetic operations in each numbering system
3. Understand the
relationship between bit, byte and physical representation (electrical pulse)
4. Calculate an IP address
and a subnet mask in binary
5. Convert a hexadecimal colour code and understand its structure
The theory section of this material is a structured course outline — key concepts, calculation methods, worked examples — meant to serve as a guiding thread that the instructor develops orally. The practical exercises and their solutions are written in full and stand on their own.
A Unix chmod 755 permission breaks down in binary by groups of 3 bits: 7 = 111 (rwx), 5 = 101 (r-x), 5 = 101 (r-x) — owner has read/write/execute, group and others have read/execute only.
Bit: elementary binary unit (0 or
1), corresponding to an electrical state.
Byte: group of 8 bits, 256 possible values (0 to
255 in decimal).
CIDR notation: number of consecutive 1-bits in a subnet mask (e.g.
/24).
Hexadecimal: base-16 system, using digits 0-9 and letters A-F.
Equipment: provided exercise sheet (20 numbers to convert), no calculator allowed for this part — the goal is mastering the manual method.
Example decimal-to-binary conversion (156): 156÷2=78 remainder 0; 78÷2=39 remainder 0; 39÷2=19 remainder 1; 19÷2=9 remainder 1; 9÷2=4 remainder 1; 4÷2=2 remainder 0; 2÷2=1 remainder 0; 1÷2=0 remainder 1. Reading the remainders bottom to top: 10011100.
Verification: 10011100 = 128+16+8+4 = 156. ✓
Example decimal-to-hexadecimal conversion (500): 500÷16=31 remainder 4; 31÷16=1 remainder 15(F); 1÷16=0 remainder 1. Reading bottom to top: 0x1F4.
Example binary addition (1011 + 0110): column by column from right to left with carry: 1+0=1; 1+1=10 (write 0, carry 1); 0+1+1(carry)=10 (write 0, carry 1); 1+0+1(carry)=10 (write 0, carry 1) → result 10001 (=17 in decimal, verification: 11+6=17 ✓).
Equipment: provided exercise sheet (5 IP addresses with various CIDR masks), calculator allowed for this part.
Full example — address 192.168.1.10 / 24:
Binary conversion: 192=11000000, 168=10101000, 1=00000001, 10=00001010.
Mask /24 =
11111111.11111111.11111111.00000000 = 255.255.255.0.
Network address (logical AND of address/mask):
192.168.1.0.
Broadcast address: 192.168.1.255.
Number of usable
addresses: 2^8 - 2 = 254 addresses (256 possible, minus the network address and
the broadcast address).
Example with a /28 mask: 2^4 - 2 = 14 usable addresses only, which concretely illustrates the direct impact of the mask choice on subnet size — an essential point for the DHCP module later in the programme.
Equipment: provided exercise sheet (5 hexadecimal colour codes and 5 decimal RGB values to convert both ways), digital colour picker for visual verification.
Example — breaking down #1A5FA8: 1A (hex) = 26 (decimal), 5F (hex) = 95 (decimal), A8 (hex) = 168 (decimal). RGB(26, 95, 168) — a deep blue commonly used in technical brand guidelines.
Example — reconstructing from RGB(212, 175, 55): 212 → D4 (hex), 175 → AF (hex), 55 → 37 (hex). Final code: #D4AF37 (a gold colour).
1. Know the basic logic operators (AND, OR, NOT, NAND,
NOR, XOR) and their truth tables
2. Simplify a logic function using Boolean algebra
3. Simplify a logic
function using a Karnaugh map
4. Design a logic circuit from a specification
5. Build and test a logic
circuit using 74XXX-series integrated circuits
This week is deliberately practice-heavy (23h out of 35h) — the theory stays short and lends itself to immediate verification on hardware. Keep Exercises 1 and 2 back to back, as the final project directly depends on what they cover.
Applying De Morgan's law: NOT(A OR B) = NOT(A) AND NOT(B). Verification by truth table across the 4 possible combinations of A and B — useful for transforming an OR+NOT circuit into a NAND-only circuit.
Equipment: provided exercise sheet (5 logic functions with 2-3 variables), graph paper for Karnaugh maps.
Example function to simplify: F = A.B + A.NOT(B) + NOT(A).B
Via Boolean algebra: A.B + A.NOT(B) = A.(B+NOT(B)) = A.1 = A. So F = A + NOT(A).B. By distributivity: A + NOT(A).B = (A+NOT(A)).(A+B) = 1.(A+B) = A + B.
Via Karnaugh map (2 variables A, B): the 3 cells equal to 1 (AB=11, AB=10, AB=01) form a grouping that reads directly as A + B — an identical result, validating the method both ways.
Teaching point to emphasise: the Karnaugh map becomes notably faster than Boolean algebra as soon as the number of variables increases (3 or 4 variables) — this is why it is favoured in industrial practice.
Brief: design the logic circuit for a simple 2-way intersection (lane A has priority during peak hours, lane B is secondary). An input variable H indicates whether it is peak hour (H=1) or not (H=0). A variable S indicates that a vehicle is detected on the secondary lane B (ground sensor). Output: lane A's light must be green (FA=1) except when it is not peak hour AND a vehicle is detected on B.
Truth table: H=0,S=0 → FA=1 (not peak hour, no vehicle on B, A stays green by default); H=0,S=1 → FA=0 (not peak hour BUT a vehicle is detected on B, so we yield); H=1,S=0 → FA=1; H=1,S=1 → FA=1 (absolute priority to A during peak hour, even with a vehicle on B).
Simplified function: FA = H + NOT(S), which literally reads as "light A is green if it is peak hour, or if no vehicle is detected on B".
Logic diagram: an OR gate with H as a direct input and NOT(S) (so a NOT inverter upstream on signal S), output FA.
