Key Dimensions and Scopes of Technology Services
Technology services encompass a structurally complex sector spanning infrastructure provisioning, software deployment, managed operations, and AI-specific capabilities — each governed by distinct contractual, regulatory, and technical parameters. The scope of any given technology service engagement is defined by a combination of delivery model, jurisdictional requirements, organizational scale, and the regulatory frameworks that apply to the underlying data or systems. Understanding how these dimensions interact is essential for procurement professionals, enterprise buyers, and policy researchers navigating the AI stack landscape visible across the AI Stack Authority site index.
- What is included
- What falls outside the scope
- Geographic and jurisdictional dimensions
- Scale and operational range
- Regulatory dimensions
- Dimensions that vary by context
- Service delivery boundaries
- How scope is determined
What is included
Technology services, as a professional sector, encompass five primary categories: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), managed services, and specialist AI/ML services. Within the AI stack specifically, this extends to managed AI services, AI infrastructure as a service, MLOps platforms and tooling, large language model deployment, AI model training services, and AI API services.
The National Institute of Standards and Technology (NIST) defines cloud computing across three service models and five essential characteristics in NIST SP 800-145, which serves as the baseline taxonomy for most procurement frameworks and regulatory references. Within this taxonomy, included services share the characteristic of remote provisioning, metered access, and contractually defined service levels.
AI-specific services extend this baseline to include vector database services, GPU cloud services, AI data pipeline services, foundation model providers, fine-tuning services, and retrieval-augmented generation services. These services are distinguished from general technology services by their dependency on specialized compute hardware (most commonly NVIDIA A100 or H100 GPU clusters), probabilistic model outputs, and training-data governance requirements that do not apply to deterministic software.
| Service Category | Core Deliverable | Primary Governance Standard |
|---|---|---|
| IaaS | Compute, storage, networking | NIST SP 800-145 |
| PaaS | Development platforms | SOC 2 Type II |
| SaaS | Application access | ISO/IEC 27001 |
| Managed AI | End-to-end model operations | NIST AI RMF |
| AI API Services | Model inference endpoints | Provider SLAs, GDPR/CCPA |
| MLOps | Pipeline orchestration | MLflow, Kubeflow standards |
What falls outside the scope
Technology services as a sector excludes hardware manufacturing, physical device sales, and pure telecommunications carriage — even when those activities are provided by the same vendor that also offers cloud services. Regulatory classification matters here: the Federal Communications Commission (FCC) distinguishes between information services and telecommunications services under Title I and Title II of the Communications Act, a distinction that affects liability, net neutrality obligations, and access requirements.
Custom software development sold as a one-time deliverable (rather than as an ongoing managed service) is classified as professional services, not technology services, under most procurement frameworks including the Federal Acquisition Regulation (FAR) Part 12 and Part 39. Resale of third-party hardware without value-added service wrapping is similarly excluded.
Within AI specifically, academic research, internal AI experimentation without commercial service delivery, and government-operated AI systems used exclusively for internal agency functions are not classified as AI services for commercial sector purposes. Responsible AI services frameworks — including the NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) — define service contexts as distinct from research contexts.
Geographic and jurisdictional dimensions
Technology services operate across 50 US states with no federal licensure requirement for general technology service delivery, but data-handling obligations create de facto jurisdictional layers. California's Consumer Privacy Act (CCPA), enforced by the California Privacy Protection Agency (CPPA), applies to businesses meeting revenue or data-volume thresholds regardless of the business's state of incorporation. Virginia's Consumer Data Protection Act (CDPA) and Colorado's Privacy Act impose parallel but structurally distinct obligations.
At the federal level, sector-specific data rules create jurisdictional overlays: HIPAA governs health data processed by covered entities and business associates, FERPA governs student records, and the Gramm-Leach-Bliley Act (GLBA) governs financial data — all regardless of where the service provider is physically located. AI security and compliance services operating in these regulated verticals face compounded jurisdictional requirements.
Cross-border service delivery adds export control dimensions. The Bureau of Industry and Security (BIS) within the US Department of Commerce regulates exports of certain AI and computing technologies under the Export Administration Regulations (EAR). High-performance GPU clusters and specific AI software tools are classified under Export Control Classification Numbers (ECCNs) that restrict sale and transfer to entities in designated countries.
On-premises AI deployment can reduce cross-jurisdictional data transfer exposure but does not eliminate regulatory obligations tied to the nature of the data processed. Edge AI services introduce additional jurisdictional complexity when inference hardware is physically located in states or facilities subject to sector-specific rules.
Scale and operational range
Technology service providers span a range from single-person consultancies to hyperscale cloud operators with global infrastructure. The three dominant hyperscale providers — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform — collectively control approximately 65 percent of the global cloud infrastructure market, according to Synergy Research Group's Q4 2023 tracking data. This concentration has direct implications for enterprise AI platform selection and AI stack cost optimization decisions.
