Beijing holds these National People’s Congress meetings every spring. Every five years, the gathering signs off on a new five-year development plan. This year’s version is the fifteenth such plan issued since 1953, so Beijing refers to it as the fifteenth five-year plan. These plans signal how Beijing views the world, what their priorities are, and how they want the Chinese people to view their government and where the nation is headed. The meetings are highly scripted, and the plans are finalized well in advance. This year, Beijing crafted the political theatre to send a very clear top-line message: Everything is going according to plan. China is becoming a high-tech power on the world stage, the economy is moving toward higher-value-added growth, and the Chinese Communist Party is taking care of the Chinese people. To the extent that there are bumps in the road, that is due to China’s “external environment,” particularly the United States, which Beijing likes to paint as a global spoiler. 

Those top lines are fairly consistent year-to-year. Beijing always uses these meetings to signal that everything is going according to plan. The details are where things get interesting. This year, five key signals stood out as particularly relevant to the United States and its allies.

1. China is doubling down on rare earths

Beijing has worked for decades to amass control over global critical mineral supply chains. In 2025, China used that control to pressure the Trump administration to back down on tariffs and other policies Beijing objected to. Now Washington—along with many of its allies—is working to undo that leverage. The Trump administration is investing billions to bring new rare earths production facilities online and reduce US dependence on China for the minerals. 

But the new plan suggests China does not plan to stand idly by. Instead, Beijing is gearing up to bolster its dominance over those same supply chains. The new five-year plan states that China’s goal over the next five years is to “continuously strengthen [its] competitive advantages in rare earths, rare metals, and superhard materials.” It orders Chinese firms to move up the value chain. Chinese firms are already buying up the mines that produce these minerals in other nations, and they already send the material those mines produce to China for processing. Now Beijing wants the processed minerals to stay in-country to the extent possible, going into Chinese factories and making the global economy dependent on China not only for processed minerals but for the final products that contain them, as well. China already has that end-to-end dominance in rare earth magnets. Beijing wants to see that vertical control applied in other sectors. 

Last fall, referring to US efforts to diversify these same supply chains to reduce Chinese control, US Treasury Secretary Scott Bessent stated that the United States is “going to go at warp speed over the next one to two years, and we’re going to get out from under this sword the Chinese have over us.” Beijing is signaling that it will be doing everything in its power to sharpen that sword and keep it exactly where it is. 

2. Biotechnology is ascendant

Until now, leading on biotechnology innovation was a stretch goal for China. For example, the Made in China 2025 plan (the ten-year industrial policy blueprint issued in 2015) lays out concrete targets for Chinese firms to replace their foreign competitors across multiple sectors, but the goals for biotechnology were uniquely vague. That is changing. This new five-year plan lists eight frontier technologies targeted for breakthrough advancements. Of those, three are directly tied to biotechnology innovation: life science and biotechnology, brain science, and pharmaceutical innovation (the other five are artificial intelligence [AI]; quantum computing; nuclear fusion, deep sea, earth and polar exploration; and deep space exploration). The new plan details research and development priorities for each. 

This is the first time a five-year plan has gone into such detail on biotechnology priorities. And for good reason. China is now the world’s primary destination for first-in-human trials, and US firms are paying record amounts for China’s biotechnology outputs. In 2024, US firms paid $52 billion in licensing fees for innovative Chinese drugs; in 2025, that number jumped to $137 billion. 

The new plan indicates that Beijing is now ready to reduce the nation’s reliance on foreign firms. It calls for China to “build out a self-sufficient biotech ecosystem,” which is Beijing’s code for reducing China’s reliance on US and other non-Chinese firms. The plan also calls for tighter biological data regulations and for Chinese firms to maximize AI across this sector. Biotechnology has officially moved up to join the elite echelon of industries receiving Beijing’s priority attention and support. 

3. The pace of exports will continue

During a press conference at the two sessions, Minister of Commerce Wang Wentao offered his view on China’s trade balance: “Exports and imports are like the two wheels on a car. The more balanced they are, the more steadily it runs, and the farther it goes.” Unfortunately for Wang, little about China’s current balance would suggest a smooth ride: The country’s exports are so excessive relative to its imports that this hypothetical car would likely drive in circles. 

Domestic consumption accounts for less than 40 percent of China’s gross domestic product (GDP), nearly half the US number, which is around 70 percent of US GDP. Since Chinese consumers are not buying what Chinese factories produce, the nation is overly dependent on exports. That is disrupting global markets. In 2025, China’s total trade surplus with the rest of the world was $1.2 trillion, over 6 percent of its GDP. That surplus is due to China’s massive export volumes, which are threatening the economic security of many of its trading partners, putting firms out of business and triggering unemployment in those nations. 

But Beijing is betting that its trading partners will fail to do anything about it. If the nations that absorb Chinese goods put real tariffs and other barriers in place to stem the flood of those imports, Beijing would be forced to reassess its entire economic model. It would be forced to do real rebalancing, boosting Chinese consumers to enable them to buy more of what the nation produces. The new plan gives no indication that this is on the horizon. Instead, Chinese leaders appear to be betting that the current global trade policy paralysis will continue through 2030. 

4. AI-induced job loss remains a major blind spot

Beijing is taking a “move fast and break things” approach to AI deployment. Chinese leaders see AI as a ticket to achieving all of their major political priorities, from surveilling their citizens to achieving global technology leadership and generating new jobs at home. They are pushing to deploy it across the economy as quickly as possible to soak up every benefit AI can provide. Some of the risks from this approach recently played out across the nation when Chinese officials and consumers enthusiastically embraced OpenClaw personal AI assistants. Some local officials—desperate to show Beijing that they are using AI—offered more than one million dollars in grants to anyone developing new businesses based on OpenClaw. Soon the AI assistants were going rogue, running up large bills on consumers’ credits cards and sending their information to identity thieves. The Chinese government is now scrambling to put new guardrails in place.  

With AI-induced layoffs and unemployment, the downside risks are much more serious and will be harder to rectify. Already, China is suffering high unemployment among its urban youth: nearly 20 percent are unemployed according to China’s official statistics. The real number is certainly higher. China’s official youth unemployment statistics were so poor in 2023 that Beijing stopped reporting them and revised its methodology to exclude some elements of the population, such as students. 

Among the young people who do have jobs, a growing portion are gig workers, struggling to find full-time employment. The new five-year plan paints a rosy picture of AI boosting people’s livelihoods. For example, it calls for more AI use in elder care, classrooms, entertainment, and public services. But it does not acknowledge the likely job loss this will trigger for nurses, teachers, artists, and civil servants. It even pushes AI deployment in the very sectors where it is most likely to trigger job loss, such as using AI agents for personal assistants and AI-empowered robots for manufacturing. 

The plan does include a nod to the potential for AI-induced job loss. For example, it calls for Chinese officials to set up “investigation and response mechanisms for the impact of AI on employment” and provide “employment stability guarantees, re-employment training, and employment support” for workers who lose their jobs to AI. But this amounts to just a few sentences of generalities. In contrast, biotechnology is referenced across multiple chapters, with incredibly specific goals. Beijing does not yet seem to view AI deployment as a serious employment challenge. That is a major blind spot. 

5. China aims to become the world’s biggest R&D funder

The new five-year plan calls for the Chinese government to keep research and development (R&D) spending growing at least 7 percent per year over the next five years. That means China’s national labs, universities, and industrial clusters will be flush with cash at a time when the United States is slashing those same budgets. As a result, new analysis in the journal Nature predicts that China’s public spending on research and development could surpass US spending by 2029. China is attempting to utilize this spending gap to leap ahead of the United States in “frontier science” and breakthrough technologies in critical sectors such as AI, quantum computing, and biotechnology. 

In the fourteenth five-year plan (2020-2025), Beijing focused primarily on commercial technology such as semiconductors, electric vehicles, and information and communication technologies. This new plan is aiming higher. It calls for Chinese firms to move the competition up the value chain to innovation in “future industries” or “frontier industries” that are not yet fully commercialized. It calls for Chinese firms to replace foreign competitors as the leading intellectual-property generators, reducing China’s reliance on the United States and boosting the nation’s “self-reliance.” Beijing is betting that US efforts to cut federal R&D spending are China’s big opportunity to surpass the United States as the world’s leading science and technology innovator. Chinese leaders do not plan to stand idly by and let that opportunity go to waste. 

Overall, the new plan indicates that Chinese leaders are much more focused on the nation’s strengths than its weaknesses, and they are feeling incredibly bullish going into 2026. This bodes for even more intense US-China competition over the coming years, particularly in advanced technologies. Washington needs to recognize that the margin of US leadership is narrowing.

The post Five takeaways for US policymakers about China’s new five-year development plan appeared first on Atlantic Council.

Executive summary

Securing artificial intelligence (AI) infrastructure requires ensuring the security of the cloud ecosystem. The cloud infrastructure that implements and executes AI workloads presents an opening for adversaries that existing vulnerability management institutions were not designed to cover. This brief examines the mechanisms through which vulnerabilities in cloud infrastructure are discovered, disclosed, communicated, and remediated, and finds them to be inadequate to meet the security demands of an ecosystem in which AI has a growing impact.

Nation-state actors continue to target cloud environments, compressing vulnerability discovery and exploitation timelines. At the same time, public vulnerability data, anchored by the Common Vulnerabilities and Exposures (CVE) ID system and the linked National Vulnerability Database (NVD), faces severe strain. The policy institutions tasked with addressing cloud security face leadership vacuums, funding uncertainty, and competing priorities.

Community and industry driven efforts to respond to these challenges remain fragmented and voluntary, while providers operate without public accountability. Making progress on these urgent challenges requires policy mechanisms to incentivize and mandate clarity and transparency in the cloud ecosystem.

Background

In the United States, several essential cybersecurity authorities and institutions face simultaneous disruption. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in 2022, proposed to establish the country’s first mandatory incident reporting regime for critical infrastructure sectors, has seen the publication of its final rule delayed to May 2026. The Cybersecurity Information Sharing Act of 2015 (CISA 2015), which provides liability and antitrust protections for companies sharing threat indicators with the federal government and each other, lapsed on September 30, 2025 and received only a temporary extension through September 2026, with bipartisan reauthorization efforts stalled in Congress. The Cybersecurity and Infrastructure Security Agency (CISA) continues to operate without a confirmed director, after the Senate failed to act on the administration’s nominee, and the agency has seen workforce reductions that have diminished its operational readiness. The Cyber Safety Review Board (CSRB), which conducted a landmark investigation of the 2023 Microsoft Exchange Online compromise, was dissolved in early 2025.

In Europe, a set of untested regulatory instruments are taking effect. The European Union (EU) NIS2 Directive expanded cybersecurity obligations for 18 critical sectors. The Cyber Resilience Act (CRA), adopted in 2024 with enforcement beginning in 2027, will require digital product manufacturers to build in cybersecurity capabilities and provide vulnerability disclosure mechanisms. The United Kingdom (UK) Cyber Security and Resilience Bill is progressing through Parliament with similar objectives.

The US, UK, and EU have also adopted policy approaches and established agencies specific to AI. In the US, the Trump administration’s AI Action Plan outlined goals of exporting the US AI stack abroad. The EU AI Act imposed obligations on AI developers based on the level of risk posed by specific AI models. The US and UK also established AI-specific testing and research organizations, the Center for AI Standards and Innovation (CAISI) and the AI Security Institute (AISI) respectively.

Cloud computing

Cloud computing describes a model of access to computing resources, where customers specify workloads, or defined sets of tasks, which cloud providers implement and execute. This model of access is an important part of AI development and deployment, and frontier AI companies have partnered with cloud providers to ensure access to cutting-edge compute resources.

Compute and virtualization services allocate processing power and include the orchestration platforms that oversee AI training and inference workloads. Data and storage services comprise the managed databases and object storage for training datasets, model weights, and inference outputs. Observability and logging services collect the telemetry essential to detecting anomalies and investigating incidents. Identity and access management services control who and what can interact with cloud resources.

Layered on top of these foundational services are AI-specific runtimes and serving frameworks (the managed environments in which models are loaded and scaled) as well as the web and API gateways through which users interact with AI systems. Each of these categories presents distinct vulnerabilities. A flaw in a container escape mechanism raises different remediation questions than a misconfiguration in a logging pipeline, yet both can impact the confidentiality, integrity, and availability of an AI workload.

Fraying public vulnerability infrastructure

The NVD has served for nearly two decades as an authoritative source for enriched vulnerability data, powering compliance frameworks, automated scanning tools, and risk assessments across both the public and private sectors. Budget constraints and rising submission volumes have degraded its reliability as an operational resource. The National Institute of Standards and Technology (NIST) acknowledged in early 2025 that a 32 percent increase in CVE submissions during 2024 meant the backlog was still growing.

CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, which allows the agency to publicly announce vulnerabilities that have been exploited in the wild. As of March 2026, the catalog contains 1,551 vulnerabilities, making it a useful smaller-scale prioritization signal, especially in comparison to the NVD’s 339,010 vulnerabilities. CISA’s ability to update and maintain the KEV database is likely affected by the ongoing partial shutdown of CISA’s parent agency, the Department of Homeland Security, and the mass layoffs of CISA employees since January 2025.

Meanwhile, despite a clear recommendation from the CSRB’s review of the 2023 Microsoft Exchange incident, cloud providers do not comprehensively disclose security vulnerabilities or flaws within their cloud services that do not require customer action to fix. In 2024, both Microsoft and Google announced that they would issue CVEs for critical vulnerabilities, which are only a subset of the overall vulnerability landscape. Vulnerability scoring and severity evaluations are complex and involve judgement calls, so allowing providers to determine which vulnerabilities they disclose distorts publicly available data on cloud security issues.

Failing to issue a CVE identifier for a security flaw also precludes the vulnerability from being included in the KEV database, limiting the ability of US government agencies to publicly communicate evidence of exploitation. Companies can refuse to acknowledge security incidents or transparently communicate with customers in the absence of policy obligations, as Oracle’s communications around an incident in May 2025 exemplified.

Hyperscale cloud providers operate vulnerability reward programs (VRPs) that incentivize external researchers to report flaws. According to a program website, Google’s Cloud VRP has issued $3,574,399 in awards over the past year. These programs are voluntary, variable in scope and payout, depend on the communications channels offered by the cloud provider, and are not subject to public reporting obligations.

Provider programs are siloed. No mechanism exists for identifying shared flaws across cloud platforms or generating a system-wide view of collective vulnerability data. This limitation is consequential considering research demonstrating that independently developed cloud services can harbor similar security flaws due to shared open-source dependencies or common architectural patterns. The absence of cross-provider coordination means that when a researcher identifies a vulnerability pattern in one cloud platform, there is no systematic process for evaluating whether the same pattern exists in others.

AI services are not immune from these systemic challenges. A July 2025 container escape vulnerability in the NVIDIA Container Toolkit, discovered by Wiz researchers, highlighted that security issues in popular libraries impact customers regardless of their cloud provider.

Community-driven projects have attempted to address the lack of standardized tracking mechanism for cloud security issues. The Wiz-backed Open Cloud Vulnerability and Security Issue Database catalogs publicly known cloud vulnerabilities and flaws, providing researchers and practitioners with a centralized reference for flaws that might otherwise be scattered across notification methods. The ONUG Cloud Security Notification Framework addresses the lack of a common data model for security notifications across providers. While these efforts are valuable, neither possesses the institutional backing to compel provider participation or to generate the kind of systematic accounting of vulnerabilities in cloud platforms which could form the basis of further policy action.

AI changes the risk landscape

As a target, AI infrastructure concentrates extraordinarily valuable intellectual property within cloud environments: model weights, proprietary training data, novel research methods, and fine-tuning configurations, all of which are only as secure as the weakest component of their infrastructure. The scarcity of compute resources specific to AI may lead organizations to deprioritize security requirements in favor of rapid access to processing power. The emergence of AI-focused cloud providers, newer entrants that may lack the mature security operations and vulnerability management programs of established hyperscale cloud providers, creates additional points of systemic risk.

As a tool, AI is reshaping the vulnerability landscape on both the offensive and defensive sides, rapidly accelerating the pace of vulnerability discovery and exploit development. Google’s Project Zero reported 20 vulnerabilities in popular open-source packages, each of which was discovered and reproduced by an AI agent without human intervention. A similar collaboration between Mozilla and Anthropic discovered 22 vulnerabilities in Firefox and crafted partial exploits for each of them. Wiz’s first-ever cloud hacking competition surfaced over 11 vulnerabilities in open-source code comprising foundational layers of cloud infrastructure. Open-source maintainers and operators of bug bounty programs have raised alarm about the increasing volume of AI-generated bug reports, which are of varying quality and require significant effort on the part of developers and maintainers to evaluate.

Recommendations

Government agencies must respond to the changing cloud vulnerability landscape. As experts have warned, failing to keep pace with the rapid rate of developments in offensive cyber risks of AI will have security consequences. Managing the risks posed by AI for vulnerability discovery and exploitation requires recommitting to known best practices, which can serve as a foundation for future policy experimentation and adaptation.

1. Follow through on lapsed and languishing cybersecurity efforts

Congress should reauthorize the Cybersecurity Information Sharing Act of 2015, which remains the foundational legal framework enabling voluntary cyber threat intelligence sharing between the private sector and federal government. Temporary extensions do not provide sufficient assurance and protection to organizations committing to information sharing, and even brief lapses disrupt long-standing collaborations.

Consistent with the AI Action Plan, the federal government should establish a dedicated Artificial Intelligence Information Sharing and Analysis Center (AI-ISAC) to centralize threat intelligence specific to AI systems, model vulnerabilities, and adversarial exploitation techniques. This body could facilitate real-time coordination across industry, academia, and government, led by DHS in collaboration with CAISI and the Office of the National Cyber Director (ONCD).

Congress should ensure CISA and NIST, as the stewards of the KEV catalog and NVD, receive sustained, adequate resourcing to fulfill their role in the vulnerability management ecosystem.

Congress should re-establish the Cyber Safety Review Board, resolving issues with the original board’s investigation by giving the board both subpoena power and sufficient staff to support critical investigations. Congress should also clarify criteria for incidents reviewable by the board. As recent analysis in Lawfare argued, a review board specific to AI could investigate the role of AI in cyberattacks. An AI-specific body should also be scoped to include cloud security incidents, reflecting the cloud’s critical role as AI infrastructure.

2. Incentivize and disclose high-quality public vulnerability data for cloud computing

ONCD should lead on establishing a comprehensive, government-backed information and data sharing solution to drive more effective vulnerability management across the cloud ecosystem. Policy design in cloud cybersecurity suffers from a lack of high-quality public data on critical and non-critical vulnerabilities; patterns of misconfiguration; and trends in exploitation techniques by threat actors.

ONCD’s leadership on this challenge, as a component of the National Cybersecurity Strategy’s goal to shape adversary behavior, could improve collaboration with the private sector and cloud providers, while avoiding diverting CISA from its core mission of protecting government and critical infrastructure systems.

Greater data transparency and disclosure of vulnerabilities across the ecosystem could serve as the foundation of prioritization processes across the cloud ecosystem, increasing pressure on providers to tackle vulnerabilities and classes of vulnerabilities that have security consequences for government entities and companies worldwide. That prioritization should privilege shared vulnerabilities, architectural flaws, and common weaknesses present across multiple hyperscale providers, which no current mechanism systematically or publicly identifies and addresses.

3. Lead on international coordination

The US government should pursue alignment with the European Union Agency for Cybersecurity and allied governments on cloud vulnerability disclosure norms. The US government’s support of vulnerability databases and coordination efforts creates benefits for other countries. Questions about the stability of that support spur divergent efforts, such as the European Union Agency for Cybersecurity establishing its own database for cataloging cyber vulnerabilities.

Ensuring that AI safety institutions and cybersecurity agencies share information and coordinate on vulnerability management, rather than operating in parallel silos, should be an explicit element of efforts to mitigate the risks of emerging AI for cloud computing security. 

The United States and the United Kingdom should begin by harmonizing their own practices and then extend that alignment to the EU. The forthcoming CIRCIA rule and the UK’s Cyber Security and Resilience Bill offer opportunities to embed cloud-specific vulnerability and incident reporting requirements that can serve as reference points for international coordination. Encouraging international allies to adopt the same approach to disclosing vulnerabilities in compute infrastructure can contribute to changing the incentive structure of the AI compute industry, shifting it towards greater transparency from cloud providers.

Conclusion

Trust in cloud computing cannot be sustained without visibility. The physical location of a data center does not determine its vulnerability to misconfigured access controls, unpatched container runtimes, or supply chain compromises. The cloud infrastructure that underpins AI development and deployment is subject to a vulnerability management regime designed for a different era of computing. Cloud-specific security flaws fall between existing institutional mandates, and the organizations building the most consequential AI systems lack the ability to demand transparency from the infrastructure they depend on.

The building blocks for a better approach exist, but the policy architecture to connect them is missing. The United States and its allies and partners possess both the responsibility and the capacity to design an approach to cloud vulnerability management that matches the scale and complexity of the systems it is meant to protect. The question is whether they will do so before the gap between the complexity of cloud infrastructure and the maturity of the institutions overseeing it becomes the defining vulnerability of the AI era.

Sara Ann Brackett is an associate director with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs. She focuses her work on open-source software security, cloud computing, and software supply-chain risk management within the Cyber Statecraft Initiative’s cybersecurity and policy portfolio.

The author would like to thank the Cyber Statecraft Initiative and Atlantic Council Tech Programs teams for their support and guidance throughout this project. Thank you to Trey Herr and Tess deBlanc-Knowles, who provided thoughtful feedback, and to Safa Shahwan Edwards and Jen Roberts, who were instrumental in planning and executing a workshop that informed this paper. Thank you to Nikita Shah, whose feedback shaped earlier iterations of this brief and its accompanying visualizations. The author would also like to thank the workshop participants who shared their expertise and perspectives under Chatham House Rule.

Issue Brief Dec 3, 2025

Cloudbusting: Policy for evaluating trust in compute infrastructure

By Sara Ann Brackett

A global cloud built on technical assurances—not geography—is essential to securing critical infrastructure and the future of AI.

Artificial Intelligence Cybersecurity

Report Sep 30, 2025

404 Accountability not found: Spyware accountability through software liability

By Sara Ann Brackett, Jen Roberts

This report proposes a legislative safe harbor framework that would incentivize technology companies to engage in spyware accountability.

Cybersecurity United Kingdom

Issue Brief Sep 5, 2025

Securing data in the AI supply chain  

By Justin Sherman

To avoid lopsided AI policy, policymakers must see the data used and generated by AI as a chain, not a snapshot.

Artificial Intelligence Cybersecurity

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post Securing cloud infrastructure for AI appeared first on Atlantic Council.

• Executive summary
• Introduction
• Part one: Military AI tech trends
• Part two: The specter of algorithmic warfare
• Part three: Future scenarios
• Part four: Policy recommendations
• Conclusion

Executive summary

Military artificial intelligence (AI) is moving from the margins of experimentation into the core of how NATO will fight, make critical decisions, and deter competitors over the next decade. The 2022 NATO Strategic Concept identifies the technological edge to be critical for the Alliance to fulfil its core tasks. Both contemporary warfare and renewed strategic competition suggest that data-driven AI decision-support systems and autonomous battlefield capabilities augmented with AI will define the character of future conflicts. There is a justified focus on evaluating strategic risks associated with such systems.

This report argues that integrating AI into military systems does not generate vulnerabilities that are fundamentally new in kind compared to existing cyber risks. But the difference lies in consequences. Once AI-enabled decision-support systems and autonomous platforms become critical to Alliance operations, interference with data, models, and computing infrastructure may have implications for NATO’s ability to see, decide, and act under pressure. Similarly, the offensive use of AI-enabled capabilities does not, on its own, raise or lower the nuclear threshold. Escalation thresholds in algorithmic warfare will continue to be driven by effects on the ground rather than by whether a system is AI-enabled. Yet the characteristics of AI—the speed, system opacity, and physical infrastructure—create more room for human error, misperception, and miscalculation.

To explore such possibilities, the Atlantic Council’s Transatlantic Security Initiative, in partnership with the NATO Office of the Chief Scientist, conducted a foresight study to clarify how adversaries might counter AI-enabled capabilities and to examine what this means for NATO doctrine, strategy, and deterrence. The research combined horizon scanning and expert interviews, an off-the-record workshop held in Washington, under Chatham House rules, and scenario modeling. The project mapped AI technology trends across decision-support systems and autonomous platforms, identified likely AI vulnerabilities and vectors of attack, and explored escalation dynamics through structured discussion and scenario-based exercises.

This project brought a new perspective into the debate on the impacts of transformative military AI on future warfare for two reasons. First, it is innovative in its comprehensive scope that encompasses both physical and cyber dimensions of algorithmic warfare. Indeed, it foregrounds the AI triad of data, algorithms, and computing power and shows how each can be attacked through cyber, kinetic, and electromagnetic (EM) means. And second, it examines the intersection of AI and nuclear weapons from a different angle: Tailored nuclear weapons are treated as a potential countermeasure against military AI for their electromagnetic pulse (EMP) effects.

There are two key findings.

While military AI does not generate “shock and awe” in and of itself, AI can exacerbate existing risk conditions for accidents and inadvertent escalations.

The report finds that the employment of military AI does not make the use of tailored nuclear weapons more likely. Instead, the choice of target, physical damage, and casualties are what matter. Workshop participants ranked responses to a notional AI-enabled drone saturation attack in the Baltic region by their perceived escalatory potential. Diplomatic action and electronic warfare were the most preferred responses, followed by kinetic strikes, cyber operations, and directed-energy weapons (DEW). Tailored nuclear EMP attacks were viewed as highly escalatory and politically unacceptable for NATO to use to repel an attack over NATO territory, even when framed as a tool of “information warfare.”

At the same time, military AI is expected to make the difference in terms of increasing speed, autonomy, scale, and uncertainty. This research, however, revealed that in comparison with all three components of the AI triad, the human remains the most vulnerable element of AI. Humans are routinely exposed to phishing, social engineering, cognitive bias, and already run the risk of deskilling as more tasks are delegated to machines.

Integrating AI into military operations therefore creates dangers along two pathways. First, speed and data are working against their user. Such compressed timelines can create cognitive problems in decision-making. Without safety and quality protocols in place, flooding decision-support systems with noisy or nonpatternable data can further thicken the fog of war for commanders. Second, AI-enabled military systems become increasingly complex and can lead to normal accidents, making foreign interference detection and exposure difficult to distinguish from system failures.

Algorithmic warfare highlights the importance of electromagnetic spectrum dominance.

Digital modernization of defense—the data-centric approach and software-defined capabilities—will make electromagnetic threats more salient. Russia’s war in Ukraine already highlights how GPS jamming, communications blackouts, and electronic warfare shape combat operations. This trend will intensify as NATO begins to lean on AI-enabled and multidomain command and control.

Advances in military applications of AI further strengthen the convergence between the cyber domain of operations (digital code) and the electromagnetic environment (electrons). In a crowded and contested spectrum, where software-defined radios, commercial satellites, and cloud-linked data centers underpin military networks, the distinction between “cyber” and “conventional” attack begins to blur. Further fielding of directed-energy weapons also indicates shifting the center of gravity to energy supplies.

Attacks on AI systems can use several vectors. The adversary can target model weights through espionage and hacking; poison training datasets; blind or spoof sensors on intelligence, surveillance, and reconnaissance (ISR) platforms; disable data relays; or physically damage hardware in data centers, cables, satellites, or uncrewed systems. Cyber operators, electronic warfare units, special forces, and conventional reconnaissance-strike systems may all participate in degrading AI-enabled capabilities. In contrast, the ongoing trend of lowering the cost of warfare will make any requirements for new protection measures, such as shielding or hardening, difficult to implement due to the trade-offs in terms of cost, weight, and endurance.

The report develops three future scenarios, including a fourth baseline case, to identify likely implications of future algorithmic warfare for NATO’s doctrine and strategy: guarded opportunism, brave new world, and minority report.

• Guarded opportunism outlines a future in which military AI, despite its transformative impacts, does not require the military to dramatically alter the rules of engagement. Instead of introducing qualitatively new risks or vulnerabilities, the challenges related to military AI remain manageable with disciplined cyber hygiene and resilient power supply. On the risk side, this scenario points to heightened dangers of AI-fueled hybrid warfare below the threshold of armed conflict.
• Brave new world is a less likely but more dangerous scenario detailing the conditions for escalation spirals. Transformative effects of AI lead to conventionalizing nuclear weapons. Fielding of AI-enabled military capabilities provokes the adversary to use new nuclear-powered EM weapons. Nuclear EMP attacks are viewed as a legitimate use of nuclear weapons that belong to the specter of algorithmic warfare.
• Minority report presents a different take on the possible algorithmic future in which AI technology hype drives strategy. This scenario focuses on cognitive challenges for political and military decision-makers, who tend to overestimate near‑term benefits and discount the long-term risks and compound challenges of AI integration. Instead of improving AI operational implementation processes, countries race to achieve phantom AI advantages that destabilize the international security environment.

For NATO to leverage and maintain the advantage from transformative AI technologies, this report makes seven recommendations for NATO leaders that can contribute to NATO’s future strategy and doctrine adaptation.

1. Master AI literacy. NATO needs to develop standards for continuous AI skill development for commanders, operators, and policymakers. AI literacy is not just a strategic competency but also an instrument of restraint.
2. Engineer redundancy. Instead of creating a digital copy of all existing procedures, NATO should prioritize maintaining the ability to transmit information on rehearsed secondary systems.
3. Coordinate approach to AI tech industry. NATO should develop a code of conduct for AI tech company engagements that addresses the formation of an exclusive suppliers’ group, the knowledge gap in the private sector, and the rules for civilian software engineers in war zones.
4. Maintain information dominance. NATO should develop a functional framework for operationalizing AI in support of algorithmic warfare that prioritizes military objectives over abstract benchmarks and diversify its early warning systems.
5. Clarify escalation thresholds. NATO should develop a shared understanding of escalation thresholds for algorithmic warfare, decide on response triggers, and predelegate command authority in time-compressed scenarios to avoid escalation risks and decision paralysis.
6. Assess the electromagnetic layer with accuracy. Future algorithmic warfare will require NATO to treat electromagnetic spectrum operations as a distinct layer of multidomain operations to protect its strategic initiative and command-and-control superiority. NATO should also update its standards to reflect the changing scope of critical infrastructure as AI becomes a strategic asset to avoid underestimating the EM layer.
7. Deter by ambiguity. NATO should project resilience while cloaking its sensitive AI assets in a black box unexplainable by adversaries. However, such deterrence by ambiguity should not erode internal accountability of NATO-run AI systems.

Introduction

The 2022 NATO Strategic Concept emphasizes the importance of the Alliance maintaining its technological edge to achieve mission success.¹ But NATO’s ability to ensure military effectiveness and uphold a credible deterrence and defense posture faces challenges in the era of emerging and disruptive technologies. In the context of rapidly evolving warfare tactics and renewed strategic competition, AI-powered decision-support systems (DSS) and autonomous battlefield capabilities are expected to shape future conflicts. NATO’s 2022 Digital Transformation Vision therefore intended to accelerate the adoption of data and AI analytics to unlock new advantages for the Alliance.²

Accordingly, NATO’s AI Strategy encourages strategic foresight activities to help allies achieve a reasonable level of AI readiness.³ It also focuses on anticipating new challenges and risks related to algorithmic warfare from adversarial use of AI. While the military potential of AI is versatile and uncertain, it has nonetheless become difficult to overlook its importance to strategic competition. Countries are racing to develop and deploy AI across their civilian economies and militaries. Russia, the most significant and direct threat to NATO allies, and the People’s Republic of China, a strategic competitor seeking to control key technologies, have widely communicated their intentions to field AI for military purposes.⁴

Research objective

The Atlantic Council’s Transatlantic Security Initiative, in partnership with the NATO Office of the Chief Scientist, has conducted a foresight study addressing this crucial topic. This effort seeks to gain more clarity on AI’s transformative military effects over the next decade. This report assesses the vulnerabilities entailed in AI integration into NATO military capabilities in the context of the digital transformation of defense and the growing importance of electromagnetic spectrum operations. Importantly, it identifies ways in which adversaries might counter future AI-enabled capabilities on and off the battlefield. The objective is thus to understand how these developments may affect NATO’s doctrine and strategy moving forward.

This report’s focus on the transformative effects of military AI is highly relevant given NATO’s ambition to conduct multidomain operations.⁵ As outlined in the Digital Transformation Implementation Strategy, NATO political and military leaders intend to use advanced analytics in combination with multimodal data from sensor networks for a consolidated multidomain situational awareness in real time.⁶ While the “digital backbone” is intended to enable command and control across all domains, a broader digital interoperability framework with a secured data-sharing ecosystem will enhance political consultation and decision-making processes.  

This report therefore seeks to address the complex question of the likely implications of future military AI countermeasures on NATO’s doctrine and strategy. This means identifying the risks from integrating transformative AI into military systems, examining the vulnerabilities the adoption of AI will create, assessing the severity and probability of corresponding adversarial attacks, and formulating recommendations. Importantly, to limit the dangers of technological determinism, this project examined how political and military leaders and policy planners (at the state level of decision-making) perceive new technologies appearing on the battlefield and craft their responses to escalate or not.⁷

Methodology

In terms of methodology, this report used several data collection and analysis tools. The first phase of the project consisted of horizon scanning and road mapping. Through a structured evidence-gathering process based on desk research of relevant open-source documents and background expert interviews, this report identified the most important drivers of change, as well as the likely future developments at the intersection of AI and the defense sector that are at the margins of current thinking and planning.

In the second phase, the Atlantic Council hosted an off-the-record closed workshop held on an unclassified level in Washington. Through two prescripted discussions, conducted under Chatham House rules, policy and scholarly experts were asked to stress test the assumptions from the first phase. This informed the project on the likelihood of AI countermeasures and conditions for escalation in future algorithmic warfare, as well as to validate recommendations.

The third and last phase of the project centered on future scenario development. This is a useful policy analysis tool that visualizes a set of possible future conditions to help NATO decision-makers to anticipate challenges as they define capability requirements for NATO’s success in future algorithmic warfare.

Structure

This report proceeds as follows. Part One maps AI technology trends and their military applications over the next decade, from the battlefield to the war room. Part Two then proceeds to anticipate the vulnerabilities of AI-enabled systems and to assess the possible vectors of attack to explore escalation pathways in algorithmic warfare; it covers both digital and physical dimensions across the so-called “AI triad” of algorithms, data, and computing power—and adds a human factor.

Part Three outlines three algorithmic futures—guarded opportunism, brave new world, and minority report—based on the likely transformative effects of military AI and their impact on international security. This line of scientific inquiry is highly relevant given ongoing research concerned with the impact of roboticized autonomous systems operating with minimal human supervision on future conflicts.⁸

Part Four discusses recommendations for NATO leaders. Based on the project’s findings, this report raises seven main action points that are categorized into three areas: AI readiness and resilience; military AI doctrine; and deterrence.

Part one: Military AI tech trends

AI is becoming a general-purpose military technology that will sit inside almost every digital system that NATO uses.⁹ Its transformative effects will likely concentrate in two areas. First, decision-support systems will expand the scale of information analytics military commanders can process to make better decisions fast. Second, autonomous and semiautonomous platforms will shift how militaries sense, move, and strike on the battlefield. Together, these developments are driving an AI era of algorithmic warfare.¹⁰

AI can, in principle, be implemented in everything that uses a computer. As defense establishments digitize, AI has never been a single-purpose capability in itself. Rather, AI architecture underpins modern command, control, communications, intelligence, surveillance, reconnaissance, logistics, and weapons systems. NATO’s own definitions reflect this evolution. In 1995, NATO described AI as the capability of a functional unit to perform tasks generally associated with human intelligence, such as reasoning and learning. By 2005, it was also seen as “the branch of computer science” focused on building systems that reason, learn, and improve themselves.¹¹ These definitions now apply across a much broader digital ecosystem. Software has become a defining component of many weapon systems and AI is increasingly embedded in sensors, networks, and command-and-control tools.

The overall expectations about AI’s impact on future warfare can be captured in three concepts: speed, scale, and autonomy. Speed refers to faster sensing, processing, and engagement cycles. Scale refers to the ability to handle vast volumes of data and to coordinate large numbers of distributed assets, including swarms of UASs. Autonomy refers to the degree to which AI systems can operate with minimal human supervision. NATO’s challenge will be to harness these three dimensions without sacrificing control, accountability, or interoperability.

From general-purpose enabler to algorithmic warfare

The military applications of AI span relatively low-stakes use cases such as administrative automation and training, operational functions like logistics and cybersecurity, and high-stakes roles in targeting, electronic warfare, and human-machine teaming in combat.¹² From a functional standpoint, experts in defense and military affairs expect AI to matter depending on the AI model type, broadly divided in four categories: generative AI, classification, prediction, and autonomy.¹³ This includes tasks in which large volumes of data must be processed quickly, where patterns are too complex for human perception, where actions need to follow real-time operational intelligence fast, and where simulated environments can meet high training requirements.

Generative AI: Content, coaching, and cognitive effects

Generative AI models create novel content that mimics the statistical properties of the data on which they are trained in response to human prompts. In the military context, these systems are likely to be used as “agents” or virtual advisers that support commanders and staff in alleviating their daily administrative burdens and automating less critical processes, such as drafting routine reports, summarizing long documents, and translating technical information.¹⁴ In training and simulation, generative AI models can serve as simulation tools in war games and exercises. They populate synthetic environments with plausible adversarial actors and behaviors. This role improves scenario realism and generates alternative courses of action.

At the same time, these features can also be weaponized for offensive information operations. Adversaries can use generative AI to run large-scale, low-cost disinformation campaigns. This may involve producing tailored propaganda or impersonating Alliance leaders, journalists, and civil society voices. Generative AI will therefore be a powerful tool in the hands of adversaries seeking to manipulate perceptions and erode NATO’s cohesion.¹⁵

Classification: Noise and signal in a sensor-saturated battlespace

Classification models excel at recognizing patterns in labeled data and assigning new inputs to categories they have learned. Militaries already use such models for computer vision, facial and object recognition, and behavior detection. Computer vision models can identify vehicles, aircraft, ships, and infrastructure in imagery from satellites, aircraft, and UASs against their regularly updated data libraries. Classification tools can become crucial for early warning systems, from detecting stealthy cyber intrusions to flagging irregular troop movements. In sum, over the next decade, these systems are well-suited to sit at the core of intelligence, surveillance, reconnaissance, and targeting architectures.

Much is expected from AI-enabled electronic warfare too. In a battlespace saturated with sensors, classification tools can automate filtering of the electromagnetic spectrum, such as distinguishing signal from noise and highlighting anomalous signals that warrant human attention. Furthermore, signal processing algorithms can suggest waveforms to counter hostile signals and thus help overcome adversarial jamming in real time.¹⁶ As the electromagnetic spectrum becomes more contested, the ability to recognize and respond to subtle patterns faster than an adversary will be a critical advantage.

Prediction and data fusion: Scaling decision support

Prediction models analyze historical and real-time data to identify trends and forecast likely future events. In military settings, they underpin decision-support systems (DSS) designed to help commanders cope with complexity and information overload. The transition to multidomain operations underscores the importance of such multimodal data fusion and analytics.¹⁷

This type of AI model is therefore suitable to support battle management, as they fuse information from multiple sources and data streams from land, air, maritime, cyber, and space assets, and integrate them into a single operating picture that is updatable in real time.¹⁸ However, this also means that such data-centric decision-making processes can narrow commanders’ perceptions and constrain their choices.¹⁹

They can also highlight early warning indicators, propose likely adversary courses of action, and flag emerging risks in logistics and supply chains. In logistics, in particular, AI can support predictive maintenance of critical stockpiles; forecast demand for ammunition, fuel, and spare parts; and anticipate bottlenecks in transportation networks.²⁰ Predictive systems can also assist with medical support by estimating casualties and optimizing the positioning of medical resources.²¹

Autonomy: From perception to action

Autonomy involves AI systems that perceive their environment, process real-time data from sensors, and make decisions in pursuit of a mission objective without constant human intervention. In this case, AI models can cause kinetic effects, as they can direct hardware and/or software to react within the physical realm based on the input from the immediate environment.

Onboard AI enables uncrewed aircraft, ground vehicles, and maritime platforms to filter and fuse sensor inputs, navigate in contested environments, and pass the most relevant information back to human controllers. Advances in machine vision, for example, allow drones to compare real-time imagery from downward-facing cameras with stored satellite images and inertial data to determine their position without reliance on global navigation satellite systems. This is particularly important in GPS-denied or heavily jammed environments.²²

Autonomy is also extending to terminal guidance and target recognition. Today, many drones operate on autopilot for parts of their mission, with humans in- or on-the-loop for final engagement decisions. Over time, fully autonomous solutions that combine visual navigation, target recognition, and terminal guidance are likely to proliferate. Seamless data flows, however, are crucial. The Ukrainian forces use a practice that resembles “Uber targeting,” where one unit identifies a target, shares the observation on an encrypted network, and the targeting assignment goes to whichever unit is available, even facilitating joint-strike capability from multiple vectors.²³ AI-enabled systems that can collect, process, and act on information in real time will make such dynamic targeting more common, especially when communications with higher headquarters are degraded.

From incremental adoption to algorithmic warfare

Together, developments in these functional areas point toward the algorithmic future of warfare. Broadly speaking, algorithmic warfare refers to integrating automated, autonomous, and AI technologies into the conduct of war, while decreasing the role of human elements.²⁴ In algorithmic warfare, the military conducts operations through AI-enabled capabilities that collect, analyze, and act on data at speeds and scales beyond human capacity. Artificially intelligent means operate when human warfighters cannot and reduce their exposure to danger. Such AI-enabled autonomous capabilities will especially be assigned tasks at the edge of the battlespace to handle time-critical sensing and response functions without human supervision and with minimum guidance.²⁵

Yet the most transformative effects of military AI are likely to appear in two use cases. First, AI in DSS will expand the scale and speed of information processing, giving commanders a richer but more mediated view of the operating environment. Decision-support tools will not only help humans make better-informed choices but also shape the decision space by highlighting some options and obscuring others. Second, AI embedded in weapons platforms will use speed and autonomy to compress the kill chain, shrinking the time between detection, identification, decision, and engagement.²⁶ This has implications for escalation control, the rules of engagement (ROE), and the role of commanders in supervising rapid, machine-driven engagements.

Drivers of change

Several structural drivers are signaling greater reliance on AI and algorithmic approaches to warfare. These drivers are particularly important for NATO as it implements its Digital Transformation Vision and prepares for multidomain operations.

Digital modernization of defense

First, the broader digital modernization of defense is creating the conditions in which AI can thrive. Modern militaries are upgrading their IT infrastructure and moving to software-defined capabilities that deliver new functionality to existing platforms.²⁷ This also means adopting data-centric approaches to capability development through collaborative digital spaces.

As militaries continue implementing digital modernization of their forces, their dominance in the electromagnetic spectrum is crucial for their new dependencies on sensors, satellites, and networked systems. Russia’s war in Ukraine has underscored the importance of EM warfare, including GPS jamming and communications blackouts.²⁸ These developments push militaries to design more resilient, autonomous, and decentralized command-and-control structures with better cybersecurity measures. At the same time, electromagnetic warfare in the West has not gotten the attention it needs and is still seen as largely subservient to or stovepiped from cyber.²⁹

Interconnected domains

Second, the move toward multidomain operations (MDO) requires integrating effects across land, air, maritime, space, and cyberspace, as well as in the virtual and cognitive dimensions. MDO aims to “[orchestrate] military activities, synchronize non-military instruments of power, and deliver converging effects at the speed of relevance.”³⁰ To make this possible, allies are building a digital backbone that can enable command and control across all domains. However, the effectiveness of this backbone depends on interoperable data sharing, secure and reliable communications, and advanced analytics capable of fusing data into a real-time consolidated multidomain picture. Turning well-integrated AI models into C4ISR systems that enhance situational awareness and support decision-making becomes part of the key conditions for conducting multidomain operations.

Autonomy pursuits

Third, recent and ongoing conflicts are accelerating experimentation with AI-enabled autonomous and decision-support systems. In Ukraine, AI-driven platforms already analyze extensive sensor and signal data to generate real-time targeting suggestions and logistical predictions.³¹ In Gaza, reports indicate that machine-learning systems such as “Gospel” and “Lavender” have been used to support dynamic targeting and terminal navigation by combining multi-source imagery with other intelligence inputs.³² These cases illustrate a shift from isolated, weapon-centric AI applications toward more comprehensive systems that inform planning, targeting, and force deployment at all command levels.

