The most complete on-prem AI platform is also the most captive

I scored four control planes against the Fourth Cloud model on two axes — capability and authority. The second one is where the surprises live.

For the last stretch I’ve been chasing a question that comes up in nearly every enterprise infrastructure conversation I’m in: what comes after private cloud?

Not as a marketing label. As an operating model.

Most large enterprises aren’t short on infrastructure. They have public cloud, private cloud, SaaS, Kubernetes, virtualization, edge, data platforms, identity, security, and a fast-growing layer of AI services smeared across all of it. The thing they’re missing isn’t a place to run workloads. It’s a control model — a way to answer where a workload should run, which data it can touch, which policies apply, and, when cost and latency and compliance and capacity all disagree, who or what has the authority to decide.

That authority question is the one I’ve spent years trying to make visible. It’s the reason I built cloud.layer2c.com, which went live this week. And it’s the reason the headline finding from the first set of assessments is the one most evaluations would never surface.

Two axes, not one

The map scores VMware Cloud Foundation, Red Hat OpenShift, Nutanix Cloud Platform, and Oxide Computer against the Fourth Cloud operating model. It is not a magic quadrant and not a ranking.

Every platform gets scored on two independent axes. Most evaluations collapse these into one and lose the plot.

The first is capability — function by function, on a 0–4 gradient, with AWS as the benchmark 4.

The second is the one my whole body of work is built around: the Decision Authority Placement Model (DAPM). For each function it asks a single question — can I take the opinions I’ve accumulated here and operate them somewhere else? Three answers. Retained: yes, it’s commodity or open-source, I can leave without rebuilding. Delegated: partly, it’s a substitutable partner or swappable tool. Ceded: no, it’s a closed system, and leaving means rebuilding.

Capability tells you what a platform can do. DAPM tells you who’s in control when it does it. They are not the same axis, and a platform can score high on one and low on the other.

The finding

Here’s the authority profile across all four platforms, across the twenty-six scored functions:

The two platforms with the broadest coverage of the Fourth Cloud function set — VCF and Nutanix — are also the two most captive. Roughly two-thirds of what you build on either one is Ceded. The configs, the policies, the operational model belong to the vendor, and you can’t take them to a competitor without rebuilding.

That’s not a knock on either platform. It’s the trade you’re actually signing — and it’s invisible at purchase time, because the demo is about capability, never authority.

One clarification, because it matters: “broadest coverage” means coverage of the Fourth Cloud function set, nothing more. It is not a claim about general maturity or engineering quality. OpenShift would reasonably argue it’s the more mature platform by most measures, and that argument isn’t in scope here. I’m measuring one specific thing on two specific axes.

What each platform is actually telling you

VMware Cloud Foundation covers the most of the Fourth Cloud function set — strong substrate, strong orchestration, real multi-accelerator AI management. It’s also one of the two most Ceded. Complete and captive at the same time.

Red Hat OpenShift has the opposite shape. Its strength is higher in the stack — execution, application distribution, integration, and a genuinely federated identity plane. Its open-source heritage shows up directly in the authority column: 23% Ceded, because Kubernetes, Keycloak, and the operator ecosystem are yours to keep. You pay for that portability with a heavier operations burden.

Nutanix brings the broadest workload management of the on-prem group and a serious story for enterprises leaving VMware. Its authority profile is nearly a twin of VMware’s: complete, and mostly Ceded.

Oxide is the one everybody misreads. On capability alone it looks like the least complete platform in the map. But it’s 85% Retained — by far the most authority-preserving thing here — because it’s a co-designed, largely open substrate that doesn’t try to capture the layers above it. Oxide isn’t a weak Fourth Cloud control plane. It’s a clean substrate that a control plane runs on. Different layer, different question.

The thing nobody closes

No platform in the assessment closes FC-2C — the reasoning plane. The layer that decides where work runs based on live policy, compliance, cost, latency, data gravity, and capacity, and derives that decision from real-time metadata instead of a rule someone wrote last quarter.

When FC-2C is absent, that decision logic doesn’t vanish. It lives in an architecture review board, in Terraform modules, in admission policy, in a ServiceNow workflow, in an engineer’s head. The danger is believing the platform absorbed that responsibility when it only automated the workflow around it. That gap — the capability you quietly inherit while assuming the vendor owns it — is where most private cloud programs quietly failed. The technology worked. The operating model didn’t.

The honest limitation

Here’s what the map doesn’t do yet, and it’s the first thing a practitioner will catch: it scores each platform alone, and almost nobody runs these alone.

The real pattern is a pairing — a substrate platform (Nutanix, VCF, or Oxide) mated to OpenShift on top. The map’s own data predicts it, because the coverage shapes are complementary. The substrate platforms are strong low in the stack and absent at the integration fabric; OpenShift is the inverse.

You can’t score the combination by adding two rows. The orchestration layer becomes contested at the seam. The authority compounds — run OpenShift on VCF and you’re now Ceded to both vendors at different layers, with a new question about who owns the seam when it breaks. And the identity plane rarely survives the handoff.

But one preview is worth your attention, because it flips the single-platform read. Oxide looks least complete on capability — and is the most authority-preserving platform in the map. Pair OpenShift’s higher-stack coverage with Oxide’s substrate and you get the lowest combined Ceded surface of any pairing: the most authority-preserving way to assemble a near-complete Fourth Cloud on-prem. Nobody’s having that conversation, because Oxide gets dismissed on its capability column before anyone reads its authority column.

That combination view is what I’m building next.

Why the map ships with a readiness framework

Fourth Cloud isn’t only a vendor problem. It’s an operating-model problem. Can your organization run infrastructure as a product? Can you sustain gap ownership across vendors — coordinating API changes, roadmaps, integration lifecycles, and compliance over years? Can you tell the difference between a capability the vendor owns, one you configure, and one you quietly inherit?

That last category is the expensive one. A single owned gap runs roughly $1.5–2M over five years once you count the build, the maintenance through upgrades, and the lifecycle coordination nobody staffs for. The map shows you where the gaps are and who holds the authority. The framework helps you decide whether you can afford to own them.

The point

Stop asking which vendor wins. Start asking the two-axis question: what can this platform do, and what authority do I keep when it does it.

The Fourth Cloud isn’t something you buy whole today. It’s something enterprises are trying to assemble — and the only question worth asking before the PO is whether you understand what you’re assembling, what you still own, and where authority actually lives.

The map is live at cloud.layer2c.com. It’ll grow, the assessments will evolve as vendors push back and buyers ask sharper questions, and I’ll keep publishing the corrections in the open.

If you’re running one of these platforms — or stacking two of them — I want to hear what your authority profile actually looks like in production. Reply and tell me where the seams hurt.

— Keith

P.S. VMware, Red Hat, Nutanix, and Oxide all reviewed their assessments. Some of that feedback moved scores; some of it didn’t. I publish the disposition either way, including the corrections I got wrong the first time. That’s the part I think makes this worth trusting.