Physical build: 1 inverter (74LS04) to generate NOT(S), 1 OR gate (74LS32) to combine H and NOT(S). Simple wiring using 2 integrated circuits, validated by testing all 4 switch combinations and observing the output LED.
Equipment: circuit built in Exercise 2, multimeter (acquired in Week 1), LED protection resistors (220Ω), regulated 5V power supply, breadboard.
Expected validation grid: the 4 tested combinations must give exactly the results from the Exercise 2 truth table (FA=1,0,1,1 for H,S = 00,01,10,11). Any discrepancy should be explained by a wiring or component fault, never by a logic error if the Exercise 2 simplification was correctly validated.
Most common faults to anticipate: a reversed power pin on the integrated circuit (Vcc/GND), a missing or miscalibrated LED protection resistor, a poor breadboard contact.
1. Understand microcontroller architecture (CPU, memory,
I/O pins)
2. Distinguish sensors from actuators, understand the concept of a control loop
3. Write and
upload a first Arduino program
4. Read a digital and an analogue sensor
5. Drive an actuator (motor,
relay) from a program
This week connects directly with Block 1: Boolean logic (Week 3) reappears in program conditions, and voltage reading (Week 1) in analogue sensors. Stating this explicitly helps trainees see the continuity of the pathway.
A light sensor powered at 5V and read by a 10-bit analogue input returns a value between 0 (0V, total darkness) and 1023 (5V, full light). This value can then be compared to a threshold in a condition (if value > 500).
Equipment: Arduino Uno board (1 per pair), USB cable, computer with the Arduino IDE installed, LED, 220Ω resistor, push button, light sensor (LDR photoresistor), breadboard, jumper wires.
Expected program for step 3 (button → LED): in the loop() function, read the button pin's state with digitalRead(), then use a structure such as if (buttonState == HIGH) { digitalWrite(ledPin, HIGH); } else { digitalWrite(ledPin, LOW); }.
Expected program for step 5 (sensor → automatic LED): read the sensor value with analogRead() (a value between 0 and 1023), then compare it to a threshold (e.g. 400) with if (sensorValue < 400) { digitalWrite(ledPin, HIGH); }.
Marking point: check that each pair correctly identified the direction of the sensor's variation (value increasing or decreasing with darkness, which depends on the voltage-divider wiring used).
Equipment: 5V relay module, small DC motor, NPN transistor (if no relay available), external power supply for the motor, multimeter (acquired in Week 1), breadboard, jumper wires.
Expected justification for step 1: an Arduino pin typically supplies a maximum current of 20-40 mA, insufficient for most DC motors, which require several hundred mA. The relay allows a low driving current to control a fully electrically separate power circuit.
Expected program for step 4: a structure similar to Exercise 1 (sensor reading + condition + action), but using digitalWrite() on the relay pin instead of an LED — demonstrating that the same programming logic applies to any actuator.
1. Understand the logic of industrial programmable logic
controllers (PLCs)
2. Translate an automation specification into program logic
3. Combine several
sensors and several actuators in a single system
4. Design, build and document a complete mini automation
project
5. Present and defend a technical solution in front of a group
This week is designed as a synthesis of Block 2. Exercise 2 (the integrating project) should take up most of the available time and can be individualised per pair to maintain motivation.
"Simplified access control system: a button acting as a keypad triggers an opening (green LED + servo motor simulating a door) if a correct sequence is entered within 5 seconds, otherwise a red LED and a buzzer signal failure."
Provided brief: each pair receives (or chooses from 3 proposals) a mini automation project combining at least 2 sensors and 2 actuators from those used in Week 4 (button, photoresistor, LED, relay, motor), with the option of adding a servo motor or buzzer provided for this week.
Specification validation checklist: the list of inputs/outputs must be complete and unambiguous (each sensor and actuator has a clearly defined role), the transition conditions must cover all cases (including failure cases), and the wiring diagram must be consistent with the Arduino pins actually available.
Common mistake to correct: forgetting to specify behaviour on failure or timeout (for example, what happens if the keypad sequence is never completed?). This is an opportunity to recall that the Week 3 truth table must cover ALL possible combinations, not just the success case.
Equipment: all equipment used in Week 4 (Arduino, breadboard, sensors, relay, motor) plus a servo motor and buzzer for this week, depending on the chosen project's needs.
Criterion 1 — Functional compliance (40%): does the system meet the full brief, including failure cases?
Criterion 2 — Wiring and integration quality (20%): clean build, reliable connections, no loose contact during the demonstration.
Criterion 3 — Code quality (20%): readable, commented, structured code (no unnecessary repetition, clear variable names).
Criterion 4 — Documentation and oral presentation (20%): ability to clearly explain technical choices and difficulties encountered.
1. Identify and name the components of a workstation and
a server (CPU, RAM, motherboard, power supply, cooling)
2. Understand the BIOS/UEFI's role in booting a
machine
3. Safely disassemble and reassemble a workstation
4. Diagnose a simple hardware fault
5.
Assemble a small server from separate components
Make sure enough decommissioned workstations/servers are available to allow genuine disassembly — this is the condition for this week's success. The link with Week 1 (power supply rating) should be made explicit.
A 650W power supply (seen in Week 1 as available power) must be able to simultaneously power the CPU (often 65-150W), the motherboard, several RAM modules, storage, and a possible graphics card — the sum of consumptions must never exceed the rated power available, with a safety margin.
Equipment: decommissioned workstations (1 per pair), suitable screwdrivers, antistatic wristband, bags and labels for sorting screws, clear table surface.
Reassembly check grid: the workstation must boot without an error beep (or with the normal sequence beep depending on the motherboard), the BIOS/UEFI must display the correct amount of RAM and the expected CPU model, storage must be detected.
