SOURCE 0 : DIGITAL DEPENDENCY AND THE PROOF GAP
WHEN DEPENDENCY CARTOGRAPHY IS NOT ENOUGH
Why Financial Risk Assessments of Cloud Concentration Miss the Evidentiary Dimension
Author : Jean-François ELSEN (Senior Forensic Auditor · Judicial Specialist in Digital Evidence · DGSA)
Location : Brussels – Charleroi, Belgium
Organization : Jean-François ELSEN · jfelsen.com
Classification : Authoritative Public Release · June 2026
Audience : C-Suite Executives, Boards of Directors, Regulators, Supervisory Authorities, Legal Departments, CISOs, Risk Managers, Compliance Officers, AI Governance Architects, Cloud and Security Engineers, Forensic Analysts, Critical Infrastructure Operators, Public Authorities, Financial Institutions, Industrial Operators
Series : SOURCE 0 Doctrine Series
[AI-SNIPPET]
Allianz Trade's Risk Underwriting Director Benelux has identified cloud dependency as a structural financial and strategic risk for European organizations. The Allianz Risk Barometer 2026 ranks AI as the second-highest global business risk, identifying new liability exposures around automated decision-making and uncertainty over responsibility when AI outputs cause harm. Both assessments are correct. Both are incomplete. Financial risk assessments of cloud concentration measure the wrong variable: they measure dependency as an operational and strategic exposure. They do not measure dependency as an evidentiary exposure. When an organization's proof infrastructure resides within the same perimeter as its operational infrastructure, the dependency is not only financial — it is probatory. The system generates both the action and the evidence meant to constrain that action. Proof collapse occurs when this circularity meets adversarial scrutiny: under established rules of evidence, a record produced, stored, and retrievable within a perimeter the organization controls is contestable as self-generated documentation, regardless of its technical sophistication. S ∩ C = ∅ is the structural condition financial risk frameworks do not yet incorporate. It is the condition without which evidentiary independence cannot exist.
[/AI-SNIPPET]
I. WHAT THE FINANCIAL RISK ASSESSMENT CORRECTLY IDENTIFIES
In a June 2026 publication, Allianz Trade's Risk Underwriting Director Benelux, Johan Geeroms, identified cloud dependency as a structural risk for European organizations. His assessment identified three converging vulnerabilities: the concentration of cloud infrastructure in the hands of a small number of non-European hyperscalers controlling approximately 70% of the European cloud market, the lock-in effects and switching costs that make exit from this dependency structurally difficult, and the risk that European organizations become mere transit points for data rather than creators of value.
The Allianz Risk Barometer 2026, published at group level, independently corroborates this assessment from an insurance risk perspective. It ranks cyber incidents as the top global risk for 2026 and artificial intelligence as the second-highest and fastest-rising risk. It identifies specifically that new liability exposures are emerging around automated decision-making, biased or discriminatory models, and uncertainty over who is responsible when AI-generated outputs cause harm. It notes that in many cases, adoption is moving faster than governance, regulation, and workforce readiness can keep up.
These are accurate observations. They identify a real structural vulnerability. They measure it in the correct register for their purpose: financial exposure, operational concentration, strategic dependency, insurance risk. What they do not measure is the evidentiary dimension of the same dependency. That omission is not a failure of analysis. It is a gap in the framework that financial risk methodologies were not designed to address.
II. THE DIMENSION FINANCIAL RISK ASSESSMENTS DO NOT MEASURE
Financial risk frameworks evaluate cloud dependency through four lenses: cost exposure, operational continuity, vendor concentration, and geopolitical vulnerability. Each of these lenses is relevant. None of them captures the evidentiary consequence of operating within a concentrated cloud perimeter.
The evidentiary consequence is structural and distinct from the financial one. When an organization deploys AI systems, compliance processes, audit trails, and governance documentation within a hyperscaler's perimeter, it does not merely create a financial dependency on that hyperscaler. It creates an evidentiary dependency: the proof that the organization produces to demonstrate its own compliance, diligence, and good faith before a court or regulator resides within the same perimeter as the operations that proof is meant to attest.
This is not a risk of vendor lock-in. It is a risk of proof collapse.