Drones are no longer only agents of remote warfare but are fast becoming agents of algorithmic warfare as well. Demand has surged for battlefield drone footage. Thousands of drone-camera videos depicting successful strikes are used to train computer-vision models, while engineers race to design uncrewed systems that can navigate and coordinate in GPS- and communications-denied environments using on-board processing and limited power.

Two motivations stand out: building “mass for precision” and supplementing shrinking human force structures. Swarm tactics and swarm command seek to saturate defenses and compress reaction times through the coordinated use of large numbers of low-cost platforms. At the same time, demographic trends and recruitment challenges will incentivize greater robotic integration and human-machine teaming. Forward-deployed, uninhabited platforms on standby will increasingly redefine how militaries think about force projection and readiness.³³ For instance, large drone formations can provide the aggressor with an edge in the invasion of foreign territory, highlighting the challenge to the capacity of air defenses.³⁴ Across these trends, AI is fast becoming more than just a technological tool; it is a vital strategic competency,³⁵ and will likely determine which militaries can exploit AI—at scale and under stress. For NATO, understanding where AI is most likely to transform operations, and how adversaries might target the vulnerabilities of AI-enabled systems, is a prerequisite for credible deterrence and effective defense in the emerging era of algorithmic warfare.

Part two: The specter of algorithmic warfare

Militaries have not yet realized the full potential of AI technologies, but it is not difficult to see how AI will shape the strategic environment and wartime paradigms. As the AI race intensifies, potent AI-enabled capabilities will be deployed as part of NATO’s digital transformation and decision-support ambitions.³⁶ This section translates interview insights and workshop discussions into a structured analysis of AI’s core components and their vulnerabilities and the likely vectors of adversarial attack. Two case studies used in the workshop—AI applications in autonomous weapons platforms and in a decision-support system—further informed the analysis of the limits of main AI countermeasures and the conditions under which escalation in algorithmic warfare may occur. This is because the likelihood of an adversary attacking NATO for using AI models for predictive maintenance is comparatively low.

AI triad

Military AI rests on three interlocking components often described as the AI triad: data, algorithms, and computing power.³⁷ Each component has a specific implication for offense-defense parameters. For instance, algorithms imply attacks on model architecture, computing power involves disrupting semiconductors and supply chains, while data concern cyberattacks to poison datasets.

Data refers to information about the focus area of the machine-learning system, collected from sensors and other sources, organized, stored, and made accessible. Algorithms are the series of instructions used to process information; machine-learning algorithms derive insights from datasets and the learnable parameters that encode the core capabilities of an AI model in model weights. Computing power provides the speed and capacity to execute algorithms at scale, train models to determine weights, and run inference offline on deployed systems.³⁸ In practice, computing power includes processors and graphics cards, advanced semiconductors, content delivery networks, power supplies, and cooling. Defense applications often need to run offline on edge devices under strict size, weight, and power constraints, or on government cloud resources with limited GPU availability. Data, sometimes dubbed the new “munition” due to their importance for modern warfare, encompasses issues such as volume, quality, salience, and labeling. The amount of training data strongly influences effectiveness, though collecting the right operational data and labeling it correctly are important for accuracy and alignment. Algorithms feed data into model weights through training, and their resulting internal architecture determines future data analysis in real-time operations.

AI vulnerabilities and vectors of attack

Integrating AI introduces several challenges along the entire triad. Core datasets are massive, models can be opaque, and natural-language prompting expands input surfaces. These characteristics create multiple entry points for adversaries and raise the importance of disciplined processes and safeguards. Adversaries will attempt to degrade NATO’s AI-enabled capabilities by targeting the triad across cyber, electromagnetic, and conventional kinetic dimensions. This section outlines how such attacks would prevent the Alliance from enjoying advantages from AI.

Computing power

Vulnerabilities associated with computing power reflect the physicality of AI infrastructure. This is because advanced semiconductors and specialized chips must be sourced, supplied, and integrated into systems that also require stable energy and cooling. The performance of inference-heavy applications may depend on AI-optimized hardware. These dependencies create risks during material shortages, expose weak points in data centers, and constrain performance at the tactical edge.

Adversaries can exploit material attributes of semiconductors. They can disrupt the supply of specialized AI chips, seed vendor-supplied Trojan backdoors, or manipulate cloud architectures built with commercial technology. They can target the electricity supply of data centers and sabotage their water-cooling systems to cause outages, or damage undersea cables and content-delivery networks to disrupt data flows.

Data

Data is vulnerable across the lifecycle of AI models. Adversaries can poison training datasets through cyber operations that mislabel data or introduce hidden triggers that cause the model to misbehave. Poorly labeled or biased datasets degrade performance, making certain classes of objects invisible to the system or misclassifying them at critical ranges. If the wrong data is collected, or if the right data is corrupted, the entire decision-support chain can lead a model to malfunction and reduce its reliability in the long term.

Adversaries can also interfere with real-life data collection. Because drones and other autonomous systems rely on environmental input, adversaries can tamper with surroundings to impact sensory input and cause abnormal behavior. For instance, blinding sensors on ISR platforms with optical illusions, or adjusting the sensors themselves, and generating spoofing signals can mislead the model into inappropriate responses.³⁹ In addition to onboard perception and planning modules, adversaries can target control interfaces, power management, data relays, and user interfaces used to coordinate connected autonomous systems. Alternatively, disabling low-orbit satellites can also stop real-time input and data sharing.

Algorithms

Incorporating AI into the digital architecture makes the existing systems susceptible to attacks that target the AI model itself. Because model parameters encode internal configuration variables crucial for its operation, compromising weights and biases gives an attacker significant leverage. Adversaries can also try to steal model weights through espionage or proxy hackers, gaining access to the core capabilities of the model for manipulation.⁴⁰
Adversaries can thicken the fog of war for algorithms by flooding AI-enabled DSS with inputs that are inaccurate, uncategorizable, or nonpatternable. They can exploit the rare and unpredictable features of the battlefield, since AI models are mostly trained on either synthetic data or on datasets from previous conflicts that may not quite fit the type and circumstances of the current war zone.

Interviewed experts and workshop participants indicated that the most likely adversarial action against military AI architecture would include:

1. Blinding sensors on ISR platforms to stop the real-time input of new data.
2. Spreading misinformation to confuse the algorithms with nonpatternable data.
3. Physically damaging undersea cables to disrupt data sharing.
4. Conducting espionage in the suppliers’ private lab facilities.

Surprisingly, however, the most vulnerable component of AI seems to be the human; data and algorithms follow, with the computing power being the least vulnerable of AI components. Such human-related vulnerabilities include personalized phishing, social engineering, cognitive bias, and deskilling.

Countering military AI

Having discussed the vectors of adversarial attacks on AI-enabled military systems and capabilities, this section now briefly comments on the means of such attacks. These AI countermeasures include cyber operations, conventional kinetic attack, electronic warfare, directed energy weapons (DEW), and tailored nuclear weapons with enhanced electromagnetic pulse (EMP). Each has distinct advantages and limitations.

Cyber operations

Cyber operations can interfere with how AI models learn and operate by manipulating ones and zeros. Cyberattacks can degrade the model’s performance or integrity, limit its availability by delaying responses or rendering command-and-control systems inoperative at crucial moments.⁴¹ Integrating AI into military systems increases their vulnerability simply by creating more targets for computer hacking.⁴² These AI vulnerabilities include compromising software libraries, poisoning training data, hijacking AI infrastructure, or stealing sensitive AI properties. Such cyberattacks, however, require prior intelligence to target the right datasets and processing centers. Their effects can be difficult to assess and attribute in real time, which increases the potential for miscalculation.

Conventional kinetic action

Conventional kinetic attacks can target ISR assets including space-based systems, airborne warning and control system aircraft, and other hardware components integral in critical AI infrastructure. Traditional air defenses can target offensive AI onboard small autonomous vehicles with low-cost interceptors, nets, and guns. Kinetic action is tangible but can be escalatory depending on target and context, and it may be expensive or resource-intensive if used at scale against saturation attacks.

Electronic warfare

Electronic warfare uses electromagnetic energy to degrade hostile systems by jamming or spoofing. EW can produce reversible, nonlethal effects, but it is constrained by range, power, antennas, and by the need for detailed knowledge of enemy waveforms and code. Focused jamming and signal spoofing in case of multisensor platforms can confuse AI into analytical errors and lead to wrong reactions. Jamming, however, is possible only in the case of collaborative autonomous platforms that communicate among themselves the adaptive course of their action.

Directed-energy weapons

High-power microwaves and high-energy lasers widen the range of electromagnetic spectrum operations (EMSO). They can disable or destroy electronics on autonomous platforms using concentrated electromagnetic energy.⁴³ While microwaves are suitable for area defenses and perimeter denial against swarms of drones, lasers with their energy beams perform point defense similar to short-range air defense and counter-rocket, artillery, and mortar missions. They have low logistics tails and low cost per shot, but they are power hungry and range-limited. Atmospheric conditions, such as rain and fog, can reduce beam quality and effectiveness, as well as increase fratricide risks. Their applications for space missions look promising given their reusability and the potential to degrade or destroy a satellite.⁴⁴

Tailored nuclear weapons with enhanced electromagnetic pulse

Nuclear explosions of all types—from underground to high altitudes—are accompanied by an electromagnetic pulse. The strength and area coverage of this intense time varying electromagnetic radiation depends on the warhead type and yield, and the altitude of the detonation.⁴⁵ This means that while high-altitude airbursts can have a continent-wide deposition region, for explosions in the atmosphere at altitudes below 30 kilometers, the radius ranges from 5 to 16 kilometers.⁴⁶

Since the 1960s, EMPs, either man-made or natural, have been known to have a potential to disrupt, damage, or destroy a wide array of electrical and electronic systems.⁴⁷ Degradation of electrical and electronic system performance as a result of exposure to the EMP may cause either permanent functional damage or a temporary operational impairment, lasting from seconds to hours.⁴⁸ Computers used in data processing systems, communications systems, and semiconductors belong to the category of devices most susceptible to failure.⁴⁹

While airbursts have little or no fallout and no residual radiation, it is difficult to predict their effects and impact on today’s sensitive electronics, as well as avoid collateral damage and civilian casualties. Together with the difficulty to signal limited nuclear use, since the adversary cannot distinguish low-yield from high-yield weapons, such employment of nuclear EMP weapons remains highly problematic and inherently escalatory.⁵⁰ Experimental exercises over the past decades have identified no assurance that a nuclear strike would remain limited.⁵¹

Escalation and algorithmic warfare

The workshop assessed the salience of AI-enabled lethal operations along an escalatory pathway from minor cyber operations to DEW and nuclear EMP. The following paragraphs summarize the expert participants’ discussion on the conditions under which the use of military AI could increase the risk of escalation.

Escalation is defined as “an increase in the intensity or scope of conflict that crosses threshold(s) considered significant by one or more of the participants.”⁵² Escalation thresholds then depend on retaliation in response to some form of attack. The workshop discussion highlighted the distinction between effects-based and means-based escalation logics. While effects-based logic identifies thresholds depending on the impact that is irrespective of the weapons type, means-based logic emphasizes the qualitative difference between nuclear, conventional, and cyber domains. Some means are regarded as less escalatory than others. For instance, cyberattacks have proven capable of restraining the escalation dynamic and even de-escalating geopolitical crises.⁵³ Similarly, attacks on large drones are less likely to lead to escalation than attacks on inhabited aircraft.⁵⁴

Most researchers studying the AI-nuclear intersection focus on AI amplifying existing risks in nuclear command, control, and communications that can spark accidental nuclear confrontation,⁵⁵ undermining deterrence with AI-enabled conventional systems,⁵⁶ incentivizing first strike,⁵⁷ or exacerbating the proliferation/verification dilemma.⁵⁸ This workshop addressed the concern of a possible deliberate use of nuclear weapons as a warfighting tool designed to produce electromagnetic pulse effects to counter military AI. Previous experimental war-gaming showed that although low-yield nuclear weapons do indeed destabilize international security since they are seen as a substitute for high-yield nuclear use, they do not seem to increase the likelihood of crossing the nuclear threshold.⁵⁹

The workshop scenario described an AI-enabled fast and lethal drone saturation attack into the Baltic region. The scenario listed a number of possible responses:

1. Diplomatic action.
2. Economic sanctions.
3. Cyberattack.
4. Conventional kinetic response.
5. Electronic warfare measures.
6. Directed energy weapons.
7. Tailored nuclear weapons with enhanced electromagnetic pulse.

The workshop participants ranked responses by their perceived escalatory potential. Diplomatic action and electronic warfare tended to come first and often in parallel. Kinetic action, cyber operations, and DEW followed as second-ring responses. Economic sanctions were seen as medium-term tools, not immediate response levers. Tailored nuclear EMP was considered least probable but most escalatory, with a consensus that its use over NATO territory would be unacceptable. Among the most prevalent concerns against the nuclear EMP use, the participants noted: lowering the threshold for strategic nuclear weapon use; observing the nuclear “taboo,” the response’s proportionality, proliferation of nuclear weapons following nuclear use, and setting a negative precedent.

The follow-on discussion highlighted that adversaries may exploit AI structural risks. Complex AI systems can make attribution and intent assessment harder as AI and autonomy create conditions for plausible deniability. In addition, increased speed and data volumes can work against the user, since time-pressured scenarios increase the risk that decision-makers may rely more heavily on potentially compromised AI outputs, without even understanding the source of unanticipated inputs or system failures.⁶⁰

The workshop confirmed that military AI is not escalatory because offensive AI-enabled capabilities do not meaningfully increase the nature or intensity of a conflict. What matters is the choice of target, the physical damage, and the presence of casualties. At the same time, the properties of AI—speed, autonomy, and opacity—can increase the risk of inadvertent escalation. Despite the fight for EM spectrum dominance, the AI status of an attack does not lower nuclear thresholds—effects on the ground determine response. Ultimately, the vicinity of the adversary’s troops continues to be perceived as more escalatory than an AI-powered swarm attack.

Part three: Future scenarios

Juxtaposing the possible transformative effects of military AI against the threat perception (table A), this foresight study outlines three military AI future scenarios: Guarded opportunism, brave new world, and minority report. The goal is to anticipate long‑haul innovation in countering adversarial attacks on NATO’s AI systems and to inform military research and development decisions.⁶¹

The scenarios are modeled after two variables with a graduated level of likelihood. The first variable concerns the transformative impact of AI: whether countries achieve any strategic advantage from integrating AI into their militaries. And the second variable addresses an adversary’s threat perception: whether integrating AI provokes the development of new countermeasures and/or changes on the escalation ladder.

The fourth quadrant—AI fatigue—represents the most unlikely scenario with no decisive AI advantage and no heightened threat perception. It is less policy‑salient but remains useful as a control for future policy planning.

Scenario I. Guarded opportunism

This is the most plausible future scenario. AI meaningfully transforms military affairs and confers comparative advantage on states that integrate it well, yet it does not worsen adversary threat perceptions. Business continues largely as usual. AI‑enabled decision support and autonomy systems transform the character of warfare through expanded scale and increased operational speed yet without changing the nature of war.

NATO’s digital transformation and integrated AI-enabled military capabilities do not introduce qualitatively new risks or vulnerabilities. These remain familiar to cyberspace and can be managed with disciplined cyber hygiene and resilient power-supply architectures. However, AI may heighten some of the existing threat pathways and security risks. As AI becomes integral to the ability to operate and respond, degraded situational awareness and power outages, for instance, could become more consequential—and a new center of gravity—in digitalized, software-defined defense. Decision‑support systems help commanders filter the noise and frame choices faster, but they do not demand new categories of resilience beyond what Part Two already identified for the AI triad.

Hybrid pressure intensifies below the threshold of armed conflict. Cable cuts, data center intrusions, and information operations become routine. Russia continues sabotaging critical AI infrastructure to disrupt supply chains and cyber and drone intimidation campaigns across Europe.⁶² Yet technology knowledge and investments into resilient computer systems limit these escalation attempts. Better engineering and AI literacy shorten detection and attribution loops and make recovery faster.

Two challenges stand out. The first is the intergovernmental character of the Alliance. NATO relies on its member countries for certain types of cyber operations. This dependence on capitals to act creates latency in time‑sensitive crises and may result in inefficient responses that may not prevent further escalation of hybrid warfare. The second is information warfare targeting the Alliance’s reputation. NATO publics in left‑leaning governments are targeted with disinformation campaigns that frame AI‑enabled capabilities as unethical “killer robots,” arguing that NATO violates its own principles of responsible use of AI. Adversaries are further fueling domestic opposition to reduce tech-sector cooperation.

Still, guarded opportunism is defined by low escalation risks. Algorithmic warfare remains bounded by existing ROE and proportional responses. The only time AI and nuclear fields cross their paths with real-world consequences is in the widespread adoption of small nuclear reactors across the military to power demanding computations of AI models.

Scenario II. Brave new world

In the second scenario, AI is transformative and threat perception worsens. The AI triad delivers a real strategic and operational edge. However, AI-related risks grow with it over time due to insufficient literacy, lack of regular training, lagging skill development, and sloppy implementation of zero‑trust policy across armed forces. Furthermore, rapid and widespread integration of AI models creates new vulnerabilities, stemming from limited human agency, which complicate the cognitive aspects of decision-making.⁶³ The result is an increased probability of flash wars among autonomous robotic systems, in which algorithms interact at such a fast pace that humans would not be involved.⁶⁴

Such a degraded security environment sees multiple escalation spirals. Compressed decision-making times and fully autonomous systems contribute to perceptions of asymmetric disadvantage between Russia and NATO. Russia’s doctrine and force structure amplify the problem. Russia’s revision of its nuclear doctrine in 2024—with its greater emphasis on “aerospace attacks,” explicitly including drones, as one of the conditions under which nuclear weapons may be used—seems to lower the threshold for nuclear use.⁶⁵ This demonstrates that Russia became more reliant on its nonstrategic nuclear weapons after its conventional forces degraded in the war on Ukraine.⁶⁶ This seems to strengthen the Russian leadership’s belief that nonstrategic nuclear weapons are Russia’s “competitive advantage” over NATO.⁶⁷ Furthermore, Russia’s vision of new generation warfare builds upon weapons based on new physical principles, including radio frequency, laser, infrasonic, and electromagnetic. Russia has indeed been developing a precision-strike system built on integration of EW, uncrewed strike and reconnaissance systems, hypersonic weapons, and low-yield nuclear warheads.

In contrast, as NATO’s deterrent power derives from advanced conventional capabilities, this scenario portrays a deeper blurring of conventional and nuclear domains.⁶⁸ Yet NATO struggles to attain superiority in strategic command and control, while avoiding dependencies on commercial clouds and satellites. Large‑scale outages and cascading failures are more frequent. Allies hold regular war-gaming exercises to make sure that the Alliance’s responses remain proportionate even when attacks are AI‑generated. Yet Russia’s asymmetric countermeasures to the multidomain concept keep causing electronic damage to NATO command posts and communications centers.⁶⁹

In high tension, states embrace capabilities that manipulate the spectrum—microwaves, lasers, tailored EMP—seeking to blunt swarms and blind sensors. While EW once seemed unbeatable, jamming lost its teeth against uncrewed vehicles that do not use communication and navigation links. And if autonomy was an antidote to EW, then degrading the electromagnetic environment has become the antidote to AI-enabled military capabilities.

Some governments resume nuclear explosive testing of airburst effects, which contributes to further entangling AI with the nuclear domain. The line between conventional and nuclear war will get more fragile with the proliferation of new classes of EMP weapons. Nuclear proliferation gets out of control as more countries strive to develop their own low-yield nuclear EMP deterrent to counter AI-enabled adversaries. Worse, numerous experts inside and outside Russia believe that a nuclear EMP attack does not need to be governed by the same set of considerations as strategic nuclear weapons and nuclear doctrine.⁷⁰ Nuclear EMP weapons are understood within the category of electronic warfare or information warfare, not nuclear warfare. In this increasingly popular interpretation, an EMP attack is regarded as a legitimate use of nuclear weapons within the specter of algorithmic warfare. Even if nuclear EMP is conceptualized as a form of information warfare in some circles, its use would be profoundly escalatory.

Scenario III. Minority report

In the third scenario, technology hype drives strategy. AI does not deliver decisive comparative advantage for the military, yet threat perceptions grow worse. Exaggerated expectations about the game-changing, transformative, and inevitable impact of AI fuel anxiety about falling behind. The fear of missing out, rather than tangible advantages from AI models, pushes countries deep into the AI race. Such alarmism about phantom AI advantages has a destabilizing effect on strategic balance.

Information asymmetries deepen the problem. NATO militaries and Russian officials tout milestones and “breakthroughs,” while major AI firms speak of revolutionary models. The strategic conversation fixates on what might be developed tomorrow rather than what is fielded today. Decision‑makers overestimate near‑term effects and discount the risks and challenges of AI integration work highlighted in Parts One and Two. As a result, nuclear-armed great powers interpret routine military exercises as cover for preemptive strikes at machine‑speeds and tend to see AI-enabled ISR improvements as a direct threat to their second-strike capabilities.

Escalation pathways in this scenario are cognitive. On the one hand, leaders race to push fully autonomous prototypes forward before safety case evaluations are completed. Miscalculation risk rises not because AI-enabled autonomous weapons systems are unstoppable, but because the decision-makers believe they are. On the other, the adversaries deploy cognitive warfare tactics of “algorithmic amplification” to influence how decision-makers reason, degrade critical decision-making processes, and undermine their sense of security.⁷¹

The Alliance faces the challenge of lowering expectations while preserving its technological edge. However, while allies agreed to coordinate their political objectives of developing AI-enabled armed forces, the lack of national resources and ineffectiveness of their national AI strategies to achieve them weakened NATO’s cohesion.⁷² Leading AI countries are reluctant to institutionalize transparent metrics for AI readiness that separate laboratory promise from operational proof.

This scenario points to the need to move beyond the polarizing hopes-vs-fears dichotomy of AI in order to translate technological potential into military advantage through a sound implementation strategy.⁷³ This scenario reminds policymakers and defense planners to budget for the cognitive dimension of technological competition. Publics and markets react to hyped narratives faster than to scientific results. Adversaries will try to exploit this gap with rhetoric about their AI leapfrogging, announcing the winner of the AI race.

Across all three futures, NATO faces distinct challenges posed by future algorithmic warfare. NATO’s advantage from AI models rests on speed, scale, and autonomy delivered by a resilient AI triad under close human oversight. Guarded opportunism is the most likely scenario and highlights AI vulnerabilities in the light of hybrid and information warfare. Brave new world is less likely but the more dangerous of the three futures. In this algorithmic future, NATO is constantly on the cusp of spirals of escalation and de-escalation and points to the dangers from rapid and widespread integration of AI models without correspondingly fast doctrinal adaptation. Minority report, meanwhile, outlines the destabilizing effects of AI hype in the context of lacking safety and transparency standards.

Part four: Policy recommendations

NATO’s advantage in algorithmic warfare will depend on converting AI’s speed, scale, and autonomy into reliable military capabilities while avoiding inadvertent escalation. This report suggests that the Alliance should focus on three lines of effort. First, it must build AI readiness and resilience across the Alliance. Second, it must refine military AI doctrine to preserve information dominance and to clarify response triggers under compressed timelines. Third, it must develop a deterrence strategy for its strategic AI-enabled DSS. These policy recommendations address the AI vulnerabilities and attack vectors identified in the report’s earlier sections, providing practical steps for NATO leaders implementing the Digital Transformation Vision and preparing for multidomain operations. Each recommendation is intended for near‑term adoption to set conditions for long‑term advantages from AI.

I. AI readiness and resilience

NATO should anchor its AI strategy in two core principles—literacy and redundancy—and reinforce those principles through a coordinated approach to the AI tech industry. Such an approach will help NATO avoid the risks of stale knowledge and deskilling.

Recommendation 1: Master AI literacy

AI literacy should be treated as a strategic competency for commanders, operators, and policymakers rather than as a niche topic confined to chief information officers. NATO should integrate AI education into professional military education, operational exercises, and staff development programs so that leaders understand both the promise and the limits of current AI models. AI-literate armed forces are less likely to succumb to tech-centric thinking and automation bias in future strategy and doctrine development.

NATO should also educate wider publics and political elites so that strategy debates do not become hostage to hype. Clear explanations of how models are evaluated, how data shape military performance, and how human judgment remains central are key for preparing policymakers at all levels to make informed AI-related decisions.⁷⁴

Recommendation 2: Engineer redundancy

Maintaining the ability to transmit information is essential for coordinated actions. NATO should assume that outages and system failures will occur. The Alliance needs to exercise capabilities in communications‑degraded electromagnetic environments and design robust and rehearsed secondary systems. This involves mapping cyber and physical dependencies to avoid single points of failure.

The Alliance should pursue controlled geographic decentralization of data centers to improve resilience of its AI architecture. This will require lawmakers to align national legislative requirements on strict data standards and protocols for insider-outsider threat detection. Vetting the data that goes into AI-enabled DSS, together with delineating clear boundaries between training periods and operational deployment of AI models, will improve the ability to isolate “poisoned” data and contain their spread. Training a team of experts to ensure human oversight of AI workings can limit the consequences of system malfunctions, while limiting the number of people with authorized access to base model parameters, can reduce the risk of sabotage and espionage.

Investment priorities should include research programs that work on future novel materials for shielding and protection of high-speed digital computers against EM interference. Given that the adversaries are likely to invest heavily in spoofing and dazzling hardware capabilities, the Allies should consider hardened interfaces against exfiltration. Lastly, NATO should invest in resources for continuous active defenses that constantly look for evidence of deception and run malfunction diagnostics.

Recommendation 3: Coordinate approach to AI tech industry

NATO should develop a code of conduct for private-sector engagements. The code would require AI companies developing products for decision-support systems and autonomous platforms to adhere to safety and ethical standards. The Alliance should create a trusted group of commercial suppliers and establish clear rules for civilian software engineers and technicians deployed in war zones. To prevent adversaries from achieving tech superiority, the Allies should examine their technology dependencies, “friend-shore” supply chains, and tighten export controls of critical components.

The Alliance should try to address the knowledge gap that exists in the private sector on how EMPs affect computer-based systems. NATO should partner with space tech organizations that have experience with the most advanced research into electromagnetic disturbances. As part of coordinating government–industry unclassified information sharing, NATO could also facilitate partnerships between traditional military hardware providers with software developers so that commercial capabilities can be deployed on military‑grade platforms. Lastly, NATO should encourage forward thinking. Routine, joint red‑teaming and data‑poisoning drills with industry will expose weaknesses. Regular brainstorming on risks from new EMP weapons and postquantum cryptography should feed into the life-cycle design of current systems.

II. Military AI doctrine

Doctrine must convert technical possibility into operational advantage while reducing the pathways to inadvertent escalation. Three recommendations on doctrinal adaptation can contribute to preserving NATO’s advantage from AI.

Recommendation 4: Maintain information dominance

NATO should develop a functional framework for operationalizing AI in support of algorithmic warfare that prioritizes military objectives over abstract benchmarks. Commanders should measure success in terms of effects—such as optimized asset‑to‑target allocation on defense—rather than in terms of statistical thresholds.

Investments should focus on early warning systems, electromagnetic warfare capabilities, and a layered counter‑UAS architecture that combines continuous passive radars, electronic warfare, DEW, and point defenses.

Maintaining information dominance also requires the ability to distinguish routine probing in the form of hybrid air denial operations from preparations for larger operations using drone saturation attacks. Exercises should therefore include ambiguous data, degraded sensors, and adversarial attempts to manipulate inputs so that the troops learn to question AI outputs without losing their operational tempo.

Recommendation 5: Clarify escalation thresholds

Compressed timelines will produce decision paralysis unless allies agree on response triggers and predelegate command authority to avoid escalation risks. NATO allies should develop a shared understanding of escalation thresholds for algorithmic warfare, including thresholds defining the strategic effects of adversarial AI-enabled attacks, as well as of attacks on NATO’s own AI architecture.

NATO also should have clear protocols in place for attribution and proportionality regarding the Alliance’s responses. For instance, would poisoning an adversary’s data count as an offensive cyber operation? NATO allies also need to make sure there are clear rules of engagement for autonomous and semiautonomous response systems. In anticipating the adversary’s deniability claims in the event of AI-enabled attacks, such as “accident” or “loss of control,” NATO should not be adjusting its red lines between subthreshold manipulation and armed attack.

Recommendation 6: Assess the electromagnetic layer with accuracy

The electromagnetic spectrum should not be an afterthought. NATO defense planners need to take the electromagnetic spectrum into consideration at the beginning of warfare planning and develop a spectrum plan with assigned frequencies. Future algorithmic warfare may require NATO to update its standards for survivability (STANAG 4145) to reflect the reality that modern critical infrastructure includes data centers and commercial satellites in addition to traditional command facilities.
In planning for EM-contested environments, NATO allies should preposition shielded assets—power, fuel, generators, and communications equipment—in forward locations to avoid logistical shortages during compressed timelines. They could also invest in software‑defined or reconfigurable radios and optical/laser communications. They should also explore the use of UAS or balloon‑based repeaters to restore the ability to transmit information when ground infrastructure is compromised. Treating the spectrum as a distinct layer of multidomain operations will protect the strategic initiative and the superiority in command and control that NATO seeks to maintain.

III. Deterrence

As AI‑enabled systems underpin strategic command‑and‑control functions, NATO must develop a deterrence strategy based on black box ambiguity without locking itself into a rigid declaratory policy.

Recommendation 7: Deter by ambiguity

NATO should project resilience while keeping the internal architecture of sensitive AI systems opaque to adversaries. Black box AI would also deprive adversaries of the ability to assess the real costs of potential attack. At the same time, the Alliance must maintain the diagnostic capacity to distinguish foreign interference from technical failure in case of system malfunctions, so that ambiguity does not erode internal accountability.

Building and demonstrating resilience—technical, organizational, and informational—will enable NATO to signal confidence and control. Its strategic communication should make clear that deliberate interference with decision‑support systems could carry serious consequences, even if precise thresholds and responses remain undisclosed. Taken together, these seven recommendations translate the analytical sections into concrete actionable items. Literacy keeps humans in charge under compressed timelines. Redundancy and industry coordination make the AI triad more trustworthy. Doctrine secures the informational high ground and clarifies action in crisis. Finally, deterrence by ambiguity protects the Alliance’s AI advantage without inspiring its adversaries into building new countermeasures. Implemented in parallel, these steps position NATO to enjoy its AI advantage in algorithmic warfare on terms that contribute to a stable security environment.

Conclusion

NATO’s competitive edge in the era of emerging and disruptive technologies will come from treating AI as a general-purpose enabler embedded across the Alliance’s digital backbone, rather than as a stand-alone “wonder weapon.” AI-enabled decision support and autonomy do not create vulnerabilities that are different in kind from cyber risks, but they raise the stakes by tying mission-critical effects—speed, scale, and autonomy—to software-defined systems that adversaries will target. Escalation will continue to be governed by effects and targets, not labels, while cognitive factors complicate judgment under time pressure. The practical implication for NATO is clear: invest in literacy, engineer redundancy, clarify doctrine, and project resilience with measured ambiguity.

This report addresses NATO’s ambition to protect its AI technological edge while digitalizing defense. Part One showed how AI will matter most in two intertwined areas: decision-support systems that compress time and expand the scale of information processing, and autonomous or semiautonomous platforms that accelerate sensing, movement, and strike. These advantages rely on the secured AI triad of algorithms, data, and computing power. Part Two mapped where adversaries will try to turn those strengths into liabilities—poisoning data, spoofing sensors, stealing model weights, interrupting cloud access and cable backhaul, and attacking the AI physical infrastructure. The analysis emphasized that while attempts to degrade AI-enabled military capabilities will resemble cyberspace operations, the consequences of failure are amplified when AI is made responsible for situational awareness at the core of command-and-control decision-making.

Parts Three and Four translated those findings into future forecasting and recommendations. The foresight scenario exercise underscored that the most likely near-term pathway is one of guarded opportunism—AI improves productivity and tempo without changing the nature of war—while the most dangerous pathway blends real AI advantage with worsening threat perception, making EMSO and directed-energy tools more salient in crisis. The most deceptive pathway is driven by hype: Threat perceptions rise even when fielded capabilities do not correspond to exaggerated predictions. Across all futures, effects, targets, and collateral risk determine algorithmic warfare dynamics.

Crucially, military AI systems do not introduce vulnerabilities that are categorically new, yet the consequences of foreign interference can be greater. If AI-enabled systems are integral to a unit’s ability to operate and respond, then successful attacks on those systems may warrant responses that are more escalatory than tit-for-tat cyber exchanges. Timing matters as well. Loss of real-time situational awareness in a crisis reduces clarity about what happened and who is responsible, raising the probability of misperception and inadvertent escalation. In practice, this report calls for disciplined deployment of decision-support systems that can only rely on rehearsed secondary systems.

The study also clarified the relationship between EMSO and nuclear restraint in the context of tailored, nonstrategic nuclear weapons. Means-based analysis sheds light on how emerging technologies shape modern escalation dynamics. Rather than making technology-centric estimates, this report highlights systemic risks related to AI: How leaders perceive risk under pressure remains decisive.

Literacy is therefore more than a training agenda; it is an instrument of restraint. Educated policymakers, commanders, and publics are less likely to treat AI as “cyber pixie dust” or to confuse reversible electronic effects with strategic attack. They will be better able to choose the right mission for the AI-enabled capability. In parallel, designating data centers, cables, AI labs, and commercial satellites as critical infrastructure and strategic assets will help align strategy and doctrine with the realities of a software-defined force.

This study contributes to AI literacy by stripping away hype and clarifying where algorithmic warfare introduces new challenges. For NATO leaders implementing the Digital Transformation Vision, the immediate tasks are practical: align skill development programs, harden the AI triad, codify response triggers, and show resilience without over-specifying red lines. Doing so reduces the risk that exaggerated expectations about new technology will drive strategy.

The report’s findings point to a future research agenda that looks into how tactical actions can engage strategic effects. AI-enabled autonomy and speed can magnify the psychological impact of hybrid campaigns, especially where the cost of interceptors is high and the pace of exchange is machine-driven. Routine “gray zone” activities are already redefining the baseline of normalcy across Europe.⁷⁵ Such threshold uncertainty permits plausible deniability, keeping the adversarial action away from Article 5 territory.

Open questions remain. How robust is the “firebreak” in escalation theory when algorithmic systems increasingly shape perception and timing? Can allies maintain recognizable qualitative distinctions between domains when effects propagate across them in multidomain operations? And where, precisely, do we draw escalation thresholds when nonkinetic actions in the electromagnetic spectrum generate strategic consequences? Answering these questions will require continued red teaming, transparent metrics for AI readiness, and joint experimentation that links tactical vignettes to strategic decision-making fora.

The Alliance has long excelled at military hardware. In a data-centric, software-defined approach to defense, advantage will come from systems engineering and smart innovation adoption choices. If NATO invests in AI literacy and redundancy, elevates the EM spectrum within the multidomain operations concept, and projects resilience with measured ambiguity, it can protect its AI edge and defend against adversarial attacks. That is the path to credible deterrence and effective defense in the emerging AI era of algorithmic warfare.

The author would like to thank the interviewed experts and workshop participants for their generosity in sharing their time and knowledge, the Atlantic Council’s Transatlantic Security Initiative staff for making a home for this project, and the NATO Office of the Chief Scientist for choosing to fund this project as part of its 2025 grants program.

Fellow

Dominika Kunertova

Nonresident Senior Fellow

Scowcroft Center for Strategy and Security Transatlantic Security Initiative

Artificial Intelligence Central Europe

New Atlanticist Sep 18, 2025

How AI with ‘nurtured consciousness’ could transform warfare

By John James and Alia Brahimi

New technologies have the potential to turn an information advantage into a conscious advantage, helping determine who has strategic dominance in the twenty-first century.

Artificial Intelligence Defense Technologies

Report Jun 30, 2025

Second-order impacts of civil artificial intelligence regulation on defense: Why the national security community must engage

By Deborah Cheverton

Civil regulation of artificial intelligence (AI) is hugely complex and evolving quickly, with even otherwise well-aligned countries taking significantly different approaches. At first glance, little in the content of these regulations is directly applicable to the defense and national security community.

Artificial Intelligence Defense Technologies

The Transatlantic Security Initiative aims to reinforce the strong and resilient transatlantic relationship that is prepared to deter and defend, succeed in strategic competition, and harness emerging capabilities to address future threats and opportunities.

Learn more

The post How NATO can integrate AI to prevail in future algorithmic warfare appeared first on Atlantic Council.

Bottom lines up front

• The recent public disagreements between an AI company and the US military speaks to a broader breakdown in trust among tech firms, the government, and the public.
• Americans’ skepticism of AI is high, driven by concerns over safety, job losses, environmental impact, and misuse.
• The White House has promoted AI development for economic and national security reasons, but it faces growing political resistance and public pushback over regulation and risks.

WASHINGTON—The recent standoff between Anthropic and the Pentagon over terms of use for the company’s artificial intelligence (AI) models has thrust the role of AI in military and intelligence operations into the national dialogue. As the Pentagon’s contract negotiations with Anthropic broke down and it designated the company a supply chain risk earlier this month, the episode exposed the fraying social contract among leading AI companies, the federal government, and the American public over responsible AI use. 

How Americans view AI

Anthropic’s red lines in the negotiations centered on two issues: the use of its models for the mass surveillance of US citizens and in autonomous weapons. Both topics resonate with an American public that remains deeply skeptical of the technology. A 2025 poll conducted by Gallup and the Special Competitive Studies Project found that 60 percent of Americans distrust AI somewhat or fully. This stands in contrast to much of the rest of the world. According to Stanford’s annual AI Index, large majorities in China, Indonesia, and Thailand (75-80 percent) believe AI-powered products offer more benefits than drawbacks. In the United States, that number is a meager 39 percent. 

Several factors drive this skepticism. Safety concerns, including fears related to AI-driven psychosis and AI-enabled teen suicides, feature prominently in public discourse, as do worries about the technology’s environmental footprint and its impact on jobs. Search “AI and water” on Instagram and you’ll be flooded with posts from influencers calling on followers to boycott AI over the energy and water demands of the data centers powering it. Recent mass layoffs, such as fintech company Block’s decision to cut 40 percent of its workforce due to the integration of AI into the company’s workflows, have amplified fears around broader workforce contractions. Some studies have extrapolated from initial data around AI adoption to suggest that the technology will create more jobs than it eliminates, but much of the public discussion has focused on the prospect of significant job losses on the horizon, raising anxiety among white-collar workers. 

This unease with AI is increasingly visible in politics. More than 1,500 AI-related bills have been introduced in state legislatures in 2026 alone, many focused on protecting consumers and minors from AI-related harms. AI skepticism has come from both sides of the aisle. Data centers have drawn criticism from left-leaning environmental advocates and from deep-red communities alike. A study found that twenty data center projects were blocked in the second quarter of 2025 due to local opposition, representing $98 billion in stalled investment. This year, Democratic and Republican lawmakers have begun backing away from data center investments that they recently championed. At least six Democratic governors used their state of the state addresses to announce plans to roll back incentives or impose new regulations on data centers. And Democratic lawmakers in New York and Maine, as well as Republican lawmakers in Oklahoma, are calling for temporary bans.   

The Trump administration’s approach to AI

The second Trump administration has made AI a national priority from the outset. Just three days after his inauguration, US President Donald Trump issued the first of seven executive orders related to AI released in 2025, which signaled the administration’s intent to “sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.” The order set the tone for the administration’s follow-on actions, including a foundational AI Action Plan that positioned the United States as going all-in on AI against the backdrop of a rising global competition with China. So far, the administration has expanded AI education opportunities, worked to harness AI for science, accelerated permitting for data center construction, and attempted to prevent states from passing laws regulating AI. 

Yet, even before the Anthropic-Pentagon controversy, tension between the administration’s position on AI and its own political base were surfacing. Upon the release of the AI Action Plan in July 2025, former US Representative Marjorie Taylor Greene issued a pointed rebuke. She warned that “competing with China does not mean become like China by threatening state rights, replacing human jobs on a mass scale, creating mass poverty, and resulting in potentially devastating effects on our environment and critical water supply.” The administration’s push to preempt and pause future state laws regulating AI was defeated twice in Congress prior to being advanced by executive order in December 2025. The original congressional campaigns incurred widespread pushback from across the political spectrum, including a request to remove the legislative provision, which was signed by seventeen Republican governors.

Recent announcements suggest the administration is beginning to recognize public resistance. In his State of the Union address, Trump introduced a ratepayer protection pledge that calls on technology companies to commit to covering the cost of increased energy production to support the build-out of data centers. This is intended to prevent those costs from being passed on to local communities. Seven of the largest players in AI have since signed on. A National Policy Framework on AI released at the end of last week reaffirms this push and lays out the administration’s legislative priorities for the technology, including enhanced safeguards for children, increased action to combat AI-enabled scams, and protections for individuals against unauthorized distribution of AI-generated voice or image likenesses.

Despite these moves, the administration’s handling of the Anthropic standoff has intensified debates in public and within the tech sector around the dangers of AI and the necessity of building guardrails for responsible use. The administration’s maximalist position that contracts with AI companies should provide flexibility for the government to employ AI for “all lawful uses” runs counter to US public opinion. Indeed, 80 percent of US adults believe the government should maintain rules for AI safety and data security, even if doing so slows development. 

Public distrust on display 

Following OpenAI CEO Sam Altman’s announcement on February 27 that the company had signed a deal with the Pentagon that it claimed contained the same provisions that Anthropic had been fighting for, public and private reactions were swift, with many skeptical of the company’s claims. Uninstalls of the ChatGPT app jumped 295 percent overnight and a #QuitGPT campaign gained steam on social media. Some OpenAI employees publicly criticized their company’s stance and OpenAI’s hardware lead resigned in protest. 

Anthropic, meanwhile, filed suit, contesting the Pentagon’s designation of the company as a supply chain risk following the inability of the company and the Pentagon to reach an agreement on contractual terms. The case has attracted amicus briefs from a wide range of groups, including tech sector workers, Catholic theologians and ethicists, and the American Civil Liberties Union. A brief signed by a group of almost forty employees from Google and OpenAI, including Google’s chief scientist, affirmed a shared belief in the risks underpinning Anthropic’s contractual red lines. Their brief noted the dangers to US democracy posed by AI-enabled surveillance and warned that today’s AI systems are too immature to be relied on for use in lethal autonomous weapons.

While the immediate controversy may be fading, the episode has already provided a revealing window into US sentiment around AI and the ongoing litigation will keep the issue in public focus. A poll conducted by NBC News this month after the standoff found that 57 percent of registered voters believe the risks of AI outweigh its benefits.

That number should command attention. For the administration’s and the tech sector’s AI ambitions to translate into the economic growth and national security gains that policymakers and CEOs envision, it will take a concerted effort to rebuild the social contract with the public on AI. Treating public skepticism as noise to be managed rather than a signal to be heeded risks causing rapid political polarization on AI. This, in turn, could cause a self-imposed slowdown in the United States’ ability to realize AI opportunities at home and compete effectively abroad, stifling government and industry AI initiatives alike. 

The post The Anthropic standoff reveals a larger crisis of trust over AI appeared first on Atlantic Council.

What does it take to build a comprehensive AI infrastructure and policy environment for widespread adoption? Last month, the Atlantic Council GeoTech Center, the Internal Telecommunication Union, and Access Partnership convened a roundtable titled “Laying the Digital Foundations” to address this question. For many countries, the answer carries significant geopolitical weight. It can narrow gaps between the Global North and Global South when it comes to the ability to adopt and benefit from AI technologies. It can also create space for transatlantic cooperation on ensuring the AI models of the future are embedded with human-centered values.

The discussion touched on several main areas: energy supply, data centers, cultural-specific models, network equipment, data authentication regimes, and other innovative technologies that could shape infrastructure choices over the next several years. The consensus was that AI readiness does not mean building an “AI Stack” that can be easily copied and pasted from country to country, because the enabling conditions for AI readiness in each country often vary significantly. Instead, it will require a set of interoperable choices that must be adapted to local conditions. Below are more takeaways from last month’s roundtable, which should be top of mind for policymakers as they convene for the AI Impact Summit in New Delhi, India, from February 16 to 20.