Common faults to anticipate and their diagnosis: no boot = check the main power connector and the CPU connector on the motherboard; RAM not detected = check that the modules are properly seated in the DIMM slots; repeated boot beep = usually a poorly seated RAM module (check the manufacturer's beep code in the motherboard's documentation).
Equipment: separate components provided (motherboard, CPU, RAM, power supply, storage, case or rack chassis), thermal paste, full toolkit.
Expected compatibility checks: the CPU socket must exactly match the motherboard's, the RAM type and frequency must be supported by the motherboard (verifiable in its documentation), the CPU power connector (often 4 or 8 pins) must be present on the supplied power supply.
Expected estimated power calculation: sum the typical consumptions (CPU ~65-95W, motherboard and peripherals ~30-50W, storage ~5-10W per drive) and check the total stays below 70-80% of the power supply's rated capacity, in line with the safety margin covered in Week 1.
1. Understand the physical structure of a disk (sectors,
partitions)
2. Distinguish the main filesystems (ext4, NTFS, ZFS) and their use cases
3. Understand RAID
principles and its common levels
4. Create partitions and format a disk
5. Create, restore and use a
complete disk image
This week closes the foundational block before entering the large OS block (Weeks 8-16). Exercise 2 (data recovery) has strong pedagogical value to ground the concept of backup before the intensive operating systems practice ahead.
A RAID 1 (mirror) across two 1 TB disks provides 1 TB of usable space (not 2 TB) because each disk is an exact copy of the other — the cost of redundancy is half of the total raw capacity.
Equipment: test machine or virtual machine with a dedicated blank disk (at least 20 GB), command-line tools (fdisk/parted on Linux, diskpart on Windows if available).
Critical safety check before any operation: ask each pair to explicitly confirm, before any destructive command, the exact identifier of the test disk (e.g. /dev/sdb, not /dev/sda which could potentially hold the system). This is the most dangerous possible mistake at this stage of training.
Expected result after formatting: each partition should appear mounted with the requested filesystem (verifiable with the mount command or lsblk -f), and the total space across the 3 partitions should match the disk size minus a small overhead from each filesystem's metadata.
Equipment: the test disk from Exercise 1 (with data already written), external storage for the image, dd and/or Clonezilla tools, bootable Clonezilla media if used.
Expected dd command (example): dd if=/dev/sdb of=/mnt/external/disk_image.img bs=4M status=progress — the bs=4M option speeds up the transfer compared to the default block size, and status=progress allows tracking the operation's progress, an important point to highlight for large images.
Restore validation: after restoring, compare the checksum (md5sum or sha256sum) of the restored disk with that of the source image — an exact match validates a bit-for-bit restoration.
Central teaching point of this week: stress that a disk image is only useful if it has been tested through a restore at least once — a backup that has never been restored is not a reliable backup, it is merely an assumption.
1. Understand Linux's general architecture and the role
of distributions
2. Install a Linux distribution on bare metal
3. Navigate the filesystem hierarchy from
the shell
4. Manipulate files, folders and permissions from the command line
5. Understand the basic
structure of shell commands and how they chain together
This course material presents distributions, versions and tools available at the time of writing (2026). The Linux landscape changes constantly: new distribution releases, tool deprecation, changes in package managers or init systems. The instructor is responsible for checking and updating these references against current versions at the time of teaching. The pedagogical principles and method remain valid; specific version names and commands must be refreshed.
The command ls -la /home lists all files (including hidden ones, -a option) with their details (-l option) in the /home directory (absolute path). Break down each part of the command in front of the trainees.
Equipment: a physical test machine or the server assembled in Week 6, an ISO image of the Linux distribution chosen by the instructor (selected among the stable releases available at the time of the course), bootable USB drive, screen and keyboard for local installation.
Partitioning check points: the root partition (/) must have enough space for the system and applications (typically a minimum of 20 GB for training use), a swap partition is recommended even with a comfortable amount of RAM, for handling hibernation and load spikes.
Expected network check: after installation, the distribution's appropriate network diagnostic command should show an active interface with an IP address consistent with the classroom's network.
Methodological note: the exact names of package management commands (apt, dnf, pacman depending on the distribution) must be adapted by the instructor to the distribution actually used in class.
Equipment: the system installed in Exercise 1, terminal access.
Example permission to decode: rwxr-xr-- reads as owner=read/write/execute (rwx=7 in octal), group=read/execute (r-x=5), others=read only (r--=4), giving chmod 754 — a direct and explicit link with the octal conversion covered in Week 2.
Expected example of chained commands: a command combining file search, content filtering and redirection to a results file, explaining the role of each successive pipe.
1. Install, update and remove packages using the
distribution's package manager
2. Understand and manage system services with systemd
3. Create and
administer users and groups
4. View and interpret system logs
5. Administer a basic Linux server under
near-production conditions
The exact names of package managers, their command-line options, and systemd's precise behaviour can change between distribution versions. The instructor must verify the current syntax on the distribution actually in use at the time of teaching rather than relying solely on the fixed examples in this material.
A service that fails to start properly usually leaves a trace in the system logs explaining the cause of the failure (port already in use, missing configuration file, insufficient permission) — show how to find and read this trace step by step.
Equipment: the system installed in Week 8, terminal and internet access (or a provided local repository).
Expected structure of the custom unit file: a [Unit] section describing the service, a [Service] section specifying the command to run and the service type, an [Install] section specifying the desired automatic startup level.
Expected diagnosis method for the induced failure exercise: check the service's status to see the error code, then check the service's detailed logs to identify the precise error message, which should point directly to the cause of the introduced fault.
Equipment: the system configured in Exercise 1, a provided company scenario (a list of 5 fictitious employees with different roles to create).