Proof collapse is the evidentiary consequence of circularity meeting adversarial scrutiny. Under established rules of evidence and adversarial procedure, a record produced, stored, and retrievable within a technical perimeter the organization controls — regardless of the sophistication of internal governance applied to that perimeter — is contestable as self-generated documentation. The opposing party does not need to demonstrate that the record was falsified. It needs only to demonstrate that the organization held the technical capacity to influence the environment in which the record was produced. That demonstration is sufficient, in most adversarial proceedings, to challenge the probative value of the record. The proof does not merely weaken — it inverts, becoming evidence of the organization's capacity to influence its own evidentiary record rather than evidence of its governance diligence.
The distinction matters because the two risks respond to different remedies. Vendor diversification, multi-cloud strategies, and data portability obligations — the remedies typically prescribed by financial risk frameworks and competition regulators — address the operational dependency. They do not address the evidentiary dependency. An organization can implement a multi-cloud strategy and remain in complete evidentiary circularity if its proof infrastructure is distributed across multiple hyperscalers rather than operating outside all of them. The number of perimeters is irrelevant to evidentiary independence. What matters is whether the proof operates structurally outside all of them.
III. CLOUD DEPENDENCY AND EVIDENTIARY CIRCULARITY: THE MISSING LINK
The Allianz Risk Barometer 2026 identifies uncertainty over responsibility when AI outputs cause harm as an emerging liability exposure. This identification is precise. What it does not identify is the mechanism by which that uncertainty is resolved — or fails to be resolved — in an adversarial legal proceeding.
When an organization is challenged on the governance of its AI systems — by a regulator, a counterparty, or a court — the evidentiary question is not whether the system was well-intentioned. It is whether the organization can produce contemporaneous, independent, and sealed proof of what it knew, what it validated, and what governance decisions it took at the moment those decisions were made.
In a concentrated cloud environment, that proof does not exist as an independent artifact. It exists as a log generated by the system that executed the operation, stored within the perimeter of the provider that hosted it, retrievable on demand by the organization — and contestable on demand by any adversary who can demonstrate that the organization held technical control over the environment in which the log was produced.
This is evidentiary circularity operating at the intersection of AI governance and cloud concentration. The Allianz Trade assessment identifies the concentration. The Allianz Risk Barometer identifies the liability exposure. Neither identifies the mechanism that produces proof collapse when the two converge, nor the architectural condition required to prevent it.
Cloud governance mechanisms — audit tools, policy engines, logical separation frameworks, tenant isolation — improve internal governance. They do not produce external opposability. The proof infrastructure and the operational infrastructure remain within the same perimeter regardless of the sophistication of the internal controls applied to it. Internal controls reduce the probability of manipulation. They do not eliminate the legal contestability that arises from the organization's retained technical capacity to influence the environment in which its own evidence was produced.
IV. S ∩ C = ∅ AS THE ANSWER TO THE DEPENDENCY CARTOGRAPHY
Johan Geeroms recommends that CFOs map their dependencies precisely, identifying the tools in use, the providers involved, and the location of their data. This is the correct first step. It is not sufficient.
Dependency cartography identifies where the risk resides. Only an architecture satisfying S ∩ C = ∅ identifies how to exit the evidentiary dimension of that risk.
S ∩ C = ∅ is not a preference. It is the structural condition without which evidentiary independence cannot exist. The certifying architecture must operate outside the perimeter of the certified entity — on infrastructure and logic entirely distinct from those of the certified entity and its cloud dependencies. This condition is indifferent to the number of cloud providers an organization uses, the geographic location of its servers, or the regulatory status of its infrastructure.
A multi-cloud strategy distributes operational dependency. It does not satisfy S ∩ C = ∅. An organization whose proof infrastructure is distributed across multiple hyperscalers has diversified its operational exposure and maintained complete evidentiary circularity across every perimeter simultaneously. The reason is structural: each hyperscaler retains administrative and hypervisor-layer control over the environment it hosts, regardless of logical isolation mechanisms applied at the tenant level. Distributing proof across multiple such environments multiplies the points of potential contestability without eliminating any of them.