Electricity is becoming a binding constraint

The growing demand for data centers arising from AI is creating immediate pressure on electricity grids. Demand for data centers globally could triple by 2030. This means that even if governments can’t add power capacity, they will struggle to keep pace with demand even if they have strong policy ambitions. Finding ways to decentralize the power supply from the grid without destabilizing local systems may be a critical pathway to supporting and connecting a larger number of data centers.

At the roundtable, there was cautious optimism that AI can support parts of the energy transition over time, including by improving system efficiency and accelerating pathways for renewable energy sources such as nuclear fusion and geothermal energy. Yet, these pathways have little to no impact on near-term delivery dependence, and novel and efficient approaches are needed to reduce the current bottlenecks.

Infrastructure patterns are diversifying beyond data centers

Building data centers may not be the only answer, as such facilities cannot realistically be built everywhere. Distributed AI infrastructure that can overcome data latency or disconnection may be within reach. Edge devices, such as smartphones, tablets, smart cars, and smart glasses, have been seen as emerging tools to complement data centers by distributing workloads away from centralized data infrastructure. These devices can reduce latency for data transmission and optimize output. Edge devices don’t just distribute data; they also create new data and analyze it in real time. Such “inference on the cloud”—running a trained machine learning model on the cloud to generate data close to or at the source—is on the rise with the proliferation of generative AI on smart devices. China has been developing a competitive market for edge devices; enterprises are also bringing data to on-premises facilities rather than relying on centralized data centers. This is a good reminder that capability is not defined by one layer alone. A comprehensive strategy for transatlantic and Global South tech diplomacy must consider multiple options, including data centers, edge devices, and on-premises services to shape the global AI ecosystem.

Connectivity still determines who benefits

Beyond data center considerations, connectivity for populations in lower- and middle-income countries remains a critical determinant of access. Online access is still a prerequisite for using AI. Investing in the right kind of networks beyond data centers or edge devices matters. A key issue is modernizing network equipment, as outdated equipment not only hinders users from being digitally connected effectively but also creates security risks. Governments must identify, segment, or replace that equipment for it to remain secure. Network access and security are also increasingly confronted with another issue: the rise of AI agents. The market for agentic AI is expected to reach $103.28 billion by 2034. Some participants stressed that governments would need to adapt to the new challenges from agentic AI with its always-on capabilities, which allow it to constantly make automatic decisions for systems and users.

Data governance, sovereignty, and the cooperation problem

The discussion surfaced a set of geopolitical tensions underlying infrastructure decisions. There was concern at the roundtable about global data governance being shaped by the European Union. The bloc’s regulatory environment for data, as well as its ambition for AI sovereignty, could complicate transatlantic cooperation. At the same time, fragmentation of data sharing remains a barrier to building and improving systems across border—a clear area of need for mutual cooperation. Respecting user rights continues to be a critical part of discussions of transatlantic AI governance. Meanwhile, middle powers, such as India, are caught in the middle of these pressures. That is because India faces the question from partners of whether to adopt US or Chinese AI models, even as its domestic priorities focus on services for the most economically vulnerable communities, language inclusion, and data ownership.

Six pathways to lay the digital foundations for AI

Participants at the roundtable proposed six practical pathways that policymakers can treat as general rules for 2026.

1. Treat financing as infrastructure policy. Governments and the private sector should restructure financing approaches that support data center construction and related capacity. This should include making permitting more predictable and providing clearer incentives for construction where appropriate.  
2. Reduce grid pressure through practical energy planning. As data center demand grows, decentralizing parts of the power supply, where feasible, can help reduce the energy burden on the grids and speed connections for new loads.
3. Plan for multiple deployment models. Beyond centralized data centers, policymakers should also invest in edge devices and on-premises services to widen adoption pathways and reduce latency.
4. Modernize networks as a core AI requirement. Closing connectivity gaps and upgrading network equipment is essential for performance and security, especially as automated and persistent systems increase baseline network demand.
5. Build content governance alongside infrastructure. Governments should enact policies to ensure that AI models reflect local cultural context and language, support standards for the verification of AI-generated content, and strengthen media literacy to protect information integrity.
6. Cooperate on cross-border data rules that protect rights and reduce fragmentation. Governments should develop practical approaches for cross-border data sharing that preserve user rights and accountability while enabling legitimate access for system improvements and public interest use cases.

What to watch in the year ahead

In the year ahead, expect to see AI infrastructure gain momentum as more countries move beyond the simplistic debate around innovation versus regulation and adopt more pragmatic approaches to AI competitiveness. Several global fora this year, such as the AI Impact Summit, the Group of Seven (G7), Group of Twenty (G20), and the United Nations General Assembly, will also dedicate time to understanding what it will take to build more AI infrastructure. It is important to keep in mind that there is still no consensus on what a “complete AI stack” includes, and that is partly because it spans both physical and digital layers. Policymakers would do well to opt for flexibility, whether it is policy frameworks, physical and digital requirements, or end users, rather than adopting a one-size-fits-all approach. However, following the steps above can allow nations to strengthen their AI infrastructure muscles, allowing them to become not just AI-ready, but AI-competent—able to deliver systems that work, earn trust, and can endure real-world conditions.

Ryan Pan is a program assistant at the Atlantic Council GeoTech Center.

Coley Felt is an assistant director at the Atlantic Council GeoTech Center.

Raul Brens Jr. is the director of the Atlantic Council GeoTech Center.

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post The road to the AI Impact Summit: How to build AI infrastructure from the ground up appeared first on Atlantic Council.

The most common barrier to artificial intelligence (AI)-enabled economic growth is not the failure of the AI models themselves, but the failure to adopt them at scale. Research indicates that as much as 30 percent of generative AI projects are abandoned after proof of concept. Technically successful pilots often fail to reach production because staff lack trust in the systems, accountability structures remain unclear, and organizations run parallel processes rather than integrating new capabilities.

The AI Impact Summit in New Delhi, India, which will be held from February 16 to 20, presents an opportunity to shift the conversation from frontier capabilities to AI adoption at scale. The AI Impact Summit should bring together tech companies, government agencies, researchers, civil society, and funders to work together in a sustained way. Instead of supporting small, one-off AI projects, this group should invest in shared national and regional infrastructure that helps countries build and sustain their own AI capabilities, learning from experiences in contexts similar to their own.

A logic model for AI adoption

Frontier AI capabilities are gradually becoming more accessible, albeit only in pockets. For instance, Anthropic announced in November that it has partnered with the Rwandan government on an initiative aimed at making a Claude-enabled learning assistant available to thousands of people across Africa. Similarly, OpenAI announced last month that it’s collaborating with the Gates Foundation to deploy AI capabilities for health in low-resource environments across Africa.

However, ensuring that AI diffusion is inclusive on the scale of entire populations requires a coordinated strategy. Most of the developing world remains in what could be called AI pilot purgatory. Reaching the next billion people—including populations living in villages, small towns, and low-connectivity regions, as well as those operating in informal economies—demands a deliberate shift from isolated experiments to systemic orchestration. Such an approach will require emerging “middle powers” such as India to demonstrate new pathways of collaboration that support sovereign needs while not relying on building duplicative infrastructure at prohibitive costs.

AI adoption does not follow a simple linear model. Rather, it follows a matrix structure, consisting of “vertical” uses and “horizontal” enablers. Verticals include sector-specific applications: for instance, precision rain advisories for farmers or maternal health decision support. Horizontals make these verticals viable at scale. They consist of capabilities, such as multilingual models, voice interfaces, data pipelines, safeguards, and affordable compute.

Without these shared horizontals, every vertical initiative is forced to rebuild the same foundations. The resulting duplication is expensive and ultimately limits scale. But when horizontals exist as open, interoperable layers, the cost of innovation drops sharply, and the pace of adoption increases. For instance, AI voice interfaces remove barriers surrounding literacy and device access, multilingual models can become shared resources, and safety benchmarks improve through shared feedback. Crane AI Labs, a Ugandan startup, built a finetuned version of Gemma 3 1B, a Google model, using its own hybrid datasets, which include synthetically generated text, checked by Swahili experts. Crane AI then built a Ugandan Cultural Context Benchmark, a technical standard that became part of the UK government’s official AI evaluation library. With such open and interoperable models, thousands of public and private applications can then build on top of existing layers without having to recreate the basics each time.

This is the same logic that powered digital transformations in countries such as India, Uganda, Singapore, and Estonia. Once the digital public infrastructure was built, the ecosystem expanded rapidly and governance improved through real-time feedback loops with users. When the horizontals are in place, vertical solutions in agriculture, health, education, and governance can scale quickly.

Moreover, successful use cases can leave behind reusable assets that become digital public goods for AI. AI4Bharat, an open-source research lab based in the Indian Institute of Technology, Madras, created open-language speech models and datasets for twenty-two Indian languages, significantly lowering the barrier to entry for voice and language-first AI applications. Both AI4Bharat’s language models and Crane AI Labs’ initiatives represent vertical use cases that also created open-source infrastructure, which makes AI adoption easier for subsequent implementers.

However, no single institution, whether a government, a large tech company, a university, or philanthropy, can build all the shared horizontals while also deploying vertical use cases, with safeguards, across diverse sectors and countries. Rather, it takes networks of organizations collaborating on specific problems to bring the right capabilities together at the right moment.

From summit to impact

The AI Impact Summit in New Delhi offers a rare opportunity to move from an AI ecosystem made up of fragmented experiments to a purposeful, more collaborative diffusion architecture. The summit’s greatest potential lies in catalyzing the organizational structures that enable scalable adoption.

To achieve this, the summit’s participants should bring together developers, government agencies, researchers, civil society, and philanthropies so they can work in coordination on diffusion. These stakeholders should align investments in shared building blocks (such as multilingual models, safety standards, and data systems) so efforts reinforce each other instead of being duplicated. Over time, this collaborative effort could set common standards and share knowledge with countries that are earlier in their AI development journey.

These shared pathways can be documented in the form of a digital public infrastructure-AI playbook that documents AI adoption pathways, highlighting how governments, private sector actors, or other stakeholders have built shared “horizontals” and how these have supported AI use cases. The playbook would illustrate concrete tools and frameworks showing what worked, what failed, and how others can adapt proven strategies to their own contexts.

A real commitment to scaling up AI adoption should involve:

1. Collaboration: Multiple institutions are needed to collaborate to build safe, scalable diffusion for use cases.
2. Shared infrastructure: A digital public infrastructure approach creates compounding, reusable assets upon which other organizations can build use cases.
3. Shared pathways: The gap between a promising demo and a durable system isn’t more technology, it’s the full adoption pathway—operating models, incentives, governance, data readiness, evaluation, procurement, training, and incident response.

The next billion AI users, primarily from developing countries in Asia, Africa and Latin America, do not need more headline-grabbing AI breakthroughs. They need practical infrastructure that is open, affordable, and reliable, backed by partnerships and governance systems that build trust rather than demand it.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

Keyzom Ngodup Massally is is director of the AI Hub for Sustainable Development and head of digital at the United Nations Development Programme’s Chief Digital Office.

Shalini Kapoor is chief strategist, data and AI, at Ekstep Foundation.

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post The AI Impact Summit must focus on pathways, not pilots, to scale up AI adoption appeared first on Atlantic Council.

Three years since ChatGPT launched, a combination of hype and fear has made it hard to think clearly about our new age of artificial intelligence (AI). But AI has the potential to change the world—from energy to geopolitics to the global economy to the very production and application of human knowledge. If ever we needed clear-eyed analysis, it’s now.

At the Atlantic Council, our experts in the Atlantic Council Technology Programs spend a lot of their time thinking about how AI will shape our future—and they have the technical literacy essential to the task. So, as part of our annual Global Foresight report on the decade to come, we asked them our most pressing questions: How will AI evolve over the next ten years and beyond? How can we use AI to forecast global affairs? And—let’s be real—will this thing replace us?  

Then our experts put AI chatbots through their paces, presenting them with questions from our Global Foresight survey of (human) geostrategists and foresight practitioners about what the world will look like by 2036. Check out the results of this experiment and our experts’ broader insights in the short videos below, along with edited and condensed highlights from our conversations.  

How good is AI at predicting the future? 

I would not trust today’s AI systems to reliably forecast global affairs. I think that comes down to the fact that, so often, global events don’t follow predictable patterns. That’s because so much of global geopolitics is driven by human decisions.  

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

When you’re asking [AI] to predict the future, you’re asking it a big, unbounded question. What large language models (or LLMs), which is what the current generation of generative artificial intelligence is built on, are good at doing is next-word or next-token prediction.

— Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative

Right now, I think any policymaker would be very poorly served by, say, pulling up an LLM and asking, “What’s going to happen next?” That’s not really the strength of these modern systems.

— Emerson Brooking, director of strategy and resident senior fellow at the Atlantic Council’s Digital Forensic Research Lab

It is not a crystal ball. In technical terms, AI is probabilistic. It is not predictive or deterministic. A fundamental barrier for artificial intelligence is that it cannot experience the real world. Some of us may be familiar with Plato’s allegory of the cave. AI is kind of like those cave dwellers experiencing the world as shadows and echoes. They’re not living real experiences, and so are limited in that sense. We can, however, envision a world where AI models and human forecasters work together to make better predictions. 

— Trisha Ray, associate director and resident fellow at the Atlantic Council’s GeoTech Center

If you asked an AI system to predict the outcome of the Super Bowl, you could equip the model with data from past seasons, the teams, the performance of the players, and the trajectory of those teams over the course of the season. Feed it all of the accurate data of today’s teams and players, and it might come out with some kind of approximation of the top contenders to win the Super Bowl. But the system is not going to be able to predict that rogue tackle that creates a season-ending injury for a star player, or the interpersonal dynamics among the team that can either supercharge their pathway to the championship or totally derail it.

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

AI’s limitation is that it cannot produce new information. It can’t expand the universe of knowledge that we’re currently training on. What it can do is identify novel insights, identify trends that may have taken humans a lot of time to manually produce or see.  

— Graham Brookie, Atlantic Council vice president for technology programs and strategy

Today’s AI systems are well-suited for predictive tasks where there are stable patterns and there’s a good amount of historical data to train the systems on. So this bears out in near-term weather prediction, traffic patterns, predicting maintenance needs for an airplane or some other complex manufacturing system.

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

How will AI evolve over the next decade? 

The growth of AI capability over the past few years has essentially been predictable: It continues to increase exponentially as we devote exponentially more processing power and energy to its needs. But that can’t go on indefinitely. I think soon there will be something that feels like a ceiling. 

— Emerson Brooking, director of strategy and resident senior fellow at the Atlantic Council’s Digital Forensic Research Lab

The bubble that is this market is going to pop, and we’re going to see some of these firms fail. You’re going to see others rise up and succeed. Now this could have some really harmful financial consequences for real people, as well as markets in the US, in Western Europe, and elsewhere. But the side effect of that is likely that there is a lot of infrastructure, a lot of computing resources, a lot of talent that’s suddenly available and looking for work and looking for ways to be useful. And that kind of thing can be a really powerful driver of innovation.  

— Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative

Another very significant risk to the progress of AI is trust. I think this is particularly salient in the United States, where recent polls have shown that 60 percent of American adults don’t trust the output of an AI system to be fair and unbiased. I think there’s a scenario where with that baseline level of distrust, if that’s then followed by, say, a series of accidents that could be blamed on AI, or destructive news around AI, then consumers will lose confidence in the technology and businesses will [assume] a higher level of risk in adopting the technology, which will then lead to a cooling in investment and in markets. 

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

You could imagine in ten years an absolutely fantastical, extremely powerful tool assisting you in every aspect of daily life and essentially knowing what you want at all times. But my greater concern, if that is the future, is then who will have access to this tool? Because for AI [tools] to be this capable, they will be immensely energy intensive. They will be extremely expensive. And the current moment we’re in now—in which there’s been a real focus on making AI as accessible to as many people as possible—I wonder how much longer that will last and if we might create these exquisite systems but have them accessible only to a very few people.  

— Emerson Brooking, director of strategy and resident senior fellow at the Atlantic Council’s Digital Forensic Research Lab

We’re seeing a lot of attention today on building what are called “world models.” Instead of predicting the next word, these models are predicting the next action in the world. If we’re able to move in that direction, then we’re really going to see the true impact of AI across society by breaking AI out of this computer interface into robotics that can take on more tasks. 

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

What is possible is that in the future, we’re going to see a larger application of small language models that are built for specific purposes and have that contextual knowledge, or are hooked up to a very relevant database, so that when you log in, you’re logging into a geopolitical chatbot as opposed to a general purpose tool. [There is] a much higher likelihood that it’ll be able to give you good answers. We’re a ways off from that, though. 

— Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative

Any predictions for how AI will change over the next year specifically? 

One of the trends I would look out for in 2026 is countries going all in on sovereign AI. The principle driving this trend toward sovereign AI is quite simple: It’s governments saying we need to control AI before it controls us. Now, what is sovereign AI? It is a model of AI development, driven by four characteristics: One, adherence to national laws. The second is national security. The third is economic competitiveness, where there’s a desire for the development and deployment of these models to benefit the home economies. And then the fourth and most interesting one is value alignment—the belief that these models have to adhere to a certain set of ideological and constitutional rules. But here’s a not-so-well-kept secret: It is not possible for a country to build the entire AI stack indigenously.

— Trisha Ray, associate director and resident fellow at the Atlantic Council’s GeoTech Center

There are two trends we should look out for. The first [is] indicators of the continuing sophistication of these tools. In particular I would focus on the context window—the amount of information that [these tools] have direct access to at any one time. When ChatGPT launched, the context window was about 4,000 characters, not very much. A year later, it was 100,000. Today some of the most popular consumer-grade models have a context window of up to 2 million. That is still a drop in the bucket next to the information that these machines will need to actively hold in order to be truly revolutionary and effective. If we can start to see somehow, through maybe some clever engineering, exponential growth in that context window, then we might actually be on a path to something we describe as artificial general intelligence.  

The other [trend involves] the financing, political conditions, and even the actual energy costs that are associated with these systems. As these elements begin to shift, some of the AI companies that so far have been able to have these continuing rounds of open financing with ever-higher valuations, if they start to reach some sort of ceiling—that will start to send shocks through this whole system, which may affect AI development in a very different way. 

— Emerson Brooking, director of strategy and resident senior fellow at the Atlantic Council’s Digital Forensic Research Lab

How revolutionary is AI?  

AI is changing the way that we interact with things that we touch every single day. In ten years, I think that you will see more AI in commercial landscapes, in security landscapes, or even in warfare. I think it’s highly likely that we achieve general artificial intelligence. That doesn’t necessarily mean that killer robots are going to govern all of us. 

— Graham Brookie, Atlantic Council vice president for technology programs and strategy

What we’re seeing is one of the most significant changes in digital technology easily in the last fifty years, probably since the creation of the personal computer. Before the PC, you had to go somewhere to an institution and ask for time on a computer. And then suddenly with personal computers, you had them in your office, in your living room. You didn’t need an institution. It just inverted the relationship and inverted a huge power dynamic. AI has done the same thing. It’s put the ability to do complex research and production of knowledge into every single person’s hands. 

— Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative

Artificial intelligence, the way we use it now, is not transformational yet. I would say AI is more a continuation of the digital revolution. It’s exciting for sure, but not society-shaking as of yet. If we think about the industrial revolution, it changed the way we live, changed the way we work, and even changed our politics. It shifted the nexus of economic growth from farms to cities. And if we just reflect on the role that AI plays in our economy right now, it is not at the stage to be called an AI revolution. Yet. 

— Trisha Ray, associate director and resident fellow at the Atlantic Council’s GeoTech Center

Will AI replace humans? 

Humans can think. Generative artificial intelligence models can’t think. That’s a really, really crucial distinction. It’s easy to anthropomorphize something that will chat with you.  

— Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative

Humans understand context. They understand cause and effect. Humans also have creativity to think through different scenarios that might not be present in prior events, where an AI system is not going to be able to creatively think of a new event. 

— Tess deBlanc-Knowles, senior director of Atlantic Council Technology Programs

As more and more time passes and the use of these tools becomes normalized, it may be that AI is never all that good at predicting the future, but that it feels good enough at doing it—and predicting the future is so hard anyway—that we turn that task over to AI; that human beings, with our extraordinarily capable and irreplaceable brains, give up on some of that higher-order thinking and try to let these machines do more and more of the job. And no matter how capable AI becomes, I see that as a tragedy. 

We could reach a really strange point where people are using these tools and basically relying on them to tell them what to do and how to live their lives, and they’ve essentially outsourced a lot of higher-order and critical thinking to these tools, having forgotten or having never known that no matter how omniscient these tools seem to be, they themselves are creations from limited human-created data sets and human processes designed in a particular moment in time. 

We could find ourselves trapped in some kind of recursive loop where the future and the horizon of possibilities keeps getting narrower and narrower, because that is what the machine is telling us is possible—that machine that was only trained on what humans knew to be possible. 

— Emerson Brooking, director of strategy and resident senior fellow at the Atlantic Council’s Digital Forensic Research Lab

Global Foresight 2036

In this year’s Global Foresight edition, our experts share findings from our survey of geostrategists on how human affairs could unfold over the next decade. Our scholars spot “snow leopards” that could have major unexpected impacts over the next decade. And our tech experts put AI’s forecasting ability to the test.

Learn more Full survey

Atlantic Council Strategy Paper Series Feb 10, 2026

Welcome to 2036: What the world could look like in ten years, according to nearly 450 experts

We polled geostrategists and foresight practitioners on our most burning questions about the biggest drivers of change over the next decade. Check out their forecasts on everything from the future of NATO to the rise of cryptocurrency.

Read More

Atlantic Council Strategy Paper Series Feb 9, 2026

Six ‘snow leopards’ to watch for in the decade ahead

By Uliana Certan, Nikita Shah, Ginger Matchett, Sarah Wallace, Dominique Ramsawak, Tatevik Khachatryan

Our scholars scan the horizon for the underappreciated phenomena that could have outsize impact on the world, driving global change and shaping the future.

Artificial Intelligence Climate Change & Climate Action

Atlantic Council Strategy Paper Series Feb 10, 2026

AI and the future

What does the next year, decade, and beyond hold for AI? We interviewed the Atlantic Council’s tech experts to learn more about AI’s future, and whether it can help us better understand our own.

Artificial Intelligence Technology & Innovation

The post AI and the future appeared first on Atlantic Council.

Panthera uncia—the snow leopard that inhabits high mountain ranges in Central and South Asia—is one of nature’s best-camouflaged animals. The majestic cat’s beautiful white coat, with gray and black spots, blends seamlessly into the rocky and snowy landscape in which it lives. Known as “the ghost of the mountains,” it seems to appear out of thin air. The reality, of course, is the snow leopard has been there all along, an unseen sight. 

In world affairs, there are numerous under-the-radar phenomena that are difficult to spot but crucial to understand given their capacity for disruption and transformation. Like the Himalayan cat, these metaphorical “snow leopards” may appear invisible but in fact are all around us: early-stage technologies that, if developed and scaled, might yield revolutionary results; social movements that, while just beginning to gather strength, could have enormous political consequences in the years to come; demographic trends that only a few experts study but that could overhaul societies in the long run; ecological changes that are not yet fully understood by scientists but could portend disaster ahead should they worsen. These phenomena present underrated risks or opportunities. Each of them could reshape the future. Some already are. We just need to know where to look.

Each year, our Global Foresight series identifies a new set of snow leopards. In this year’s edition, as in previous editions, this challenging task fell to the Atlantic Council’s younger staff, who are well-positioned to identify trends, events, technologies, and forces that their older colleagues might overlook. They scrutinized the world around them and came up with a list of underappreciated but potentially world-changing phenomena. 

In the years to come, keep an eye on these six snow leopards. 

When businesses are first movers on the battlefield

When Russia invaded Ukraine in February 2022, among the first responders were a conglomeration of cyber and tech companies of all sizes. These companies did critical work to ensure that Ukraine’s cyber defenses held up against an unprecedented onslaught of Russian cyberattacks. Combined with assistance from allied governments, such efforts helped keep the lights on in Ukraine. But the companies’ interventions amounted to entering a conflict of their own volition, without a state’s authorization or direction—which triggered profound geopolitical risks.

The private sector participating in conflict is nothing new; governments have contracted with private companies in war and peacetime for centuries. But three elements are new: First, cybersecurity companies have begun entering interstate conflicts without the authorization of or at least direction from states. Second, these companies effectively possess state-grade capabilities—and, with that, the ability to make world-changing decisions—but without the policy, legal, or risk frameworks states erect around such capabilities to constrain their use. Third, states, citizens, and businesses are increasingly dependent on these companies’ infrastructure and services in peacetime and for cyber defense in conflict. Microsoft recognized this in a June 2022 reflection on the company’s assistance to Ukraine, declaring that the technology sector has an “inevitable” role to play in the “cyber defense of nations.”

The risks of this kind of private-sector involvement in conflict are already emerging. Civil society has raised questions about whether cyber and tech companies constitute combatants under international humanitarian law, particularly where their capabilities intersect with state capabilities—as when, for example, private firms identify exploitable vulnerabilities (or “zero days”) in other companies’ software code. As states and others increasingly contest privately owned digital infrastructure, ideologically motivated cyberattacks (“hacktivism”) have also risen—creating heightened risks of retaliation. The whims of tech executives also have geopolitical consequence. In September 2022, for example, Elon Musk reportedly cut internet access in Ukraine provided via his Starlink satellite technology, disrupting a key Ukrainian counteroffensive. In response, a British member of parliament decried the “dangers of concentrated power in unregulated domains.”

Where these risks could amount to world-changing impact is during a potential Chinese invasion of Taiwan, and both Taipei and Beijing are clearly paying attention. Musk’s reported decision to cut Ukraine’s internet access was one reason Taiwan set up its own satellite internet infrastructure. There is some evidence that the Chinese state also is learning lessons from Russia’s war in Ukraine about the role of US cyber and tech companies as a source of advantage in conflict. This development might not be so concerning were it not for the significant business dependencies that Apple and other US tech giants have in China, which could muddy decision-making during any period of conflict. The clarity and unity of purpose seen in cyber companies’ efforts to help Ukraine cannot be guaranteed in the future.

This is an issue that the international security community must address through dialogue and policy development with the private sector. Goals should include firmer guardrails and improved accountability mechanisms—or outright deference to states as primary decision-makers. Such dialogue will prepare states and industry to jointly navigate future conflicts and collective preparedness without generating unintended consequences when the private sector jumps ahead of states. 

Nikita Shah is a former senior resident fellow in the Atlantic Council’s Cyber Statecraft Initiative with ten years’ experience as a national security professional in the UK government specializing in cyber security.

Leave, learn, return—and start a business?

Many countries have experienced migration as a driver of “brain drain”—a one-way outflow of human capital. But a more dynamic pattern is reshaping global talent flows in some parts of the world. A growing number of migrants who work or study overseas are returning to their home countries with new skills—a pattern known as “brain circulation”—or staying closely connected to their home countries and turning their global experiences into new opportunities there.

Brain drain refers to the loss that occurs when a country’s citizens, especially highly skilled and educated workers, pursue opportunities abroad. Host countries often gain productivity, tax revenue, and innovation—except when migrants are pushed into low-skilled work (such as when immigrants holding master’s degrees work at jobs requiring a high-school diploma), a phenomenon known as “brain waste.”

Another concept, “brain gain,” captures the positive effects of emigration for sending countries: The prospect of opportunities abroad motivates more people to pursue higher education, most of whom remain at home. Those who do leave often continue to contribute through remittances and stronger trade ties.

But these concepts overlook the circulation of talent that is quietly changing the geography of opportunity worldwide. “Brain circulation” first became visible in countries such as India and China, where engineers and entrepreneurs who had lived and worked in the United States returned and used their US career experience to start businesses at home.

What began as a modest trend in the early 2000s is accelerating as travel and digital connectivity become more accessible. The circulation of skilled, educated workers is now remaking national and regional economies. Studies show that returning immigrants tend to be more entrepreneurial and resilient than their peers and are significantly more likely to start businesses. Migrants return with expertise and global exposure they could not have acquired domestically.

Central and Eastern Europe illustrate how transformative this loop can be. After experiencing decades of outward migration, Central and Eastern European countries are now registering rising return flows. Romania, for example, has had three consecutive years of positive net migration driven by returning citizens. They launch startups, invest in local ecosystems, and open doors to new practices and global markets, sometimes with the support of government financing programs. Such ventures are helping power a regional boom. In 2024, startups in the region raised nearly €3.7 billion, a 56 percent increase from the previous year. Nearly half of that total—more than a billion euros—came from companies whose founders studied or worked abroad, or worked at big multinational companies.

At a time when many countries are grappling with aging populations, talent shortages, and relentless competition, this loop of leaving, learning, and returning is becoming a critical source of national advantage. Brain circulation offers a replicable model for countries that need to catalyze growth and sustain innovation. Countries that recognize this opportunity build policies and institutions that drive people, skills, and capital to move in loops, not lines, so that yesterday’s emigrants become tomorrow’s nation-builders. The future belongs to dynamic societies that treat mobility as a renewable resource, turning migration into a story of shared prosperity and, ultimately, into the backbone of a global innovation system that can respond to challenges and opportunities no country can tackle alone.

Uliana Certan is an assistant director for European engagement at the Atlantic Council’s Global Energy Center and Atlantic Council Romania.

Big seaweed could be big business

In the waters off one-third of the world’s coastlines grows a powerhouse plant: kelp. Towering kelp forests capture twenty times more carbon dioxide (CO₂) than do land forests of equivalent size. They promise lower-cost and lower-carbon ways to feed the world’s population, and they protect coastlines from the effects of more powerful storms. As scientists and policymakers increasingly turn to nature-based solutions to take on climate change, these colorful stalks of algae may be the next big thing.

Kelp forests can remove one ton of carbon emissions from the atmosphere for somewhere between $20 and $85. To do the same with direct-air-capture machines costs $1,000 per ton. Not only is kelp an incredible carbon sink, it drives other forms of environmental conservation and protection. The stalks reduce the size of tidal waves by up to 60 percent, prevent soil erosion, and absorb agricultural runoff. Studies show that kelp supports the development of the biogenic aerosols that help clouds form, reducing the temperature of water, soil, and air. Kelp also is an ingredient in biodegradable biopolymers, which can replace petroleum-based plastics.

In the food and agriculture sectors, kelp is both a nutritional food source and a protective habitat for hundreds of plant and animal species, including commercial fish such as cod, crab, octopus, and lobster.

And it doesn’t stop at seafood: Sprinkling seaweed on cattle feed can reduce cows’ methane emissions by between 40 and 80 percent. Kelp can be processed into natural, liquid biostimulants for agriculture, which can reduce the need for artificial fertilizers that release greenhouse gases. These kelp-based treatments also could reduce the large amounts of water required by many high-value cash crops such as almonds, avocados, strawberries, and grapes.

Beyond the environment and agri-food industries, kelp generates health and cosmetic products, attractive tourist destinations for snorkeling, and critical supplies for indigenous communities.

Kelp, however, faces an uncertain future due to predators, pollution, and marine heatwaves induced by climate change. Efforts to regrow damaged kelp forests off the coast of California offer a prime example for other coastal governments. Scientists and conservationists are planting specific kelp varieties that grow three times faster and absorb double the amount of CO₂ compared with other kelp. When this kelp matures, by some calculations it could absorb as much CO₂ as the global aviation sector emits. Kelp could help the state meet its target of reaching net-zero emissions by 2045—five years sooner than the target set in the 2015 Paris Agreement.

To help kelp survive in warmer oceans, scientists use remotely operated vehicles and motorized growing lattices, raising the kelp toward the water’s surface during the day to absorb sunlight and lowering it into deeper, more nutrient-rich water at night.

The effects of climate change on the world’s coral reefs have grabbed headlines. The United Nations Decade on Environmental Restoration has increased attention on coral-reef, mangrove, and seagrass restoration efforts. But so far, there has been limited funding focused specifically on kelp growth and management.

Global cooperation on kelp will be crucial for future climate efforts, as new research proves that oceanic carbon sinks are 15 percent larger than land sinks. But even in the absence of such coordination, expect continued momentum for work on kelp. Kelp and seaweed farming is the fastest-growing global aquaculture industry, increasing 6.2 percent per year over the last twenty years. Countries in Asia, particularly China and Indonesia, produce 98 percent of farmed seaweed by volume globally, but there is enormous potential for growth and applications in Europe, Africa, and the Americas. And with a $500 billion market, kelp has plenty of potential to combat climate change, mitigate the biodiversity crisis around the world, and develop a more profitable and sustainable “blue economy.”

Ginger Matchett is an assistant director for the GeoStrategy Initiative in the Scowcroft Center for Strategy and Security.

Are we going back to the bad old days?

In recent years, an alarming number of countries have withdrawn from or defied human rights treaties and humanitarian conventions. Global norms about how human beings should be treated were a key part of the international system that arose after World War II, including the 1948 adoption of the Universal Declaration of Human Rights. Specialists have said for years that this postwar system is under stress. But the consequences for individuals are underappreciated. If the postwar order was a bulwark against the horrors of the twentieth century, the idea that ordinary citizens should be protected from unrestrained state power was a load-bearing pillar. The weakening of that pillar is ominous and risks a future with fewer human rights than exist today. 

The retreat from human rights is happening at two levels: through actors exiting treaties, and through changes in the societal expectations that those treaties both reflect and reinforce.

Consider the developments of just this past year. In 2025, the United States, Israel, and Nicaragua withdrew from the United Nations Human Rights Council, reducing the reach and legitimacy of one of the few multilateral bodies tasked with universal monitoring of rights.

That same year, Lithuania, Estonia, Finland, Latvia, and Poland withdrew from the 1997 Anti-Personnel Mine Ban Treaty, while Lithuania separately pulled out of the 2008 Convention on Cluster Munitions. Proposals for other NATO members to take similar steps further highlight the erosion of norms against weapons that can indiscriminately harm civilians long after conflicts end. These shifts are coming as countries facing new security pressures increasingly prioritize military flexibility over humanitarian restrictions. The withdrawing states—all of which border Russia or Belarus—have cited the dangers they are confronting in the wake of the Kremlin’s full-scale invasion of Ukraine, which has been rife with human rights abuses. In light of the withdrawing countries’ statements, it seems unlikely that any would have withdrawn had Russia not invaded Ukraine—which underscores the snowball effect of diminishing postwar humanitarian norms, and why each violation matters.

Norms may be intangible, but after 1945 countries codified many of them into binding commitments in an effort to build a better world with such norms at its core. Once these norms are weakened, as appears to be occurring now, they may never recover. This diminishes international law, emboldens perpetrators of human rights violations and war crimes, fuels cycles of impunity, and leaves civilians increasingly vulnerable. The cumulative effect is a weakened global system of accountability at precisely the moment when conflicts and authoritarian forces are on the rise.

Sarah Wallace is a former program assistant for the GeoStrategy Initiative and Adrienne Arsht National Security Resilience Initiative in the Scowcroft Center for Strategy and Security.

Out of the dataset, out of mind

We know who we are because of our memories, our history, and our stories. Today, artificial intelligence (AI) is becoming an important part of how people store information, as generative AI tools are woven into search engines, social media platforms, and everyday interfaces like virtual assistants. The data these generative AI tools draw on to answer our questions or summarize our emails shapes how people understand the world.

The current generation of AI, however, is built on Western-centric datasets that are disproportionately produced, curated, and governed in North America and Western Europe, largely in English. Knowledge that is oral, community-held, locally archived, or produced outside these systems is far less likely to be captured. Optimized for volume rather than nuance, these systems put cultures that fall outside dominant data flows at risk.

The phenomenon of cultural erasure can take two forms: omission, where cultures fail to appear entirely, and simplification, where complex traditions are reduced to stereotypes. The cases of small and developing states illustrate these risks most vividly. Much of the intangible heritage of the world’s island states, for instance, remains under-digitized, preserved instead through oral storytelling, music, ritual, and collective memory. When generative AI encounters such cultures, it often only reflects what can be easily retrieved from training data. For example, AI-generated media depicting “Caribbean culture” tends to reproduce a narrow canon of beaches, rum, and steelpan. Missing are the complexities: linguistic diversity and multi-ethnic histories that define the region’s melting-pot identity. Pre-AI search engines didn’t return a complete, nuanced picture of these small cultures either. But generative AI can process so much data so quickly that the speed and scale of the threat have changed. The kind of responses AI tools offer can also create the impression of a more definitive answer. Where search engines returned a page of links or a variety of pictures for the user to browse and evaluate, generative AI products offer a more finished-looking result: complete sentences and paragraphs, or a single composite image. For the people living in these smaller states, AI-driven “data colonialism” shapes how the world sees them and, potentially, how they see themselves.

If AI advances to a point where it becomes the default lens through which people encounter culture, then nations and groups underrepresented in AI training data risk losing authorship of their own stories. The version that survives may be the one defined by external markets. Indigenous groups, minority-language speakers, and marginalized communities around the world all face this threat.

But small island states can use their position at the United Nations and elsewhere to elevate concerns around cultural data representation and press for international standards, compelling actors who can shape the global AI ecosystem to take action. These nations can play a catalytic role in making cultural representation a priority for technology governance, even if the power to execute change lies elsewhere.

Preventing cultural erasure means embedding diverse heritage into datasets, creating frameworks and metrics that assess cultural harm through an interdisciplinary lens, and ensuring AI governance treats cultural erasure as seriously as information manipulation or digital privacy. The question is not just whether AI models are accurate, but also whether they reinforce or erode the cultural foundations communities rely on. As AI increasingly shapes what the world finds, learns, and imagines, we must confront a pressing question: If a culture isn’t in the dataset, can it survive the AI era?

Dominique Ramsawak is the associate director of communications at the Atlantic Council’s Digital Forensic Research Lab.

Whether you want it to or not

The next tech disruption could be the human mind paired with cutting-edge neurotechnology. New kinds of neurotech create pathways for communications between the human brain and external devices, some implanted in the brain. Recent developments in neurotech that don’t require an implant—and could eventually even be portable—signal a future in which there could be ways to read someone’s thoughts, with or without their permission.

One such development is a semantic decoder that translates the brain’s electromagnetic waves into a continuous stream of text capturing what someone is thinking about, with varying degrees of precision. Currently, the decoder works with a trained model—a version of the large language models powering chatbots—using brain activity measured on a functional magnetic resonance imaging (fMRI) scanner. Earlier versions required a user to lie down in an MRI machine for the better part of a day to train the system. In 2025, researchers tested a version of the decoder that only requires an hour of training. Developments like these, coupled with investments expected to surpass four billion dollars in 2025, indicate the potential for additional advances in the field. And if neurotech follows the trajectory that computers did—the first computers took up an entire room; now billions of people carry one in their pocket—it’s possible there will be portable systems in the future.

While the idea of something invading your thoughts might be alarming, there are both positive and negative potential applications of this technology. Any patient with a medical condition that makes it difficult or impossible for them to speak—Parkinson’s disease, aphasia, the aftereffects of a stroke—could benefit. So could patients suffering from post-traumatic stress disorder who find it difficult to speak about their trauma.

Ethical considerations must also be taken into account. While it’s hard to predict exactly how this technology will evolve, laws protecting neural data privacy will be needed. In November 2025, UNESCO adopted the first global ethical framework for neurotechnology, seeking to ensure that “neurotechnological innovation benefits those in need without compromising mental privacy.”

In 1992, the physicist and theologian Ian Barbour observed that all technological advances are multifaceted in nature, acting as a liberator, a threat, and an instrument of power. That framework will hold true for the neurotech transformations we’ll experience in the years ahead.

Tatevik Khachatryan is an assistant director for events at the Atlantic Council.

Global Foresight 2036

In this year’s Global Foresight edition, our experts share findings from our survey of geostrategists on how human affairs could unfold over the next decade. Our scholars spot “snow leopards” that could have major unexpected impacts over the next decade. And our tech experts put AI’s forecasting ability to the test.

Learn more Full survey

Atlantic Council Strategy Paper Series Feb 10, 2026

Welcome to 2036: What the world could look like in ten years, according to nearly 450 experts

We polled geostrategists and foresight practitioners on our most burning questions about the biggest drivers of change over the next decade. Check out their forecasts on everything from the future of NATO to the rise of cryptocurrency.

Read More

Atlantic Council Strategy Paper Series Feb 9, 2026

Six ‘snow leopards’ to watch for in the decade ahead

By Uliana Certan, Nikita Shah, Ginger Matchett, Sarah Wallace, Dominique Ramsawak, Tatevik Khachatryan

Our scholars scan the horizon for the underappreciated phenomena that could have outsize impact on the world, driving global change and shaping the future.

Artificial Intelligence Climate Change & Climate Action

Atlantic Council Strategy Paper Series Feb 10, 2026

AI and the future

What does the next year, decade, and beyond hold for AI? We interviewed the Atlantic Council’s tech experts to learn more about AI’s future, and whether it can help us better understand our own.

Artificial Intelligence Technology & Innovation

The post Six ‘snow leopards’ to watch for in the decade ahead appeared first on Atlantic Council.

Bottom lines up front

• There is a clear demand for wider AI adoption across a wide variety of sectors in India, but existing pricing models for AI services leave large portions of the potential market for them untapped.
• Selling “AI sachets,” or individual AI prompts for low one-time fees, could expand access to AI throughout India.
• The Indian government should work with tech companies to create a proof of concept for the AI sachet model to determine its scalability and impact on AI adoption.

PUNE, INDIA—As India prepares for the AI Impact Summit on February 19 and 20, the Indian government’s pitch for wider adoption of artificial intelligence (AI) has centered on the potential for the technology to benefit Indian society. As my colleague Trisha Ray wrote in November, India “appears to be taking a people-centered approach, emphasizing use cases that have the greatest scope for positive impact for the widest swath of the population.”

During my time in Pune, a technology hub in Maharashtra, I spoke with local students, scientists, tech startup workers, and farmers. Though we met to talk about other topics, they consistently brought up AI and how they wished to take advantage of the technology. As I had more of these conversations, I found that to benefit the widest swath of the Indian population, the country should adopt a “sachet” approach to AI as a consumer product. The idea of applying the idea of sachets, or small packets used to package small consumer products, to AI is not new in India. But so far, this model has lacked proofs of concept and investment from the private sector, which has instead attempted to expand access by offering low-tier subscription models.

The sachet approach takes inspiration from the model that sparked India’s consumer goods revolution of the 1980s. Prior to that, Indian consumer products such as shampoo, talcum powder, and hair oil were sold in quantities of 50 grams (g) to 500 g. In the late 1970s, entrepreneur Chinni Krishnan found a niche in selling these products in cheap miniature packets, or sachets, containing as little as a few grams. By the mid-1980s, this more affordable consumer model made a wide variety of products more accessible to broader swaths of the Indian population.

Currently in India, a monthly ChatGPT or Perplexity Pro subscription costs ₹1,999 ($22.17) and a monthly Google AI subscription costs ₹1950 ($21.62). AI companies do recognize the need for less expensive and more accessible options, as the low-tier subscription services ChatGPT Go and Google AI Plus both cost ₹399 ($4.42) per month. Moreover, Google AI Pro and Perplexity Pro are also available for free for a year to eligible college students. And Perplexity AI partnered with telecom giant Airtel to offer a year’s free access to Perplexity Pro to Airtel’s 360 million subscribers. But this still leaves a huge portion of the potential Indian consumer market for AI untapped.

To make AI accessible to the widest possible swath of the population, AI developers should offer not just cheaper monthly subscription models but also sell the equivalent of a sachet of AI. This means offering small-scale uses of AI tools and applications for low fees. For example, one notable approach that has already been adopted is the IndiaAI Compute Pillar, which allows scholars, researchers, and startups to utilize computational power for less than a dollar per hour. To make this a scalable consumer product, however, the private sector would need data from the government on how the Compute Pillar is being used. Such data could make Compute Pillar a proof of concept for the AI sachet model. Under India’s AI Governance Guidelines, metrics for both the scale of adoption and how consistently the service is used could set the bar for whether this proof of concept should spur a larger-scale investment in such services.

India also has ample experience with scaling up such society- and accessibility-driven models. The Aadhaar biometric ID system, the Unified Payments Interface instant payment system, and the country’s digital public infrastructure (DPI) buildout were bottom-up models. For example, from 2011 to 2021, the number of Indian adults (ages fifteen and up) with a bank account rose from 35 percent to 80 percent thanks to this approach.