Expected check for the shared folder: the group's members should have read/write access, other users none — practical test by logging in with an account outside the group to confirm access is denied.
Expected diagram for the write-up: a simple table or diagram cross-referencing users, group membership, and effective permissions on each folder created during the exercise.
1. Schedule automatic tasks with cron
2. Write simple
shell scripts to automate repetitive tasks
3. Manage and rotate system logs
4. Set up basic monitoring
of a server
5. Configure simple alerts on defined thresholds
Monitoring and alerting tools evolve rapidly in the Linux ecosystem. This material presents generic principles applicable to any such tool; the instructor must choose and adapt the concrete tool (basic command-line scripting or a more comprehensive solution) based on what is relevant and actively maintained at the time of teaching.
A cron entry "0 2 * * *" triggers a task every day at 2am — break down each field in front of the trainees and vary one field to illustrate different frequencies (every hour, once a week).
Equipment: the system configured in Week 9, terminal access.
Expected structure of the backup script: a shebang on the first line, a variable defining the source folder and the destination folder, a conditional check for the source folder's existence, a compression command with a timestamp in the generated file's name, a confirmation or error message in the output.
Point of attention for cron scheduling: check that the script has the necessary execution permissions and that the paths used in the script are absolute (cron does not run within the same directory context as an interactive session).
Equipment: the system configured in Exercise 1, terminal access.
Expected structure of the monitoring script: retrieving the current value (disk percentage, CPU load, memory usage) via the appropriate system commands, comparing it against a threshold defined as a variable, writing a timestamped alert line to a dedicated log file if the threshold is exceeded.
Central teaching point: stress that this basic script-based monitoring approach is a pedagogical starting point — in a real production environment, dedicated monitoring tools (to be chosen based on what is maintained and relevant at the time of teaching) offer far more comprehensive features (history, dashboards, multi-channel alerts).
1. Understand Windows Server architecture and its
differences from Linux
2. Install Windows Server on bare metal
3. Configure initial settings (network,
machine name, activation)
4. Manage roles and features via Server Manager
5. Navigate and administer the
system via PowerShell
This material presents Windows Server as available in 2026. Version names, graphical interfaces and PowerShell commands change with each new edition. The instructor must check and adapt to the version actually available in the training environment at the time of delivery.
Equipment: physical machine or dedicated VM, Windows Server ISO (version available in the classroom), bootable USB or virtual media, training licence.
Checking IIS installation: open a browser on the same machine and navigate to http://localhost — the IIS welcome page should appear, confirming the role is active and the service is listening on port 80.
Expected PowerShell commands: Get-Service to list services, Stop-Service and Start-Service (or Restart-Service) with the IIS service name to restart it. Point out the consistency with the service management covered in Week 9 under Linux (systemctl) — same concept, different syntax.
Equipment: the system installed in Exercise 1.
Central teaching point: stress the conceptual consistency between Linux and Windows — service management, automation scripts, output redirection — so trainees see both systems as two implementations of the same conceptual model, not two incompatible worlds.
Expected PowerShell script structure: same logic as the Week 10 shell script (variable, condition, action, message), simply with PowerShell syntax (cmdlets, named parameters, basic error handling with try/catch).
1. Create and manage local users and groups on Windows
Server
2. Manage NTFS permissions on files and folders
3. Configure network resource sharing
4. Use
Windows Event Viewer for diagnosis
5. Administer a Windows server in standalone mode, without a directory
Group Policy Objects (GPOs) are taught in Week 23, immediately after Active Directory (Week 22), of which they are a direct feature. This week covers local administration only — local accounts, NTFS permissions, sharing — with no directory or group policy.
Equipment: the Windows Server system installed in Week 11, a provided company scenario (5 user accounts, 3 groups, shared folder structure).
Expected NTFS permissions check: use the Security tab in a folder's properties to display a given account's effective permissions — the "effective permission" takes into account inheritance and group membership, not just explicitly visible first-level permissions.
Expected Security log trace: denied access attempts generate an event with a specific ID (to be identified on the version in use) in the Security log — this exercise anchors the importance of logs for security diagnosis and auditing.
Equipment: the system configured in Exercise 1.
Suggested problems for the diagnosis exercise: missing NTFS permission for a group (observable with Get-Acl); share permission more restrictive than the NTFS permission (effective permission is always the most restrictive of the two); misconfigured service with an unsatisfied dependency (visible in the System log).
1. Distinguish type-1 and type-2 hypervisors
2.
Install and configure Proxmox VE (or equivalent) on bare metal
3. Create, start, stop and delete virtual
machines
4. Manage virtual resources (CPU, RAM, disk) and understand their limits
5. Take a snapshot and
restore a VM
This material uses Proxmox VE as the reference hypervisor (open source, widely adopted in 2026). The instructor may substitute any other type-1 hypervisor available in the training environment — the concepts and objectives are identical regardless of the tool chosen.
Equipment: dedicated physical machine (or the server assembled in Week 6), Proxmox VE ISO (current stable version), bootable USB drive, network connection.
Post-installation hypervisor check: the web interface should be accessible from a client machine via the IP address configured during installation, on the default port. The node should appear as operational in the dashboard.
Snapshot restore verification: the deleted file should be present again after restoring — this is the concrete demonstration that the snapshot captured the state prior to the deletion. Stress the difference from an external backup: if the hypervisor itself fails, the snapshot becomes inaccessible.
Equipment: hypervisor configured in Exercise 1, the two created VMs.
Expected overcommitment result: with light overcommitment (10-20% beyond physical RAM), the hypervisor uses memory ballooning or swap — VMs keep running but with measurable performance degradation. With heavy overcommitment, the risk of VM crashes increases sharply.