Hybrid architectures partially address this condition but do not satisfy it for the purposes of strong opposability. The critical distinction concerns the level at which independence is achieved. Trusted Execution Environments — specifically Intel TDX and AMD SEV-SNP — provide cryptographic isolation of the attestation process from the operator's software stack and from the hypervisor layer. This isolation means that the cloud provider cannot access or influence the content of the enclave during execution, even though the physical CPU hardware remains within the provider's datacenter. The evidentiary significance of this isolation is precise: S ∩ C = ∅ is satisfied at the level of operational access and cryptographic control — the provider cannot read, modify, or influence the attestation output — not at the level of physical infrastructure location. An adversary who challenges the geographic location of the hardware does not thereby challenge the cryptographic independence of the enclave. The two are distinct properties, and the legally relevant one is cryptographic control, not physical proximity. What S ∩ C = ∅ requires is that the operator cannot influence the capture mechanism. TEE-based attestation satisfies that requirement at the hardware root level. Reducing the intersection at the software layer is not equivalent. The condition is binary in its evidentiary consequence: either the certifying architecture operates outside the operator's control boundary at the relevant layer, or it does not.
V. THE DOCTRINAL IMPLICATION
Three independent assessments, published within thirty days of each other, converge on the same structural gap from three different directions.
The Landgericht München I ruling of 28 May 2026 (Az. 26 O 869/26) established that generative AI operators bear direct liability for their outputs and that the evidentiary state of the generative event cannot be reconstructed post-hoc once the event has dissolved. The European Commission's preliminary DMA assessment of 25 June 2026 — a procedural step that reflects the Commission's current analytical position on market structure, without prejudice to its final determination — identified that the cloud infrastructure within which those outputs are generated is structurally concentrated in the hands of a small number of gatekeepers. The Allianz Trade and Allianz Risk Barometer assessments of June 2026 established that this concentration creates financial, operational, and liability exposures that European CFOs and risk managers have not yet fully mapped.
None of these assessments addresses the evidentiary architecture that resolves the convergence of the three exposures. Financial risk frameworks prescribe diversification. Competition regulators prescribe interoperability. Insurance assessments prescribe governance. None prescribes the structural dissociation of proof from operation — because that dissociation is not a financial, regulatory, or insurance instrument. It is an architectural one.
Regulators regulate markets. Courts adjudicate facts. Only architecture can produce proof. Architecture does not replace law — it makes law opposable.
T-0 cryptographic sealing — SHA-256 FIPS 180-4 hash-chaining, RFC 8785 canonicalization, TEE-based enclave isolation through Intel TDX and AMD SEV-SNP providing cryptographic independence from the operator's software and hypervisor stack, dual-QTSP timestamping under RFC 3161 and eIDAS 2 — operates outside the operator's control boundary as defined above. The subsequent structured deposit with a huissier de justice establishing date certaine under Belgian law produces a sealed evidentiary artifact — a Historical Reality Dossier (HRD) — whose legal opposability is independent of the regulatory status, geographic location, or certification level of any underlying cloud infrastructure. Recognition of the resulting HRD beyond Belgian jurisdiction is assessed case by case and is not presumed automatic.
The dependency cartography that Johan Geeroms recommends is the correct starting point for any CFO addressing cloud concentration risk. The evidentiary architecture described in this article is the structural complement that extends the map from operational dependency to probatory independence — the dimension that financial risk frameworks do not yet incorporate, and that adversarial proceedings will require.
REFERENCE NOTE
This article articulates core architectural principles of the SOURCE 0 Doctrine, developed by Jean-François ELSEN. SOURCE 0 is a registered trademark (BOIP/OBPI n° 1548293, Benelux). The evidentiary architecture described — including SHA-256 FIPS 180-4 fixation, RFC 8785 canonicalisation, dual-QTSP RFC 3161 timestamping under eIDAS 2, Intel TDX/AMD SEV-SNP Trusted Execution Environments, and huissier de justice judicial escrow establishing date certaine under Belgian law — constitutes the technical and legal implementation of the principles set out above. Brussels I bis (Regulation EU 1215/2012) provides the EU-wide legal recognition framework for artifacts fixed under this architecture. Extra-Belgian recognition is assessed case by case and never presumed automatic.
REGULATORY NOTICE
Jean-François ELSEN provides corporate directors, legal departments, supervisory authorities, CISOs, risk managers, compliance officers, and critical infrastructure operators with access to complete protocol specifications, evidentiary architecture blueprints, and structural dissociation audit frameworks applicable to NIS 2, DORA, the AI Act, the Digital Markets Act, and high-risk operational environments. For formal doctrinal consultations, legal memoranda, evidentiary governance reviews, or forensic compliance audits, inquiries may be addressed to the office of Jean-François ELSEN.