As an illustration for how this sachet model could be of use, think of the places where shampoo and other kinds of sachets are sold in India—usually small mom-and-pop stores run by one person or family. For such small stores, bookkeeping can be a laborious, time-consuming task. But with a ₹15 AI sachet, a shopkeeper could take photos of that day’s transactions, prompt an AI to parse the handwriting, and calculate revenue and inventory figures. If small business owners were to widely adopt AI sachets for such tasks, it would be a significant step toward demonstrating the scalability of the AI sachet model. This is how shampoos and other consumer goods expanded their footprints using the sachet model. 

During my trip to Pune, many of the people I spoke with were curious about how AI can help improve efficiency in areas including business, scholarship, research, management, and farming practices. When it comes to harnessing this demand for wider AI adoption, the government can play a major role in bringing stakeholders such as unions, cooperatives, and trade associations together with private sector AI developers to demonstrate the utility of AI for their respective fields.

At the AI Impact Summit, centering on the three sutras of “people, planet, and progress,” policymakers and tech company leaders should meet with small business owners, farmers (most of whom are small-scale), students, and others to discuss the benefits of AI adoption. Moreover, an AI impact case study in Pune or the wider state of Maharashtra could serve this purpose further, allowing the private sector and India’s AI governance model to bring more proofs of concept to empower society-driven, value-based AI adoption in India.

The post Dispatch from India: How a low-cost, high-quality consumer model can expand India’s AI adoption appeared first on Atlantic Council.

But the success of the New Delhi summit will depend on how effectively it moves beyond rhetoric to address the realities of AI adoption, including the need for workforce development. To this end, on January 23, the Atlantic Council hosted an official pre-summit event in partnership with the Indian embassy in Washington, DC. The event opened with remarks by Ajay Kumar, minister (commerce) at the Indian embassy in Washington, DC, as well as Tess DeBlanc-Knowles, senior director of the Atlantic Council’s Technology Programs. This was followed by a panel discussion with Martijn Rasser, vice president for technology leadership at the Special Competitive Studies Project; Nicole Isaac, vice president for global public policy at Cisco; and Peter Lovelock, chief consultancy and innovation officer at Access Partnership. Below are some of the key takeaways from that discussion, as well as several of the panelists’ recommendations for how to approach these issues heading into the AI Impact Summit. The discussion underscored that while the potential for AI-driven growth is immense, the hurdles, ranging from a global talent shortage to fragmented labor data, require more than just market forces to overcome.

The global AI talent gap

The current global AI talent landscape can be viewed as a pyramid, according to Rasser. At the apex, he said, sits a cohort of around ten thousand elite PhD-level researchers and machine learning engineers. While the United States and China currently dominate this top layer of researchers, the real opportunity for emerging powers lies at the applied level. India possesses significant depth in its service sector, but the true challenge is building institutional readiness, ensuring that organizations can effectively channel available talent into high-value applications.

The most underappreciated deficit is not in raw coding but in AI-adjacent skills. There is a pressing need for product managers and domain experts who can bridge the gap between technical tools and organizational needs. For emerging economies, said Lovelock, the goal should not be to replicate Silicon Valley’s research labs, but to build an ecosystem where AI is “burned into” industrial applications such as supply chain management and export-import calculations.

AI infrastructure as workforce policy

“At its core, AI is designed, built, and deployed by humans,” noted Knowles. Indeed, a persistent theme for the global majority is that connectivity cannot be separated from workforce policy. Without reliable digital access, Isaac noted, billions remain excluded from the transformative benefits of AI. Security is another foundational layer; as AI environments become more complex, training in cybersecurity and digital resilience becomes essential to protect vulnerable populations from bad actors.

Kumar, the Indian embassy official, laid out India’s strategy for a comprehensive five-layer “AI stack,” including sovereign models, semiconductors, and data centers. By providing compute power to educational institutions at a fraction of the global market rate, he argued, the government aims to democratize access across smaller cities. However, the widening digital divide remains a threat. If certain segments of the population are left behind, the resulting “have and have-not” divide could persist for generations, he said.

The other data problem

We cannot manage what we cannot measure. Policymakers, said Lovelock, are currently operating with “static” data that looks in the rearview mirror. Traditional labor statistics, often based on outdated surveys, are ill-suited for a fast-moving technology. Furthermore, labor data is often fragmented across various ministries, making it difficult to understand where the actual skill gaps lie.

Standard adoption metrics are increasingly irrelevant because individual AI use is highly varied. Instead of tracking who is using the technology, said Lovelock, governments need a “diffusion framework” that measures the actual impact of AI use on the economy. Only then can they make the strategic bets required for a long-term return on investment.

Four pillars for the summit’s AI talent agenda

Following from the panelists’ insights, the AI Impact Summit can deliver a scalable and inclusive AI talent framework by coalescing the global community around four primary actions:

• Modernize education through personalized AI tools. Rather than sticking to the “one-to-many” broadcast model of traditional schooling, curricula should be reformed to put AI tools directly in the hands of students. This shift allows for personalized learning and ensures that students learn by doing, preparing them for a rapidly changing job market.
• Create an AI Diffusion Index to measure actual adoption. Policymakers should move away from static adoption statistics and toward real-time data signals that measure how AI is being embedded into industrial and public services. This requires supplementing government surveys with nontraditional data sources to better align educational output with actual labor market demand.
• Treat connectivity and security as foundational workforce issues. Investment in fiber and satellite infrastructure must be paired with training in digital resilience and cybersecurity. This ensures that the benefits of AI are shared broadly and that new users are protected from the heightened risks of an AI-ready environment.
• Position government as the “first user” of new technologies. The public sector should take the lead in adopting AI for the delivery of public services in agriculture, healthcare, and education. By demonstrating the usefulness and accessibility of these tools within government, the state can send a powerful signal to the broader population and help accelerate national adoption.

The success of the AI Impact Summit will be measured not just by the declarations its participants make, but by the structural cooperation that survives past February. The summit offers a rare opportunity to pool global resources to solve the AI workforce crisis, replacing anecdotal evidence of AI adoption with rigorous data and flexible approaches to meet shifting workforce needs. At the summit, New Delhi has the opportunity to transform a week of dialogue into a sustained, collaborative framework that can help enable emerging economies to tap the benefits of AI adoption.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

New Atlanticist Nov 24, 2025

Safety should be front and center in India’s vision for its AI Impact Summit

By Trisha Ray

Despite the headline attention on impact, safety needs to be fundamental to India’s vision for artificial intelligence that engenders trust, inclusion, and empowerment.

Artificial Intelligence India

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post How India’s AI talent playbook can provide a blueprint for aspiring AI powers appeared first on Atlantic Council.

On January 30, Yasmine Abdillahi, a nonresident senior fellow with the Africa Center published an article in Le Monde arguing that although Africa accounts for nearly 20% of the world’s population, it contributes less than 1% of the data used to train AI systems. This imbalance, she warns, risks excluding African languages, cultures, and lived realities from artificial intelligence.

More about our expert

Fellow

Yasmine Abdillahi

Nonresident Fellow

Africa Center

Africa Cybersecurity

The post Abdillahi in Le Monde on artificial intelligence (AI) in Africa appeared first on Atlantic Council.

Bottom lines up front

• Business and geopolitics collided at last week’s World Economic Forum in Davos, as leaders confronted how deeply markets, national security, and policy are now intertwined.
• US tariff policies forced a sober reassessment of global trade, while AI drew a mix of optimism and concern over risks, ethics, and regulation.
• Despite a US–Europe focus in Davos, other powers were active, too, with Canada’s prime minister warning that the rules-based order is rupturing.

DAVOS—This week Davos, Switzerland, returns to being a charming ski town. The shops and restaurants—temporarily rented by every major tech company on the planet to host events and receptions—return to their owners and will soon be filled with tourists on holiday.  

But what happened at the 2026 World Economic Forum won’t soon be forgotten. This was the year the forum changed policy. As one attendee told us on her way off the mountain, “Imagine what would have happened this week if Trump didn’t have to meet the Europeans face to face.” It’s an intriguing, if chilling, thought.

While Trump’s speech this past Wednesday and his subsequent decision to backtrack on Greenland threats drove the roller coaster news cycle of the week, there were several other notable moments that may have much longer term—and more important—policy repercussions. Here’s what we saw on the ground:

The two Davoses

Davos is always two different things at once. “Business Davos” is the place where executives huddle in Swiss office buildings negotiating deals far away from the TV cameras. This is, actually, what brings most people to the mountain year after year. That Davos traditionally operated independently from “geopolitical Davos.” That’s the Davos most people are familiar with—leaders from around the world speaking in the Congress Center, and academics, journalists, and think tankers debating on panels. 

Most years, those two Davoses can operate in their own spheres. But not this year. Last Monday, as markets swung sharply negative on the Greenland news, business Davos had its eyes glued to the Congress Center. Leaders of some of the largest companies in the world lined up and waited just like everyone else to get a seat. Suddenly, everyone was an expert on Nuuk, the Arctic, and whether military leases were a viable compromise. It was a reminder of a big lesson of the past few years—from the COVID-19 pandemic to Russia’s invasion of Ukraine—that finance and national security are deeply interconnected. In fact, there’s a good word for that—geoeconomics. 

The new reality of tariffs

One year ago Davos attendees watched Trump’s inaugural address and then listened to him virtually address the forum. He hardly said the word “tariffs” once between the two speeches, and the delegates decided that his threats during the campaign were just threats. What a difference a year makes. After twelve months of the biggest shock to the global trading system in decades, which left the world facing the long-term prospect of the US economy having a 10 percent or higher tariff rate, reality settled in on the mountain. Gone was the optimistic talk about how deregulation was going to lead to an investment boom. In its place was chatter about finding new trade arrangements with emerging markets, and forecasting what would happen if the Supreme Court rules against Trump in the tariff case. 

The risk and rewards of artificial intelligence

Few topics were more in the air in Davos than artificial intelligence (AI). Almost every billboard and storefront had a reference to AI—whether for supply-chain efficiency or content creation. On the surface, businesses wanted to project confidence, with AI positioned as the engine of future growth. But step inside these company events and a different picture emerged. Many featured chief risk officers or chief ethics officers, titles that barely existed a few years ago, grappling with questions around the different types of “risks,” whether those were geopolitical risks, economic risks, or climate risks. There was a stark contrast between the glossy AI optimism outside and the sober risk assessment on the inside of these conversations, and a reminder that for all the promise of growth, the industry knows the hard questions are just beginning.

More than a transatlantic affair

On the main stage and in the global news cycle, this Davos felt like a US–Europe affair. Tariffs announced and abandoned on European allies. French President Emmanuel Macron responding directly. US Treasury Secretary Scott Bessent outlining the health of the US economy. California Governor Gavin Newsom sparring rhetorically with Washington. For audiences watching from afar, it was easy to conclude this was a narrow, transatlantic Davos.

On the ground, however, the picture was far more global. Brazil House, India House, Indonesia House, and a dozen country pavilions were packed with programming all day. A large Pakistani delegation arrived on its own official shuttle bus. Philippines House ran cultural programs, including concerts featuring traditional music, alongside policy panels.

India, in particular, projected quiet confidence. Officials framed the country as a durable pillar of global growth, especially on AI. China maintained a low profile, with Chinese Vice Premier He Lifeng offering brief remarks about Beijing’s willingness to buy more foreign goods and services—a notably muted presence compared to previous years.

Yet the US footprint on the promenade was impossible to miss. The US delegation was one of the largest in Davos, anchored by a sprawling USA House with a dense schedule of events and receptions. From the number of officials and security on the ground to the symbolic bald eagle overlooking the promenade, the message was clear: US influence loomed over nearly every discussion. For all the activity in country pavilions, this remained a global forum shaped by great-power rivalry.

From Canada, a clarion call 

Canadian Prime Minister Mark Carney delivered one of the most consequential addresses during Davos, declaring that the post–Cold War rules-based international order is “in the midst of a rupture, not a transition.” Carney argued that great-power rivalry, economic coercion, and unilateral actions by dominant states (not mentioning Trump by name) have weakened longstanding global norms and institutions. He called on middle powers to work together to protect their interests and build new cooperative frameworks rooted in shared values. Simply going along to get along is no longer the answer, he argued. Whether other middle powers respond to that message may be the single most important question from this year’s forum. 

Descending the mountain

As delegates packed their bags and headed down the mountain, few were under any illusions. The convergence between business Davos and geopolitical Davos is the new reality. The tightrope that companies are walking is not getting any less precarious. And the question of whether economic cooperation can survive an era of rising geopolitics remains very much unanswered.

Next year’s forum may face these same tensions. The key question is whether the world will have found ways to navigate them successfully or whether the rupture Carney described will have deepened further.

The post Inside the biggest Davos debates (other than Greenland) appeared first on Atlantic Council.

Throughout the year, technological breakthroughs from both the United States and China ratcheted up the competition for AI dominance between the superpowers. Countries and companies raced to build vast data centers and energy infrastructure to support AI development and use. The scramble for cutting-edge chips pushed Nvidia’s valuation past five trillion dollars—the first company to reach that milestone—even as concerns mounted over circular financing and the question of how much the AI boom is founded on hype versus reality. Meanwhile, policymakers grappled with the balance between safety, security, and innovation and how to manage possible labor disruptions on the horizon.

As 2026 begins, rapid AI integration threatens to inject even more unpredictability into an already fragmented global order. Below, experts from the Atlantic Council Technology Programs share their perspectives on what to expect from AI around the globe in the year ahead.

Click to jump to an expert prediction: 

Emerson Brooking: AI poisoning goes mainstream

Tess deBlanc-Knowles: The US pushes AI tech exports to counter China

Konstantinos Komaitis: AI governance turns global

Ryan Pan: The US-China AI race intensifies in a multipolar world

Esteban Ponce de León: AI challenges human judgment

Trisha Ray: Countries go all in on ‘sovereign AI’

Mark Scott: The battle of the AI stacks escalates

Kenton Thibaut: China doubles down on AI-powered influence operations

AI poisoning goes mainstream

Russia’s Pravda network of websites has published millions of articles targeting more than eighty countries. These sites launder and amplify content from Russian state media, seeking to legitimize Russian military aggression while casting doubt on Western support for Ukraine. Most of these articles will never be viewed by a human. Instead, they seem intended to target the web crawlers that scour the internet for training data to feed to insatiable AI models.

And the strategy is working. Last year, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and CheckFirst demonstrated how mass-produced Pravda articles were cited in Wikipedia, X Community Notes, and responses from major chatbots. Parallel research by Anthropic and the United Kingdom’s AI Safety Institute has shown how trace amounts of faulty data can effectively “poison” even very large models. People increasingly turn to AI systems to understand current events. If an AI model’s knowledge has been altered by sources intended to deceive, then the users’ will be, too.

In 2026, the issue of AI poisoning will break into the mainstream. Because of a roughly two-year lag in AI training data (many AI models are still waiting for the results of the 2024 US presidential election, for instance), these AI-targeted propaganda campaigns are about to start manifesting more often. And because one cannot reliably audit what’s inside a deployed AI model, the result will be a staggering research and policy challenge.

Digital policy experts, including the DFRLab, have spent a decade learning to identify, explain, and expose online disinformation where people can see it. This is online disinformation where they can’t.

—Emerson Brooking is the director of strategy and a resident senior fellow with the Atlantic Council’s Digital Forensic Research Lab.

The US pushes AI tech exports to counter China

In 2026, the United States will double down on exporting the US tech stack as the cornerstone of its international AI strategy. In December 2025, US President Donald Trump set the tone with his decision to allow Nvidia to export its advanced H200 chips to China, a clear endorsement of the view that the United States wins when the world builds and deploys AI using US technology.

Published days before the Nvidia decision, the Trump administration’s National Security Strategy makes this explicit: “We want to ensure that US technology and US standards—particularly in AI, biotech, and quantum computing—drive the world forward.” This framing echoes the AI Action Plan the administration released in July 2025, which stated that the “United States must meet global demand for AI by exporting its full AI technology stack,” warning that a failure to do so would be an “unforced error.”

In 2026, expect to see the United States sign more AI-focused partnerships like those forged with Saudi Arabia and the United Arab Emirates in 2025, alongside efforts to counter China’s growing influence in emerging markets. But as the United States makes this push, China holds some key advantages. Its lead in open-source AI models and focus on applied AI could prove to be the winning formula for capturing global market share with free models and deployment-ready technologies.

—Tess deBlanc-Knowles is the senior director of Atlantic Council Technology Programs.

AI governance turns global

In 2026, AI governance enters its first truly global phase with the United Nations–backed Global Dialogue on AI Governance and Independent International Scientific Panel on AI. For the first time, nearly all states have a forum to debate AI’s risks, norms, and coordination mechanisms, signaling that AI has crossed into the realm of shared global concern.

Yet this ambition unfolds amid acute geopolitical tension: The European Union pushes a rights- and risk-based regulatory model, while the United States favors voluntary standards to preserve innovation and security flexibility. For its part, China promotes inclusive cooperation while defending state control over data and AI deployment. Smaller and developing states gain a voice but remain structurally dependent on the major powers that control the bulk of AI talent, capital, and computing power.

The result is a fragile, uneven global framework. States converge on scientific assessments, transparency norms, and voluntary principles, but they avoid binding limits on high-risk AI uses such as autonomous weapons, mass surveillance, or information manipulation. Coordination emerges, but the core strategic competition remains unresolved, producing a governance architecture that manages risks at the margins while leaving rival models largely intact.

By the end of 2026, the Global Dialogue will likely have made AI governance global in form but geopolitical in substance—a first test of whether international cooperation can meaningfully shape the future of AI or merely coexist alongside competing national strategies. This juncture offers states an opportunity to demonstrate leadership by strengthening institutional capabilities and collaborative mechanisms, fostering a global AI governance framework that is more coherent, equitable, and universally engaged.

—Konstantinos Komaitis is a resident senior fellow with the Atlantic Council’s Democracy + Tech Initiative.

The US-China AI race intensifies in a multipolar world

The year ahead will see an even fiercer competition over AI dominance between the world’s two largest powers—the United States and China—while middle powers gradually close the gap in the race. China’s DeepSeek started off this year with a research paper on a new AI training method to efficiently scale foundational models and reduce costs. This publication comes almost exactly a year after the headline-making paper it released in January 2025, which was followed by the launch of DeekSeek-R1. The timing of this year’s new publication signals that the company will launch new models and continue shaping the world’s AI industry this year.

In 2026, expect China to double down on its open-source AI strategy to influence the world’s AI infrastructure. (Several major US tech companies are already using Chinese large language models in their applications.) The United States and China may also engage in further trade retaliation in the AI supply chains in light of recent developments in Venezuela, from which Chinese companies had gained access to rare earth minerals crucial to developing the AI stack. The Trump administration’s recent claims regarding Colombia, from which China also sources rare earth elements, could make Latin America the next technology battleground between the two powers.

But what about powers beyond the United States and China? In 2026, look for Europe to increase its AI defense investments even more than it did in 2025. Middle powers, notably India, will see their AI capability greatly improved this year, as US tech giants have recently pledged billions in investments in India’s AI capabilities. 

The AI race in 2026 will still be defined by a multipolar order. Nevertheless, the United States and China will continue to yield the greatest influence.

—Ryan Pan is a program assistant with the Atlantic Council’s GeoTech Center.

AI challenges human judgment

In 2026, human–AI interaction will likely challenge human judgment and identity more deeply than in any year to date. This is not only because AI models are demonstrating increasingly complex capabilities, but also because AI-generated content can be so emotionally charged in today’s polarized information environment.

Online sources and social media have shown how polarization can be deliberately targeted, and the use of AI to generate fabricated or distorted content adds a new layer to how social and political events are interpreted. AI content is reshaping the dynamics of both manipulation and what could be described as a “misinformation game,” in which techniques such as the deployment of AI slop and the memeification of events are used to mock adversaries and amplify key propaganda narratives. For example, in June 2025, amid the Israel-Iran escalation, AI became the new face of propaganda. This included graphic and sensational AI-generated fake content, such as fabricated missile strikes, military hardware, religious and national symbols, and memes. But it also included more sophisticated fabrications of CCTV footage that became increasingly difficult to debunk.

In the first days of 2026, as the Trump administration captured Venezuelan strongman Nicolás Maduro, the use of AI to generate media content increased drastically. While much of this content was humorous or satirical in nature, it nonetheless illustrates emerging usage patterns, as playful AI-generated media can still shape perceptions of power and blur the line between satire, manipulation, and propaganda. Whether fabricated content aims to provoke humor or confusion, human judgment will face new challenges in the year ahead.

This challenge to human judgment and identity extends beyond misinformation. In 2026, the AI landscape may begin to show early signs of benchmark saturation, in which models converge at near-maximum scores on established capability tests, collapsing the measurable differences between them. This matters for the information environment because the same logic applies: If distinguishing real from fabricated content becomes difficult, then so too does distinguishing what humans uniquely contribute from what AI can replicate. The implications extend to professional identity and how to understand individual value and competence.

—Esteban Ponce de León is a resident fellow with the Digital Forensic Research Lab.

Countries go all in on ‘sovereign AI’

There are unprecedented amounts of capital flowing in to meet the anticipated demand for AI. Last year, for instance, kicked off with Trump’s announcement of Stargate, with the aim of investing $500 billion in AI infrastructure over five years. The principle driving this trend is straightforward: Countries think they must control AI before it controls them. Consequently, there was a wave of sovereign AI announcements in 2024 and 2025.

That momentum will only grow in 2026, starting with the launch of India’s sovereign large language model at the AI Impact Summit in February. Nations are seeking sovereign AI to strengthen their domestic economies, protect national security, mitigate geopolitical shocks, and reflect national values. However, there’s a catch: Not every country can, or should, try to build every part of the AI stack on its own. Trying to recreate from scratch everything from data centers to models is expensive, redundant, and impractical. Nations will need to choose what to build, what to buy, and where partnerships make more sense than going solo.

—Trisha Ray is an associate director and resident fellow with the GeoTech Center.

The battle of the AI stacks escalates

As AI becomes more central to countries’ economic prospects, national policymakers will likely seek to impose greater control over critical digital infrastructure. This infrastructure includes compute power, cloud storage, microchips, and regulation, and it is central to how emerging AI technology will develop in 2026. For the world’s largest digital powers—the United States, the European Union, and China—the push to control this infrastructure will likely evolve into a battle of the “AI stacks”—increasingly opposing approaches to how such core digital AI-enabling infrastructure functions at home and abroad.

The White House’s AI Action Plan, published in July 2025, made it the stated policy of the federal government to export the US stack to third-party countries, including via potential funding support from the US Department of Commerce for other governments to purchase offerings from the likes of Microsoft, OpenAI, and Nvidia. The European Commission has earmarked billions of euros for so-called AI gigafactories, or high-performance computing infrastructure, from Estonia to Spain, while national leaders also vocally called for a “Euro stack.” The Chinese Communist Party is urging local firms to forgo Western AI know-how and rely instead on domestic alternatives from companies such as Alibaba or Huawei.

The rest of the world will have to navigate these increasingly rivalrous approaches to AI infrastructure at a time when all countries seek greater control of so-called digital public infrastructure—that is, the underlying hardware and, increasingly, software needed to power complex AI systems. How these different AI stacks interact with each other will be critical to how the technology develops over the next twelve months.

—Mark Scott is a senior resident fellow with the Atlantic Council’s Democracy + Tech Initiative.

China doubles down on AI-powered influence operations

In 2026, the People’s Republic of China’s (PRC’s) AI-enabled disinformation efforts are likely to intensify in scale, persistence, and technical sophistication, particularly those targeting Taiwan. PRC actors are already using AI-generated audio, video, and text, distributed through networks of fake accounts and contracted private firms, to conduct “cognitive warfare” campaigns aimed at shaping political perceptions and voter behavior. These campaigns prioritize volume, localization, and algorithmic exploitation, and they are increasingly designed to be continuous rather than episodic. As AI-generated content is blended with human-curated messaging and commercial infrastructure, PRC-linked operations will become harder to detect and attribute, reflecting a shift toward more deniable, adaptive, and professionalized influence operations.

At the same time, Beijing is expected to pair these activities with defensive diplomatic messaging that rejects allegations of PRC-linked disinformation or cyber operations and reframes such claims as politically motivated attacks. This pattern reinforces a broader hybrid strategy in which AI-enabled influence operations, cyber activity, and diplomatic signaling are tightly integrated. In 2026, PRC disinformation campaigns are likely to focus less on overt propaganda and more on shaping narratives around crises and cyber incidents, contesting blame, eroding trust in attribution, and influencing strategic decision-making outcomes.

—Kenton Thibaut is a senior resident fellow with the Democracy + Tech Initiative. 

The post Eight ways AI will shape geopolitics in 2026 appeared first on Atlantic Council.

News of this successful recent deployment highlights the potential of Ukraine’s robot army at a time when the country faces mounting manpower shortages as Russia’s full-scale invasion approaches the four-year mark. Robotic systems are clearly in demand. The Ukrainian Ministry of Defense has reported that it surpassed all UGV supply targets in 2025, with further increases planned for the current year. “The development and scaling of ground robotic systems form part of a systematic, human-centric approach focused on protecting personnel,” commented Defense Minister Denys Shmyhal.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

The current emphasis on UGVs is part of a broader technological transformation taking place on the battlefields of Ukraine. This generational shift in military tech is redefining how modern wars are fought.

Since the start of Russia’s full-scale invasion in February 2022, homegrown innovation has played a critical role in Ukraine’s defense. Early in the war, Ukrainian troops deployed cheap commercial drones to conduct reconnaissance. These platforms were soon being adapted to carry explosives, dramatically expanding their combat role. By the second year of the war, Ukraine had developed a powerful domestic drone industry capable of producing millions of units per year while rapidly adapting to the ever-changing requirements of the battlefield.

A similar process has also been underway at sea, with Ukraine deploying domestically produced naval drones to sink or damage more than a dozen Russian warships. This has forced Putin to withdraw the remainder of the Black Sea Fleet from occupied Crimea to Russia itself. Recent successes have included the downing of Russian helicopters over the Black Sea using naval drones armed with missiles, and an audacious strike on a Russian submarine by an underwater Ukrainian drone.

By late 2023, drones were dominating the skies over the Ukrainian battlefield, making it extremely dangerous to use vehicles or armor close to the front lines. In response to this changing dynamic, Ukrainian forces began experimenting with wheeled and tracked land drones to handle logistical tasks such as the delivery of food and ammunition to front line positions and the evacuation of wounded troops.

Over the past year, Russia’s expanding use of fiber-optic drones and tactical focus on disrupting Ukrainian supply lines has further underlined the importance of UGVs. Fiber-optic drones have expanded the kill zone deep into the Ukrainian rear, complicating the task of resupplying combat units and leading to shortages that weaken Ukraine’s defenses. Robotic systems help counter this threat.

Eurasia Center events

Online Event Fri, April 3, 2026 • 8:00 am ET

Building Central Asia’s future through regional integration

Central Asia Economy & Business Europe & Eurasia Politics & Diplomacy

Remote controlled land drones offer a range of practical advantages. They are more difficult to jam electronically than aerial drones, and are far harder to spot than trucks or cars. These benefits are making them increasingly indispensable for the Ukrainian military. In November 2025, the BBC reported that up to 90 percent of all supplies to Ukrainian front line positions around Pokrovsk were being delivered by UGVs.

In addition to logistical functions, the Ukrainian military is also pioneering the use of land drones in combat roles. It is easy to see why this is appealing. After all, Ukrainian commanders are being asked to defend a front line stretching more than one thousand kilometers with limited numbers of troops against a far larger and better equipped enemy.

Experts caution that while UGVs can serve as a key element of Ukraine’s defenses, they are not a realistic alternative to boots on the ground. Former Ukrainian commander in chief Valerii Zaluzhnyi has acknowledged that robotic systems are already making it possible to remove personnel from the front lines and reduce casualties, but stressed that current technology remains insufficient to replace humans at scale.

Despite the advances of the past four years, Ukraine’s expanding robot army remains incapable of carrying out many military functions that require infantry. When small groups of Russian troops infiltrate Ukrainian positions and push into urban areas, for example, soldiers are needed to clear and hold terrain. Advocates of drone warfare need to recognize these limitations when making the case for greater reliance on unmanned systems.

UGVs will likely prove vital for Ukraine in 2026, but they are not wonder weapons and cannot serve as a miracle cure for Kyiv’s manpower challenges. Instead, Ukraine’s robot army should be viewed as an important part of the country’s constantly evolving defenses that can help save lives while raising the cost of Russia’s invasion.

David Kirichenko is an associate research fellow at the Henry Jackson Society.

Further reading

UkraineAlert Dec 24, 2025

The art of war is undergoing a technological revolution in Ukraine

By Oleg Dunda

Ukraine’s battlefield experience since 2022 confirms that in order to be successful in modern warfare, armies should model themselves on technological giants like Amazon and SpaceX, writes Oleg Dunda.

Conflict Cybersecurity

UkraineAlert Jan 7, 2026

Ukraine security guarantees are futile without increased pressure on Putin

By Peter Dickinson

Western leaders have hailed progress toward “robust” security guarantees for Ukraine this week, but until Putin faces increased pressure to make peace, Russia will remain committed to continuing the war, writes Peter Dickinson.

Conflict France

UkraineAlert Dec 4, 2025

Ukraine’s warning to the West: A bad peace will lead to a bigger war

By Myroslava Gongadze

It is delusional to think that sacrificing Ukraine will satisfy Russia. Instead, a bad peace will only lead to a bigger war, while the price of today’s hesitation will ultimately be far higher than the cost of action, writes Myroslava Gongadze.

Conflict Corruption

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values, and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The post Ukraine’s robot army will be crucial in 2026 but drones can’t replace infantry appeared first on Atlantic Council.

Executive summary

From classrooms to farming communities, generative artificial intelligence (gen AI) holds great potential for Africa. The key question is whether its promise of abundance will reach everyone—or only those already well-connected.

The technology should be regulated with both its strengths and weaknesses in mind, and approached with a healthy dose of skepticism toward corporate advocates; but ignoring the obvious value and use of gen AI makes little sense. Those concerned with development in Africa must engage with the technology and consider its potential for reducing poverty and strengthening education, alongside other priorities such as digitizing and preserving languages.

Gen AI poses real risks and requires guardrails, especially for young people. Yet disengagement carries risks of its own: if gen AI is not actively shaped and governed, the very youths and communities it could benefit—or harm without proper controls—risk being left behind. Not engaging with gen AI would be not only harmful but also patronizing. More conversation is needed between those inventing and implementing gen AI models and those who work in development assistance, including actors involved in shaping and advancing the UN Sustainable Development Goals (SDGs). Two of these SDGs—ending poverty and providing quality education—closely mirror gen AI’s promise, or boast, of future “abundance” and human or even superhuman intelligence. The SDG and gen AI camps must explore what each can realistically offer the other.

Issue Brief Apr 24, 2025

The Millennium Challenge Corporation could prove essential in the race for critical minerals. Reform it, don’t shut it down.

By Aubrey Hruby

As the Trump administration aligns foreign aid with core strategic interests, the MCC represents an underutilized asset.

Critical Minerals Energy & Environment

Issue Brief Jul 21, 2025

Atlantic piracy, current threats, and maritime governance in the Gulf of Guinea

By Maisie Pigeon

A drop in attacks in the Gulf of Guinea does not necessarily mean piracy has been resolved. Pirates have adapted their tactics, and the potential for resurgence remains high; this issue remains a critical security and development concern. It is not just a regional priority—it is an international imperative.

Africa Economy & Business

Issue Brief Jun 10, 2025

Marine energy: Harnessing the power of the Atlantic

By William Yancey Brown

In partnership with the Policy Center for the New South, the Atlantic Council’s Africa Center is launching a new series of publications and events dedicated to the power of the Atlantic ocean with an inaugural policy brief on energy and mineral potential.

Africa Critical Minerals

The Africa Center works to promote dynamic geopolitical partnerships with African states and to redirect US and European policy priorities toward strengthening security and bolstering economic growth and prosperity on the continent.

Learn more

The post Engaging generative artificial intelligence in African development appeared first on Atlantic Council.

Bottom lines up front

• Allowing Nvidia to sell H200 series chips to Chinese customers appears to be a compromise move by the Trump administration to help Nvidia’s global market share without giving China access to cutting-edge Blackwell chips.
• But the move will allow China to eat into the US advantage in global computing, undermining the administration’s own goals of maintaining US global leadership in AI.

WASHINGTON—In a Truth Social post on Monday that shook up the global tech race, US President Donald Trump announced his approval for Nvidia to sell its H200 (“Hopper”) series chips to “approved customers” in China, with the United States receiving a 25 percent cut of the revenues.

This marks the latest pendulum swing in the administration’s approach to export controls on advanced artificial intelligence (AI) chips. In July, Trump allowed the sale of Nvidia’s less powerful H20 chips to China with a 15 percent revenue share requirement, pulling back from an April announcement that his administration would ban the sale of those same chips. Even the same morning of Trump’s announcement, the US attorney’s office in Houston trumpeted the disruption of a smuggling operation focused on exporting H200 and the older H100 chips to China. 

In his post on Monday, Trump said that Chinese President Xi Jinping “responded positively” to the decision; on Tuesday a spokesperson for China’s foreign ministry dodged a question about the deal. If Xi is on board, this is significant, since when the H20 controls were lifted, China’s Cyberspace Administration banned Chinese firms from purchasing H20s, citing security concerns. Whether Xi took this step to protect domestic chip manufacturers or as a bet to unlock higher-performing exports (such as the H200s) remains unclear. 

While the H200 far surpasses the capabilities of the H20, it’s still a generation behind Nvidia’s cutting-edge Blackwell chips and will soon be overshadowed by the forthcoming Rubin architecture. Prior to meeting with Xi in October, Trump floated the idea of allowing Blackwell exports. But following the meeting, Trump said that the topic did not come up. Notably, Monday’s announcement stops short of allowing the export of Blackwell chips. 

The Trump administration’s rationale

The Trump administration’s calculus comes down primarily to economics and the belief that projecting US technology abroad strengthens national power. Allowing the export of H200s to China will provide Nvidia access to the world’s largest single market and likely ensures that the next generation of Chinese AI runs on US hardware. 

Proponents of this approach claim this move could slow the development of China’s indigenous AI capabilities by cutting off revenue to companies such as Huawei as sales divert to Nvidia. Under Xi’s leadership, China has undertaken a concerted national strategy to build a domestic chip manufacturing capability and break free from dependence on Western technology. 

The 25 percent cut from sales to the US government gives the administration another means to tout benefits to the taxpayer. Still, recent reports of a special security review that the chips will undergo before export raise questions about how processes will be structured to legally charge this fee. Expect more from the administration in the coming days on how it will navigate this novel approach.

By approving exports of H200 chips but not Blackwell chips, the administration is attempting to strike a compromise position between those who see the advantages of strengthening Nvidia’s global market share and those worried about eroding the United States’ AI advantage.

The real implications

The United States and China are locked in an existential race for AI supremacy. Until now, the United States’ one true advantage has been access to cutting-edge compute. 

In recent years, China has proven that it can build frontier models that rival the performance of the leading models in the United States. It produces top AI talent and has cultivated a vibrant AI start-up ecosystem. Chinese companies have access to the same data as their US counterparts while also benefiting from internal data, such as that stemming from China’s surveillance state and widespread AI deployment. China also has a leg up in terms of energy generation, producing more than twice the electricity that the United States did in 2024.

Where the United States maintains a definitive edge is on aggregate computing power. As of mid-2025, the US share of global AI computing power reached 74 percent, with China at only 14 percent. Aggregate computing power is critical for training new frontier models, supporting the widespread use of AI and new applications of the technology, and exploring new architectures and pathways toward more powerful systems. Recent reporting finds that much of the compute used by companies such as OpenAI is in service of research. 

Allowing Chinese companies to purchase H200 chips will significantly degrade this advantage. Chinese companies will likely pursue a strategy of scale, networking H200 chips into clusters that could rival the performance of Blackwell chips, albeit with a higher price tag. This is a strategy already widely employed in China to maximize the performance of their domestically produced, lower-end chips. With access to H200 chips, Chinese firms will be positioned to train the next generation of models and provide cloud-computing services beyond their borders. This would put them into competition with US providers for international market share and fundamentally undermine the Trump administration’s goal of establishing the US AI tech stack as the global standard. 

Estimates for how far China’s domestic chip manufacturing capability lags that of the United States range from five to fifteen years. Currently, China cannot produce at scale to meet domestic demand. The Trump administration has estimated, for example, that major Chinese tech giant Huawei can only produce 200,000 of its Ascent AI chips this year, which is only 1-2 percent of estimated US production. Access to H200s could bridge this gap, allowing Chinese AI companies to compete globally until domestic manufacturing capability has reached parity. At which point, they would almost certainly move away from Nvidia. 

From a national security perspective, many fear that H200 chips will not only bolster Chinese industry but also the People’s Liberation Army’s defense capabilities. Given China’s civil-military fusion doctrine, restricting sales to approved corporate entities likely won’t prevent military use. 

Finally, the question remains whether Nvidia has the capacity to serve the Chinese market without eroding its ability to meet demand from US companies. Already, surging demand from data center build-outs is putting stress on the supply chain, and research universities are struggling to procure chips to support crucial research and education efforts. 

As China moves forward to aggressively integrate AI into every aspect of its economy and society, as outlined in its recent “AI plus” initiative, providing the computational fuel to realize this vision will supercharge the United States’ strongest AI competitor, significantly endangering the Trump administration’s own global AI ambitions.

The post Why exporting advanced chips to China endangers US AI leadership appeared first on Atlantic Council.

• Executive summary
• Introduction
• A shared cloud computing vocabulary
• Cloud computing and artificial intelligence
• Building trust
• Digital sovereignty and data localization
• Implications for cybersecurity and AI
• Conclusion
• Author and acknowledgements

Executive summary

Placing trust in cloud computing is no longer optional. Cloud computing is essential to critical infrastructure, commercial, and government operations.¹ Outages over the past few months emphasize the vitality of cloud services to modern economies and essential government services.² As cloud adoption and transformation continue, policy attention should shift from the question of whether to simply trust cloud computing to the methods for establishing and verifying that trust.  

The stakes will only continue to increase as artificial intelligence systems, which have been identified by the US, China, and the European Union as essential national priorities, continue to utilize cloud infrastructure for development and deployment.³ Sophisticated and unsophisticated threat actors continue to target cloud computing systems, striking rapidly, globally, and opportunistically. ⁴ These cloud incidents can result in data theft, financial losses, and operational disruptions. Even accidents require rapid coordination and information sharing to ensure systems can get back up and running as quickly as possible.⁵

Ensuring trust in cloud computing systems between nations and cloud providers is an essential task for modern economies, national security, and ways of life. This report argues that cloud trust will require collaboration between providers, nation states, and customers, but should not start with location requirements and geographic restrictions on access to cloud computing. Instead, national cloud policies should prioritize criteria of trust that verifiably and meaningfully improve the security of customer cloud operations. 

Introduction

As a component of artificial intelligence deployment, development, and use, as well as an enabling technology for business, government, and critical infrastructure functions, cloud computing is a fixture of cyber policy discussions. Within the emerging AI supply chain, cloud services are the means of deploying ‘compute’, a critical resource powering models in both training and inference throughout the global economy.⁶ This paper aims to offer a nuanced discussion of cloud computing through the consolidation of a shared policy vocabulary and common technical principles to describe and understand trust in cloud computing. By adding detail to how cloud computing is portrayed, policymakers can more effectively understand the systems they’re expected to trust. By adding granularity to existing discussions of cloud computing, policymakers can more effectively understand the systems they are expected to trust and better appreciate how policy shapes both those systems and that trust.  

Attackers continuously scan public-facing devices and infrastructure for misconfigurations and weaknesses.⁷ Countries with advanced cyber capabilities, including Russia, China, North Korea, and Iran, show no signs of ceasing cyber threat activity.⁸ The pace of vulnerability exploitation continues to accelerate, and within days of their public disclosure, attackers weaponize vulnerabilities to gain access to and exploit cloud environments.⁹ Meanwhile, policy debates often focus on limiting access from cloud providers to customer information, instead of ensuring the security of such resources and information from adversary access. 

Developing a more compelling model and framework for trust in cloud computing requires bridging debates around localization, digital sovereignty, and technical security, as well as emerging trends in artificial intelligence development and deployment. The risks posed to the cloud ecosystem by the unintended consequences of policy intervention are significant, but so too are the consequences of untrusted and insecure cloud deployments. 

A shared cloud computing vocabulary 

This section will establish essential vocabulary and terms for cloud computing. The terms and characteristics defined here are non-exhaustive but are a useful starting point for cloud policy discussions. Cloud computing describes a model where service providers offer metered, on-demand access to computing resources.¹⁰ Instead of operating their own servers and facilities, customers specify workloads—sets of defined computing tasks, utilizing computing resources—for which cloud providers handle implementation and execution.¹¹ Sometimes the resources used by these workloads are virtual versions of physical resources (“virtual machines” or VMs), but often they are abstract resources or functions, such as data storage or analysis services, and are not rooted in or wedded to specific hardware or software implementations. Cloud providers must manage and architect both individual hardware and software components and the protocols, pathways, and constraints of their communications and interactions. To ensure visibility and reliability, cloud providers must build systems that carefully manage changes, catch and alert on outages, and gracefully handle errors or failures. This model of access to computing resources includes general access to applications and data storage, but also specialized services for specific customers or sectors. 

Cloud providers aggregate and distribute workloads across computing resources. Centralized control over the design, development, testing, and maintenance of both hardware and software enables cloud providers to reduce costs while optimizing their services for the performance and reliability needs of customers.¹² End-to-end control over cloud systems also allows costly experimentation with specially-tailored or developed software and hardware, including custom advanced semiconductors (chips, silicon).¹³ Prominent cloud providers, including Microsoft, Google, and Amazon, derive advantages from both the scale of their cloud infrastructure and their expertise in adjacent fields and product offerings (earning them the name hyperscalers”).¹⁴ For example, Google’s development of its distributed data storage and processing platform BigTable was driven by the computing demands of its search product.¹⁵ Embedded within the configurations and offerings available to customers are a cascading sequence of impactful decisions made by cloud service providers. Balancing incentives, imperatives, and resource constraints creates an ever-evolving system of systems that is more than the sum of its parts. 

Customers of cloud providers can adjust their use of computing resources elastically. Instead of purchasing physical hardware, launching software, and monitoring it directly for power outages or reliability issues, customers can outsource those responsibilities to cloud providers. This allows companies to focus on their unique products and services instead of monitoring and maintaining networking, energy, and processing equipment. Decomposing workloads into discrete tasks, scheduling tasks for individual hardware components, and monitoring the execution of those tasks for errors, delays, or hardware failures requires carefully optimized software, specific hardware, and dedicated research capabilities.¹⁶ Within nano- or milliseconds, cloud computing systems communicate and synchronize across oceans and continents, ensuring availability and reliability despite frequent outages, hardware failures, and natural disasters. Using metered, elastic cloud services also allows companies to “scale” their computing resource footprint in response to demand.¹⁷ Seasonal surges, such as a boom in visits to e-commerce sites around the holiday season, or daily and weekly patterns, such as workplace software peaking in use during business hours Monday-Friday, no longer require projections months ahead of time, and the build-up of infrastructure to handle maximum demand, which then sits idle outside of specific moments. Instead, enterprises can dynamically and automatically adjust their use of computing resources and services through their cloud providers.¹⁸ At the global scale of modern cloud systems, cloud providers triage and respond to issues that would be completely unfamiliar to self-hosted cloud operators accustomed to handling only hundreds or thousands of servers.  

Cloud customers and providers optimize the architecture of services to support different computational demands, using distinct technology configurations to execute workloads. Cloud computing architectures dictate “how various cloud technology components, such as hardware, virtual resources, software capabilities, and virtual network systems interact and connect to create cloud computing environments.”¹⁹ Workloads such as high-definition video streaming, training AI models, and analyzing and extracting information from data have different requirements for synchronicity, availability, reliability, and error tolerance, which demand different choices of software and hardware to balance tradeoffs. By optimizing cloud infrastructure and systems for different tasks, cloud providers can utilize heterogeneous components to their full relative advantages.  