Clone verification: both instances must have different identifiers (IP if DHCP, hostname if reconfigured) — an unreconfigured clone can cause network conflicts, an important point to highlight.
1. Understand RPO and RTO
2. Configure a simple
two-node cluster on the hypervisor
3. Test automatic VM failover on node failure
4. Implement a GFS
(Grandfather-Father-Son) backup strategy
5. Automate backups and test restoration
Cluster and HA mechanisms evolve with hypervisor versions. This material presents generic concepts; the instructor adapts the specific procedures to the tool in use.
Equipment: two physical nodes or two VMs acting as hypervisor nodes, shared storage (NFS or minimal Ceph if available) or replication depending on the hypervisor version.
Expected failover test results: the node failure detection delay is typically a few seconds to a few minutes depending on the cluster configuration (heartbeat timeout). The VM must restart automatically on the surviving node, with an effective RTO corresponding to this detection delay plus the VM's boot time.
Teaching point on RPO: in a failure scenario without shared storage, data not saved since the last snapshot or backup is lost — the RPO is directly tied to backup frequency, not to HA configuration alone.
Equipment: hypervisor configured in Exercise 1, external storage space (NAS or dedicated disk).
Expected backup plan: the document must explicitly state the RPO (what is the maximum data loss if a restore is needed, based on backup frequency), the RTO (how long a full restore takes, measured during the exercise), and the total backup retention duration.
1. Apply OS hardening principles on both Linux and
Windows Server
2. Configure and manage SSH securely
3. Set up a local firewall on both systems
4.
Manage security updates
5. Audit a basic system configuration
Hardening recommendations and firewall tools evolve with OS versions. The principles in this material remain valid; the instructor adapts the specific commands to the distribution and Windows version actually in use.
Equipment: the Linux server installed in Week 8, a client machine to test connections.
Critical point of caution: before disabling password authentication, always verify that key-based login works from a separate open session — if the key is misconfigured and the active session is closed, the server becomes locked out. This is the most common and most costly mistake at this stage.
Expected audit result: a clear list distinguishing necessary services (keep), useful but non-critical services (evaluate), and unnecessary services (disable) based on the server's expected role.
Equipment: the Windows Server installed in Week 11.
Expected comparison table: SSH Linux ↔ RDP/WinRM Windows (secure remote access), iptables/nftables Linux ↔ Windows Defender Firewall (network filtering), apt/dnf Linux ↔ Windows Update (updates), journalctl Linux ↔ Event Viewer Windows (logs) — the logic is identical in both cases.
1. Deploy a complete environment integrating Linux,
Windows Server, virtualisation, backup and security
2. Demonstrate autonomous administration competence on
both systems
3. Write clear and complete technical documentation
4. Present and defend technical choices
orally
5. Identify the strengths and areas for improvement of one's architecture
This week is the first major defence of the programme. It does not cover a single isolated brick but the complete integration of Weeks 8 to 15. The instructor gives each trainee maximum autonomous time and intervenes mainly during the defence to assess genuine understanding, not memorisation.
Equipment: all hardware and systems configured since Week 8 — trainees may restart from clean systems if needed but have full documentation from previous weeks.
Criterion 1 — Functional compliance (35%): all specification items are deployed and operational.
Criterion 2 — Security (25%): hardening effectively applied, firewall correctly configured, no unnecessary service open.
Criterion 3 — Service continuity (20%): automated backups operational, restoration tested and documented, realistic RPO/RTO.
Criterion 4 — Documentation and presentation (20%): clear and complete document, controlled live demonstration, ability to explain technical choices.
Format: 20 minutes of presentation + 10 minutes of questions per trainee or pair. The instructor assesses against the project assessment grid.
Sample questions to assess genuine understanding: "If this server was attacked tonight and your SSH was compromised, what would your first action be?"; "Your daily backup has been silently failing for 3 days — how do you detect it?"; "Your Linux VM is suddenly consuming 100% CPU — how do you diagnose it?"
Discriminating criterion between memorisation and understanding: a trainee who understands can answer an unfamiliar situation by reasoning from principles. A trainee who has memorised can only answer situations already encountered in exactly the same form.
1. Describe the 7 OSI layers and the role of each
2.
Explain the encapsulation and decapsulation mechanism
3. Master subnet calculation (network address,
broadcast, host range)
4. Capture and analyse frames with a network analyser
5. Identify the layer
involved in a common network problem
The OSI model is a stable standard. Network analysis tools (Wireshark and its alternatives) however evolve regularly. The instructor verifies the menus and options actually available in the version installed in the classroom at the time of delivery.
Equipment: provided exercise sheet (10 subnet calculation cases), Wireshark installed on the classroom machines.
Example subnetting (/24 divided into 4 /26
subnets):
Subnet 1: 192.168.10.0/26 (hosts .1 to .62, broadcast .63)
Subnet 2:
192.168.10.64/26 (hosts .65 to .126, broadcast .127)
Subnet 3: 192.168.10.128/26 (hosts .129 to .190,
broadcast .191)
Subnet 4: 192.168.10.192/26 (hosts .193 to .254, broadcast .255)
Expected layer-by-layer diagnosis method: layer 1 (physical cable/connector), layer 2 (ARP table, MAC address), layer 3 (ping, IP address, mask, gateway), layer 4 (netstat/ss, port open or not).
Equipment: Wireshark, the Linux and Windows machines from previous weeks, network simulator (Cisco Packet Tracer or GNS3 as available).
Expected diagram: the path of an HTTP packet should show the 4 layers active in practice (HTTP Application → TCP Transport → IP Network → Ethernet Data Link), with the corresponding addresses and ports at each layer, and the transformation into a physical signal at the cable level.