Mid-market managed service providers (MSPs), defined by CompTIA's industry research as firms generating between $1 million and $100 million in annual managed services revenue, serve the majority of US small and medium enterprise deployments. At the smallest operational scale, boutique AI consulting and advisory services firms operate with 1 to 10 full-time professionals, typically serving specific vertical niches such as healthcare AI or financial services AI.
Operational range also varies by compute access. A startup deploying a large language model via API faces fundamentally different constraints than an enterprise deploying a self-hosted foundation model requiring 8 or more A100 GPUs per inference node. AI stack considerations for startups differ categorically from enterprise-grade deployments requiring dedicated infrastructure and 99.99% uptime SLAs.
Regulatory dimensions
No single federal statute governs technology services comprehensively in the United States. Regulation is fragmented across sector, data type, and function. The primary federal regulatory bodies with jurisdiction over aspects of technology service delivery include:
- Federal Trade Commission (FTC) — Unfair or deceptive acts and practices (UDAP) authority under Section 5 of the FTC Act; enforcement actions related to data security and AI-generated deception
- Securities and Exchange Commission (SEC) — Cybersecurity incident disclosure requirements under the 2023 Cybersecurity Disclosure Rule (17 CFR Parts 229 and 249)
- Department of Health and Human Services (HHS) — HIPAA Security Rule (45 CFR Parts 160 and 164)
- National Institute of Standards and Technology (NIST) — Voluntary frameworks including the NIST Cybersecurity Framework (CSF 2.0) and AI RMF
The Executive Order on Safe, Secure, and Trustworthy AI (EO 14110, October 2023) directed NIST to develop guidance on AI red-teaming, evaluation, and standards for frontier models — establishing a regulatory trajectory that affects foundation model providers and generative AI services operating at scale.
AI observability and monitoring services are increasingly implicated in regulatory compliance workflows, as the SEC's 2023 disclosure rule requires material cybersecurity incidents to be reported within 4 business days of determination of materiality.
Dimensions that vary by context
Scope boundaries shift materially across three primary contextual axes: industry vertical, organizational size, and deployment model.
In the healthcare vertical, an AI diagnostic tool is regulated as a medical device under FDA's Digital Health Center of Excellence guidance, making it subject to 510(k) clearance or De Novo classification requirements — a regulatory burden that does not apply to the same AI system used in a non-clinical context. Multimodal AI services processing medical imaging face different regulatory treatment than those processing retail imagery.
In financial services, algorithmic decision-making systems that affect credit, insurance, or employment are subject to the Equal Credit Opportunity Act (ECOA) and Fair Housing Act (FHA), enforced by the Consumer Financial Protection Bureau (CFPB). The CFPB issued guidance in 2023 affirming that these obligations apply to AI-driven models.
The open-source vs. proprietary AI services distinction also creates variable scope: open-source model deployments shift compliance and security responsibilities to the deploying organization, while proprietary API services retain responsibility within the provider under contractually defined terms.
Service delivery boundaries
Technology services are bounded by contract terms, technical architecture, and operational responsibility allocation. The shared responsibility model, formalized by major cloud providers and referenced in NIST SP 800-210, delineates which security and compliance obligations rest with the provider versus the customer across IaaS, PaaS, and SaaS layers.
AI service level agreements define performance floors including uptime commitments, latency targets, throughput guarantees, and data residency constraints. These agreements determine whether a vendor's obligations extend to model accuracy, inference latency at the 99th percentile, or only infrastructure availability.
AI integration services mark a boundary zone where service scope becomes contested: integration work may be classified as professional services, managed services, or software services depending on whether the output is a running system, a one-time implementation, or an ongoing operational relationship. AI service procurement frameworks must explicitly define this boundary to avoid scope disputes.
How scope is determined
Scope determination for technology services follows a sequential qualification process across 6 primary dimensions:
- Data classification — Identify the regulatory category of data to be processed (PHI, PII, financial records, public data) using applicable statutory definitions
- Deployment model — Specify cloud, hybrid, or on-premises architecture, which determines provider responsibility allocation under shared responsibility frameworks
- Geographic footprint — Map data origination, transit, and storage locations against applicable state privacy laws and federal sector regulations
- Compute requirements — Quantify GPU/CPU requirements, storage IOPS, and network throughput to establish infrastructure tier
- Compliance certification requirements — Identify required certifications (SOC 2 Type II, FedRAMP, HIPAA BAA, ISO 27001) from the applicable regulatory and contractual baseline
- Contractual boundary definition — Allocate responsibility across provider and customer using shared responsibility documentation and SLA terms
The AI stack components overview provides a reference architecture that maps these dimensions against specific technology layers. AI workforce and staffing services and AI stack vendor comparison resources support the organizational and procurement phases of scope determination, respectively.
A common misconception holds that scope is primarily a technical question. In practice, regulatory classification and contractual allocation determine the majority of service scope disputes — technical architecture is a constraint within which regulatory and legal boundaries operate, not a substitute for them.