As an example, to ensure rapid access to cloud resources, providers maintain and offer content delivery networks (CDNs)—networks of servers and computing resources distributed worldwide to minimize the distance and latency (time delay) between cloud infrastructure and end-users.²⁰ Cloud providers also maintain points of presence, or edge locations, where their infrastructure connects with internet service providers, on-premise customers, or other cloud providers.²¹ These points of connection include Internet Exchange Points (IXPs) and other co-location services, a subset of which are sometimes referred to as peering locations.²² Network infrastructure, including edge servers, is a critical vantage point for information useful for security monitoring and incident response. Security practices involving network infrastructure range from mitigating attacks that attempt to overwhelm servers with large amounts of requests to limiting unauthorized access to data and cloud resources.²³

Cloud computing and artificial intelligence 

Cloud computing is involved in AI development and deployment at every stage, from providing data storage and structures to enabling interactions between models and users, all while serving as a central hub of monitoring and evaluation for AI systems. Artificial intelligence companies have close financial and technical relationships with hyperscale cloud providers, and cloud providers themselves develop their own AI models and integrate them with other products. This section will give a brief overview of the importance of cloud computing to artificial intelligence development and deployment as a component of the broader compute infrastructure used in the development and deployment of AI systems. 

Emerging players, sometimes referred to as neo-clouds, also offer cloud computing services specific to artificial intelligence workloads. CoreWeave, Lambda, Crusoe, and Nebius all operate under this model.²⁴ These companies are financially intertwined with both existing hyperscale cloud providers and key chipmaker NVIDIA. NVIDIA has invested in both Lambda and CoreWeave, in addition to its own quasi-cloud offering, which is built on the infrastructure of other cloud service providers.²⁵ Oracle has contracted Crusoe to build out compute offerings for OpenAI as part of the Stargate project.²⁶ Microsoft was responsible for 62 percent of CoreWeave’s 2024 revenue, while Google recently inked a deal to use CoreWeave to deliver computing resources to OpenAI.²⁷ These interactions and overlaps all complicate the cloud ecosystem, creating new, interdependent players and novel connections among long-established entities. These new relationships could complicate existing patterns of information sharing and incident response practices, while emerging players have yet to establish long-term track records of security and reliability.  

Hyperscale cloud providers have also invested extensive resources in creating and expanding cloud offerings to support AI workloads and to provide access to AI models for their customers within cloud offerings. Examples include AWS’s managed container offerings, which Anthropic uses to execute training and inference workloads at “ultra” scale, as well as tailoring of existing services, plugins, monitoring agents, credentials, and caching features.²⁸ AWS’s Bedrock offering provides access to several models, including Anthropic’s.²⁹ Microsoft’s Azure managed cloud offerings monitor, orchestrate, and execute AI workloads, including inference for OpenAI’s models.³⁰ Google Cloud’s Cloud TPU platform includes a compiler, managed software frameworks, and custom chips designed to accelerate AI workloads and is used both internally at Google and by companies like Cohere, Stability AI, and Character AI.³¹

Scarcity or lack of access to key computing resources specific to artificial intelligence could also drive customers to overlook security requirements, focusing instead on rapid access to essential computing power. The increasing compute demands of AI firms and the growth of niche cloud computing service companies, both intertwined with hyperscale cloud providers, will continue to strain existing compute resources such that cloud computing policy interventions run a growing risk of compromising a fragile ecosystem.  

Policymaking in this sector has largely focused on advanced semiconductors, particularly NVIDIA GPUs, as the principal component of AI compute, from the Biden administration’s AI diffusion rule to the Trump administration’s AI Action Plan.³²  Proposals have also examined the challenges of securing model weights, managing the flow of advanced semiconductors used in AI training development, and acquiring energy and land needed to construct datacenters.³³  

However, limited attention has focused on the risks and opportunities of cloud computing’s role in AI development and deployment, and as an essential component of the AI supply chain itself. Efforts to secure the cloud computing ecosystem can protect sensitive intellectual property involved in AI development in deployment, including model weights and proprietary details of both AI use and research methods and practices used to develop frontier AI models. Conversely, policies and security practices that hamper efforts to secure cloud computing infrastructure could jeopardize the security of AI development and deployment.  

Building trust

Trust, in this paper, refers to both the ability of cloud customers to ensure that their cloud configurations are secure from external threats and from excessive interference or access from cloud providers themselves. Quickly verifying trustworthiness after a violation is paramount for customers wanting to keep up with attackers. This section will discuss the challenge of establishing trust in cloud computing systems. Miscommunication and misalignment regarding trust have immediate consequences for cloud customers, who often bear the costs of security incidents. 

Threat intelligence from cloud security firms suggests that the pace of incidents is increasing, with a 2024 Google Cloud report finding only five days of average observed time between the disclosure and exploitation of vulnerabilities, down from 32 days in 2023.³⁴ Another 2023 report from Orca Security found that it took only two minutes for AWS encryption keys that were publicly exposed on GitHub to be used by threat actors.³⁵ Sophisticated attackers have targeted companies, such as Cloudflare, that specialize in cloud network infrastructure, stealing credentials to access documentation and source code.³⁶ Advisories from cybersecurity companies and intelligence agencies indicate that organizations persistently experience breaches from sophisticated, nation-state-sponsored threat actors who utilize publicly known vulnerabilities as part of a global espionage strategy.³⁷ Meanwhile, trust deficits that result from customers’ lack of trust in cloud providers, or an inability by cloud providers to verifiably demonstrate trustworthiness, hamper both the adoption of cloud capabilities and the ability of organizations to prevent and respond to security incidents. When trust criteria are insufficient or incomplete, preventable incidents can occur at breathtaking speed.  

In policy contexts, trust frequently centers on an entity-based definition. The National Institute of Standards and Technology (NIST) notes that trust is “a belief that an entity meets certain expectations and therefore, can be relied upon.”³⁸ A focus on entities can lead to technology policies focused on static, easily verifiable attributes, such as the national origin or corporate headquarters of cloud providers, from which policymakers derive restrictions on specific firms or sweeping prohibitions against foreign entities. This dynamic is not exclusive to cloud computing policy and has occurred throughout national security debates over trusted technology, from Kaspersky to Huawei.³⁹ While organizational attributes can provide useful information, requirements exclusively based on entity-based definitions of trust can overlook technical security measures and implementation details that directly affect system trustworthiness, while incentivizing the use of proxy companies and circuitous legal setups.  

Technical communities have developed alternative approaches to trust that emphasize continuous verification instead of static, binary decisions to trust or not trust a technology provider. The zero-trust security model operates on “the premise that trust is never granted implicitly but must be continually evaluated,” according to NIST.⁴⁰ This model is a shift from a perimeter-based security strategy toward contextually securing and restricting access to dynamic computing resources and assets.⁴¹ As an illustrative example, a zero-trust approach would reflect a company’s decision to shift from a sign-in system to enter a building, after which each person would have complete access to move around a building, to an approach where each room or floor requires a special key that only certain people can access, regardless of whether or not the person requesting access is already within the building. However, zero-trust is more of a broad set of principles than a set of specific operational requirements and might not align with existing organizational structures and regulatory frameworks that mandate perimeter-based security approaches. 

Cryptographic and hardware-based verification mechanisms offer another path through technical, not organizational, assurances. Trusted Execution Environments (TEEs) and confidential computing could enable remote attestation of the integrity and confidentiality of data and code.⁴² Remote attestation and technical assurances can establish trust outside of organizational attributes but require specialized hardware and software implementations that are not currently widely available or cost-effective.⁴³ 

These divergent approaches to trust create challenges for cloud providers and customers. A coherent, cohesive approach to cloud trust must bridge different methods while accounting for the scale and complexity of cloud computing. This requires moving beyond simple analogies and one-size-fits-all policies towards frameworks that thoughtfully weigh technical and organizational attributes. The alternative is a fragmented system in which policies undermine the economic and technical benefits of cloud computing without improving security. The costs of insecurity will only grow as the cloud becomes more entwined with AI applications, making the question of ensuring trust in cloud computing increasingly critical. 

Digital sovereignty and data localization

This paper’s focus is on digital sovereignty policies that target cloud infrastructure, such as the promotion of national or local alternatives to cloud providers, the exclusion of foreign cloud providers from specific certifications or sectors, or restrictions on the structure and configuration of cloud deployments within national borders.⁴⁴ This section will ground this paper’s discussion of trust and security in cloud computing and infrastructure within a contemporary policy debate: the application of digital sovereignty and data localization restrictions to cloud computing.⁴⁵

In many cases, companies that qualify as hyperscalers also offer search engines, operating systems, social media sites, and ad platforms, which could also be relevant to digital sovereignty debates. Those offerings remain outside of the scope of this paper but could very well have implications for cloud computing if remedies or policies aimed at achieving digital sovereignty goals impacted hyperscale providers and their cloud offerings. 

There are at least three essential characteristics of digital sovereignty and data localization policies with direct implications for cloud computing: the affected country or region, the scope of customers affected, and the criteria for cloud trust. In addition to descriptions, each characteristic will include illustrative examples.  

Table 1: Key characteristics for digital sovereignty policies affecting cloud computing systems

Geography

The first essential characteristic is the geographic region affected by a policy. Typical examples of cloud sovereignty or digital sovereignty policies apply at a national level and are set by a federal policymaking body. 

For example, the French SecNumCloud certification scheme, which includes localization requirements and restrictions on foreign ownership of cloud providers, is in effect within France.⁴⁶ Attempts to extend sovereignty policies in certification requirements across the EU within the European Union Cybersecurity Certification Scheme for Cloud Services have been unsuccessful so far, facing opposition from Denmark, Estonia, Greece, Ireland, Lithuania, Poland, Sweden, and the Netherlands.⁴⁷ Outside the EU, digital sovereignty policies appear to remain national in scope, which aligns with the focus of supporters of some digital sovereignty policies in ensuring government control over and visibility into cloud services.  

Scope

Another essential characteristic is the scope of customers or procurers of cloud services affected by digital sovereignty policies. Direct government use of cloud services or use by critical infrastructure sectors like finance and defense have been a focus of digital sovereignty policies. These policies can take the form of explicit bans or prohibitions on critical sector or government use of foreign cloud providers, procurement incentives for local companies, or technical requirements that in effect mandate country or sector-specific cloud configurations. 

Several countries and geographies have experimented with sovereignty and localization requirements specific to critical infrastructure sectors or government use. The Cross Border Data Forum’s 2021 data localization report highlighted requirements for exclusive localization of financial sector information and operations, such as transactions and banking information, in several countries, including South Africa, Turkey, and India.⁴⁸ The aforementioned French SecNumCloud scheme applies to government agencies and “operators of national importance.”⁴⁹ South Korea’s Cloud Security Assurance Program (CSAP) applies to public sector cloud use, but debates over its provisions have suggested it could be extended to additional sectors such as healthcare and education.⁵⁰ 

The sensitivity of government and critical infrastructure sector data and operations raises heightened concerns regarding the risks of unauthorized access to information or disruption of services. The sheer size of the government and critical infrastructure sectors’ cloud budgets also creates an appealing policy target, as including requirements or incentives within procurement regimes serves as an intermediary between economy-wide regulations and no regulation at all. Government and critical infrastructure criteria for cloud computing are often thought to induce effects outside of their direct targets, as other companies and organizations incorporate or reference criteria used by those entities in their own cloud procurement decisions.⁵¹

Criteria for trust

The final essential characteristic of digital sovereignty policies applying to cloud infrastructure is the criteria for trust that policies reference or create. Criteria of trust can include restrictions on nationality or operational jurisdictions of cloud providers, geographic locations of cloud infrastructure, or specific technical and operational measures, such as the use of encryption or external key management. These criteria can be directly put into force through legislation or through references to external certifications or standards bodies. 

Digital sovereignty policies often seek to ensure that cloud service providers have local physical footprints. Ensuring the physical footprint of a technology provider can create a toehold for further enforcement and oversight, clarifying the obligations of cloud providers to the citizens and laws of different countries. Without a clear presence in the form of personnel or physical infrastructure in a country, it is difficult for governments to enforce regulations or to substantively hold companies accountable for abuses or violations of policy. Russia and Vietnam both adopted policies requiring local offices and representatives for technology companies, which have been described as creating opportunities for government control and coercion.⁵² Incentives for local data center construction, such as Brazil’s proposed package of incentives and tax breaks for developers, can alternatively focus on the potential economic benefits of localized infrastructure, from collected taxes to construction and maintenance jobs.⁵³

Other localization requirements seek to restrict the physical location of cloud infrastructure. Proponents of data localization argue that restricting the physical location of data, including prohibiting cross-border data transfers, provides security and privacy advantages. Countries around the world have adopted localization measures applicable to various sectors, types of data, or processing requirements. Localization measures mandate restricting operations to cloud infrastructure located within certain geographic boundaries. Often, this manifests as restricting the set of cloud “regions” that companies have access to, while cloud providers recommend structuring applications to span multiple regions and availability zones.“⁵⁴  Availability zones are logically isolated segments of cloud infrastructure that attempt to ensure that if one zone suffers an outage, it does not take down other zones within the same region.⁵⁵ However, region-wide disruptions such as October’s AWS DynamoDB incident in the us-east-1 region, while rare, have significant impacts on both customers relying on resources within a region and cloud service providers that operate within a specific region.⁵⁶

Figure 1: Region and launch year

Restricting the flow of data and information can limit access to computing and processing resources, limiting the ability of cloud providers to surge capacity and geographically distribute workloads. The ability to migrate workloads and computing assets, such as data, to other countries is essential for effective disaster recovery, which could motivate carving out backups as exempt from data localization. In preparing for Russia’s invasion, for instance, Ukraine paused localization requirements and shifted essential government data to cloud infrastructure outside of its borders to ensure availability and access in the event of the physical destruction of domestic data centers.⁵⁷ Estonia has also established a data embassy, which consists of an external private cloud region in Luxembourg to ensure continuity of government operations in the event of a crisis.⁵⁸

Beyond infrastructure locations, countries and customers might seek to restrict the geographic location of technical support staff and engineers, especially individuals who might access or view sensitive data. Requirements can restrict physical location, citizenship, or clearance of support personnel, which can impact the staffing strategies, create challenges for around-the-clock availability, and require duplication of expertise across nations. According to ProPublica, Microsoft worked around such restrictions from the United States Defense Department by using support structures such as “digital escorts,” where individuals in possession of security clearances but lacking technical expertise supervised engineers, including engineers physically located in China, as they interacted with cloud systems used for national security purposes.⁵⁹ The impulse towards workarounds for location-based restrictions, such as the digital escort system, which Microsoft has reportedly stopped using for the Department of Defense, demonstrates the operational difficulties restrictions on the location of support staff can create and the security risks that can result from the uneven implementation of location restrictions.⁶⁰

Infrastructure localization approaches can also be designed to ensure that companies or governments have local oversight and control over security measures, including the use of encryption. Keeping encryption keys off cloud provider infrastructure, and instead on local or on-premise infrastructure, can be referred to as “key escrow” or “external key management.”⁶¹ Apple has historically complied with key localization requirements in China, while Google has implemented an offering designed for compliance with a requirement in Saudi Arabia.⁶²  These offerings may be developed in partnership with local providers, who can oversee cloud provider access to encryption keys.⁶³ However, this approach introduces distinct risks to cloud computing systems, as customers must trust the additional provider to secure encryption keys, which, if compromised, would provide access to sensitive data. Countries can also impose other requirements relating to encryption, such as country-specific standards. South Korea’s government cloud certification requires national standard encryption algorithms that are not widely used outside of Korea.⁶⁴

In the US, debates on state-sponsored, proprietary encryption standards have resulted in concerns about the intelligence community creating “backdoors,” or exploitable flaws within encryption algorithms, which could be used by intelligence agencies and malicious actors to monitor communications and access content.⁶⁵ Governments could also directly restrict the ability of cloud service providers to offer products with certain encryption standards or features. The UK’s secret law enforcement request to Apple to access certain encrypted communications led Apple to withdraw its Advanced Data Protection feature from the UK market rather than create a backdoor for authorities.⁶⁶  Restrictions or constraints on encryption standards and encryption system architectures can give local authorities control over access to encrypted data, but can also create vulnerabilities if they result in compromising key local management systems or mandates for insecure encryption standards. 

The jurisdictions cloud providers originate from or operate within can be a source of concern for governments, especially when other governments mandate, incentivize, or promote practices that undermine the security of underlying technology systems. Digital sovereignty policies can aim to exclude specific cloud providers or providers from certain countries, either with outright bans or structural requirements mandating local partnerships. The approach of excluding specific countries, or restricting the access of companies from certain countries, is referred to as a blacklist, while a policy that only allows transfers to specified countries is referred to as a whitelist.⁶⁷

The United States has typically taken a blacklist approach to national security reviews of foreign companies, imposing a smaller, ad-hoc set of limitations on companies’ jurisdictions and origins. For example, the US government has expressed skepticism over Chinese cloud providers’ access to American information, resulting in investigations of Alibaba’s cloud business.⁶⁸ These concerns include Chinese policies requiring technology companies to notify the government when they discover technical vulnerabilities and extensive cooperate with defense and intelligence services.⁶⁹  In reviews of other technical systems, such as telecommunications infrastructure, the US has weighed the national security risks of the involvement of both Chinese and Russian companies.⁷⁰

Meanwhile, European data protection regimes, such as the General Data Protection Regulation (GDPR), utilize a whitelist approach, requiring “adequacy decisions” to approve data transfers to certain countries.⁷¹  European leaders have raised concerns about US surveillance practices and the lack of federal privacy legislation, which has prompted regulators to revoke previous data transfer agreements.⁷² The dominance of US hyperscale cloud providers, domestically and abroad, has led to a close focus in policy discussions on US legislation applicable to cloud providers, including those that affect the operations of cloud providers in other jurisdictions. Concerns regarding US government access to information have led to repeated references in policy debates to one piece of legislation: the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act.  

The CLOUD Act restated requirements of the US Stored Communications Act (SCA) as they apply to information under the control of cloud providers, including if that information is shared, sharded (splitting data into multiple, more manageable pieces), or distributed across geographic locations, but did not change the requirements for warrants under US law to access the content of electronic communications.⁷³  The CLOUD Act’s clarification of the SCA’s scope brought the United States into compliance with the Budapest Convention on Cybercrime, while also authorizing bilateral agreements for countries to request information from cloud providers for law enforcement investigations outside of the Mutual Legal Assistance Treaty (MLAT) process.⁷⁴  The EU-US Data Privacy Framework currently holds an adequacy decision, allowing individual US companies to transfer data under GDPR. However, the Trump administration’s disruption of the Privacy and Civil Liberties Oversight Board (PCLOB) and US intelligence community data collection have raised questions in Europe about the merits of the adequacy decision and could result in further legal challenges, which could remove the United States and American companies from the GDPR whitelist.⁷⁵   

Concerns about the market dominance of US hyperscalers, as well as US government access to content stored on cloud computing systems, have also led to various European initiatives to foster domestic alternatives, such as the GAIA-X initiative.⁷⁶  Foreign ownership restrictions contained within cloud certifications, such as the SecNumCloud regime, have led cloud providers to set up operations and joint ventures with domestic companies that manage local configurations of cloud computing. In France, for instance, Google has partnered with Thales, while Microsoft has partnered with Orange and Capgemini.⁷⁷ Hyperscale cloud providers have also announced commitments to expand “sovereign” cloud regions, such as Microsoft’s partnership with a German SAP subsidiary, which will consist of “a sovereign cloud platform for the German public sector, hosted in German datacenters and operated by German personnel.”⁷⁸  AWS’s sovereign cloud commitment language also highlights the physical and logical isolation of a forthcoming sovereign European cloud region, which will have “no operational control outside of EU borders.”⁷⁹ These commitments and infrastructure developments require significant investments as well as a shift in operational and management strategies from the existing global distributed models.  

Table 2: Illustrative policies mapped to characteristics for digital sovereignty policies affecting cloud computing systems

Implications for cybersecurity and AI 

This multifarious tug of war over sovereignty and trust has significant implications for cloud computing infrastructure, security, and the services, including for AI. Focusing on location as a proxy for control and trust can lead to policies that ultimately undermine security goals by decreasing the reliability and integrity of essential systems. The critical nature of cloud computing means it deserves intensive evaluation to ensure the trustworthiness of foundational systems, but evaluation and assurances of trust in cloud computing should be rooted in effective guarantees. The efficiency and performance benefits of cloud computing are fractured and disrupted by location-based requirements. The replication of infrastructure, support systems, and other operational overhead creates meaningful costs for cloud providers, limiting their ability to invest in other measures that could improve performance or security. Filings by industry organizations, including the US Chamber of Commerce, prove this point by repeatedly highlighting the costs of staff and infrastructure location requirements impose on the operations of cloud providers.⁸⁰

This location requirements race fragments security monitoring and threat response, limiting the ability of organizations with global footprints and technical systems to mitigate and respond to cross-border risks. National or regional silos of cloud deployments with the same underlying software and hardware deployments—all relying on core features, patterns, and architectures developed by the same handful of companies—insulate cloud deployments from legal concerns while creating technical and financial burdens.

Constraints on provider locations and jurisdictions can also limit organizations from taking full advantage of advanced global capabilities, including networking infrastructure. In 2021, for example, Portugal’s Supervisory Authority fined its public census body €4.3 million for using Cloudflare’s services, citing concerns regarding Cloudflare’s global, distributed network of servers and position as a US company.⁸¹  Despite Cloudflare’s reputation as a cost-effective and highly reliable network security provider, the ruling occurred in the wake of broader discussions on the ability of European organizations to transfer data to the United States as part of GDPR compliance.⁸²

Moreover, the impacts of limiting access to network infrastructure are not mitigated by local datacenters and computing capacity, as organizations will still be unable to use state-of-the-art platforms that enable global communications and stronger security protections. Policies that only consider datacenter capacity and access ignore these impacts and can inadvertently create security issues while degrading service quality.

Governments should avoid imposing restrictions on access to cloud computing based exclusively on the location of cloud infrastructure. Location is at best a proxy for the security practices and guarantees of cloud providers and imposes cost and security consequences on providers. Localization requirements should, at a minimum, involve an advanced notification and blacklist approach, minimizing disruptions and operational concerns for cloud providers who build infrastructure configurations years in advance. Ad-hoc revocation should be reserved for well-documented offenders, observed compromises, and emergencies, as cloud providers, their customers, and the security ecosystem broadly benefit from stability and predictability.

Cloud security fundamentally depends upon the ability of organizations to respond to incidents rapidly at scale. Container escape vulnerabilities, which are errors in the implementation of encryption standards, or misconfigurations in the software connecting different services that expose can data and enable lateral movement, are just a few examples of cybersecurity flaws that are agnostic to the physical location of servers and support staff. If location-based requirements restrict companies’ ability to monitor, observe, and remediate incidents, or even prohibit or discourage them from retaining non-domestic cybersecurity incident response companies, organizations and governments will be cut off from the global flow of cutting-edge threat intelligence, vulnerability reports, and mitigation guidance.⁸³

Conflicting trust frameworks can also undermine the ability of organizations to collaborate across the cloud ecosystem. Instead of working with cutting-edge providers and cybersecurity companies focused on addressing security challenges, organizations are encouraged to turn inward, reinventing the wheel by managing their own technology configurations and security postures. While these organizations have useful context for their own security risks, rapid coordination and information-sharing bolsters collective defenses in ways that are difficult to replicate. Ad-hoc grants and revocations of trust in cloud computing systems or cloud providers exacerbate these challenges, and governments should adopt frameworks for trust that allow for continuous verification and evaluation instead.

The management of cloud encryption keys and credentials is also essential to cloud security. Externalizing key management systems poses enhanced risks for the same reasons that advocates seek to localize control of encryption keys: they unlock access to otherwise secure data.⁸⁴ However, removing key management from cloud provider infrastructure and placing it under the control of another provider creates additional risks, as cloud users must now trust each provider and the infrastructure or platform through which keys or identities are managed.⁸⁵ Threat actors have targeted key and identity management platforms, recognizing their importance to the overall security posture of cloud customers. Okta, an identity and management company, has been the subject of repeated attacks, including a breach of its customer support portal, which initially became public because of a threat actor’s boasts on Telegram.⁸⁶ Removing keys from cloud provider infrastructure does not reduce the importance of securing cryptographic information and credentials, and externalizing key management only places additional responsibility on individual customers to manage and ensure key security.

Cloud security errors and flaws cross organizational boundaries and are not prevented by distinctions between cloud providers and other companies in operating or managing infrastructure. Attackers have leveraged connections between on-premise and public cloud systems (known as hybrid cloud deployments), such as shared credentials or identity systems, to compromise and wreak havoc in cloud environments.⁸⁷. In a 2023 example, a suspected Iranian threat actor used stolen credentials to move from an on-premise environment into a customer’s Azure configuration.⁸⁸

Security flaws can also be similar across cloud providers, even when cloud providers separately develop features and products. The cloud security firm Wiz conducted research on the incorporation of a popular open-source database service, PostgreSQL, into cloud platforms and found similar vulnerabilities in Azure and Google Cloud, despite their independent development.⁸⁹

Policymakers should not operate under the assumption that segmenting cloud infrastructure —or the oversight of cloud infrastructure —across organizations will automatically improve the cybersecurity posture of cloud configurations. By limiting the ability of companies to share information about vulnerabilities or observe threat activity across active cloud configurations, policymakers can inadvertently exacerbate the challenge of common security failures across cloud providers. The trajectory of AI development and its intense reliance on cloud resources will only exacerbate the challenges of navigating these tradeoffs. Policies that require jurisdictional independence, exclusive local legal or operational control, and partnerships with local companies incentivize configurations that are not based upon a solid foundation of technical boundaries and isolation. Artificially constraining cloud providers, mandating technology transfer, and rewarding regulatory arbitrage do nothing to advance national sovereignty objectives and incentivize lax security practices instead of proactive, systemic monitoring.

If specific government or critical infrastructure sector criteria for cloud procurement are too onerous or burdensome, they also risk artificially segmenting the cloud market, leaving public sector customers out of step with industry norms and delayed in accessing new offerings. For example, AWS’s US GovCloud region contains detailed documentation on services available in other regions that are unavailable or require distinct configurations within GovCloud.⁹⁰ A US Government Accountability Office report on federal agency use of generative AI also references delays of cloud certification processes as an obstacle to access and use of new services, particularly when the companies offering them are not interested in gaining authorization through procurement processes or are unaware of federal procurement requirements.⁹¹

Critical infrastructure sectors and government agencies already shoulder cybersecurity burdens as the targets of persistent cyberattacks, with consistent ransomware attacks on hospitals as one example.⁹² In budget-constrained organizations, interpreting and implementing cybersecurity regulatory requirements can create cost burdens that lead to difficult tradeoffs with essential functionality.⁹³ Policies designed to shape the cloud market broadly should carefully evaluate which sectors are impacted and to what degree. If the goal of a procurement or incentive structure is cross-sector security requirements, public entities with limited cybersecurity expertise or leverage to negotiate with hyperscale cloud providers, such as critical infrastructure operators, may not be a logical starting point.

Governments around the world have a crucial role to play in allowing cloud providers to demonstrate trustworthiness, as they can remove barriers to information sharing, harmonize international trust regimes, and demand information from providers that customers would otherwise be unable to access. Accepting and embracing this role requires a strategic focus outside of the role of governments as merely cloud procurers. While governments are essential users of the cloud, consumer protection mandates and broader security goals merit a focus on ecosystem-wide security, which should be disentangled from direct procurement capabilities. Cloud providers should be required to share cloud security indicators with governments not just as a step to securing public sector contracts, but also to verify the trustworthiness of cloud infrastructure critical to modern society.

The US can play an important role in shepherding confidential computing technology—which runs computations on isolated systems—but must also manage coordination to ensure that by the time this technology is available and trustworthy, that allies and partners have not fully pivoted to regulatory regimes that mandate fragmented cloud infrastructure. One way to assure allies and partners is to demonstrate commitments to the security of the cloud ecosystem. Where legislation like the CLOUD Act has been mis- or over-interpreted by outside entities to provide expansive authorities, law enforcement agencies should continue to clarify the scope and details of warranted access to the content or information stored by cloud providers. Through its oversight functions, the US Congress can also publicize further aggregated, anonymized, and declassified information about the nature of interactions between the intelligence community, law enforcement agencies, and cloud providers, including allowing further information sharing about national security requests.

Conclusion

As artificial intelligence demands force the evolution of cloud computing systems, policies aiming to ensure the security of cloud computing must balance the goals of visibility and control with essential capabilities. Specialized providers and the relative opacity of the AI ecosystem both make cloud computing’s role in AI more critical and fragile. As artificial intelligence workloads continue to require careful coordination across specialized providers and infrastructure, establishing clear criteria of trust in cloud computing gains urgency. The consequences of failing to establish and maintain this trust will not just be felt by organizations using the cloud to develop and deploy artificial intelligence, but by governments and companies broadly, as the cloud infrastructure they depend upon and utilize becomes fragmented and limited. 

Countries around the world have implemented and proposed policies that impose geographic or location restrictions on cloud systems, instituting organizational and operational changes for cloud providers without fully evaluating the security tradeoffs. Requirements that change the criteria for trust in cloud computing to prioritize location can silo and fragment cloud infrastructure, reducing geographic distribution that provides resilience and elasticity. Focusing the evaluation of trust instead on technical assurances, rather than geographic and organizational proxies, should be the priority of governments. The location and nationality of cloud providers, while important, are insufficient proxies for security guarantees and outcomes and ultimately serve to incentivize regulatory arbitrage and compliance over state-of-the-art security practices. 

The complexity of cloud computing—driven by scale, specialization, and demand—enables the reliable systems and technical innovations that define modern economies and ways of life—and that is why that policies and regulations in this sector need to be finely-tuned and informed by technical realities. Interventions that aim to manage this complexity by tearing apart infrastructure and segmenting it within geographic borders will only end up undermining these systems and their security without fulfilling national security goals.  

There is no doubt this is a tall task. But only strategies as nuanced as the technology itself can safeguard its advantages while establishing the foundational trust that will underpin the future of artificial intelligence and technological innovation.  

Sara Ann Brackett is an assistant director with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs. She focuses her work on open-source software security, software bills of materials, software liability, and software supply-chain risk management within the Cyber Statecraft Initiative’s cybersecurity and policy portfolio.

Brackett graduated from Duke University, where she majored in computer science and public policy and wrote a thesis on the effects of market concentration on cybersecurity. She participated in the Duke Tech Policy Lab’s Platform Accountability Project and worked with the Duke Cybersecurity Leadership Program as part of Professor David Hoffman’s research team.

The author would like to thank Trey Herr, Stewart Scott, Nitansha Bansal, Kemba Walden, Devin Lynch, Justin Sherman, Dominika Kunertova, and Joe Jarnecki for their comments on earlier drafts of this report, as well as all the individuals who participated in background and Chatham House Rule discussions about issues related to data, AI applications, and the concept of an AI supply chain. 

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post Cloudbusting: Policy for evaluating trust in compute infrastructure appeared first on Atlantic Council.

And the United States was not part of that moment.

The US delegation did not attend the Johannesburg summit and declined to join the declaration—a decision that stemmed in part from concerns about the host nation and broader disagreements with aspects of the process. And the United States is making AI a focus of the G20 summit it is hosting next year, an indication that it has not ruled out collaboration. Still, this year’s absence carried symbolic weight. It suggested a narrowing US appetite to engage multilaterally at a time when many governments are moving quickly to shape the rules and norms surrounding transformative technologies. Other capitals may reasonably interpret this as an opening: If Washington steps back from these discussions, others will step forward.  

And many did.

The G20’s digital agenda this year went further than any previous summit in knitting together AI governance with sustainable development. What emerged from Johannesburg was a clear premise: AI is not just a commercial or security asset; it is a public good, one that must be governed collectively. Countries from South Africa to Brazil to India insisted that data governance, ethical guidelines, and inclusive digital infrastructure are not luxuries—they are developmental necessities.

What came out of Johannesburg wasn’t the usual tech-salon optimism or Western policy jargon. It was the voice of a world determined to stop the next wave of innovation from hard-wiring the injustices of the last. For example, the declaration insisted that AI must be “human-centered” and “development-oriented,” backed by trustworthy data governance—not just for privacy, but as the backbone of equitable AI. It called for digital public infrastructure and real capacity-building for countries long pushed to the margins of the digital economy. And it linked information integrity directly to democratic resilience. It aligned itself with the United Nations Educational, Scientific, and Cultural Organization’s (UNESCO’s) ethical AI framework and the United Nations’ resolutions on equitable technology.

Call it whatever you want: multilateralism, solidarity, or simple common sense. But the message was unambiguous. A broad group of the world’s largest economies came together to say that AI must serve humanity, not just the handful of companies and countries capable of building it.

What makes the US absence so striking is that for decades it was the United States that championed precisely these kinds of conversations. US diplomats helped build the global internet governance system through international multilateral and multistakeholder fora, such as the Internet Governance Forum. American civil society was instrumental in pushing human rights into digital debates. American universities trained the researchers shaping AI ethics. Yet today, as major economies explore AI’s developmental dimensions, the United States is largely outside the room.

The US administration’s current approach to AI—marked by a preference for domestic industrial strategy and selective bilateral partnerships—reflects a hardening belief that multilateral governance is either futile or dangerous. In too many parts of Washington, there is a sense that global cooperation simply helps China; that multilateral institutions dilute US influence; and that if the United States leads on innovation, it doesn’t need to lead on rules.

This is a profound misreading of how power works in the digital age.

It is true, of course, that the United States remains the world’s AI frontrunner. Its companies build the most advanced models and its research institutions are unmatched—at least for the time being. But technological dominance without normative influence is brittle. Governance frameworks—data standards, safety norms, ethics principles—shape markets and behavior as much as silicon and compute. If the rest of the world agrees on a vision for AI grounded in development, inclusion, and human rights, and the United States is not part of that process, then Washington risks becoming a rule-taker rather than a rule-maker.

Some observers are already calling Johannesburg a win for China. There is some truth to that. Beijing has long argued that developing countries deserve a larger voice in global tech governance, with Chinese President Xi Jinping criticizing the idea of AI as a “game of rich nations,” a theme emphasized in Chinese state media coverage. And China’s investments in digital infrastructure across the Global South give it clear geopolitical advantages. With Washington absent, Beijing’s narrative—centered on equity, development, and multilateral dialogue—faces fewer obstacles.

But focusing solely on China misses the bigger story. Johannesburg was not a Chinese diplomatic triumph. It was a Global South diplomatic triumph. India, Brazil, South Africa, Indonesia, and others played central roles in shaping the digital agenda. They were not passive recipients of a Chinese vision; they were co-authors of something genuinely new: a multilateral AI framework that reflects their own developmental priorities. This agency was highlighted not only in the declaration but also in the reporting across the Global South, including South Africa’s official summit briefings.

None of this means the United States has been written off as an ally. But it does reflect a growing impatience among other states. Adopting the declaration without US support was not a rebuke; it was a recognition that global cooperation cannot wait for universal participation. A generation ago, such a move would have been unlikely. Today, it feels increasingly normal.

What should worry Washington most is that this shift comes at the precise moment when AI is beginning to reshape the global economy in ways as profound as industrialization. The International Monetary Fund estimates that AI could boost global growth by nearly a full percentage point, transforming labor markets, education, healthcare, and agriculture. It could concentrate power or democratize it. And the rules that govern these transformations are being written now.

To be clear, G20 declarations are nonbinding and often aspirational. Implementation will depend on infrastructure, innovation ecosystems, and the particular needs of member states. Still, the fact that the Johannesburg declaration so explicitly anchors AI within the sustainable development agenda—at a moment when US alignment with that agenda is often questioned—signals a meaningful shift in global positioning.

By staying home, the United States is making a bet that it can shape these norms later, through market dominance alone. But history suggests otherwise. Governance norms, once set, are sticky. They embed themselves in institutions, standards, and expectations. They shape how technologies are built and how they spread. And they rarely bend to accommodate a latecomer—even a powerful one. 

It is telling that, while the world was forging a collective path in Johannesburg, Washington was charting a very different course at home with the launch of the Genesis Mission—an ambitious drive to harness AI for domestic innovation and national competitiveness. It’s a bold investment, but one that risks reinforcing a US approach to AI that is inward-looking and self-referential at the very moment the rest of the world is moving toward shared governance and collective benefit.

But retreat is not destiny. The United States still has avenues to re-engage—not by dictating outcomes, but by participating as a genuine partner. The G20 declaration did not emerge in a vacuum; it builds on existing foundations the United States helped create, including the Group of Seven’s Hiroshima AI principles and the Organisation for Economic Co-operation and Development’s (OECD’s) AI framework. Those earlier initiatives emphasized trustworthy, rights-based AI—but they lacked a deep developmental dimension. Johannesburg extends the trajectory, integrating ethical safeguards with the practical realities of inclusion and infrastructure.

If Washington wants to regain its normative footing, it can start by showing up. The upcoming India AI Impact Summit in February 2026—already gaining momentum as a convening of Global South digital priorities—offers a stage where the United States can listen rather than lecture, and even align itself with the developmental intent now shaping global AI norms. And with the United States set to host the G20 next year, it has a rare chance to reset: to bring the existing principles into conversation with the Johannesburg framework rather than treating them as competing visions.

The choice ahead is not between US power and multilateral governance. It is whether the United States can recognize that power now depends on multilateral governance—on shaping shared norms, not merely exporting products. Much of the world has signaled that AI must be human-centered, equitable, and globally accessible. The question is whether Washington is willing to take its seat—not at the head of the table, but at the table at all.

Konstantinos Komaitis, PhD, is a resident senior fellow with the Atlantic Council’s Democracy + Tech Initiative at the Digital Forensic Research Lab (DFRLab).

The post The G20 is moving forward on global AI governance—and the US risks being left out appeared first on Atlantic Council.

In February 2026, the next such summit will take place in New Delhi, India. But while the earlier gathering in the United Kingdom billed itself as concerning AI safety, India has opted for AI “impact.” As I noted in an analysis of this past February’s AI Action Summit in Paris, “the commitment, resources, and priorities of the host determine the summit’s successes and failures, as well as the level of buy-in from its guests.” So, as the contours of India’s goals for its AI Impact Summit come into focus, what should the participants and the wider world expect in New Delhi?

Why “impact”?

New Delhi’s challenge for the summit resembles the three-body problem—in this case, the three competing forces are political momentum, stakeholder consensus, and on-the-ground implementation. The task here is to keep all three in motion without losing coherence. Many initiatives have spun out of orbit at this stage, when lofty consensus gives way to the hard gravity of real commitments.

Superimposed upon this drive for “impact” are the specific challenges for countries that cannot afford to blitzkrieg their way into AI dominance. Their challenge is not a lack of ambition but the limits of scale, resources, and infrastructure, all while the global narrative around AI as a general-purpose technology grows louder. 

India’s leadership team for the summit seems to feel a sense of urgency. In September, Shri S. Krishnan, secretary of the Indian Ministry of Electronics and Information Technology, said in a speech, “This particular wave of technology, driven by AI . . . is probably the last opportunity that countries of the Global South, including India, have to truly grow rich and prosperous before they grow old. This is a wave the Global South has to ride.” 

Ahead of the summit, India released seven “chakras,” or “axes,” that will be discussed at the gathering. While these chakras cast a wide net, most are largely global coordination problems: human capital, social empowerment, inclusive growth, innovation and research, and safe and trusted AI. India’s vision for impact therefore is twofold: both to maintain momentum by driving action on agenda items for global coordination, and to highlight equitable access to AI infrastructure as essential to developing countries’ ability to meaningfully participate.

India’s approach

The AI Impact Summit framework also carries the hallmarks of New Delhi’s techno-legal approach to digital technologies, where regulation is part of the design of technical systems rather than an extraneous compliance requirement. Rather than relying only on regulatory instruments that may stifle innovation, the focus is on empowering a wide range of nations and stakeholders with the technical capabilities needed to govern AI effectively. India has implemented techno-legal approaches in data governance, animated by its digital public infrastructure (“India Stack”) as well as the Data Empowerment and Protection Architecture, which proposed the concept of “consent manager” institutions that put individuals at the center of data access and control decision flows. 

With its framing, New Delhi is positioning itself as an arbiter of a very specific model of AI-driven growth, where governments are co-creators and not just buyers and regulators of AI. This is distinct from, for example, the United States’ techno-nationalist approach, which is driven by a handful of massive AI companies. New Delhi’s hybrid system prioritizes narrow, tailored government interventions in sectors that have the deepest scope for impact and inclusion, such as healthcare, agriculture, and education. The marquee initiative of the summit is the Global Impact Challenge, which encourages AI applications for climate, financial inclusion, health, urban infrastructure, agritech, and more.

In this vein, expect the launch of India’s sovereign foundation models, reportedly trained entirely on homegrown datasets and hosted on Indian cloud infrastructure. One such model is being built by BharatGen, a Department of Science and Technology initiative, supported by strategic collaborations with Indian research institutions and partners such as IBM.

The safety imperative

While large amounts of capital and political will are focused on one kind of AI race—capabilities and infrastructure—there is another race that must receive the same attention.

The International AI Safety Report, led by Canadian computer scientist Yoshua Bengio, launched just before the Paris AI Action Summit. The first update to the report was published in October, and among its findings is this alarming tidbit: “Some research shows that AI systems may be able to detect when they are in an evaluation setting and alter their behavior accordingly.” In other words, AI systems may know when they are being evaluated and may produce outputs tailored to the evaluation. This is a function of core AI behaviors such as goal preservation (maintaining core objectives) and self-preservation (not wanting to be shut down or replaced). If current AI models can deceive human evaluators, the danger is that more sophisticated, potentially harmful models may be able to slip past national AI safety testing regimes. 

“Safe and Trusted AI” is one of the chakras for the summit, but while the summit treats it as one distinct theme, AI safety should not be thought of as optional. Rather, it is essential to the achievement of the other chakras.

Notably absent so far from the agenda is the IndiaAI Safety Institute (IAISI). Launched in March 2024, the IAISI follows a virtual hub-and-spokes model, with different IAISI cells carrying out specific mandates. That said, there are likely to be some demonstrations of the thirteen AI safety projects that IndiaAI supports under its Safe & Trusted AI pillar. Among these is a unique contribution to a subfield of AI safety called “machine unlearning” by Indian Institute of Technology, Jodhpur. This approach involves making a machine learning system forget a piece of incorrect, corrupted, or harmful training data without fine-tuning or retraining the entire model. 

Despite the headline attention on impact, safety needs to be fundamental to India’s vision for AI that engenders trust, inclusion, and empowerment. Take a hypothetical AI use case for agricultural advisory. The intended goal of a system would be to empower smallholder farmers with predictive tools to help with crop management in areas such as pest control and crop choice based on expected weather patterns. AI systems trained for average accuracy would fail in outlier or extreme cases. The objective function (or goal) of such a system may be to minimize error, not to minimize harm under uncertain conditions. In other words, in the world of the smallholder farmer, a confidently wrong forecast could cause more serious, even catastrophic, harm than a tentatively right one.

The messaging from India about the AI Impact Summit is compelling: AI must be safe, empowering, and trustworthy. New Delhi appears to be taking a people-centered approach, emphasizing use cases that have the greatest scope for positive impact for the widest swath of the population. This approach will resonate with established, emerging, and aspiring AI powers alike. However, without embedding AI safety as a design principle, New Delhi risks repeating a familiar pattern: developing technologies that orbit policy ambitions but never fully land in people’s lived experience.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

The post Safety should be front and center in India’s vision for its AI Impact Summit appeared first on Atlantic Council.

“We’ve always been on the same side of every issue.” That’s how US President Donald Trump described Saudi Crown Prince Mohammed bin Salman (MBS) during a chummy Oval Office meeting on Tuesday, part of a day of pageantry and dealmaking at the White House. The United States and Saudi Arabia struck a series of agreements on defense, semiconductors, nuclear power, and more. While the world awaits the fine print of these deals, our experts took stock of what the leaders have announced so far and what to expect next. 