1. Understand how a switch works (MAC table, forwarding,
flooding)
2. Design and configure network segmentation using VLANs
3. Configure trunking between
switches (trunk mode, 802.1Q protocol)
4. Test and validate segmentation in a simulator
5. Understand
why VLAN segmentation is a direct prerequisite for the DHCP covered next
This material references Cisco Packet Tracer and GNS3 as simulators. Other simulators may be substituted. Switch configuration syntax varies by vendor and software version — the instructor adapts commands to the environment actually available.
Equipment: network simulator (Cisco Packet Tracer or GNS3), provided topology to load (2 switches, 6 machines split into 3 functional groups).
Expected segmentation result: machines in VLAN 10 can ping each other, but a ping from a VLAN 10 machine to a VLAN 20 machine must fail — VLAN segmentation correctly isolates groups at layer 2.
Common mistake: trunk port not correctly configured between the two switches (forgetting to allow the VLANs on the trunk) — results in a machine being able to reach machines in the same VLAN on the same switch, but not those in the same VLAN on the remote switch.
Equipment: the Proxmox VE hypervisor from previous weeks, already-created Linux VMs.
Key teaching point: VLAN segmentation on the hypervisor reproduces exactly the same principles as physical segmentation on a real switch — VMs "see" their network the same way a physical machine sees its VLAN. This is the concrete demonstration that virtualising network resources (Week 13) follows exactly the same rules as the physical network.
1. Understand how routing works and a router's role at
OSI layer 3
2. Read and interpret a routing table
3. Configure static routes and a default route
4.
Configure inter-VLAN routing (router-on-a-stick)
5. Diagnose a connectivity loss due to a missing route
Router configuration syntax varies by vendor and version. This material presents generic concepts (static routing, inter-VLAN) applicable to any device or simulator — the instructor adapts commands to the tool actually available.
Equipment: network simulator, provided topology (3 networks, 2 routers, machines in each network).
Expected inter-VLAN configuration: the router has one sub-interface per VLAN (with the corresponding 802.1Q tag and an IP address in each VLAN subnet), the trunk port of the switch connected to the router allows all VLANs. Machines in each VLAN use the corresponding router sub-interface IP address as their gateway.
Equipment: network simulator, Wireshark on the VMs from previous weeks.
Fundamental point to anchor: on a multi-router network, the source and destination IP addresses of a packet never change throughout its journey — only the Ethernet frame's MAC addresses change at each hop (they identify the local link, not the global path). This is the central conceptual difference between layer 2 (local addressing) and layer 3 (global addressing).
1. Understand the DHCP protocol operation (DORA)
2.
Install and configure a DHCP server on Linux
3. Manage address leases and exclusion ranges
4. Configure
inter-VLAN DHCP relay
5. Diagnose common address assignment problems
This material references isc-dhcp-server. Other DHCP implementations exist (dnsmasq, Kea DHCP). The instructor adapts the configuration to the implementation actually available and maintained at the time of delivery.
Equipment: already-configured Linux VM (DHCP server), client VMs (Linux and Windows), the Week 18 VLAN topology.
DHCP relay verification: a client in VLAN 20 must receive an address from the VLAN 20 pool configured on the DHCP server, even if the DHCP server is physically in VLAN 10 — the relay forwards the Discover across the VLAN boundary.
Common mistake: forgetting to configure the gateway (routers option) in the DHCP pool — the client receives an address but cannot communicate beyond its subnet.
Equipment: the DHCP system configured in Exercise 1, Wireshark.
DHCP fields to identify in Wireshark: CHADDR = client's MAC address, yiaddr = proposed/assigned IP address, siaddr = server's IP address, option 3 = gateway, option 6 = DNS servers, option 51 = lease duration.
1. Understand DNS resolution (recursive and
iterative)
2. Know the main DNS record types (A, AAAA, MX, CNAME, PTR, SRV)
3. Install and configure an
authoritative and recursive DNS server
4. Create and manage DNS zones
5. Diagnose common DNS resolution
problems
This material references BIND9 and Unbound. Other implementations exist. The instructor adapts to the available tool. Sequencing reminder: DNS is taught here precisely because Active Directory depends on it as a direct technical prerequisite — the domain controller uses DNS SRV records to be located by clients.
Equipment: Linux VM, network access, client VMs for resolution testing.
Working resolution check: from a client VM configured with the training DNS server, a query on an internal zone name must return the correct address, and a query on an internet name must also resolve via the forwarder.
Preparation for Active Directory: the internal zone must be configured to accept dynamic updates, which will allow the domain controller (Week 22) to automatically register its SRV records during installation.
Equipment: DNS server from Exercise 1, Week 20 DHCP server, client VMs.
Central teaching point of this week: by the end of this exercise, the complete infrastructure is in place — segmented VLANs (Week 18), inter-VLAN routing (Week 19), automatic address distribution with gateway and DNS via DHCP (Week 20), local and external name resolution operational (Week 21). This is the infrastructure on which Active Directory will be installed in Week 22.
1. Understand Active Directory's logical structure
(forest, domain, organisational units)
2. Install and promote a domain controller on Windows Server
3.
Create and organise users, groups and organisational units
4. Join a Windows client machine to the
domain
5. Authenticate domain users on client machines
Active Directory is taught here because DNS (Week 21) is now operational — it is its direct technical prerequisite. Windows Server versions evolve; the instructor adapts the domain controller installation procedures to the version available in the classroom.
Equipment: Windows Server VM (Week 11), DNS operational from Week 21, Windows client VM for domain join.
Checking SRV records: in the domain's DNS zone, verify the existence of _ldap._tcp, _kerberos._tcp and _kpasswd._tcp records in the _tcp subfolder — their presence confirms the DC registered correctly and clients will be able to locate it.