• Daniel B. Shapiro (@DanielBShapiro): Distinguished fellow at the Scowcroft Middle East Security Initiative and former deputy assistant secretary of defense for the Middle East and US ambassador to Israel
• Tressa Guenov: Director for programs and operations and senior fellow at the Scowcroft Center for Strategy and Security, and former US principal deputy assistant secretary of defense for international security affairs 
• Jennifer Gordon: Director of the Nuclear Energy Policy Initiative and the Daniel B. Poneman chair for nuclear energy policy at the Global Energy Center
• Tess deBlanc-Knowles: Senior director with the Atlantic Council Technology Programs and former senior policy advisor on artificial intelligence at the White House Office of Science and Technology Policy

Jet setters

• On defense, Trump approved the sale of fifth-generation F-35 fighter jets to Saudi Arabia, which Dan interprets as an indication that the US president “is going all-in on the US-Saudi relationship.” 
• But “China remains an issue in the backdrop of US-Saudi defense relations,” Tressa tells us. She notes that US intelligence agencies have reportedly raised concerns about Chinese access to the F-35 if a US-Saudi sale were to proceed, and “similar efforts to sell F-35s to the UAE were not realized across the previous Trump and Biden administrations, in part due to concerns of technology transfer to China.” 
• There’s also the US legal requirement to ensure Israel’s qualitative military edge (QME) in the region. Dan points out that although the 2020 F-35 deal with the United Arab Emirates was later scuttled, it did pass a QME review, and the Saudi deal is likely to do so as well, in part because “Israel will have been flying the F-35 for a decade and a half before the first Saudi plane is delivered, and Israel will have nearly seventy-five F-35s by then.” 
• But the UAE deal was linked to its normalization of diplomatic relations with Israel, and “it appears there is no link to Saudi normalization” with Israel in this deal, Dan points out. In the Oval Office, MBS conditioned his joining the Abraham Accords on “a clear path” to a Palestinian state, which does signal a potential disparity from Saudi Arabia’s previous stance requiring the “establishment” of a Palestinian state.
• The Biden administration held talks with Saudi Arabia about a treaty that “would have included restrictions on Saudi military cooperation with China and ensured access for US forces to Saudi territory when needed to defend the United States,” Dan tells us. But “Trump has not announced whether he is giving the Saudis a one-way security guarantee, or whether there are mutual-security commitments.” 
• So what about Trump’s announcement during MBS’s visit that Saudi Arabia has become the United States’ twentieth Major Non-NATO Ally? Tressa tells us the designation “is a favorite tool of US presidents to cap off major visits with a symbolic flourish to indicate elevated relations.” But Saudi Arabia already enjoys many of the benefits of the designation, Tressa notes, such as privileged access to US arms sales, and the designation “does not provide any special or enforceable security guarantees, nor is it a binding treaty.” 

Sign up to receive rapid insight in your inbox from Atlantic Council experts on global events as they unfold.

Nuclear option

• The White House also announced a Joint Declaration on the Completion of Negotiations on Civil Nuclear Energy Cooperation. Jennifer tells us it’s “likely a precursor to an official Section 123 agreement” on peaceful nuclear cooperation, which must also be reviewed by Congress. 
• “Saudi Arabia has indicated keen interest for years in pursuing civil nuclear technologies,” Jennifer notes, both to add to its power grid and for water desalinization. If the United States provides that nuclear technology, she adds, then “it can exert influence on security matters and help prevent the development of nuclear weapons in Saudi Arabia and beyond.”  
• “Although there had long been speculation that a civil nuclear agreement between the US and Saudi Arabia might cover broader geopolitical issues,” Jennifer adds, “this week’s announcement reflects a more pragmatic approach with a focus on technologies that have strong national security implications.” 

Chipping in

• The two leaders also announced an AI Memorandum of Understanding but did not release many details. “Likely this means the approval of the sale of a package of advanced AI chips to Saudi Arabia,” Tess says. In the Oval Office, she points out, “MBS shared his vision (and strategic bet) on computing to compensate for the country’s workforce shortfalls and ensure continued economic growth.” 
• While the Trump administration has lifted the Biden administration’s “AI Diffusion Rule” that limited the sale of chips to many countries, it still has the final say on exports of the most advanced chips to Saudi Arabia, Tess notes, “likely due to fears related to ties with China.” 
• Now, Tess adds, US national security officials will keep their eyes on “the provisions of the new AI agreement focused on technology protection and what measures will be put in place to keep America’s most advanced AI chips out of reach of Chinese adversaries.” 

The post Digging into the details of the US-Saudi deals appeared first on Atlantic Council.

The world has entered the most consequential tech race since the dawn of the nuclear age, but this time the weapons are algorithms instead of atoms. Rather than a race to obtain a single superweapon, this is one to determine how societies think, work, and make decisions. AI is transforming not only the distribution of power around the globe but also the very nature of that power and how it will be exercised.

A race with generational consequences

The Chinese government sees AI as a crucial driver for what it calls “comprehensive national power.” That’s why it is so focused on the rapid integration of AI into surveillance, consumer products and services, advanced manufacturing, military modernization, and even scientific discovery under a unified state strategy. As Tess deBlanc-Knowles, senior director with Atlantic Council Technology Programs, tells me, “One of the notable aspects of China’s approach is the prioritization of application, or what is called ‘AI-plus.’ China has an advantage over the US in terms of providing direction and incentives for the integration of AI across all sectors of the economy.”

When it comes to AI development and deployment, China’s private sector must be subservient to the will of the Communist Party. The cycle of innovation that results is distinct from Western conceptions of more loosely connected relationships among policymakers, industry, and academia. 

The United States, by contrast, relies much more heavily on the singular dynamism of its private sector, open research culture, and international alliances. The US government struggles to coordinate its private stakeholders and universities at any national scale. The country remains hamstrung by weakening legal protections for privacy and intellectual property that tend to introduce ambiguity rather than clear running lanes. 

And run the United States must. Failure to maintain US leadership on AI could have generational consequences. The outcome of this contest will determine which values—authoritarian efficiency or democratic dynamism—set global norms on everything from digital commerce to autonomous warfare.

“The escalating AI race is drawing comparisons with the Cold War, and the great scientific and technological clashes that characterized it,” write Josh Chin and Raffaele Huang in the Wall Street Journal today. “It is likely to be at least as consequential.” They write that both China and the United States “are driven as much by fear as by hope of progress.”

Helping the US and its allies mobilize, iterate, and deliver

There’s little doubt that who wins this race will depend on who can produce the most advanced chips, the best models, the most potent computers, and the cheapest and most sustainable energy for a proliferation of purposes. 

More significantly, the emerging AI contest is about defining the world’s future standards in areas such as freedom, privacy, and even human dignity. The design of the internet—its core protocols and standards—reflected a bias toward openness, self-organization, and free speech that have shaped two generations of lives online and trillions of dollars in consumer technology. This moment in the AI era offers the same pivotal opportunity for influence. If the United States and its allies lose this race, that could produce a world in which AI becomes more of an instrument for political and autocratic control than one for individual and democratic empowerment.

With so much at stake, the Atlantic Council last week launched its GeoTech Commission on Artificial Intelligence as our flagship initiative to address this historic moment. It will bring together congressional leaders, top industry executives, and innovators across the AI ecosystem to ensure that the United States maintains its technological preeminence in an AI-defined world. Our aim is to help the United States and its allies mobilize more stakeholders, iterate faster, and deliver actionable strategies to ensure US and allied leadership—and a more enlightened, prosperous, secure, and democratic future.

The GeoTech Commission, of which I’m a member, will focus on overall competitiveness across six critical realms: AI innovation, supply chains, energy sources, government adoption and oversight, talent development, and international alliances. Rather than prioritizing some of these realms over others, it will integrate these pieces to address what asserting US leadership and winning the AI race should look like. The race for AI doesn’t boil down to one single measure or factor. 

Los Alamos this isn’t

I began by writing that the current tech race is the most consequential for humanity since the beginning of the nuclear era. Some have gone further, drawing a direct comparison between the race for AI preeminence and the Manhattan Project that produced the first nuclear weapon. What’s true is that the AI race, like the Manhattan Project before it, will be decided to some extent by scientific breakthroughs. Both also share the potential for great good and catastrophic harm.

Yet this is also a misleading analogy. The Manhattan Project was a clandestine, centralized, US government-led sprint at a time of world war. The US government did have an important role in enabling the AI revolution through the development of technical foundations for deep learning and other advancements. But it has been private industry, not the government, that has leveraged and innovated to get to today’s capabilities. 

To win this race, governments know they must work effectively with private companies such as Anthropic, Google, Nvidia, Microsoft, and OpenAI in the United States and Alibaba, DJI, High-Flyer, and Huawei in China. Such companies wield budgets and global reach that would make most defense ministries blush.

‘China is going to win the AI race’

The American edge is in its democratic, free market, innovative ecosystem, which at its best is an unmatched magnet for talent and capital. Yet that ecosystem is also a vulnerability in that Washington can’t control or leverage its tech champions for any overriding national security purpose in the manner Beijing does routinely.

“China is going to win the AI race,” Nvidia CEO Jensen Huang told the Financial Times this past week, pointing to Beijing’s looser regulations, new energy subsidies, and direct intervention to assist its champions. Industry leaders worry that the Trump administration focuses more on restricting what US firms can sell to China than on energetically helping its companies win the race. “We need more optimism,” Huang said a week after Trump announced that he would stop China from gaining access to both Nvidia’s cutting-edge Blackwell chips and a less advanced chip designed explicitly for the Chinese market, and just a few days after the company reached an unprecedented market capitalization of five trillion dollars.

China’s system fuses state and private ambition in a manner that could be decisive, mobilizing government, private capital, and leading-edge science around common cause dictated by Xi and the Communist Party. The system intentionally aligns national goals with corporate incentives. While US companies focus on winning markets, competing with each other, and turning profits, Chinese companies that fail to serve the state and the party do so at their own peril. 

In the United States, by contrast, the messiness of the free market could prove an enduring strength in directing capital, talent, and attention to cutting-edge technologies. Winning the race to adopt AI will require newly integrated thinking across the development, use, and consequences of the technology, rather than a narrow focus on how to build more chips or run faster models.

The Atlantic Council’s GeoTech Commission on Artificial Intelligence will grapple with this integrated question and identify how best to counter China’s capacity to leverage its entire society toward technological ends. The Manhattan Project changed history with an explosion. The demonstrations of success won’t be as dramatic with AI, but they will affect every person on the globe. And the outcome may be just as far-reaching in determining what group of countries and which set of values determine the future.

Frederick Kempe is president and chief executive officer of the Atlantic Council. You can follow him on X @FredKempe.

This edition is part of Frederick Kempe’s Inflection Points newsletter, a column of dispatches from a world in transition. To receive this newsletter throughout the week, sign up here.

The GeoTech Commission on Artificial Intelligence

Enabling US and allied leadership in the age of AI

The post It’s time to reckon with the geopolitics of artificial intelligence appeared first on Atlantic Council.

WASHINGTON, DC – NOVEMBER 5, 2025 – The Atlantic Council today announced the launch of the GeoTech Commission on Artificial Intelligence, the Council’s flagship initiative to shape the global AI agenda. The Commission brings together bipartisan Congressional leaders, top industry executives, and innovators across the AI ecosystem to ensure the United States maintain its leadership in a world increasingly defined by AI. 

The world is experiencing a historic surge in AI development and deployment, defined by three trends: intensifying geopolitical competition, deepening interdependence among various actors, and accelerating technological disruption. “To meet this moment, the Commission’s mission is clear,” said Fred Kempe, President and CEO of the Atlantic Council. “We need to mobilize more stakeholders, iterate faster, and deliver actionable strategies to secure US leadership in an increasingly complex and interconnected global AI ecosystem.”  

The Commission will focus on overall US competitiveness across six critical areas: innovation, supply chains, energy, government adoption and oversight, talent development, and international alliances. It will convene regularly, host high-profile public forums, and serve as a trusted platform for leaders to craft practical solutions that strengthen US and allied positions in the global AI race.  

“Artificial intelligence is reshaping every dimension of US competitiveness—from defense readiness and national security to economic strength. American leadership in AI requires bold, coordinated action across government, industry, and our allies,” said Ron Ash, co-chair of the GeoTech Commission. “That is why I’m honored to co-chair the GeoTech Commission on AI, collaborating with leaders from established technology powerhouses and emerging innovators working to advance actionable strategies that ensure our AI future is trusted, resilient, and at the forefront of the global AI revolution.”   

The new Commission builds on the Atlantic Council’s pioneering work on the geopolitics of artificial intelligence. It is the second iteration of the GeoTech Commission; the first ran from 2021 to 2023 with a focus on US technology leadership, supply chain resilience, and global health security. 

“We can realize the full benefits of AI only when we forge new alliances—across borders, industries, and sectors—that are nimble, transparent, and grounded in our shared democratic values,” said Kemba Walden, co-chair of the GeoTech Commission. “I’m grateful that the Atlantic Council’s GeoTech Commission offers a platform to foster these intimately collaborative relationships that are the cornerstone of U.S. innovation.”  

Led by the Atlantic Council’s Technology Programs (ACTech), the Commission will combine cutting-edge technical research with deep geopolitical expertise. It will deliver evidence-based insights, convene key stakeholders, and drive actionable strategies to shape the future of AI governance and innovation as drivers of the American economy of the future.  

Hear from the Commission’s Honorary Congressional Co-Chairs: 

“The global AI revolution is already rewriting how nations compete, how economies function, and how people work. Our job with the GeoTech Commission is simple: bring scientists, innovators, and policymakers together to actively shape an AI future that serves humanity,” said Senator John Hickenlooper, Honorary Congressional Co-Chair of the GeoTech Commission. 

“I am excited to be named as an Honorary Co-Chair of the GeoTech Commission on Artificial Intelligence and look forward to the group’s efforts to ensure the U.S. leads in this critical technology. American leadership in AI innovation, development, and deployment is essential to our economic and national security and ultimately ensuring we beat China in the global technological race,” said Senator Todd Young, Honorary Congressional Co-Chair of the GeoTech Commission. 

“The United States is a global leader on artificial intelligence, and this Commission is designed to inform the policies required to lead into the future. If we are to set the long-term direction for AI that reflects our core American values, then we must have a seat at the international table,” said Rep. Suzan DelBene, Honorary Congressional Co-Chair of the GeoTech Commission. 

“Artificial intelligence is reshaping our economy and the global balance of power. The United States must continue to lead by advancing innovation that reflects our values and strengthens our competitiveness,” said Rep. Jay Obernolte, Honorary Congressional Co-Chair of the GeoTech Commission. 

Honorary Congressional Co-Chairs:  

• Sen. John Hickenlooper (D-CO), US Senate
• Sen. Todd Young (R-IN), US Senate
• Rep. Suzan DelBene (D-WA, 1), US House of Representatives
• Rep. Jay Obernolte (R-CA, 23), US House of Representatives

Commission Leadership: 
Commission Co-Chairs:

• Ron Ash, CEO, Accenture Federal Services
• Kemba Walden, President, Paladin Global Institute; Board Member, Atlantic Council

Commissioners: 

• Frederick Kempe, President, Atlantic Council
• Sridhar Ramaswamy, CEO, Snowflake
• Dave Levy, Vice President for Worldwide Public Sector, Amazon Web Services
• Thomas Zacharia, Senior Vice President of Strategic Technology Partnerships and Public Policy, AMD
• Ned Finkle, Vice President of External Affairs, NVIDIA
• Sarah Heck, Head of External Affairs, Anthropic
• Nabida Syed, Executive Director, Mozilla Foundation
• Don Vieira, Partner & Chair of the Tech Policy Practice, Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
• Brie Sachse, Senior Vice President & Head of U.S. Government Affairs, Siemens USA
• John Goodman, Board Member, Atlantic Council
• Rachel Gillum, Vice President, Ethical and Humane Use of Technology, Salesforce
• Tyson Lamoreaux, Senior Vice President of Cloud/AI, Arista Networks
• Nathan Jokel, Senior Vice President, Corporate Strategy & Alliances, Cisco
• Markham Erickson, Vice President, Government Affairs & Public Policy Centers of Excellence, Google
• Amanda Craig Deckard, General Manager, Office of Responsible AI, Microsoft
• Matthew Graviss, Chief Technology Officer for Public Sector, Atlassian
• Chris Massey, Founder, The Brds Nst; Senior Fellow, Foundation for American Innovation
• Molly Montgomery, Director of Public Policy, Meta

Executive Director 

• Graham Brookie, Vice President, Technology Programs, Atlantic Council 

For media inquiries, please contact press@atlanticcouncil.org. 

The post Atlantic Council launches GeoTech Commission on Artificial Intelligence  appeared first on Atlantic Council.

If this public perception hardens into conventional wisdom, data centers could find themselves in a losing battle with residential customers for a scarce resource. But contrary to this perception, data centers could be a major part of the solution to the problems of rising demand, insufficient generation, and inefficient demand management faced by electricity grids.

Welcome to the neighborhood

AI data centers are positioned to become core parts of regional grids as they increasingly rely on large co-located generation assets. The more AI data centers can avoid competing with residential ratepayers as innovation catches up with demand, the better. For example, numerous new data centers are planned in Texas that intend to supply all of their own electricity from co-located natural gas turbines. These generation assets will likely produce more power than their associated data centers consume, and could flex that supply to the grid, to the benefit of local consumers if they connect in the future. Data centers are also likely to be large-scale customers for clean energy technologies like small modular reactors (SMRs) and battery energy storage system (BESS) installations, providing market demand regardless of changing subsidy regimes. 

Data centers, however, do not necessarily need to provide 100 percent of their own power to mitigate stress on the grid. Those with partial, co-located backup power can seriously reduce systemwide demand spikes by flexing down their demand on the grid by relatively small amounts.

Facilitating co-located generation

That said, to avoid long interconnection queues and time-consuming regulatory requirements for connecting to the grid, some data centers will prefer to go it alone, remaining off the grid and powering themselves exclusively with co-located generation. New Hampshire has gone so far as to simply exempt power users from grid permitting requirements if they remain off grid and to investigate withdrawal from the regional grid Independent System Operator “ISO New England.” Ideally, they would connect to the grid in the future to provide additional generation capacity and demand flexibility, so clear interconnection requirements even in the absence of required permits would help facilitate connections in the future. Of course, even power plants not connected to a grid must meet safety and construction standards, but they are spared the grid standards needed to ensure the entire grid remains balanced and adequately supplied. 

Facilitating the rapid construction of new generation capacity by private companies has the added benefit of avoiding stranded asset risk to utilities. If demand fails to materialize and generation infrastructure is overbuilt, the private companies that built it will be on the hook rather than utilities and their ratepayers.

Time-of-use pricing

In addition to co-located generation, pricing mechanisms that reflect real-time electricity use offer another avenue for supporting grid stability. Time-of-use (TOU) pricing—charging different rates for electricity depending on demand—is particularly well suited for data centers that have the capacity to flex grid demand. Implementing TOU pricing for these data centers would encourage them not only to flex their demands on the grid, but also to shift that demand geographically. Building or leasing additional fiber capacity can be a cost- and time-effective alternative to laying additional transmission lines for data centers. A stronger price signal could encourage firms to use these fiber-optic cables to shift lower priority workloads to other data centers where electricity is cheaper.

AI could also make TOU pricing clear and simple for residential consumers to lower their bills. Residential TOU exists but is not widely implemented. It tends either to fail to incentivize consumers to shift their electricity use, or incentivize and create new demand peaks at the lowest-priced use times. AI could automate the system, smoothing the demand curve without forcing consumers to make complex calculations or shift all their affected use to a specific new time. It could allow residential consumers to determine how much of a trade-off between cost and convenience they are willing to accept and set their smart meter accordingly. A greater tolerance for reducing heating, air cooling, and other electricity use would result in lower bills. For example, a budget-minded consumer who set a preference to “lowest cost” would likely notice household temperature fluctuations as the system responded to real-time demand spikes. A less price-conscious consumer might allow only modest energy reductions, or none at all. Such a system could make TOU easy and intuitive to consumers while responding to real-time prices rather than average demand cycles.

TOU has already demonstrated the ability to shift demand from peak to off-peak times by several percentage points even when poorly implemented. In a state like New York, where peak demand reaches 34,000 megawatts (MW), shifting even 5 percent of peak demand to off-peak times would exceed the entire capacity of a brand new transmission line. The systemwide efficiencies gained from effective TOU pricing facilitated by AI could drive down peak electricity rates for both data centers and residential consumers. TOU pricing is especially effective at minimizing rates because it lowers the capacity clearing price paid and reserve margin of generation supply maintained by utilities to manage demand spikes.

Value-based pricing

Another systemwide reform that could help prevent a potential electricity consumer backlash against data centers is 24/7 value-based pricing. It would speed the addition of generation capacity to grids for use by both data centers and residential consumers. Pricing power by its value to the grid rather than its cost to produce makes it easier for grid operators to integrate new generation capacity. Solar and wind have a near-zero marginal cost of production, but integrating large volumes of intermittent power complicates grid balancing and threatens the commercial viability of much-needed dispatchable generators. 

Requiring intermittent producers to price in the cost of battery back-up would create a competition on total value rather than marginal cost of production. This would prevent intermittent generation from bankrupting dispatchable power plants without being able to replace their generation capacity when the wind doesn’t blow or the sun doesn’t shine. These dispatchable producers rely on selling power consistently, not just when solar and wind are inactive. Value-based pricing would encourage investment in clean technologies like SMRs, BESS, and geothermal while easing pressure on dispatchable power producers that are key to balancing the grid. 

Industry needs to drive reform

Both political parties have incentives to reform grid regulation, as it is needed to support the AI industry specifically and US industry generally, as well as to increase the use of clean power. Despite that, regulatory reform has consistently proved elusive. Large AI providers as well as data center operators are the only market players with enough clout to make reform happen.

Failure to push reforms through risks an electricity shortage and consumer backlash that deprives the AI industry of the energy that is essential for its growth. If the firms at the forefront of the AI revolution want to continue to innovate, they need to win friends and allies within their shared energy system.

Nate Mason is an energy advisor and government relations expert with twenty years of experience that includes service in the US Departments of State, Energy, and Commerce, as well as the US Embassies in Kyiv and Tripoli.

Sign up for PowerPlay, the Atlantic Council’s bimonthly newsletter keeping you up to date on all facets of the energy transition

EnergySource Jul 18, 2025

Ground-zero for the US AI energy challenge: A state-level case study

By Andrea Clabough

Virginia’s AI data center boom could double the state’s power demand within a decade, forcing residents’ electricity bills higher. But with careful planning and partnerships, policymakers can balance energy, economic, and emissions goals.

Artificial Intelligence Energy & Environment

EnergySource May 21, 2025

Replace the Inflation Reduction Act with FUEL-AI

By Joseph Webster

To compete in the global AI race, the United States must dramatically expand its power supply. Replacing the Inflation Reduction Act with the FUEL-AI Act would reorient energy policy toward national security, fast-tracking domestic energy production and infrastructure to power America’s AI future.

Energy & Environment Energy Transitions

EnergySource Jan 27, 2025

DOGE should use AI to fix environmental review

By William Yancey Brown

The National Environmental Policy Act’s (NEPA) often lengthy process can delay crucial development projects and job creation. To address this, Trump’s newly established Department of Government Efficiency should leverage AI technologies to accelerate environmental reviews, modernizing the administration of NEPA.

Artificial Intelligence Energy & Environment

The Global Energy Center develops and promotes pragmatic and nonpartisan policy solutions designed to advance global energy security, enhance economic opportunity, and accelerate pathways to net-zero emissions.

learn more

The post Data centers aren’t grid villains—they’re allies appeared first on Atlantic Council.

Unfortunately, when it comes to human talent, AI or digital adoption action plans—be they national or multilateral—tend to focus on reskilling for younger populations. The importance of digital reskilling for older populations to empower their productivity, health, and social welfare should be a strategic priority, as well. Attention to this population segment is increasingly paramount considering that people aged sixty-five and older compose the fastest-growing demographic group in the world, especially in low-and-middle-income countries.

It is encouraging that the World Social Summit’s Doha Political Declaration, which will be officially adopted at the Summit, acknowledges the importance of digital and social inclusion encompassing older populations. But policymakers should also incorporate adequate training and trust frameworks for reskilling aging populations into their infrastructure development goals. Countries are making considerable investments to ramp up their digital infrastructure. If these efforts are not paired with a reskilling capacity, leaders risk excluding a growing older adult population from full societal and economic participation. How effectively the summit addresses this issue will help determine countries’ preparedness for major forthcoming technological and demographic shifts.

Digital literacy for older populations: A super-determinant of social development

For older adult populations to benefit from new applications of AI and digital technologies in healthcare, digital and AI literacy is essential. Research indicates that AI healthcare tools could potentially improve the detection and diagnosis of chronic diseases and help medical professionals make swifter clinical decisions.

While global life expectancy has increased over the decades, individual healthspan (or the number of years lived disease-free) has lagged behind life expectancy, with a gap of 9.6 years. A major driver of this gap is the pervasiveness of noncommunicable diseases (NCDs), including Alzheimer’s, dementia, cancer, and heart disease, which are most prevalent in populations older than fifty. The capacity of an individual to use technologies to manage their own health, referred to as digital health literacy, is characterized as a super-determinant of health. Digital health literacy may play a role in extending both life expectancy and healthspan related to NCDs management, particularly among older populations.

The triple barrier: Challenges to digital health adoption

Policymakers must grapple with three interlocking barriers that make it difficult to engage older populations with digital tools: insufficient infrastructure, low trust, and inadequate design.

Globally, the digital divide remains stark. In developed economies, 90 percent of people have internet access, while only 27 percent of those living in developing economies do. This gap is exacerbated for aging populations ages sixty and over, who are disproportionately offline compared to their more connected younger counterparts. Digital health literacy is a prerequisite for a population to benefit from AI-driven healthcare. The absence of this literacy can cause severe complications, including delayed diagnoses, poor adherence to treatment plans, and patient absenteeism.

Another barrier to the adoption of digital health services is trust. Older adults often view digital healthcare with skepticism, fearing data breaches, unclear terms of use, or inadequate quality control. In the United States, 60 percent of patients that consider using a health app decide not to over privacy concerns. Overcoming this lack of trust requires transparent communication, the reinforcement of safety protocols, and endorsements from trusted authorities.

Even with digital connectivity and training, digital health tools will not be widely adopted if they are poorly designed. User experience research shows that technical jargon, cognitive overload, impersonal interfaces, and mismatched engagement methods reduce uptake. By contrast, personalization—such as tailoring messages to a patient’s context and communication preferences—has been shown to significantly increase adherence to preventive behaviors.

Lessons from national initiatives to increase digital health literacy

Here are four approaches policymakers and civil society actors at the World Social Summit can look to when implementing the commitments to digital inclusion outlined in the Doha Political Declaration:

• Promote the rollout of national digital health literacy programs for older adults. Such programs can help older adult populations access the benefits of digital health tools. India’s Understanding of Lifelong Learning for All in Society, a government-sponsored literacy program for citizens aged fifteen and above who missed the opportunity to attend school, is one example of such an initiative. Through virtual modules and volunteer support, citizens are trained in general skills, including digital and health literacy. This program could serve as a useful model for the creation of more targeted literacy programs focused on providing older adults with digital health literacy skills they may not be able to learn elsewhere.
• Encourage local governments to tie digital skills training to digital infrastructure investments. This approach can help make the most of technology deployment by combining it with community-based engagement projects. With a bottom-up approach, in Kebbi State, Nigeria, the Medicaid Cancer Foundation-Patience Access to Cancer Care, began increasing awareness about the importance of early detection and prevention of cancer with community leaders and a peer-to-peer outreach model. Once this network of trust was established, the program was able to effectively strengthen patient management through the digitalization of follow-up care and the establishment of a State Cancer Registry to systematically track cases.
• Promote national programs that train community leaders to be digital skills educators. Trusted community leaders can help overcome negative perceptions of digital health tools. In the United Kingdom, the National Health Service’s BP@Home program trained community health workers to empower patients with home blood pressure management. BP@Home has reached over 220,000 participants since 2020. Using a step-by-step approach with phone calls, leaflets, and a dedicated app, this model ensures that patients, especially older adults, not only have the technology but also the skills and confidence to manage their blood pressure.
• Incorporate user perspectives in the elaboration of AI skilling policies. Building trust in AI technologies demands multisector collaboration with older adults as the end users. A transdisciplinary trust framework can help bridge these perspectives, linking scientific insights on ethics and reliability with the experiences and concerns of older populations. By embedding trust-building into digital health strategies, such frameworks can ensure that AI tools are not only technically sound but socially legitimate, culturally sensitive, and aligned with the values of their users. This approach is especially vital in lower- and middle-income countries, where skepticism, lower digital literacy rates, and infrastructural gaps intersect most acutely.

***

Policymakers at the World Social Summit should commit to skilling aging populations—from infrastructure investment to user design, from trust-building to training—to achieve sustainable and resilient social protection systems. The action plans of today will shape the health equity landscape of tomorrow. If leaders fail to act, the digital and health divides will grow. If they act decisively, advances in AI and digital health technologies could become powerful equalizers in global health for decades to come.

Vijeth Iyengar is a nonresident senior fellow at the Atlantic Council’s GeoTech Center. The views reflected in the article are the author’s views and do not necessarily reflect the views of his employer.

Zainab Shinkafi-Bagudu is a senior advisor at the Federal Ministry of Health Nigeria and president-elect of the Union for International Cancer Control.

Héctor Pourtalé is a global public health consultant and former executive director of Movement Health Foundation.

Frank Krueger is a professor at the School of Systems Biology, George Mason University and honorary professor at the University of Mannheim.

GeoTech Cues Jan 21, 2025

Aging populations are being ignored in global tech agreements. That comes at a cost.

By Vijeth Iyengar, Gunay Kazimzade

The omission of aging populations in agreements at the UN and elsewhere is a missed opportunity to harness societal and economic gains.

Artificial Intelligence Resilience & Society

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

Report May 29, 2024

Generational AI: Digital inclusion for aging populations

By Caroline Thompson

Recommendations on improved inclusion and empowerment of older adults in the age of artificial intelligence.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post For aging populations to benefit from advances in healthcare technology, countries must promote digital health literacy appeared first on Atlantic Council.

On October 3, Forward Defense nonresident senior fellow Elliot Ackerman was featured in an episode of Open Debate entitled “Wartime Kill Switch: Human or AI?” in which he defended human control over lethal battlefield decisions.  

Fellow

Elliot Ackerman

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Afghanistan Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Ackerman defends human oversight of battlefield decisions on Open Debate appeared first on Atlantic Council.

The Donald Trump administration’s “Winning the Race: America’s AI Action Plan” outlines a vision of AI as a decisive frontier of global economic and security competition. The first pillar advocates for a deregulated, private-sector-led environment by reducing regulations, promoting open-source AI models, and fast-tracking AI deployment in industries such as healthcare, while tackling some questions about workforce transition. The second pillar addresses energy capacity by upgrading the electric grid, restoring domestic semiconductor manufacturing, building secure data centers, and establishing cybersecurity measures including incident response capabilities. The third pillar on international diplomacy and security, seeks to counter Beijing’s growing influence in international governance bodies and export the full stack of US AI to allies and partners. The plan also identifies financial services as both an opportunity and a vulnerability. AI is viewed as a driver of financial innovation and efficiency, but also as a channel for risks including misinformation, cyber fraud, and systemic instability.

The European Commission’s AI Continent Action Plan was unveiled in April 2025, and is part of a long series of reports and regulations undertaken by the EU to bolster its competitiveness in AI. It lays out a five-pronged plan to scale up computation models through new AI factories, innovation hubs, and pooled resources, improve access to and availability of high-quality data, accelerate application of AI through public services and industrial activities, enable the Draghi report’s ambition to “exceed the US in education” when it comes to training and retaining skilled talent, and further fortify the European single market for AI.

Both the approaches aim to buttress domestic adoption and application of AI—often through nudges from the state when it comes to exploring applications in public services, and encouragement for many kinds of commercial activities. China has come to a similar conclusion, with its continual emphasis on using local government action plans to diffuse AI into public service provisions, and all kinds of industrial activities through its “AI Plus” initiative. There are few references to China in the EU’s latest AI document, while Washington’s approach has both implicit and explicit connotations of a largely two-way race between itself and Beijing.

Approaches from the United States and the EU are both likely to face issues regarding capital and financing of these action plans. While US private-sector investments in AI are many-fold those in the EU and China, the scale and focus of spending make a big difference. In the United States, the Trump administration has put AI contracts front and center in its broader deregulation approach—recent quarters have seen dozens of venture capital rounds above $100 million, and large megadeals (one of about $40 billion in the first quarter of 2025 alone aside) are becoming more common. Major players like Microsoft have committed to $80 billion this year for AI-capable data centers, and overall US tech capital expenditure for AI and infrastructure is being projected in the hundreds of billions over the next few years.

Meanwhile, across the EU, fiscal rules constrain deficit and debt levels: member states are required to keep deficits below 3 percent of gross domestic product (GDP) (though some exceed this threshold) and debt below 60 percent. The EU’s budget amounts to about 1 percent of GDP, and key instruments such as the Recovery and Resilience Facility are set to expire in 2026—leaving a gap in large-scale funding. The EU is currently negotiating its next seven-year budget (2028–2034), which is expected to place strong emphasis on large-scale investments, including a proposed Competitiveness Fund. In China, while growth targets remain and fiscal policy is being kept “flexible,” debt burdens, weak investment returns in sectors such as property and manufacturing, and slowing external demand limit what Beijing can unilaterally spend without risking macroeconomic instability.

These differences mean that even when headline figures like “$500 billion investments” are floated, much of that tends to flow into private capital for infrastructure, cloud and chip production, startup rounds, and acquisitions. They are not distributed evenly or necessarily aimed at building strategic domestic capabilities. Europe and China risk being unable to match the pace of US capital expenditure, not only because of absolute capital constraints but because of institutional, regulatory, and macro-fiscal drags.

Challenges to US-EU alignment on AI

These structural spending imbalances are compounded by inconsistent US policy decisions that leave European partners scrambling to adapt. For example, Joe Biden administration’s AI diffusion rule in January 2025 left many countries in Europe with restrictions on importing advanced chips from the United States, and led to a call for maintaining a “secure transatlantic supply chain on AI technology and super computers, for the benefit of our companies and citizens on both sides of the Atlantic.” The Trump administration repealed this rule and, in its place, the EU committed to purchasing $40 billion of US-made chips as a part of its trade agreement with the United States.

This interaction lays bare the two tensions complicating the US-EU alignment on AI strategies. The first concerns the strategies’ time horizons and the enabling actions undertaken by each jurisdiction. The EU’s approach has been solidified with years of iterative public discussion amid the market transformation from AI—starting with the Draghi report, the AI Act and even Ursula von der Leyen’s European Commission presidency campaign. In contrast, the US AI strategy has seemed reactive and temperamental—shifting focuses between administrations on important issues such as risk and safety, open-source models, and export controls. Recent partnerships with the Gulf states and lifting of controls on NVIDIA’s H20 chips sale to China have also demonstrated a deal-making approach to AI, which is often at odds with the stated US strategy.

The EU has embraced binding rules such as the AI Act, in line with its broader tradition of digital regulation. By contrast, US administrations have favored light-touch, voluntary frameworks, and sectoral oversight rather than comprehensive law. This reflects a bipartisan reluctance to over-regulate the industry. This divergence in regulatory culture means that even when Washington and Brussels agree on broad goals, they often diverge on the instruments used to achieve them,

The second tension in the US and EU strategies concerns the EU’s own complicated motivations in the context of its present economic interdependence on the United States and China. This reliance is visible across the entire AI input stack. At the software level, European firms overwhelmingly depend on US-developed foundational models, cloud platforms, and AI tools provided by companies such as Microsoft, Google, and OpenAI, reflecting the absence of a globally competitive European alternative. In 2025, the United States produced about forty large foundation models, China around fifteen, and the EU only about three. At the infrastructure and cloud level, the “big three” US cloud hyperscalers are estimated to power about 70 percent of European digital services. At the hardware level, the EU remains structurally reliant on advanced semiconductors designed in the United States and fabricated in Asia, with Europe’s domestic semiconductor sector making up less than 10 percent of global production. Supply chains for critical minerals and legacy chips further reinforce exposure to Chinese producers, which control a significant share of upstream inputs and mid-tier manufacturing. Chinese companies dominate the refining of critical minerals such as rare earths and graphite, essential for chipmaking and AI datacenter equipment. They are also leading suppliers of mid-range GPUs, networking hardware, and AI server components, which European firms may increasingly source to diversify away from US vendors. Chinese technology companies, including Baidu and Alibaba, are also emerging players in foundation model training and deployment, reinforcing Europe’s reliance on external providers. These dependencies complicate the EU’s sovereignty ambitions and its ability to balance relations with the United States.

Recognizing these vulnerabilities, the EU launched initiatives to expand domestic capacity, raising about €20 billion to build “AI gigafactories.” These factories would be capable of hosting large-scale compute infrastructure, with the aim of catching up to the US and China. While these projects signal a commitment to reduce dependency, they remain long-term efforts. Even as Europe invests in its own infrastructure, there is still high exposure to non-EU supply chains for the critical inputs into AI. The European Central Bank noted that about half of Euro area manufacturers sourcing critical inputs from China report being exposed to supply chain risk.

These two tensions—uncertainty in US policy actions and the gap between the EU’s ambitions of sovereignty and its reliance on US and China for critical inputs—will continue to play out over the next few years.

The financial services sector and AI action plans

For financial services in particular, AI adoption is accelerating—banks now flag AI as core to transformation. JPMorgan reports hundreds of production use cases across fraud, marketing, and risk in its shareholder communications, while Bank of America’s “Erica” virtual assistant has logged more than 2 billion client interactions—evidence that AI is reshaping front-, middle-, and back-office processes from customer service to underwriting to treasury operations. This brings opportunities including cost and error reduction, real-time risk sensing, and new AI-enabled products like cash flow intelligence for corporate treasurers.

But financial services also represent one of the highest-risk sectors for AI adoption, given the direct societal impact of errors or bias in lending, risk modeling, or compliance monitoring. The AI Index 2025 shows that measurable gains remain modest, with most firms reporting less than 10-percent cost savings or revenue growth below 10 percent. AI adoption for financial services also lags in key areas. Many institutions remain in pilot phases, data quality and legacy infrastructure limit deployment, and regulatory uncertainty combined with talent shortages slows uptake in high-risk applications such as credit scoring and underwriting. Regulatory divergence sharpens these trade-offs: The United States leans on voluntary risk-management tooling (the National Institute of Standards and Technology – Artificial Intelligence Risk Management Framework) that gives firms latitude to innovate, whereas the EU’s binding AI Act and sectoral guidance from the European Securities and Markets Authority impose high-risk classifications and board-level accountability for AI in investment services—raising documentation, testing, and oversight burdens for cross-border finance.

Ultimately, the private sector and business in both jurisdictions need to adapt to these tensions and, in some cases, even begin to view them as productive in their journey of AI adoption and diffusion across various functions. What the AI action plans have done is provide a broad framework of AI strategy. But for financial services companies and the broader commercial sector, the devil is in the details and will require closing the transatlantic gap in the regulatory approach to AI. This seems more difficult than it would have a year ago.

Ananya Kumar is the deputy director, Future of Money, at the GeoEconomics Center.

Alisha Chhangani is an assistant director at the GeoEconomics Center

Flagship Event Mon, September 29, 2025 • 6:30 am ET

2025 Transatlantic Forum on GeoEconomics

The Transatlantic Forum on GeoEconomics is an annual conference convening economic and financial leaders from both sides of the Atlantic.

Digital Policy Economy & Business Europe & Eurasia European Union

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What drives the divide in transatlantic AI strategy? appeared first on Atlantic Council.

On September 17, Forward Defense nonresident senior fellow Owen Daniels was featured on the Network 20/20 Virtual Briefing Series alongside Janet Egan and Sam Winter-Levy. The panelists discussed the ramifications and strategic implications of the US-China AI race and China’s rapid progress in AI development.

Fellow

Owen J. Daniels

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Daniels weighs the consequences of the US-China AI Race on Network 20/20 appeared first on Atlantic Council.

On September 28, Switzerland will vote in a national referendum on the introduction of a state-recognized electronic proof of identification, or e-ID. This referendum could fundamentally transform how Swiss residents access government services and engage with private sector platforms in an increasingly digital world. The new draft solution comes after the rejection of the e-ID Act in a March 2021 referendum, largely due to the control the Act would have given to the private sector. Under the proposed legislation, the federal government will be responsible for both issuing e-ID cards and operating the necessary technical systems, an approach designed to maximize privacy and data security.

Switzerland’s evolving approach to digital identity reflects a broader, global conversation about the intersection of technology, governance, and trust.

Earlier this summer, Switzerland was already at the center of global digital policy conversations. From July 8-10, Geneva hosted the AI for Good Global Summit, the United Nations’ flagship platform for leveraging artificial intelligence (AI) to address global challenges, organized by the International Telecommunications Union. The summit convened a diverse group of policymakers, researchers, industry leaders, and civil society to promote the development of AI standards, foster innovation, and maintaining robust safeguards for equity and inclusion.

While thousands gathered in Geneva, the Atlantic Council’s GeoTech Center hosted a more focused convening in Lausanne called “Bridging AI & digital policy: Global perspectives for a trustworthy future.” Held on July 10 at the Swiss security-printing company SICPA’s unlimitrust campus, the event brought together experts from government, industry, and academia for a half-day of dynamic discussions on AI and digital trust.

Shaping AI and digital trust

As technologies such as AI and digital identity systems shape the future of governance, security, and social services, ensuring their trustworthy development and equitable deployment is critical, particularly as nations weigh major policy decisions such as Switzerland’s upcoming e-ID vote. While much technological innovation is led by the Global North, the global majority, the world’s largest and most diverse population, holds the key to unlocking inclusive, ethical, and impactful digital solutions. This half-day event explored regulatory frameworks, innovations, and challenges for these technologies across both developed and emerging economies.

Philippe Amon, chairman and chief executive officer of SICPA and member of the Atlantic Council’s International Advisory Board, opened the event by highlighting the importance of AI today, stating that “AI is like oxygen.” His words set the tone for an afternoon of engaging and impactful dialogue on how AI and digital policy are reshaping trust, innovation, and global cooperation.

The first panel, “Swiss partnerships on AI: Innovating for a trusted future” was moderated by Graham Brookie, vice president of technology and strategy programs at the Atlantic Council. The panel examined how Switzerland is advancing digital trust and secure AI development. The panelists emphasized the importance of regional and global partnerships to advance the trusted, secure development and deployment of AI. They explored practical steps and the need for robust regulatory standards, sharing examples of Swiss initiatives and international partnerships that are driving innovation while remaining secure and trustworthy. One example included panelist Leila Delarive’s software development company, hoopit.ai, which was co-founded by Swiss and American partners with a shared focus on making knowledge more trusted, more secure, and more human. Speakers agreed that innovation must be tied to real-world outcomes, with one panelist, Jean-Christophe Makuch, head of digital research and innovation at SICPA, noting, “The question is not what are you doing, it’s what problem are you solving?”

In my capacity as an assistant director at the Atlantic Council’s GeoTech Center, I moderated the second panel, “Global digital ID landscape.” This panel examined current trends, barriers to adoption, and opportunities for a more inclusive and interoperable digital ID ecosystem, drawing from the GeoTech Center’s July report, “Exploring the global digital ID landscape.” Panelists discussed issues including public trust and interoperability challenges to gaps in digital access across emerging economies. The conversation also highlighted Switzerland’s upcoming referendum on the national e-ID, underscoring how the vote could establish a model for trust, privacy, and usability in digital identity systems. A major theme of the dialogue centered around usability of digital ID systems. Anantha Ayer, CEO of SwissSign said, “Why do we need a digital identity? I think if we answer that question and people see that, the adoption rate will go up.”

The final panel, “AI in the Global South,” was moderated by acting senior director and senior fellow at the Atlantic Council’s GeoTech Center, Raul Brens Jr.. The panelists discussed regional advancements, challenges, and opportunities for AI-driven development in emerging economies. Panelists highlighted the use of AI as a tool to enhance efficiency and emphasized the need for government and public-private collaboration. The panelists underscored that implementing AI in emerging economies will require capacity-building, robust data governance, and inclusive digital access. Kira Intrator, a principal at Civic Strategy Group, underscored the need for increased investment in AI development across the Global South, asking: “With the potential of AI, how can funders and donors think really creatively and really commit to making a difference?”

Reflections ahead of Switzerland’s e-ID vote

As the September 28 referendum approaches, the insights shared in Lausanne are increasingly important to consider. The conversations emphasized how both artificial intelligence and digital identity systems are increasingly shaping the future of how governments approach inclusion, equity, security, and interoperability in the digital age. From lessons learned in the Global South to evolving frameworks across Europe, it’s clear that collaboration between governments, industry, and civil society will be crucial to advancing these technologies effectively. Public trust is also at the forefront of shaping inclusive policies, and it will be essential to enhance transparency across the development and implementation processes. The future of AI and digital identity systems will be defined not just by how these technologies are used, but how securely and inclusively they are deployed.

Coley Felt is an assistant director at the Atlantic Council’s GeoTech Center.