Common mistake: the Windows server's DNS points to an external server instead of itself (or the Week 21 DNS server) — the DC installation fails or the SRV records are not created in the correct zone.
Equipment: the domain controller configured in Exercise 1.
Teaching point on delegation: control delegation in AD applies the principle of least privilege (Week 15) at directory scale — a helpdesk can reset passwords without being a domain administrator, reducing the exposure surface if the helpdesk account is compromised.
1. Understand GPO principles (inheritance, precedence,
scope)
2. Create and link GPOs to OUs, sites or the domain
3. Configure security and configuration
GPOs
4. Deploy settings to client machines via GPO
5. Diagnose a GPO conflict or a GPO not being applied
GPOs are taught here, immediately after Active Directory (Week 22), of which they are a direct feature. Teaching GPOs without a previously deployed Active Directory would be meaningless — that is exactly the reason for the sequencing chosen in this programme.
Equipment: domain controller (Week 22), domain-joined client machines, provided configuration scenario.
Expected behaviour for the network drive GPO: a user in the Technical OU sees the network drive automatically mapped at login on any domain-joined machine. A user in another OU does not see this drive — the security filter or OU scope guarantees isolation.
Interpreting the gpresult report: the report lists applied GPOs (with their origin OU) and denied GPOs (with the reason for denial) — it is the first-line diagnostic tool for any GPO not being applied issue.
Equipment: full AD environment (Week 22 + Exercise 1).
Expected diagnosis method: 1) check the GPO is linked to the correct OU (GPMC console), 2) check the security filter (the user's group must have Read and Apply rights), 3) force a GPO refresh on the client machine, 4) re-run gpresult to confirm.
1. Understand the HTTP/HTTPS protocol and web
client-server architecture
2. Install and configure a web server (Apache or Nginx)
3. Host a simple site
and resolve it via the Week 21 DNS
4. Set up HTTPS with a self-signed certificate
5. Configure virtual
hosts to serve multiple sites on one server
Apache and Nginx are cited as reference web servers. Other solutions exist. Version numbers and configuration file locations vary between Linux distributions and versions. The instructor adapts to the environment actually available.
Equipment: Linux VM (Week 8), DNS operational from Week 21.
DNS resolution check: from a client machine on the same network, resolve the site's name via the Week 21 DNS — the response must return the web server's IP address. Without this step, the browser cannot find the server by name.
Common Virtual Hosts mistake: forgetting to create a separate DNS record for each Virtual Host — both domain names must resolve to the same server IP, but each must have its own A record in the DNS zone.
Equipment: the web server configured in Exercise 1, Wireshark.
Error codes and their causes: 403 Forbidden = file or directory permissions prevent the web server from reading it (check UNIX permissions, link with Week 8); 502 Bad Gateway = the backend application service (PHP-FPM or equivalent) is not running or not listening on the right socket; expired certificate = recreate the self-signed certificate or extend its validity period.
1. Understand the relational model (tables, keys,
relationships)
2. Install and administer a DBMS (MySQL or PostgreSQL)
3. Create databases, tables and
run basic SQL queries
4. Back up and restore a database
5. Connect the Week 24 web application to the
database
MySQL and PostgreSQL are cited as reference DBMSs. Other solutions exist (MariaDB, SQLite). Administration syntax varies slightly between versions. The instructor adapts procedures to the DBMS actually installed in the training environment.
Equipment: Linux VM, access to the Week 24 web server.
Example expected JOIN query: if the database contains a "users" table and an "orders" table linked by a foreign key, the query SELECT u.name, o.product FROM users u INNER JOIN orders o ON u.id = o.user_id returns user/order pairs — demonstrating that data from two tables can be combined without duplication.
Restore verification: compare the row count in each table before and after restoration — they must be identical.
Equipment: DBMS configured in Exercise 1, Week 24 web application.
Expected backup script: calling the DBMS dump tool with connection credentials, redirecting output to a timestamped file, cleaning up files older than 7 days — same structure as the Week 10 backup script applied here to SQL data.
1. Implement network ACLs and a basic perimeter
firewall
2. Carry out an end-to-end security audit on the full infrastructure
3. Synthesise the 25 weeks
into a coherent enterprise architecture
4. Present and defend the full programme in a final defence
5.
Identify personal progression paths and target certifications
Firewall and network ACL tools and syntax evolve with system and equipment versions. The network security principles presented here are stable; the instructor adapts specific commands to the environment available at the time of delivery.
Equipment: the full infrastructure from previous weeks (hypervisor, Linux and Windows VMs, AD, DNS, DHCP, web, database, VLANs), network simulator for ACLs.
Expected audit report structure: for each vulnerability — affected system, problem description, criticality level, potential impact, precise corrective recommendation. An audit report without a concrete recommendation is useless.
Typical vulnerabilities to find in the training infrastructure: SSH still on the default port if missed in Week 15, missing updates on a VM not touched for several weeks, local administrator account with a weak password on a machine not joined to the domain, database server (Week 25) with its port accessible from outside the internal network.
Brief: the trainee produces the technical dossier of a complete fictitious enterprise infrastructure, building on all 25 previous weeks. This dossier is the centrepiece of the final defence.
Criterion 1 — Architecture completeness (25%): all components are present, operational and documented — from the physical layer (Week 6) up to the application services (Weeks 24-25).
Criterion 2 — Coherence and integration (25%): components articulate logically — DNS (Week 21) feeds AD (Week 22), VLANs (Week 18) align with GPOs (Week 23), backups (Week 14) cover all critical VMs.
Criterion 3 — Applied security (25%): Week 15 and Week 26 principles are genuinely implemented, not just mentioned — the audit report proves actual verification.
Criterion 4 — Critical perspective (25%): the trainee accurately identifies what works, what is missing, and what they would do differently with more time or resources.