Report Jul 10, 2025

Exploring the global digital ID landscape

By Coley Felt, Will LaRivee

The worldwide adoption of digital identity systems varies significantly across regions and implementation approaches.

Africa Digital Policy

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

GeoTech Cues Jun 6, 2025

G7 leaders have the opportunity to strengthen digital resilience. Here’s how they can seize it.

By Sara Ann Brackett, Coley Felt, Raul Brens Jr.

At the upcoming Group of Seven Leaders’ Summit in Canada, member state leaders should advance a coherent, shared framework for digital resilience policy.

Artificial Intelligence Cybersecurity

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Global perspectives on AI and digital trust ahead of the Swiss e-ID referendum appeared first on Atlantic Council.

But automation and data-processing speed—image identification, logistics, and pattern detection—are only one part of the story. An arguably more significant transformation is underway, toward synthetic cognition within AI systems.

Adversary simulation

The US Army’s Mad Scientist Initiative and NATO’s Strategic Foresight Analysis program have both identified AI-based adversary simulation as critical for preparing joint forces for contested decision environments. This involves mapping adversary biases, illuminating internal cognitive blind spots, and forecasting narrative-driven escalations. The idea is to promote what has been called “strategic empathy”—the disciplined effort to understand how adversaries perceive their interests, threats, and opportunities—and to reduce inadvertent escalation risks. 

Everyday AI chatbots such as GPTs are already spontaneously displaying the rudiments of theory of mind—that is, the ability to infer that others can hold beliefs different from one’s own. This capability has been demonstrated in LLMs through successful completion of false-belief tasks, such as recognizing that a person can search for an object where they mistakenly believe it to be, rather than where it actually is—a benchmark long associated with childhood cognitive development and a function regarded as unique to the species. In military contexts, if carefully constrained and validated, such capabilities are likely to soon allow for real-time simulation of adversarial logic, strategic ambiguity, and reputational calculus. 

The capacity to accurately interpret and anticipate adversaries’ behaviors and strategic intent may prove to be the ultimate determinant of cognitive overmatch, understood here as the demonstrable ability to emulate, predict, and outpace adversary decision cycles. In practice, this is measured in reduced decision time, greater accuracy in escalation forecasting, and validated against observed behavior in falsifiable scenario outcomes. In an era defined by the contest of perceptions, safely and successfully integrating synthetic cognition into defense capabilities may well prove decisive. As such, embedding cultural, historical, and ideological nuance into cognitive-emulative systems will be important to ensure strategic superiority for the United States. After all, China is already reportedly investing in culturally informed AI frameworks for military use. 

Taught versus nurtured consciousness

The crux of efforts to simulate adversarial reasoning emerges from a cognitive duality between taught consciousness and nurtured consciousness. This is not standard AI terminology, but a conceptual framework we have introduced to distinguish between two modes of reasoning. Taught consciousness refers to structured learning, facts, and procedural logic. Nurtured consciousness, by contrast, arises from culture, history, trauma, identity, and emotional reinforcement—the forces that shape how an actor interprets risk, legitimacy, and legacy.

To “think better,” AI must move beyond structured data alone; it must incorporate historical memory, cultural worldviews, symbolic interpretations, and ideological drivers of conflict. For example, a People’s Liberation Army (PLA) commander influenced by the 1979 Sino-Vietnam War may exhibit caution in mountainous terrain, a detail invisible to most automated models but accessible to LLMs trained on PLA memoirs, doctrine, and historiography.

As a recent report we both worked on details, military decisions are rarely made in isolation from personal or collective history. Strategy is often shaped by deep-seated narrative logic, encompassing national myths, identities, and ideology. Beyond procedural logic and battlefield geometry, war is fought through perception: how each actor experiences shame, fear, honor, legitimacy, and memory. These variables do not exist in intelligence, surveillance, and reconnaissance feeds or probability tables. They are present in the minds of adversaries, shaped by decades, if not centuries, of history, trauma, and political indoctrination. This is the cognitive substrate of strategic action, and it cannot be approximated through taught knowledge alone.

Consider the threat from jihadist groups such as the Islamic State of Iraq and al-Sham, or ISIS, and Boko Haram, which do not adhere to classical strategic logic; their behaviors are shaped by religious eschatology, historical grievances, and narrative theater. They use spectacular violence and ritualized fear to sustain their ideological appeal, often engaging in an epistemic war against perceived Western influence and employing brutality as part of the construction of identity. A purely data-driven model might focus on the number of fighters, frequency of attacks, or intercepted chatter while missing the symbolic logic animating those patterns. 

A system that incorporates cognitive elements layers in the importance of sacred geography, the modeling of theological escalation ladders where martyrdom is incentivized, and the role of online radicalization, where command structures are replaced by narrative contagion. Nurtured AI systems trained on religious texts, ideological manifestos, and martyr testimonials might be able to simulate the decision logic of these “nonrational” actors, providing predictive insights into, for example, when a symbolic event might trigger a suicide bombing, or when leadership decapitation may lead to fragmentation and the splintering toward more extreme offshoots.

Inhabiting the fog

Without nurtured consciousness, even the most advanced AI-driven systems risk failing to accurately interpret complex adversarial behaviors, symbolic intentions, and cultural thresholds, thereby undermining strategic effectiveness.

While taught consciousness enables a model to replicate tactical planning or doctrinal norms, nurtured consciousness simulates how a decision maker understands risk, perceives adversaries, and weighs personal legacy against national mythology. This is what allows an AI system to reason like a human in a real-world context, rather than merely replicating surface-level behavior. Combined, taught and nurtured consciousness deepen strategic empathy. 

However, as AI systems with synthetic cognition begin to dynamically shape military operations, they will require accountability frameworks, multidisciplinary oversight, and governance protocols. Failure to establish clear guidelines risks strategic misalignment, ethical ambiguity, and unanticipated escalation, ultimately weakening their utility and credibility. Therefore, cognitive-emulative systems must remain auditable, strategically aligned with values, and guided by transparent governance structures involving regional experts and ethicists to ensure responsible deployment. Given rapid advances by the United States’ near-peer adversaries, Washington needs technical and doctrinal oversight of nurtured consciousness, as well as clearly defined international norms governing its use.

Prussian General Carl von Clausewitz observed that “war is the realm of uncertainty; three quarters of the factors on which action in war is based are wrapped in a fog of greater or lesser uncertainty.” Conscious-model AI does not dispel the fog, it inhabits it. It reasons, reacts, and remembers within it. This capability is what turns an information advantage into a conscious advantage, and it has the potential to set the standard for strategic dominance in the twenty-first century.

John James is a technologist, deep-tech investor, and founding partner of BOKA Capital Ltd, which has investments in military AI companies.

Alia Brahimi, PhD, is a nonresident senior fellow on the Atlantic Council Middle East Programs.

The post How AI with ‘nurtured consciousness’ could transform warfare appeared first on Atlantic Council.

• Executive summary
• Introduction
• Moving balls, swinging pendulums
• Untangling the data in the “AI supply chain” 
• Parsing the risks—and pursuing better security 
  • Approach one: Understand the ‘state’ of data
  • Approach two: Assess threat actor profile
  • Approach three: Map suppliers to the supply chain
• Conclusion and recommendations 
• Author and acknowledgements

Executive summary

Underpinning AI technologies is a complex supply chain—organizations, people, activities, information, and resources that enable AI research, development, deployment, and more. The AI supply chain includes human talent, compute, and institutional and individual stakeholders. This report focuses on another element of the AI supply chain: data. 

While a diversity of data types, structures, sources, and use cases exist in the AI supply chain, policymakers can easily fall into the trap of focusing on one AI data component at one moment (e.g., training data circa 2017), then switching focus to another AI data component next (e.g., model weights in current times), risking a lopsided policy that fails to take account of all the AI data components that are important for AI research and development (R&D). For example, overconfidence about which data element or attribute will most drive AI R&D can lead researchers and policymakers to skip past important, open questions (e.g., what factors might matter, in what combinations, and to what end), wrongly treating them as resolved. Put simply, a “one-size-fits-all” approach to AI-related data runs the risk of creating a regulatory, technological, or governance framework that overfocuses on one element of the data in the AI supply chain while leaving other critical parts and questions unaddressed. 

Managing the risks to the data components of the AI supply chain—from errors to data leakage to intentional model exploitation and theft—will require a set of different, tailored approaches aimed at achieving a comprehensive reduction in risk. As conceptualized in this report, the data in the AI supply chain includes the data describing an AI model’s properties and behavior, as well as the data associated with building and using a model. It also includes AI models themselves and the different digital systems that facilitate the movement of data into and out of models. The report, therefore, spells out a framework to visualize the seven data components in the AI supply chain: training data, testing data, models (themselves), model architectures, model weights, Application Programming Interfaces (APIs), and Software Development Kits (SDKs). 

It then uses the framework to map data components of the AI supply chain to three different ways that policymakers, technologists, and other stakeholders can potentially think about data risk: data at rest vs. in motion vs. in processing (focus on a data component within the supply chain and its current state); threat actor risk (focus on threat actors and risks to a data component within the supply chain); and supply chain due diligence and risk management (focus on a data component supplier or source within the supply chain and related actors). 

In doing so, it finds that many risks to AI-related data are risks to data writ large that existing best practices could mitigate. These include National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) specified data access controls, continuous monitoring systems, and robust encryption; the risks at hand in these cases do not require reinventing the wheel. Simultaneously, this report also finds that some security risks to AI data components do not map well to existing security best practices that would adequately mitigate the risk or even apply at all. At least two stand out immediately: bad actors’ attempts to poison AI training data require data filtering mechanisms not well captured by existing measures, and which access controls or encryption would not appropriately mitigate; and emerging, malicious efforts to insert so-called neural backdoors into the behavior of neural networks require new security protections, too, beyond the realm of traditional IT data security. On top of implementing these two categories of mitigations, this report emphasizes that organizations can leverage “know your supplier” best practices to ensure all other entities in their AI supply chains have security best practices for both non-AI-specific and AI-specific data risks. 

This report concludes with three recommendations. 

1. Developers, users, maintainers, governors, and securers of AI technologies should map the data components of the AI supply chain to existing cybersecurity best practices—and use that mapping to identify where existing best practices fall short for AI-specific risks to the data components of the AI supply chain. 
2. Developers, users, maintainers, governors, and securers of AI technologies should “Know Your Supplier,” using the supply chain-focused approach to mitigate both AI-specific and non-AI-specific risks to the data components of the AI supply chain. 
3. Policymakers should widen their lens on AI data to encompass all data components of the AI supply chain. This includes assessing whether sufficient attention is given to the diversity of data use cases that need protection (e.g., not just training data for chatbots but for transportation safety or drug discovery) and whether they have mapped existing security best practices to non-AI-specific and AI-specific risks. 

Introduction

Recent advances in computing power have catalyzed an explosion of artificial intelligence (AI) and machine learning (ML) research and development (R&D). While many of the mathematical and statistical techniques behind contemporary AI and ML models have been around for decades,¹ these advancements in computing power have combined with larger datasets, energy sources, human labor, and other factors to bring AI and ML R&D to unforeseen heights. 

This phrase, “artificial intelligence,” is best understood not as a single, specific technology but as an umbrella term for a range of technologies and applications. Illustrating this point, companies, governments, academic institutions, civil society organizations, and individuals, among others, are designing, building, testing, and using AI and ML applications ranging from facial recognition systems in shopping malls and driving navigation systems in autonomous vehicles to chatbots in academic research environments to highly tailored applications in drug discovery, climate change modeling, and military operations.² Despite wide variations in design and function, all these software applications, as such, characterize “AI.” Their variations capture the expansiveness of the “AI” term. They also underscore that research and policymaking on AI’s impacts—to labor, the environment, workforce productivity, economic growth, privacy, civil rights, national security, and so forth—must reference and differentiate between specific application areas, because they may greatly vary.

Underpinning AI technologies is a complex supply chain—organizations, people, activities, information, and resources enabling research, development, deployment, and more.³The AI supply chain includes human talent: the people around the world contributing to university and nonprofit research, building and iterating on commercial products, hacking systems to boost their security, applying deployed AI technologies in innovative ways, and so forth. It includes compute: the dynamic provisioning, protection, and management of hardware and software systems across shared infrastructure, in this case to power AI training, refinement, and so on—the subject of a forthcoming companion report from the Cyber Statecraft Initiative.⁴ It includes institutional and individual stakeholders, such as infrastructure providers, data providers, technology and service intermediaries, user-facing entities, and consumers.⁵ And the AI supply chain includes data components, which are the focus of this report. 

AI technologies are data-rich. That is, they both rely tremendously on data to function and produce large volumes of data as part of their operation. As explored in this report, this data richness entails a complex set of data elements in the AI supply chain that feed into, come out of, and underpin the research, development, deployment, use, maintenance, governance, and security of AI technologies. Corporate developers, researchers, and others building an AI application from the ground up may create an algorithm and run it on different kinds of “training data” before measuring its performance with “testing data.” For instance, in training an image recognition model to identify whether a photo contains a cat, the training data may be full of pictures of cats, dogs, airplanes, coffee machines, and cats sitting on coffee machines (i.e., “yes,” “no,” and more complex “yes” options), and the testing data might consist of similar pictures the model has never trained on, to test how well the function it learned generalizes to the new data. Individuals using AI chatbots or AI facial recognition models, to give another example, may upload data (e.g., questions, face images) into the system as part of using it, after which the system may provide data back to the individual (e.g., answers, names associated with faces) as well as output some metadata into a system log (e.g., performance metrics). These data components are just some of those present in the AI supply chain. 

Mapping and understanding this data in the AI supply chain matters greatly for companies, policymakers, and society to protect each data element against exploitation. Leaks, theft, exploitation, and adverse use of AI-related data could harm specific individuals or groups of people (e.g., extracting data from AI models to violate privacy); undermine specific national objectives like economic competitiveness (e.g., data theft to replicate proprietary applications) or national security (e.g., data theft to understand a model’s behavior, and thereby attack it); and create other issues ranging from market consolidation (e.g., single points of failure in the entity supplying key AI-related data) to undermining trust in critical technology areas (e.g., between patients and healthcare institutions). The US National Security Agency (NSA) recently wrote, “as organizations continue to increase their reliance on AI-driven outcomes, ensuring data security becomes increasingly crucial for maintaining accuracy, reliability, and integrity.”⁶

Conversely, each data element enables different aspects of AI research, development, deployment, use, maintenance, governance, and security—meaning developers, users, maintainers, governors, and securers of AI technologies should want to better safeguard them for positively framed reasons, too. Better protecting the data underpinning an expensive commercial AI advancement could enable the company to move faster without slowdowns due to leaks, breaches, and trade secret theft. Shielding training data related to individuals from inadvertent leaks and exposure could bolster public trust in responsibly executed AI deployments in healthcare or transportation. The list of benefits to mitigating leaks, theft, exploitation, and adverse use of AI-related data goes on for comparing specific data types and uses against relevant risk mitigations—optimizing the use of existing security best practices and identifying AI-specific gaps to fill. 

Without an effective framing for how to think about all the data in the AI supply chain, policymakers and others looking at AI and data security may overfocus on a single data component in the AI supply chain without accounting for all the others in the picture. They may also conflate related but distinct data components in the AI supply chain together, failing to account for differences in data type, structure, source, and use case that may create distinct risks and require different, tailored mitigations in response. 

Moreover, treating all AI-related data as part of a new, flashy set of AI technologies can perpetuate a sort of AI exceptionalism. This view suggests that AI technologies exist in isolation from cloud, telecommunications, and other systems—treating them as separate from, rather than interconnected with, other technologies that also matter for innovation, security, governance, and more. It can implicitly suggest the data is all new, raising fundamentally new questions and issues without good answers, instead of relating to data security discussions and best practices that have been around for decades, as well as a subset of data risks that demand AI-specific mitigations. None of these outcomes lend themselves to the most rigorous public policy, industry, research, and public discussions about AI R&D, security, and geopolitics. 

At a high level, the concept of data in the AI supply chain therefore enables analysts to map out points of concentration, resilience, and security vulnerability in AI systems and the overall AI ecosystem that might vary based on AI data type, structure, source, and use case. (For example, does cybersecurity-focused training data come from too few companies? How does the security of open-source health testing data compare to the security of health model parameters?) The concept of data components in the AI supply chain can help policymakers, developers, and those impacted by AI technologies understand the broader supply chain of parts underpinning a commercially successful, data-secure (or -insecure) AI system. And it can help governments, companies, civil society groups, journalists, and individuals to more precisely, systemically evaluate AI risk mitigation methods against the security risks of the coming years.⁷

A mapping and understanding of the data in the AI supply chain can also inform better policy. To be sure, no regulations of technology (or anything, for that matter) will treat the technology (or other thing) in question perfectly symmetrically across every country or jurisdiction in the world. But “AI regulations” based on highly inconsistent formulations of “AI-related data” can unintentionally increase friction. If a legislature writes rules for “AI data” when picturing only one type of training data, and another country’s legislature takes a more comprehensive view of all the data types and use cases in the AI supply chain, the widely varied approaches could make it harder to harmonize cross-border steps to curtail bad practices. The varied approaches could create cross-jurisdictional barriers to startup innovation that regulators never intended. And they could further confuse global discourse on governing “AI data.” These are potentially unintended effects that a better policy formulation on how to think about risks to and protections for AI-related data would avoid. 

This report lays out a conception of the data components of the AI supply chain, which the research then maps to existing data security and supply chain security best practices—highlighting existing measures that work well and identifying, in the process, security gaps for issues more unique to AI data types and use cases. The framework once again focuses just on data, rather than all elements of the AI supply chain (e.g., compute). For simplicity’s sake, it also excludes AI agents due to the complexity their permission-based, semi-autonomous functions introduce—instead, focusing on the wide range of non-agent models in use today. 

First, this report discusses how policymakers can run the risk of overfocusing on one data component at the expense of the entirety of data types in the AI supply chain, which can contribute at best to lopsided policy and at worst to tendencies that undermine US AI competitiveness and leave critical parts of the data in the AI supply chain inadequately secured. Second, it introduces a concept of data in the AI supply chain with seven components, each defined and exemplified below: training data, testing data, models (themselves), model architectures, model weights, Application Programming Interfaces (APIs), and Software Development Kits (SDKs). It additionally discusses the interactions between data components, their varied suppliers, and those suppliers’ sometimes shifting or multiple roles vis-à-vis the data in the AI supply chain. 

Finally, the report offers three different approaches to map data components in the AI supply chain to existing data security and supply chain security frameworks: data at rest vs. in motion vs. in processing (focus on a data component within the supply chain and its current state); threat actor risk (focus on threat actors and risks to a data component within the supply chain); and supply chain due diligence and risk management (focus on a data component supplier or source within the supply chain and related actors). These approaches can map concerns about training data theft, training data poisoning, API insecurity, and other data-related AI supply chain issues to established security controls and best practices from government agencies, standards bodies, cybersecurity literature, and areas like the financial sector and export control compliance. In doing so, it also begins to identify a few areas where existing security best practices may be insufficient for AI data risks—namely, confronting risks associated with the poisoning of data components in the AI supply chain and inserting neural “backdoors” into models through tampered training data or manipulation of model architectures. These risks, perhaps unique or relatively unique to AI models, require their own mitigations.   

The report concludes by making three recommendations: 

1. Developers, users, maintainers, governors, and securers of AI technologies should map the data components of the AI supply chain to existing cybersecurity best practices—and use that mapping to identify where existing best practices fall short for AI-specific risks to the data components of the AI supply chain. In the former case, they should use the framework of data at rest vs. in motion vs. in processing and the framework of analyzing threat actor capabilities to pair encryption, access controls, offline storage, and other measures (e.g., NIST SP 800-53, ISO/IEC 27001:2022) against specific data components in the AI supply chain depending on each data component’s current state, the threat actor(s) pursuing it, and the traditional IT security controls the organization already has in place. In the latter case, developers, users, maintainers, governors, and securers of AI technologies should recognize how existing best practices will inadequately prevent the poisoning of AI training data and the insertion of behavioral backdoors into neural networks by manipulating a training dataset or a model architecture. They should instead look to emerging research on how to best evaluate training data to filter out poisoned data examples and how to robustly test network behavior and architectures to mitigate the risk of a bad actor inserting a neural backdoor, which they can activate after model deployment. And in both cases—of non-AI-specific and AI-specific risks to data—organizations can and should use the third listed approach of focusing on the data and supply chain itself to ensure their vendors, customers, and other partners are implementing the right controls to protect against risks of model weight theft, training data manipulation, neural network backdooring through model architecture manipulation, and everything in between, drawing on the two categories of mitigations they implement themselves. 
2. Developers, users, maintainers, governors, and securers of AI technologies should “Know Your Supplier,” using the supply chain-focused approach to mitigate both AI-specific and non-AI-specific risks to the data components of the AI supply chain. Those sourcing data for AI systems—whether training data, APIs, SDKs, or any of the other data supply chain components—should implement best practices and due diligence measures to ensure they understand the entities sourcing or behind the sources of different components. For example, if a university website has a public repository of testing datasets for image recognition, language translation, or autonomous vehicle sensing, did the university internally develop those testing datasets, or is it hosting those testing datasets on behalf of third parties? Can third parties upload whatever data they want to the public university website? What are the downstream controls on which entities can add data to the university repository—data which companies and other universities then download and use as part of their AI supply chains? Much like a company should want to understand the origins of a piece of software before installing it on the network (e.g., is it open-source, provided by a company, if so which company in which country, etc.), an organization accessing testing data to measure an AI model or using any other data component of the AI supply chain should understand the underlying source within the supply chain. Best practices in know-your-customer due diligence, such as in the financial sector and export control space, and in the supply chain risk management space, such as from cybersecurity and insurance companies, can provide AI-dependent organizations with checklists and other tools to make this happen. Avoiding entities potentially subject to adversarial foreign nation-state influence, data suppliers not sufficiently vetting the data they upload, and so forth will help developers, users, maintainers, governors, and securers of AI technologies to bring established security controls to the data in the AI supply chain itself. In the case of both non-AI-specific and AI-specific risks to data, organizations can and should use this supply chain due diligence approach to ensure their vendors, customers, and other partners are implementing the right controls to protect against risks of model weight theft, training data manipulation, neural network backdooring through model architecture manipulation, and everything in between—drawing on the two categories of mitigations implemented as part of the first recommendation. 
3. Policymakers should widen their lens on AI data to encompass all data components of the AI supply chain. This includes assessing whether sufficient attention is given to the diversity of data use cases that need protection (e.g., not just training data for chatbots but for transportation safety or drug discovery) and whether they have mapped existing security best practices to non-AI-specific and AI-specific risks. As multiple successive US administrations explore how they want to approach the R&D and governance of AI technologies, data continues to be a persistent focus of discussion. It comes up in everything from copyright litigation to national security strategy debates. The United States’ previous policy focus on training data quantity, and little else, has already prompted policymakers to avoid discussing comprehensive data privacy and security measures, which now—in light of Chinese AI advancements and concern about AI model weight dissemination—are suddenly more relevant. To avoid these cycles in the future, where policy overfocuses on one AI data element when in fact many are relevant simultaneously, policymakers should take a comprehensive view of the data components of the AI supply chain. The framework offered in this paper, spanning seven data components, is one potential guide—though again, policymakers need not stick to necessarily one framework. What is most critical to avoid is developing data security policies that protect some data components of the AI supply chain (e.g., training data) while leaving others highly exposed (e.g., APIs). An expanded view of the different data components, the components’ interaction, and the often multiple and shifting roles of suppliers should help inform better federal legislation, regulation, policy, and strategy—as well as engagements with other countries and US states. Right now, organizations such as the Congressional commerce committees, the Commerce Department (including because it implements export controls and the Information and Communications Services and Technologies supply chain program), the Defense Department (with all its current AI procurement), and the Federal Trade Commission (with responsibility for enforcing against unfair and deceptive business practices) should stress-test their assumptions about how to best protect AI data, and whether existing best practices achieve desired security outcomes, against this data component framework. This requires asking at least two questions. Do their existing security, governance, or regulatory approaches—e.g., in the security requirements used in Defense Department AI procurement, in how the Federal Trade Commission thinks about enforcing best practices for AI data security—apply well to a diversity of data use cases that need protection, such as with testing datasets for self-driving vehicle safety or training datasets for cutting-edge drug discovery? List out the use cases beyond chatbots that are not top of mind but are highly relevant from a security perspective, from defense to shipping and logistics to healthcare. And second, are they parsing out which risks they have concerns about, vis-à-vis AI-related data, that are specific to AI versus risks to data in general? For both categories, consider how the framework and some of the security mitigations cited in this report—for example, the NIST guidance, ISO practices, and new research on detecting neural backdoors, etc.—can serve as best practices to improve outcomes. 

Moving balls, swinging pendulums 

Policymakers, researchers, and private-sector firms alike are in constant debate about what kinds of data, data analysis, and data characteristics (such as quantity or diversity) will lead to major breakthroughs in AI research and development. These debates span geopolitical and national security issues—like fights over whether a country’s population and data collection reach may lend a strategic military advantage—and economic and social ones—like conversations about how best to maximize AI for medicinal innovations or minimize AI risks to worker privacy. Debates about AI and data implicate pressing and often broader issues such as tech innovation, responsible technology governance, cybersecurity, antitrust, and nation-state competition, too. 

But the past few years alone have illustrated how simplistic this AI and data debate can become—and how quickly, and perhaps arbitrarily, the metaphorical ball can move. About seven or eight years ago, it became somewhat of a prevailing view in Washington, DC that “data is the new oil” and that the volume of data to which a country had access would determine its AI might.⁸ Compelling perhaps because of its simplicity (data quantity is the key) and certainty (about the link between data quantity and AI leadership—and AI leadership and superpower status), the narrative quickly took hold, pushed by senior government officials and large Silicon Valley corporations alike.⁹ Policy, industry, and media discourse focused highly on one element of the links between data, broadly defined, and AI R&D: training data quantity.

Now, though, the ball has moved. Policymakers talk far less about training data (even though it is still important) and much more about model weights—numerical parameters that specify how the model represents connections to leverage between pieces of data to achieve the desired output. (They also, rightfully, spent much time discussing compute, but that is once again outside the scope of this report). Discussions about new export controls and the Biden administration’s last-minute,¹⁰ multi-tiered framework for (on paper) limiting “AI diffusion” are chief among the recent policy efforts focused on this slice of AI R&D,¹¹ as are some of the Trump administration’s efforts to deregulate AI with the stated objective of boosting AI development. (Lots of discussion also focuses, of late, on compute, which is beyond the scope of this particular report.) The heavy focus on model weights has hit industry stock prices and valuations as well. When Chinese firm DeepSeek released a new model that it claimed beat ChatGPT’s performance, US AI firms lost about $1 trillion in valuation in 24 hours—amid the worry that other (Chinese) firms might easily replicate DeepSeek’s use of open-source model weights.¹²Training data is still important for AI R&D—for instance, in how valuable curating the right, often proprietary datasets is for building AI drug discovery models¹³—but policy focus and debate have shifted greatly to legal, technical, innovation, tech governance, and national security issues surrounding model weights.¹⁴

At the height of the previous focus on AI training data, some scholars and analysts, certainly, pushed back against a myopic focus on one part of data and AI R&D. Matt Sheehan wrote a piece for the Macro Polo think tank in July 2019 arguing that strategic AI development depends not just on data quantity but on data depth (aspects of behavior or events captured), quality (accuracy, structure, storage), diversity (heterogeneity of users or events), and access (availability of data to relevant actors).¹⁵ The industry-aligned Center for Data Innovation published an article in January 2018 critiquing the flaws of making that economic comparison from an innovation standpoint.¹⁶ Since that overfocus on AI training data, others have made points about the need for a broader view of AI’s competitive data factors, too. For instance, Claudia Wilson and Emmie Hine recently cautioned against export controls on open-source models (and elements like model weights), which could trigger an “unfettered” AI “race”¹⁷—while scholars like Kenton Thibaut point out the drawbacks of hyper-fixating on a single, “silver bullet” for AI leadership in general.¹⁸

Still, many DC think tank roundtables and policy discussions center on model weights. This is not to say there is no reason for concern about how to best secure model weights, including the model weights of US AI companies, against theft by Chinese actors.¹⁹ Trade secret theft is clearly a concern for US companies, as it is for the US government. Again, though, training data—and the importance of a range of types of training data (e.g., beyond just LLM training data to include training data used to power novel AI drug discovery models, etc.)—has taken somewhat of a backseat in recent policy conversations compared to model weights as well as other AI supply chain components beyond scope, notably compute.

However, the pendulum swing from focusing on training data quantity to focusing on model weights illustrates a few prevailing problems in policy and industry debates about AI and data. 

• Overconfidence about which data element or attribute will most drive AI R&D can lead researchers and policymakers to skip past important, open questions (e.g., what factors might matter? in what combinations? to what end?), wrongly treating them as resolved. 
• Oversimplified views of how data flows into and out of, constitutes, and powers AI models can lead policymakers to discuss “AI data” as one bucket of data to compete on, govern, and secure, rather than as many data types with different contexts.  
• Over-fixation on a single, AI-related data component can guide policymakers and practitioners to treat the data component as a new, flashy “AI” phenomenon—overlooking existing security and risk mitigation frameworks and best practices, which many organizations may still not have implemented in the first place. 

A continued challenge for plenty of US policymakers and industry leaders is taking, and having the intellectual and economic space for, a more comprehensive assessment of the different kinds of data and data components that enable AI R&D.²⁰ Focusing largely on training data quantity one moment and model weights the next can contribute to piecemeal, sometimes lopsided policy and often unfounded analytical assumptions. Take the example of protecting AI training data. When policymakers overfocused on AI training data and the idea that training data quantity matters most, many policy papers,²¹ alongside much industry lobbying,²² advocated for weak privacy laws so the United States could “beat” China—a country which, in this framing, has zero privacy restrictions or data limits whatsoever.²³ Now that the conversation has shifted to model weights, however, much policy discourse has focused on how China’s restrictions on outbound data transfers lock down its technological advantages²⁴—a sudden pivot in the conversation that now suggests the United States might benefit from some privacy laws in the first place.

This mall-moving, pendulum-swinging tendency can mean policymakers choose a single piece of the data in the AI supply chain to focus on myopically, which can cause policy to make more sudden lurches and miss opportunities to make longer-term investments in the security of all AI components. It can also cause policy narratives about AI to move in contradictory directions based on whichever slice of AI-related data is receiving the most attention at one given moment. When the policy focus centered on fueling training data quantity, some (as described above) talked about basic data privacy and security restrictions as harmful to technology development and the country. Yet these are precisely the kinds of policies that are helpful to protect against theft of and illicit access to model weights. 

To provide another framework for researchers, industry leaders, and especially policymakers to approach important data and AI debates—from the nature of the data components most likely to drive AI R&D, to the economic and national security risks of ungoverned access to AI-involved data—the next section lays out a data-focused concept to help widen the lens. 

Untangling the data in the “AI supply chain” 

The AI supply chain—organizations, people, activities, information, and resources enabling AI research, development, deployment, and more—is complex, shifting, and global. It involves several elements not covered in this report, such as human talent and compute, and it also includes the focus of this report: data. 

Just as “AI” is not a single technology but an umbrella term for a suite of technologies, the data relevant to AI research, development, deployment, use, maintenance, governance, and security is no single data type, source, or format, either. Instead, there are several data components in the AI supply chain (described below). These data components fit into the AI supply chain because researchers, developers, deployers, users, maintainers, governors, securers, and attackers of AI systems depend upon and get access to different kinds of data—transmitted, stored, and analyzed in different ways—to make it all happen. They also fit into the AI supply chain because a wide range of entities around the world—from individuals who publish self-labeled datasets to corporations that analyze AI model outputs—supply, access, and use the underlying data, too. This idea echoes the concept of AI as a value chain (referring to the business activities that deliver value to customers),²⁵though focused specifically on data components. 

The data in the AI supply chain covers many data types, sources, and formats—all of which need secure safeguards to enable competition, boost public trust, and protect against the leaks, exploitation, and other risks delineated above. As conceptualized in this report, the data in the AI supply chain includes the data describing an AI model’s properties and behavior, as well as the data associated with building and using a model. It also includes the AI models themselves and the different systems that facilitate the movement of data into and out of models.²⁶ Laid out in the visualized framework and tables below, this report conceptualizes seven parts of the data and core data systems in the AI supply chain: 

• Training data 
• Testing data 
• Models (themselves) 
• Model architectures
• Model weights 
• Application Programming Interfaces (APIs) 
• Software Development Kits (SDKs) 

This paper draws some inspiration at a high level from the November 2024 paper by Qiang Hu and three other scholars on the large language model (LLM) supply chain, which envisioned a framework for thinking about the components and processes that go into LLMs.²⁷ Nonetheless, this paper differs in focusing more on the data components themselves rather than the activities to produce them (like dataset processing); delineates data components by their properties and functional differences (such as distinguishing between training data and testing data); and looking at the data supply chain for AI technologies broadly (rather than just LLMs). This paper’s analysis also differs in that it focuses specifically on the need for security.  

Notably, the first five of these components are data per se, or the model itself. The last two, however—APIs and SDKs—are neither data nor models themselves; instead, they are code and software systems that enable data to pass into, extract from, and otherwise collect around AI models. For example, business users of an LLM may use an API to submit questions to the chatbot in batches; mobile consumers using an AI image recognition app may, whether they know it or not, depend on an SDK to take their snapshot of a bird and submit it to a cloud-hosted AI model, which then returns back through the SDK’s code the species of the bird in question. While the concept of data components of the AI supply chain does not list out every software system that could interact with AI data components, it includes APIs and SDKs because of their prevalence and their security relevance in delivering AI data to and from cloud systems and mobile devices; after all, virtually all the major AI commercial companies offer access to APIs to use their models (to include submitting queries to chatbots and uploading images to recognition models). 

Figure 1 lists each of the seven data components of the AI supply chain, defines them, and provides a few examples of the companies and other entities involved in that component or its sourcing. Again, this does not include several other elements of the AI supply chain (e.g., human talent, compute) and focuses mostly on traditional AI models (e.g., excludes AI agents). 

Figure 1: Data components of the AI supply chain

Many of the above seven data components of the AI supply chain can stand on their own. A computer system can house thousands of training data images in one folder and separately store hundreds of testing image examples in another folder; the files themselves, in a literal sense, are distinct. Similarly, a company can build and deploy an AI model with a paid API, through which users can query the model without making any SDKs available for developers to more easily integrate the model into software. Some websites make training data publicly and freely available without ever supplying model weights to their visitors, and some companies will provide elements of their data supply chains to purchasers for auditing, but typically not all of their underlying training data or every model weight. 

However, all seven data components have overlapping functional roles in the AI ecosystem. Academic researchers, government technologists, or startup developers looking to build a competitive healthcare image recognition model will need training data and testing data (including potentially rounds of training data, to fine-tune a model) to make it happen; without testing data, it is difficult to systemically evaluate a model’s performance so it can be tweaked, and without training data, there is no model to test and fine-tune. Companies that want to deploy their already built and tested models have many incentives to create both APIs and SDKs, so that different users working in different environments—whether a nontechnical lawyer looking to query a chatbot or a machine learning PhD looking to use the chatbot in their own app—can readily access the technology. 

The seven data components have overlapping suppliers, which are also geographically dispersed. Companies like Amazon Web Services, for example, store and make publicly available countless training datasets, including those from other parties.²⁸ (AWS, in this specific example, also offers cloud services to government, companies, universities, civil society groups, and individuals to train, test, fine-tune, and deploy AI models.) Universities like Tsinghua University in China and the Indian Institute of Technology publish open-source AI models and the related data (e.g., training, testing data) as part of academic studies.²⁹ Community-maintained websites like Kaggle, popular in the AI R&D community, host many kinds of training and testing data, and open-source platforms like GitHub host various datasets as well as models themselves, too. Simultaneously, these and many other suppliers of data components in the AI supply chain are consumers of the data components. Amazon uses training and testing data to build AI products and services; universities, such as Tsinghua and the Indian Institutes of Technology (IIT), publish study-linked datasets just as they may procure AI data components and related technologies (e.g., cloud services) to conduct the research in the first place.

And the data components in the AI supply chain themselves may interact with each other. (Again, this report does not include coverage of AI agents as explained above.) When a developer initially trains a model (using a training dataset) and then iterates on the model by testing it (using testing data) and fine-tuning it further (using more training data), the resulting model and the model weights are in part the byproduct of the training and testing datasets used. The model architecture selected before sourcing the training data will likewise influence what the model weights and resulting model ultimately look like—as well as the resulting model’s data inputs and outputs via an API or SDK. Similarly, when a company acquires a certain training dataset and uses it to train a model with specified parameters, it shapes the nature of which testing data and additional training data it will subsequently source from the supply chain. If the company wants a model to be completely open-source, for instance, then it will need to select or construct datasets of only open-source testing and training data from the data in the AI supply chain; if the company elects to go with Portuguese-language training data for building a voice-to-text AI chatbot, it will need Portuguese-language testing data, perhaps even sourced only from Brazil, to evaluate the initial model’s behavior. These are additional ways in which interactions between data components of the AI supply chain can impact data sourcing decisions.  

Even nation-states looking to secure their respective AI systems and potentially steal or compromise those in other countries may need to consider everything from safeguarding the models themselves (and all the data and weights within them) against exploitation to identifying sensitive testing datasets that need protection. These AI data components are distinct in the framework above. But their overlapping and interdependent roles in AI R&D make them collectively integral to understanding AI competitiveness and innovation—and how to ensure robust, effective governance across safety, security, privacy, trust, and much more. The concept of a supply chain, as in other areas like manufacturing, helps to drive analysis towards the interaction and interdependence of the various subcomponents and their suppliers. None truly can stand alone.  

Instead of the policy and analytic pendulum swinging from one area (like training data) to another (like model weights) with underappreciation for the broader landscape, this framework and the functional overlaps between components make clear that strategic competition and governance over AI and data cannot myopically focus on one element. Doing so leads to the analytic issues laid out in the last section and detracts from the complex, entangled nature of the data supply chain components that are relevant to AI research, development, deployment, use, maintenance, governance, and security. Policymakers only increase the likelihood of missing major opportunities and risks. Hence, with this foundation, the next section uses the framework of data in the AI supply chain above to zoom in on the security risks facing the data components in the AI supply chain—to illuminate what organizations and policymakers might do about them.

Parsing the risks—and pursuing better security

Policymakers, technologists, and others working on AI (e.g., on governance) can use the framework from the last section to map data components in the AI supply chain, in different states and contexts, to security controls and risk mitigations. This section describes and details how such a process would work across three different approaches. Using the framework to parse risks enables individuals and organizations to identify the best existing practices to leverage in protecting AI data components. In some cases, this may save organizations time and money if they already have the security controls and risk mitigations in place elsewhere—and even if organizations have not yet implemented the existing controls and mitigations for non-AI systems and data, they do not need to create the controls and mitigations from scratch. Related, the framework can also help individuals and organizations to identify gaps in existing best practices—and, as exemplified in the below discussion, think about how new security controls or risk mitigations could be developed and used to address AI-specific data risks. 

As alluded to earlier, better security across the data components of the AI supply chain can mitigate risks of breaches and data interception, shield data and resulting AI technologies from theft (including by competitors), enhance protections for individuals’ privacy, bolster public trust, limit organizations’ liability risk, and strengthen US national security. Lapses in security across the data components of the AI supply chain, however, can contribute to universal problems such as data breaches and interceptions, intellectual property theft, privacy leaks and violations, and undermined public trust in AI technologies—as well as US-specific issues, such as better enabling governments adversarial to the US to hack data or infiltrate US technology supply chains. A methodological approach to this risk mapping can help organizations mitigate risk and help policymakers develop more rigorous, tailored policies on AI and data security. 

Leveraging the last section’s framework, this section evaluates three different approaches to mapping the data components of the AI supply chain to security controls and risk mitigations. The first looks at the state of a data component of the AI supply chain: is the data at rest, in motion, or in processing? The second looks at the threat actors with an interest in the AI supply chain and its data components: what are the threats, vulnerabilities, and consequences? And the third looks at the interaction of data components of the AI supply chain and the suppliers: who are the suppliers, and what are their security controls—or risks? 

A recent paper on how to enhance third-party flaw disclosures for AI models argues that the AI sector has much to learn from software security.³⁰ This section follows in similar spirit. Instead of reinventing the wheel, these three approaches to data security in the AI supply chain help map complex questions about data in the AI supply chain to existing data security and supply chain security best practices. Then, where existing security controls and risk mitigations are insufficient for AI-specific risks to data—at least two of which are spotlighted below—these three approaches can help illuminate where new, AI-specific mitigations are needed. Figure 2 summarizes the three approaches, ahead of the more detailed discussion that follows.

Figure 2: Three potential approaches to securing data in the AI supply chain 

Approach one: Understand the ‘state’ of data

First, five of the seven data components of the AI supply chain (excluding APIs and SDKs, as they are not data per se) can be in different data states at different times. Each of these may come with specific security risks, under three states, commonly described as: “data at rest” (e.g., model weights sitting on a server, though not in use), “data in motion” (e.g., training data downloading from a website to a local machine), and “data in processing” (e.g., testing data feeding into an initially trained model). Cybersecurity professionals, when building organizational policies, programs, and processes, often apply this framework—at rest vs. in motion vs. in processing—to understand risks to data and mitigate them. AI-related data at rest, for instance, can be siphoned from databases by a hacker or sit exposed on a public server with no password, ready for anyone to download, because it was not subject to proper encryption and protection. This could enable criminals to target people in the data with scams or sell the data on the dark web. AI-related data in motion, similarly, that is weakly encrypted or entirely unencrypted could be intercepted by a nation-state as it moves from a cloud system through an API, enabling intelligence-gathering or intellectual property theft. 

Each of these data states may require different kinds of encryption, different levels of access controls for employees, and so on. Perhaps one security team is responsible for protecting a stored training dataset, while a research team is the only one authorized to modify the training dataset; the same data thus requires different security measures, such as different kinds of encryption and access control rules, when stored compared to when undergoing modification. A state agency or company may choose to implement a certain kind of robust encryption on data at rest when access or modifications are unnecessary but leave it unencrypted while in processing, or only encrypt it in very specific ways that still enable computation (i.e., while in processing).³¹ Focusing security measures only on the data component in question (e.g., is it testing data or training data?) will fail to account for the ways a piece of data’s current state impacts the risks to the data in that moment and the security measures to apply to it.

This framework—at rest vs. in motion vs. in processing—is therefore an effective means of tying classes of risks to the data components of the AI supply chain to specific, existing risk mitigations. Rather than assuming that the data components of the AI supply chain need entirely different protections because they are “AI-related,” leveraging this framework contextualizes risks to the data components within broader risks to data, AI-related or not. For example, one of the National Institute of Standards and Technology’s many security best practices focuses on “Protection of Information at Rest.” The security control, known as SP 800-53: SC-28, delineates three components: cryptographic protection for “information on system components or media” as well as “data structures, including files, records, or fields”; offline storage to eliminate the risk of individuals gaining unauthorized data access through a network; and using hardware-protected storage, such as a Trusted Platform Module (TPM), to store and protect the cryptographic keys used to encrypt data. ³² Universities attempting to secure health training datasets on a department computer, companies looking to prevent hackers from stealing model weights sitting on a cloud server, or government agencies hoping to protect testing data from spies can all use these techniques to protect the data components of the AI supply chain while they are at rest.

Specific data components in motion and in processing, as captured in Figure 3, can likewise be mapped to specific NIST and other security best practices. NIST SP 800-53: SC-08, “Transmission Confidentiality and Integrity,” specifies cryptographic protection, pre- and post-transmission security measures, how to conceal or randomize communications, and other steps ³³that a civil society group could take to secure AI model weights it sends to a federal funder agency; the agency’s Cybersecurity Framework: PR.DS-10 control focuses on the confidentiality, integrity, and availability of data in use (i.e., in processing) and has many related controls such as account management, access enforcement, monitoring for information disclosure, system backups, cryptographic protections, and process isolation,³⁴ that a corporation could implement for all its independent contractors building an LLM.³⁵ This approach enables entities to identify a data component in their AI supply chain, understand its state, and map that state to best practices from NIST, the Systems and Organization Controls (SOC) 2 framework,³⁶ and other data security compliance guidelines.