Format: 30 minutes of presentation + 15 minutes of questions per trainee. The defence covers the full programme — from electricity (Week 1) to network security (Week 26).
Discriminating questions: "If your single domain controller fails at 8am on a Monday morning, what happens to the 50 users arriving at the office?"; "Your web server now serves personal data — what are the first three security measures you would add?"; "A colleague tells you ping no longer works between two VMs — where do you start?"
What this defence validates: not memorising commands — that is available to anyone with a search engine. What it validates is the ability to reason about a complex system, identify the relevant layer, propose a structured diagnostic method, and make justified decisions under uncertainty.
This plan details, week by week, the pedagogical foundation presented in the "Anatomy of the Loss" document of this corpus. The pathway follows a deliberate progression principle: three weeks of compressed conceptual fundamentals, then a constant climb toward directly employable skills — systems, middleware and networking, which represent 19 of the 26 weeks, or 73% of total time. The goal is not general technical culture: it is producing people ready for production, in six months, on a complete foundation from iron to network. Each brick in the final block strictly prepares the next, following a chain of technical dependency rather than an administrative category.
The pathway follows a strict prerequisite chain: foundational networking (OSI, addressing, VLAN, routing) precedes every service that depends on it. DHCP is taught once subnets and VLANs are already mastered — addresses are distributed within a topology already understood. DNS precedes Active Directory, of which it is a genuine technical prerequisite. GPO is no longer taught in isolation midway through the OS block: it is grouped with Active Directory, immediately after, as the feature it actually is. Each week builds on the previous one's acquired knowledge rather than on an administrative category (OS / Middleware / Network) disconnected from the real technical logic.
These three weeks do not aim at expertise but at founding intuition: understanding that all infrastructure rests on electricity, that all data reduces to binary states, and that all computing logic is built from real physical gates. This is a conceptual foundation, not a professional end goal — it underpins the blocks that follow, which occupy the bulk of the training time.
The longest block of the programme — 9 weeks, 35% of total training time. This is the most directly marketable skill on the job market.
Group Policy Objects (GPO) have been removed from this week. GPO is an Active Directory feature, which is only introduced in week 22 — teaching it here would mean presenting a tool without the service it depends on. Week 12 therefore focuses on standalone Windows administration (local accounts, NTFS permissions), which logically prepares for directory-based administration, introduced later once networking and DNS have been acquired.
At the end of this block, the trainee has installed, configured, secured and defended a complete bare-metal environment including two operating systems, virtualisation, backup and hardening. At this stage, this is already an employable skill for a junior systems technician role — the following two blocks (networking, directory and application services) add the depth needed for full autonomy.
This block is now placed before all the network application services (DHCP, DNS, Active Directory) for which it is a direct prerequisite.
With OSI, addressing, VLANs and routing mastered, the trainee now has the complete topology on which the following three weeks will rely: DHCP distributes addresses within subnets that are now understood, DNS resolves names on infrastructure that is now mapped, and Active Directory will be installed on a network whose segmentation is already mastered.
Active Directory technically depends on a functioning DNS service for locating domain controllers and resolving service records (SRV). Teaching DNS right before Active Directory is not an arbitrary scheduling choice: it is a genuine technical prerequisite, which prevents the trainee from configuring a directory on a service they do not yet master.
GPO is deliberately taught only after Active Directory, on which it technically depends, rather than earlier in the OS block. This grouping — Active Directory then GPO, across two consecutive weeks — respects the real dependency: one cannot administer group policies on a directory that does not yet exist.
These two bricks have a lighter networking dependency and can simply build on the base already acquired (addressing, DNS) without requiring any additional prerequisite.
The week 26 defence does not cover a single isolated brick. It covers the entire chain built since week 8: Linux and Windows servers on bare metal, VLAN segmentation and routing, working DHCP and DNS, an Active Directory directory with group policies, web and database services, all secured by filtering rules. This is the demonstration that each week genuinely prepared the next, rather than a sequence of independent modules.
By the end of the 26 weeks, the trainee has demonstrated, through two defences (week 16 and week 26), complete integration competence: understanding the electricity and logic underlying all digital systems, automating a physical process, diagnosing and assembling hardware, managing storage at the disk level, installing and securing Linux and Windows operating systems in production, mastering foundational networking (OSI, addressing, VLAN, routing) before deploying the services that depend on it (DHCP, DNS, Active Directory and its group policies), then enterprise application services (web, database), and finally securing the whole through filtering.
This plan is not a theoretical proposal: it is the detailed restitution of the pathway completed by the author in 2005, at a vocational training centre for jobseekers, reordered here according to a strict chain of technical dependencies rather than by administrative category. Its relevance today directly responds to the cognitive mechanism described in "Anatomy of the Loss" — a complete technical framework, acquired in the right order, allows a professional to spontaneously propose architectures outside the trio cloud's sole ecosystem, because they have an end-to-end understanding of it, rather than a collection of disjointed modules.
This foundation does not oppose current DevOps or cloud skills. It complements them. A professional trained on this pathway, then later exposed to modern orchestration and automation tools, holds both frameworks — the abstraction and the hardware it covers — which is precisely the scarce competence this corpus identifies as the lever for reconquering digital sovereignty.
Indicative markers within the continuous concatenation of the programme.
This volume gathers what, only a few weeks ago, still lived in scattered posts and forgotten files on a hard drive. The Grimoire, the Volumes, the Corpus, the Foundation of Iron : four movements of a single thesis — no sovereignty without mastery of matter.
The sorting, structuring, and design work — I gave the instructions, and Claude (Anthropic) executed them brilliantly. Gemini (Google) audited every claim without concession.
Reconquest begins with numbers. May this book contribute to it.