These controls could vary not just based on the data state (at rest vs. in motion vs. in processing) but on the type of data, its source, and its context. For instance, companies interested in protecting larger model weights could turn to security measures intended for larger datasets, such as tight access controls, two-party authorization for data access, and endpoint software controls.³⁷ Companies might use this framework to arrive at a stronger level of security controls for larger model weights, in all data states, than they would apply to smaller, less sensitive training datasets.

At the same time, this mapping demonstrates ways in which existing security controls and risk mitigations may not address all AI-related data risks. Take the poisoning of an AI model, where bad actors attempt to insert “bad” data into training data, such as data that could cause serious errors or vulnerabilities if used to train a specific AI model.³⁸ If an organization scrapes training data from the internet (i.e., data in motion), imposing confidentiality and integrity controls on the scraped data would only catch modifications to the data after collecting it—not detect whether the data uploaded in the first place was poisoned from the start. If an organization is trying to ensure the security of that training data after scraping (i.e., data at rest), to give another example, encryption and access control measures could help to mitigate the risk of post-scrape tampering of data stored on the organization’s systems. These measures would again fail, however, to protect the organization from scraping data that was compromised from the outset. While this is an intentionally simplistic discussion of AI poisoning, it underscores that traditional IT security measures for protecting data at rest, in motion, and in processing may not fully mitigate all risks to data in the AI supply chain. In this case, policymakers and organizations can look to guidance from NIST that explains types of poisoning attacks and potential mitigations—such as differential privacy applied to datasets and data sanitization techniques to remove poisoned samples of data before using the dataset for AI model training.³⁹

Figure 3: Approach one illustrated

Approach two: Assess threat actor profile

Second, different threat actors as well as unwitting individuals (e.g., employees deceived by a phishing note, users making weak API passwords, etc.) can take actions that undermine the security of data components of the AI supply chain—or the security of a specific data component. Instead of focusing on the state of data components at risk, the developers, users, maintainers, governors, and securers of AI technologies can focus on the threat actors and scenarios themselves. Established threat actor risk frameworks can enable those entities and individuals to identify risks to the data in the AI supply chain, map an adversary’s capabilities against known mitigations, and prioritize the security measures that are the most urgent. These mitigations can be specific not just to a data component’s current state, but to any threat actor in question. 

Having a threat actor-driven risk approach is essential for companies, universities, nonprofits, government agencies, and other organizations and groups involved with developing, using, maintaining, governing, and securing AI technologies and data. Focusing on technical mitigations, such as encrypting data at risk, can help organizations prioritize their biggest technological or process vulnerabilities internally, but they do little to help the organization understand which threat actors have an interest in which of their datasets. Using the first approach described above can help an organization to shore up its own defenses, but knowing which actors are the biggest threat to an organization—and what capabilities they bring to bear—might shift which security controls and risk mitigations are the biggest priority; threat actors could focus on stealing unexpected datasets, for instance, or have far better ability to poison training data than a university or corporate research lab might appreciate. While it is again not the only approach, centering threat actors and their capabilities is another lens through which to approach securing the data components of the AI supply chain. 

Among many other risk assessment frameworks in the world, the US government often uses the framework of risk as a function of threat, vulnerability, and consequence.⁴⁰ Threats are composed of an adversary’s intentions and capabilities.⁴¹ Vulnerabilities are weaknesses inherent to a system (e.g., due to poor coding practices, interactions between components, or simply the inevitability of human error in a complex software system) or that have been introduced by an outside actor.⁴² And consequences, in this framework, are outcomes that are either fixable or “fatal”.⁴³

Developers, users, maintainers, governors, and securers of AI technologies can use this approach to understand how different data components of the AI supply chain may be at risk. Because many of the threat actors targeting data components of the AI supply chain—from nation-states to cybercriminals—are often already on the radar of large and boutique cybersecurity firms, organizations can use existing threat data to render their assessments. From there, they can look to industry best practice guides such as International Organization for Standardization (ISO) controls and standards from organizations like NIST to mitigate risks most appropriately⁴⁴—rather than taking a one-size-fits-all approach to a diversified threat and security landscape.

For example, a medium-sized research university might worry about an industrial cyber espionage firm targeting its large AI health training data repository. If the university knows that the group has strong financial motive (intent), that it is highly sophisticated at penetrating network edge devices, insecure routers, and mobile devices but does not have the ability to decrypt large datasets (capabilities), and that the university has far too many connected devices and routers to achieve adequate security (vulnerabilities), the university may avoid a high-impact theft of the data (consequence) by choosing to encrypt the data, store it offline whenever possible, and securely isolate the encryption keys. The robust encryption and the shift towards offline storage could minimize the likelihood that the firm is able to steal the data—and minimize the likelihood they could make use of the data even if they did manage to steal it. 

If a leading US AI startup, to give another example, worries about a Chinese military hacker stealing its image recognition model weights, it could also apply this threat actor risk framework. The startup might suspect that the task is to steal its technology (intent), know that the hacker is highly sophisticated at network penetration and decryption of data (capabilities), and feel it has locked down its user accounts with strong passwords and multifactor authentication, but that its wide vendor and contractor base introduces many points of entry into its technological supply chain (vulnerability). As the firm is pre-revenue, its executives are of the view that a Chinese competitor getting a copy of its proprietary model weights and beating it to market could put the company out of business (consequence). Well aware that standard cybersecurity measures may not be enough to stop the military hacker’s capabilities, the startup may choose to invest in even more advanced mechanisms—partitioning systems; storing numerous false copies of model weights that purport to be the real thing; moving training datasets and testing datasets already used into offline storage⁴⁵—to ensure that its model weights are as well-protected as possible.

These are insights that would not be as obvious were the hypothetical medium-sized research university or the hypothetical US AI startup to focus only on the current state of the training data or model weights in question (i.e., at rest vs. in motion vs. in processing). Understanding the threat actor itself was necessary to identify the most appropriate mitigations based on the varied capabilities brought to bear, data targets of interest to the adversary, and consequences of a security incident. Figure 4 lays out this approach. 

As with the prior section, some risks to data components of the AI supply chain are unlikely to be adequately addressed with existing security controls and risk mitigations. Poisoning of AI models may already require unique or relatively unique security requirements, such as filtering mechanisms to screen for poisoned data once a dataset is scraped from the internet or otherwise assembled. That is especially the case—applying this framework—when dealing with threat actors that are well-resourced, sophisticated, and persistent, such as the Chinese government. The amount of resources potentially put into attempting to poison specific datasets may require enhanced planning for the threat at hand and the consequences of the threat unfolding. 

Similarly, a sophisticated threat actor may have the capability and time to focus not just on poisoning a training dataset broadly (as discussed in the first approach subsection), but on creating what some call a neural backdoor: tampering with training data to embed a vulnerability in a deep neural network, so that the trained model does not behave erroneously or harmfully in response to standard events, but hides its learned, malicious behavior until it encounters a highly specific trigger.⁴⁶ Ongoing research looks at how to tailor protections to training data under very specific assumptions about the bad actor’s approach;⁴⁷ hence, a threat actor framework may provide more useful information to an organization attempting to defend against sophisticated attempts at neural backdoors. (Like with defending against poisoning attempts, encryption measures or access controls on training data at rest, in motion, or in processing are not going to mitigate these kinds of highly specific risk scenarios.) Still, more research is needed to understand generalized defenses against attempts to backdoor neural networks—including in areas that get relatively less attention than others (i.e., images getting more attention than video).⁴⁸Guo, Tondi, and Barni, “An Overview of Backdoor Attacks, 20.⁴⁹ More advanced mechanisms to filter training data are one promising set of approaches to address this type of risk.⁵⁰

Recent work shows that bad actors can tamper not just with training data in the AI supply chain, to create de facto behavioral backdoors in neural networks, but can do so by manipulating model architectures in the AI supply chain as well.⁵¹ Again, taking a threat actor-focused view of the risks enables policymakers and organizational security experts to game out the risk scenarios—and how exactly attempts at architectural backdoors might unfold, offering insight hints on how to plan for and potentially prevent them in advance.

Figure 4: Approach two illustrated 

Approach three: Map suppliers to the supply chain

Third, the large number of suppliers of data in the AI supply chain means that security risks can come from suppliers themselves. These risks can take at least two forms: actors within the AI supply chain—such as groups of researchers uploading training data or finished models to websites—deliberately poisoning data or inserting malicious code to compromise others who use those components downstream; and actors within the AI supply chain having poor security practices that enable security risks to spill over to others. The latter of these risk categories could range from an AI service provider pushing API code to hundreds of customers, while not requiring employees to use multifactor authentication, to a volunteer research group unknowingly scraping inaccurate websites to build a flawed training dataset for a chatbot intended for security questions and login verification. Unlike focusing on the current state of a data component of the AI supply chain or the threat actor targeting a specific data component, this potential approach focuses on data security across an organization’s AI supply chain and relevant suppliers. 

Developers, users, maintainers, governors, and securers of AI technologies can draw on existing supply chain security best practices used in everything from export control regulations to compliance with the EU’s General Data Protection Regulation (GDPR). These broadly fall under the bucket of “Know Your Supplier.” First is knowing one’s suppliers to identify ownership, country of incorporation, and any other signals of potential illegality (e.g., a criminal front set up to scam others) or potential susceptibility to nation-state influence (e.g., ownership by a foreign government). Organizations such as government agencies, companies, and universities can look up the suppliers of their training and testing datasets, ensure the software engineers hired to build their APIs and SDKs are reputable, and check with AI developers about the sources of their training data. (As discussed below, the last of these may be practically difficult but is worth mentioning as a potential security practice.) This could help to identify risks such as unknowingly sourcing data or models from a Chinese military-linked university or hiring freelance data labelers previously involved with illicit hacking. 

Second, as compelled by vendor security requirements under GDPR,⁵² is ensuring an organization’s vendors and supply chain do not have weak security that voids the organization’s security efforts. This is likewise a concern for AI-dependent organizations that are typically dependent on a highly complex, often globalized, and frequently shifting data supply chain. AI developers, users, maintainers, governors, and securers can therefore implement contractual requirements for data security wherever possible. They can ensure vendors and customers receive adequate training on how to handle different data components that the organization might pass their way. And they can conduct or request independent audits from cloud companies deploying their AI models, data cleaning firms formatting their unstructured training data, and other entities in their supply chains. There are plentiful resources to draw on for such efforts. Financial sector know-your-customer guidelines,⁵³ US government advisories on supply chain vetting,⁵⁴ and cybersecurity and insurance readings on mitigating third-party cybersecurity risks,⁵⁵ among others, can help give AI organizations tools to understand the data-involved actors in their AI supply chains and what risks might result. Such measures can help developers, users, and others to avoid relying on a cloud vendor whose security posture is wholly insufficient to match up against a threat actor the organization has worries about, or help them steer away from hiring API developers at a software support firm that has suffered repeated, simple security breaches. As some have suggested, this could include asking vendors and others in an organization’s supply chain for an AI bill of materials, or “AI-BOM” (modeled after a software bill of materials, or SBOM)⁵⁶

Seriously complicating many of these efforts, of course, is just how much of the data in the AI supply chain either touches highly opaque corporate components—or depends on datasets uploaded to freely available websites with often unclear chains of custody and potentially obscured origins. Again, however, the solution is not to immediately treat these situations as unique without examining the applicability of existing best practices to specific risks. Some of the same could apply to vendors from which companies buy their software, which may not wish to make source code available to customers or to provide potential buyers with comprehensive lists of all the contractors, vendors, and dependent software packages on which their products and services were built. Much of the same also pertains to open-source software, too, where companies and developers must come up with ways to manage the risks that arise from a subset of less-well-maintained software or from otherwise well-maintained software that a threat actor compromises.⁵⁷ In both cases, companies can use audits, continuous monitoring, and other measures to still mitigate risk from complex supply chains. 

Just as heavily software-dependent companies should conduct due diligence on and assess their prospective vendors’ cybersecurity (and their vendors’ cybersecurity, and so on) to avoid major security lapses and vulnerabilities, AI organizations can do some degree of risk assessment and mitigation for the data suppliers in the AI supply chain (Figure 5). 

These supply chain security measures can be applied to AI-specific data risks, too, where existing best practices fail to properly secure data components of the AI supply chain. Companies can require that new partners and vendors attest to the measures they take to mitigate risks of poisoning of training data, such as by carrying out appropriate data filtering.⁵⁸ Universities could evaluate their data dependencies in their AI supply chain and, in doing so, catalogue instances where organizations do not mention poisoning in their data security plans. Government agencies could ensure that any company pitching them on a contract for an externally hosted or already trained, to-be-internally-migrated AI model spell out the steps they have taken to test for and mitigate potential threats of neural backdoors (either through training data or model architectures)—which may be exactly the kind of flaw a nation-state would want moved down the supply chain into a government computer system. Here, the concept of focusing on the supply chain itself can be effective in helping shield against both widely held and AI-unique risks to data components across the AI supply chain.

Figure 5: Approach three illustrated 

Conclusion and recommendations

The fact is governments, companies, universities, individuals, and others pursuing AI R&D will not stop collecting, labeling, disseminating, using, and producing tremendous volumes of data. Therefore, security of the data in the AI supply chain remains evermore paramount to mitigating risks of breaches and data interception, shielding data and resulting AI technologies from theft (including by competitors), enhancing protections for individuals’ privacy, bolstering public trust, limiting organizations’ liability risk, and strengthening US national security. 

Breaking down the seven data components of the AI supply chain can enable developers, users, maintainers, governors, and securers of AI technologies to understand the data components they depend upon, how they interact with and relate to one another, and the varied sources and entangled suppliers. It can then empower organizations to take one of many different existing data security and supply chain security approaches—including data at rest vs. in motion vs. in processing, threat actor risk, and supply chain due diligence and risk management—to map their concerns about data in the AI supply chain to specific, established best practices. More broadly, however, the concept of data in the AI supply chain promises something else for policymakers: the ability to see the whole data supply chain picture at once, leading to more cohesive policymaking. 

This paper makes the following three recommendations: 

1. Developers, users, maintainers, governors, and securers of AI technologies should map the data components of the AI supply chain to existing cybersecurity best practices—and use that mapping to identify where existing best practices fall short for AI-specific risks to the data components of the AI supply chain. In the former case, they should use the framework of data at rest vs. in motion vs. in processing and the framework of analyzing threat actor capabilities to pair encryption, access controls, offline storage, and other measures (e.g., NIST SP 800-53, ISO/IEC 27001:2022) against specific data components in the AI supply chain depending on each data component’s current state, the threat actor(s) pursuing it, and the traditional IT security controls the organization already has in place. In the latter case, developers, users, maintainers, governors, and securers of AI technologies should recognize how existing best practices will inadequately prevent the poisoning of AI training data and the insertion of behavioral backdoors into neural networks by manipulating a training dataset or a model architecture. They should instead look to emerging research on how to best evaluate training data to filter out poisoned data examples and how to robustly test network behavior and architectures to mitigate the risk of a bad actor inserting a neural backdoor, which they can activate after model deployment. 
2. Developers, users, maintainers, governors, and securers of AI technologies should “Know Your Supplier,” using the supply chain-focused approach to mitigate both AI-specific and non-AI-specific risks to the data components of the AI supply chain. Those sourcing data for AI systems—whether training data, APIs, SDKs, or any of the other data supply chain components—should implement best practices and due diligence measures to ensure they understand the entities sourcing or behind the sources of different components. For example, if a university website has a public repository of testing datasets for image recognition, language translation, or autonomous vehicle sensing, did the university internally develop those testing datasets, or is it hosting those testing datasets on behalf of third parties? Can third parties upload whatever data they want to the public university website? What are the downstream controls on which entities can add data to the university repository—data which companies and other universities then download and use as part of their AI supply chains? Much like a company should want to understand the origins of a piece of software before installing it on the network (e.g., is it open-source, provided by a company, if so which company in which country, etc.), an organization accessing testing data to measure an AI model or using any other data component of the AI supply chain should understand the underlying source within the supply chain. Best practices in know-your-customer due diligence, such as in the financial sector and export control space, and in the supply chain risk management space, such as from cybersecurity and insurance companies, can provide AI-dependent organizations with checklists and other tools to make this happen. Avoiding entities potentially subject to adversarial foreign nation-state influence, data suppliers not sufficiently vetting the data they upload, and so forth will help developers, users, maintainers, governors, and securers of AI technologies to bring established security controls to the data in the AI supply chain itself. In the case of both non-AI-specific and AI-specific risks to data, organizations can and should use this supply chain due diligence approach to ensure their vendors, customers, and other partners are implementing the right controls to protect against risks of model weight theft, training data manipulation, neural network backdooring through model architecture manipulation, and everything in between—drawing on the two categories of mitigations implemented as part of the first recommendation. 
3. Policymakers should widen their lens on AI data to encompass all data components of the AI supply chain. This includes assessing whether sufficient attention is given to the diversity of data use cases that need protection (e.g., not just training data for chatbots but for transportation safety or drug discovery) and whether they have mapped existing security best practices to non-AI-specific and AI-specific risks. As multiple successive US administrations explore how they want to approach the R&D and governance of AI technologies, data continues to be a persistent focus of discussion. It comes up in everything from copyright litigation to national security strategy debates. The United States’ previous policy focus on training data quantity, and little else, has already prompted policymakers to avoid discussing comprehensive data privacy and security measures, which now—in light of Chinese AI advancements and concern about AI model weight dissemination—are suddenly more relevant. To avoid these cycles in the future, where policy overfocuses on one AI data element when in fact many are relevant simultaneously, policymakers should take a comprehensive view of the data components of the AI supply chain. The framework offered in this paper, spanning seven data components, is one potential guide—though again, policymakers need not stick to necessarily one framework. What is most critical to avoid is developing data security policies that protect some data components of the AI supply chain (e.g., training data) while leaving others highly exposed (e.g., APIs). An expanded view of the different data components, the components’ interaction, and the often multiple and shifting roles of suppliers should help inform better federal legislation, regulation, policy, and strategy—as well as engagements with other countries and US states. Right now, organizations such as the Congressional commerce committees, the Commerce Department (including because it implements export controls and the Information and Communications Services and Technologies supply chain program), the Defense Department (with all its current AI procurement), and the Federal Trade Commission (with responsibility for enforcing against unfair and deceptive business practices) should stress-test their assumptions about how to best protect AI data, and whether existing best practices achieve desired security outcomes, against this data component framework. This requires asking at least two questions. Do their existing security, governance, or regulatory approaches—e.g., in the security requirements used in Defense Department AI procurement, in how the Federal Trade Commission thinks about enforcing best practices for AI data security—apply well to a diversity of data use cases that need protection, such as with testing datasets for self-driving vehicle safety or training datasets for cutting-edge drug discovery? List out the use cases beyond chatbots that are not top of mind but are highly relevant from a security perspective, from defense to shipping and logistics to healthcare. And second, are they parsing out which risks they have concerns about, vis-à-vis AI-related data, that are specific to AI versus risks to data in general? For both categories, consider how the framework and some of the security mitigations cited in this report (e.g., NIST, ISO, new research on detecting neural backdoors, etc.) can serve as best practices to improve outcomes. 

The more governments, companies, civil society groups, individuals, and others move AI technologies into areas ranging from e-commerce, social media, and business administration to manufacturing, healthcare, transportation, and defense, the more important it becomes to secure all data related to AI technologies. A complex set of data components in the AI supply chain demands policy and security practices that account for the entire supply chain and all its complexity at once, or at least through piecemeal efforts that add up to the whole—making existing data security and supply chain security best practices, paired with newer responses to AI-specific data risks, an optimal place to start. 

Justin Sherman is a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs. His work at the Atlantic Council focuses on cybersecurity policy, data security, digital public infrastructure, physical internet infrastructure such as submarine cables, and AI supply chains. His work also involves China and a range of issues related to Russia.

Sherman is the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm. He is also an adjunct professor at Georgetown University’s School of Foreign Service and a distinguished fellow at Georgetown Law’s Center on Privacy and Technology.

The author would like to thank Trey Herr, Nitansha Bansal, Kemba Walden, Devin Lynch, Harriet Farlow, Ben Goldsmith, and Kenton Thibaut for their comments on earlier drafts of this report, as well as all the individuals who participated in background and Chatham House Rule discussions about issues related to data, AI applications, and the concept of an AI supply chain. 

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post Securing data in the AI supply chain   appeared first on Atlantic Council.

On August 19, Forward Defense nonresident senior fellow Owen Daniels was featured on Episode 108 of the German Marshal Fund’s China Power Podcast. In the episode, Owens discusses US-China competition in artificial intelligence, China’s AI strategy and ambitions, and how Beijing is leveraging AI to expand its global influence. Daniels also explores what the United States can do to maintain and bolster its technological leadership.

Fellow

Owen J. Daniels

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Daniels discusses China’s AI strategy on the China Power Podcast appeared first on Atlantic Council.

On August 14, Forward Defense nonresident senior fellow Owen Daniels published an article, “China’s Soft Power Tools and Whether They Work,” in War on the Rocks. In the article, Daniels examines China’s strategic use of open AI platforms as a tool of soft power, highlighting how models like DeepSeek’s R1 and Moonshot AI’s Kimi K2 pose both technological and diplomatic challenges for the United States.

Fellow

Owen J. Daniels

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Daniels examines China’s AI soft power strategy in War on the Rocks appeared first on Atlantic Council.

The Chip Security Act (CSA), a bipartisan bill introduced in May as H.R.3447 in the House of Representatives and S.1705 in the Senate, seeks to do just that. The CSA would provide a low-burden, high-impact policy solution to a problem that current enforcement tools have failed to solve: the illicit transshipment and diversion of AI chips to adversarial nations. In doing so, the CSA would also support the objectives of the White House’s AI Action Plan and the broader commercial goals of growing US full-stack AI market share overseas while simultaneously securing the semiconductor supply chain.

A growing and persistent threat

AI chips are the cornerstone of economic and military power in the twenty-first century. From autonomous weapons and cyber defense platforms to next-generation surveillance systems, these chips power the technological edge of modern warfare. China is actively working to erode this advantage by circumventing US export controls through elaborate smuggling networks. In 2024 alone, an estimated 140,000 high-performance GPUs—billions of dollars’ worth—were smuggled into China. And the problem is only getting worse—in May, 50 percent of the GPUs shipped to Malaysia were ultimately transshipped to China.

Current enforcement tools have clearly proven inadequate, largely due to the antiquated nature of the export control enforcement regime. The US Department of Commerce’s Bureau of Industry and Security (BIS), the federal agency responsible for enforcing chip export controls, remains under-resourced and lacks the cutting-edge tools required to counter China’s transshipment and illicit evasion networks. The BIS’s limited in-region capacity—there is only a single export-control officer assigned to cover all of Southeast Asia—stands in stark contrast to the billion-dollar smuggling operations it seeks to monitor and disrupt.

Why the Chip Security Act is different

The CSA doesn’t attempt to surge BIS personnel to Southeast Asia or rebuild the export control system from the ground up. Instead, it would introduce a surgical fix: location verification for chips exported abroad. If a chip shows up outside its authorized destination, the exporter would be required to notify the BIS. This automation would enable global, scalable export control enforcement—helping to augment and partially replace archaic Cold War-era end-use inspection systems that have historically inspected less than 1 percent of goods for end-use violations.

It is important to recognize that location data alone cannot fully determine end use. This is especially the case for dual-use goods such as advanced chips, where the true strategic risk lies in the computational and analytical capabilities they enable. Therefore, location information must also be paired with complementary intelligence and continuous monitoring. Other critical factors to determine the potential for harmful end use include corporate ownership, the composition of senior leadership, operational behavior, known diversion patterns, and the strength of cloud access controls at the data centers in question. These additional factors are especially vital to ensure that chips approved for export to third countries such as Malaysia do not ultimately end up in data centers owned by adversarial entities operating within those jurisdictions.

Crucially, though, the CSA is not overly prescriptive on how to achieve these objectives. For example, the CSA avoids mandating a specific location verification technology. Instead, it allows for industry-led implementation using already available methods, such as firmware-based geolocation checks or Delay-Based Location Verification systems. These tools offer privacy-preserving and nonintrusive methods to confirm a chip’s location without monitoring user activity or enabling surveillance. It’s an approach that balances security with commercial viability—and it’s deployable today.

Learning from past failures

The CSA builds on the hard lessons of previous legislative and regulatory efforts. Export controls under the Export Control Reform Act and the CHIPS and Science Act have failed to address transshipment and empower the BIS with the resources and technology needed to enforce its global mission. Moreover, past proposals to hardwire chips with geofencing capabilities or mandate “kill switches” faced strong industry resistance due to concerns over cost, reliability, and the potential effect on international sales. These ideas either stalled or were watered down beyond usefulness. In contrast, the CSA reflects feedback from both national security experts and chipmakers, emphasizing modularity, cost-effectiveness, and scalability.

Expanding US and Western AI dominance through trusted trade

The misuse of advanced chips is not just a US concern—it poses a global threat. When semiconductors are diverted to unauthorized end users, they can fuel authoritarian control, destabilize markets, and erode allied innovation ecosystems. Recognizing this, key US allies such as Japan and the Netherlands have taken steps to restrict high-end semiconductor and equipment exports to China. Yet enforcement across jurisdictions remains porous due to a lack of verifiable, end-to-end visibility. The CSA methodology can address this gap in the allied export control system by enabling continuous, software-based location verification and lifecycle tracking—empowering companies to demonstrate responsible export behavior without sacrificing speed, scale, or profitability.

The CSA provides an alternative to the false binary often facing policymakers: either impose broad restrictions that hinder legitimate commerce or tolerate unchecked smuggling that threatens national security. Instead, the CSA would deliver precision enforcement, targeting violators without penalizing compliant firms. By embedding continuous supply chain visibility into the post-export phase, it would equip both industry and regulators to detect and address illicit diversions before they escalate. This would strengthen US leadership in AI and semiconductor innovation while giving allies a replicable model.

The CSA’s technology-neutral compliance framework opens the door to future coordination under multilateral tech alliances—ensuring chips produced across democratic nations are not funneled into hostile hands. The United States and its allies could help realize this vision by offering technical assistance to help partners and transshipment-prone countries establish robust export control and supply chain surveillance systems. Such capacity-building would close enforcement gaps and ensure harmonization across allied secure trade frameworks. These measures would help lay the groundwork for a coalition of democracies to secure critical technologies and expand Western AI dominance without stifling innovation.

A better path forward

The CSA has steadily gained bipartisan traction, signaling rare alignment in Congress on a forward-looking export control strategy. But like most major policy shifts, it still faces predictable obstacles on the path to implementation. For the CSA to be effectively implemented, Congress and the executive branch should ensure that the BIS has the additional resources, staff, and technologies needed to monitor and implement the trusted trade program. Once location verification systems are deployed, for example, the BIS will be required to continuously monitor the millions of data points the system collects from chips around the world each day. Dedicated staff will be needed to respond to suspicious activities and engage with industry and foreign governments when questions arise.

In addition to the CSA, US supply chain security could be further strengthened if the executive branch requires the BIS to monitor which foreign companies access the cloud and compute capabilities associated with geotagged chips through screening and end-use checks. This policy would buttress the CSA and enable the BIS to finally field a cost-effective, scalable export control enforcement regime for AI that is not cumbersome for industry.

On the business side, industry groups remain wary of potential regulatory overreach in the law’s implementation phase. A public-private partnership with a trusted third party (meaning BIS, a semiconductor company, and a third party that would serve as a “monitor”) could help resolve conflicts and build mutual trust between industry and the government. Public pressure is growing on US companies to cut ties with China, and this type of trusted trade monitorship under the auspices of a public-private program would be a welcome step toward an economic policy and national security consensus.

A call to action

The global contest for AI leadership is not just a race for innovation—it’s a race for control over the infrastructure that will shape economies, militaries, and governance systems worldwide. If passed and implemented effectively, the CSA would strengthen the United States’ position in that contest by enabling US companies to scale exports of advanced chips without losing visibility or control over where those chips end up. Rather than ceding ground to Chinese firms through uncontrolled diversion and black-market transshipment, the CSA would equip US industry to lead. Passing this bill would send a clear signal that the United States is committed to winning the global AI competition not just by building the most advanced technology—but also by ensuring that technology is deployed on terms that reflect US interests and values.

Kit Conklin is a nonresident senior fellow at the Atlantic Council’s GeoTech Center and the senior vice president for risk and compliance at Exiger.

The views expressed are solely those of the author and do not necessarily reflect the views of the Atlantic Council or Exiger.

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

Issue Brief Apr 3, 2025

Sovereign remedies: Between AI autonomy and control

By Trisha Ray

Sovereign AI has gained a foothold in several capitals around the world.

Artificial Intelligence International Norms

New Atlanticist Nov 15, 2024

AI safety concerns transcend borders. To meet the challenge, US efforts need to go global.

By Will LaRivee

Will the United States work with partner nations to take the necessary steps at the upcoming International Network of AI Safety Institutes meeting in San Francisco?

Artificial Intelligence Internet

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post How the Chip Security Act could usher in an era of ‘trusted trade’ with US partners appeared first on Atlantic Council.

FROM: Jack Long, Bharat C. Patel, and Jags Kandasamy

DATE: August 14, 2025

SUBJECT: Proposing a performance-based AI model marketplace for the Department of Defense

• Jack Long, PhD, is a lieutenant colonel in the US Marine Corps Reserve and the Naval AI lead at the Office of Naval Research.
• Bharat C. Patel is product lead, Project Linchpin, at the US Army Program Executive Office–Intelligence, Electronic Warfare, and Sensors.
• Jags Kandasamy is co-founder and chief executive officer of Latent AI, a start-up offering scalable, secure edge AI solutions for battlefield and industrial environments. He is also a distinguished fellow at the University of South Florida’s Global and National Security Institute.

The Department of Defense (DOD) should accelerate the deployment of operational artificial intelligence (AI) by establishing a performance-driven AI model marketplace. This strategic insights memo outlines a framework for one such marketplace. The approach incentivizes innovation through open competition, rapid iteration, and real-world performance validation—delivering mission-ready AI solutions at speed and scale. This proposal follows the principles outlined by the Atlantic Council’s Software-Defined Warfare Commission.

Currently, the government purchases AI models from a variety of industry partners. These models need regular retraining and optimization to be relevant in the deployed scenarios. There is a better way to meet the Defense Department’s need for AI.

In this proposal, the government would make a “data lake” available for industry partners to use to train models. This data lake could consist of imagery, radio frequency, sonar, and other mission-relevant datasets. Vendors could independently train models on this data lake and submit them to a centralized government model catalog—the Open Model Marketplace—where they would be made available for discovery and deployment by DOD components across services and commands.

Unlike the traditional procurement of AI through upfront contracts, this approach would compensate vendors based solely on model usage. The government would pay only for performance and the vendors would make money each time their models are deployed in operations. Models that demonstrate real-world utility, responsiveness to mission context, efficient compute utilization, and value to the user and value to the user would naturally rise to the top.

Step one: The Pentagon sets up a government-furnished data playground.

• DOD will establish and operate a secure data playground in which industry partners can work with US government data at various classification levels.
• DOD will provide vetted industry partners access to datasets and a data catalog.
• The playground will provide secure infrastructure; vendors are expected to support the infrastructure by paying to use it.

Step two: Vendors develop models and DOD vets them.

• DOD will provide known requirements, but vendors would be free to develop models for any use case they consider relevant.
• Models will be assessed via common and standardized metrics.
• Models will be vetted for relevance, performance, security, interoperability, and ethical considerations.
• Models will undergo basic validation and be scored before gaining approval for inclusion in the catalog of the Open Model Marketplace.

Step three: DOD units use the Open Model Marketplace.

• The Open Model Marketplace will be a centralized catalog containing all approved models categorized by mission, type, accuracy, and resource footprint.
• Government customers could perform additional testing on models to assess relevance.
• Any DOD unit could select and deploy models that meet its mission needs.
• Users could run models on the compute infrastructure of their choice.
• Models could be selected individually or as part of a “model pack” based on pricing offered by vendors.

Step four: Vendors are paid using a pay-for-performance model.

• Vendors will be compensated based on model consumption—with no upfront funding or long-term exclusivity.
• Model pricing will be independent of compute costs; models will run on government hardware.
• The model can be used on a monthly basis, with the option to terminate at end of each month.
• Vendors willing to assume risk could move quickly to build solutions.
• By avoiding long-term contracts or vendor lock-in, DOD could maintain flexibility.
• Innovation cycles would be shortened as vendors continuously iterate to remain competitive.

Step five: Users and customers score and give feedback.

• DOD can concurrently run multiple models that address the same problem.
• Government units will provide structured feedback and scoring on model performance.
• Users will send feedback to both the vendor and a DOD Test, Evaluation, Validation and Verification oversight team.
• Model performance statistics will be included in a model card and visible in a model catalog.
• Poorly performing models will be flagged, while high performers will be rewarded with increased usage and visibility.

Step six: Contracting pathways for acquisition.

• The DOD can leverage different contracting mechanisms to enable both rapid onboarding of new models and scalable deployment of proven ones.
• For newer models, the Commercial Solutions Opening authority is the best option to quickly prototype and validate capabilities that are tied to specific operational needs.
• For proven models, DOD should establish a multiple-award Blanket Purchase Agreement under Federal Acquisition Regulation 13.5 or 16.703 to pre-qualify and establish standardized terms (security, intellectual property, telemetry, runtime), enabling rapid call orders for repeat or scaled use.
• This approach ensures the marketplace serves as both an on-ramp for emerging capabilities and a fast lane for repeat procurement.

An open-model marketplace would offer several benefits to servicemembers.

• Innovation: Access to data would make it possible for the vendor base to iterate and develop faster.
• Speed: DOD would have immediate access to cutting-edge models without procurement delays.
• Performance: Only the most effective models would be likely to survive based on real-world success.
• Flexibility: DOD operators could tailor model selection to their unique operating environments.
• Cost-efficiency: DOD would only spend taxpayer dollars on solutions that deliver value, avoiding sunk costs.

To handle adoption and implementation, the Pentagon’s Chief Digital and AI Office (CDAO) should develop a franchise strategy in which it sets the standards but others (e.g., services, combatant commands, and others) can set up their own operations. CDAO should define onboarding policies, model-intake standards, test and evaluation criteria, and other high-level rules, but should let the franchisees execute. This approach would ensure department-wide interoperability while allowing fast movers to drive ahead.

Latent AI is a financial supporter of the Atlantic Council’s Scowcroft Center for Strategy and Security’s Software-Defined Warfare Commission. Kandasamy is an industry member of the commission.

The views expressed are the authors’ own and do not necessarily reflect those of their employer, the US government, or any affiliated organization.

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post A marketplace for mission-ready AI: Accelerating capability delivery to the Pentagon appeared first on Atlantic Council.

1. The US and Chinese plans are both focused on “AI action,” but are they similar?

Though differing in scope and intent, the AI action plans released by the United States and China targeted the same global audience and provided revealing indicators of how each country aims to define global leadership amid rapid technological change. 

The US AI Action Plan is broad in scope, ranging from domestic industrial capacity to promoting US technology abroad. Preceded by President Donald Trump’s visit to Pittsburgh where he touted investments in AI infrastructure, the rollout of the action plan included primarily US industry leaders and policymakers. The plan has three pillars, including accelerating AI innovation, building AI infrastructure in the United States, and international diplomacy focused on US exports, standards, and security. 

China’s plan, announced at the World AI Conference in Shanghai, is more narrowly focused on international governance, standards, and norms. Speaking to an international conference on July 26 in Shanghai, Chinese Premier Li Qiang announced thirteen elements of China’s approach to “multilateral and bilateral cooperation.” While the language espouses collaboration, China’s global approach is to ultimately replace the current rules-based, multistakeholder international order with an alternative centered on state control, increasingly through technology.

The proximity of the announcements is no coincidence. But the United States and China are far from the only countries shaping the age of AI.

—Graham Brookie is the Atlantic Council’s vice president for technology programs and strategy.

2. How should we expect each plan to materialize around the world?

China and the United States are advancing fundamentally different visions of AI’s role in the world. For China, AI is geopolitical infrastructure—centralized, sovereign, and aligned with its Belt and Road–style diplomacy. It emphasizes sovereign compute power, data control, and state-led development. The United States, by contrast, sees AI as an economic engine and a pillar of national security, anchored in open innovation, private enterprise, and alliances among democracies. 

This divide cuts deeper than policy. China champions state control using the term “sovereignty,” while engaging in multilateral fora and United Nations (UN)–led mechanisms to bend the rules-based international order toward its state control model and steer global AI governance, positioning itself as a voice for the Global South. The United States clings to industry and a market-driven agenda, promoting “trusted” governance through broad Organisation for Economic Co-operation and Development (OECD) principles and the narrower Group of Seven (G7) partnership—while tightening export controls and tech restrictions. While China leverages AI diplomacy through infrastructure, training, and open-source tools, the United States doubles down on norms and safeguards. 

This is about more than just technology—it’s a battle between rival digital worldviews. One champions state control and sovereign authority; the other bets on openness, markets, and liberal norms. As the Global South navigates between these competing visions, the outcome may not be a clean split—but a fractured landscape is inevitable. The coming decade will hinge on which model proves more persuasive, more scalable, and more aligned with global aspirations.

—Konstantinos Komaitis is a resident senior fellow and global governance and technology lead at the Atlantic Council’s Democracy and Tech Initiative.

3. How do the competing plans impact the AI tech stack and global infrastructure?

The United States and China are offering starkly contrasting visions for global AI governance. The US plan emphasizes strategic competition with China and prioritizes maintaining US technological primacy. It advances an ambitious—and, some would say, aggressive—framework: bolstering enforcement of existing chip export controls, pressuring allies to align with US restrictions under threat of penalty, and generally seeking to create dependencies on US technology products, including by providing an all-in-one AI tech stack as part of its foreign policy strategy. When partners are mentioned, it is with a somewhat antagonistic tone—they are described largely as either potential customers or as obstacles to be brought into compliance. The plan outlines the need to counter China in international governance bodies—which is a good and welcome inclusion—but with multiple State Department agencies facing deep staffing cuts, including many with deep knowledge of and relationships in these fora, it is difficult to see how the United States will effectively navigate these diplomatically nuanced and complex processes in a way that furthers US interests. 

This haphazard approach stands in stark contrast to the People’s Republic of China’s (PRC’s) engagement on AI governance. The PRC’s announcement builds on a years-long, multi-pronged, interlocking, and self-referential strategy designed to ensure China’s dominance in AI governance. The thirteen-point plan—which emphasizes themes of multilateralism, inclusivity, and deep engagement with Global Majority countries on their terms—builds on the PRC’s quiet and consistent work to build coalitions of Global Majority countries to vote in its favor in the very UN bodies mentioned in the US AI plan, including the Global Digital Compact. Crucially, promotion of China’s tech stack is part of this broader diplomatic engagement strategy. For example, Huawei offers long-standing “AI in a Box” solutions for governments seeking such technologies. These kinds of all-in-one offerings are often paired with financial incentives (for both the Chinese company and the recipient government), as well as follow-up training modules that promote Chinese initiatives and approaches to technology governance. 

The US AI Action Plan appears to be competing with China on the basis of offering a superior all-in-one AI tech stack. It is encouraging that the United States is finally recognizing this cornerstone of China’s strategy. However, Washington is failing to recognize a key source of China’s success—and one that may ultimately determine its own failure: the mutually reinforcing relationship between technology and diplomacy, executed in a systematic, nuanced, and consistent manner. 

—Kenton Thibaut is a senior resident China fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

4. Do the two plans allow room for cooperation? 

There’s no doubt that Washington and Beijing view each other as rivals, including in the artificial intelligence race. But both sides also share overlapping interests that could—and, at this moment of heightened geopolitical tensions, it remains a “could”—offer a path forward toward cooperation on the inner-workings of this emerging technology where both sides could benefit from some form of détente. 

The United States and China both highlighted the need for all parts of society to benefit from a technology that will likely seep into every part of individuals’ daily lives in the years to come. That may be a small point. But Washington and Beijing both committed to making AI as accessible as possible, including across several non-tech-related industries. That’s a commitment that may open the path for the geopolitical rivals to work on common apolitical standards, as they did in 2023 when signing the voluntary Bletchley Park Declaration around AI safety.

Both sides also made pledges to improve the wholesale datasets that underpin the latest large language models. That won’t involve the United States and China sharing sensitive information between each other. But it could potentially offer ways to build mutually accessible datasets in topics like public health and biotechnology in ways that already exist between the two countries.

Washington and China made separate commitments around energy infrastructure to fast-track AI development. Again, these efforts will be done in silos. But some of this infrastructure, including the upgrading of national energy grids to meet the demands of reams of new data centers, could also benefit from lessons learned—and experiences shared—between the two geopolitical rivals. 

—Mark Scott is a senior resident fellow at the Democracy and Tech Initiative.

5. How will Global Majority countries interact with these competing plans?

China’s plan portrays AI as a driving force for economic and social development. Its statement at the World AI Conference (WAIC) emphasized how AI could help to achieve the UN 2030 Agenda for Sustainable Development. It is a strategic play, as shared benefits and sustainable development are particularly crucial on China’s engagement with African countries and the broader Global Majority. 

In contrast, the US plan takes a competitive approach with the goal of market dominance. While this aim of maintaining technological leadership may be legitimate, Global Majority countries could view it as confrontational. These nations may hesitate to increase their technological dependence on a global power perceived as unwilling to consider their development needs. 

China’s plan is in line with its longstanding foreign policy principles, as evidenced in United Nations debates over the years. Together with the group of developing nations known as the G77, China has maintained that global governance mechanisms should prioritize and be more responsive to the diverse needs and developmental stages of countries, particularly those in the developing world. Its WAIC statement emphasizing national sovereignty as a fundamental aspect of AI governance aligns with China’s goals of increasing state control at both the national and international levels. 

China’s WAIC statement also proposes exploring a global mechanism for data sharing and promoting the “orderly and free flow of data” while maintaining security. Ensuring that data flows are “secure” or “safe” is a common theme in China’s data policy, often indicating a desire to keep data under state control. Such provisions may align well with the demands for data governance sovereignty relevant to countries in Africa or the BRICS group of emerging economies. Nonetheless, African and Latin American digital rights organizations are often critical of their countries adopting Chinese-influenced data governance frameworks, since they are aware of the risks of surveillance and digital repression enabled by government control of citizens’ data. 

Overall, China’s strategy could further strengthen the support of G77 countries for a state-centered global AI governance model, ultimately advancing Beijing’s geopolitical interests. The United States must address the needs and desires of Global Majority countries if it aims to export its AI stack to those nations and outcompete China. 

—Iria Puyosa is a senior research fellow at the Democracy and Tech Initiative.

6. What can we expect next from China and the US on international AI governance? 

The rapid proliferation of AI has led to an “adopt or risk obsolescence” mindset, with many governments, Beijing at the forefront, turning to internal balancing strategies focused on bolstering sovereign capacity to develop and use AI. China’s plan reflects a gradual shift in approach, as Beijing realizes its own growth depends on networked forms of power. 

In contrast, the dominance-based approach of the White House plan underestimates the value the United States has historically derived from its agenda-setting power in international governance. This is not just the power to influence what is discussed in international forums, but also what never gets to the table. Meanwhile, Beijing has proposed setting up a new Shanghai-based World AI Cooperation Organization and cooperative processes for AI development and governance under the UN’s Pact for the Future and Global Digital Compact. 

Beijing, it appears, is taking a page from a US playbook it has long criticized. Internet governance observers will remember that through the 2000s, Brazil, Russia, India, China, and South Africa opposed the Internet Corporation for Assigned Names and Numbers’s (ICANN’s) role in internet governance over concerns of US control. It may not be long before China rolls out an ICANN for AI. And the world may react quite differently. 

—Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center. 

The post Reading between the lines of the dueling US and Chinese AI action plans appeared first on Atlantic Council.

On July 23, Forward Defense nonresident senior fellow Owen Daniels was interviewed by Sumi Somaskanda on BBC News regarding the administration’s latest AI Action Plan. In the segment, Daniels explains that while the strategy includes familiar elements for researchers, it also introduces promising initiatives such as strengthening the US open model ecosystem, enhancing evaluation and security, and expanding workforce training. He notes that questions remain about how the plan will be implemented and whether it will be adequately resourced.

Fellow

Owen J. Daniels

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Daniels interviewed by BBC on AI Action Plan appeared first on Atlantic Council.

On July 25, Forward Defense nonresident senior fellow Owen Daniels published an article, “China’s Overlooked AI Strategy: Beijing Is Using Soft Power to Gain Global Dominance,” in Foreign Affairs. In the article, Daniels discusses how China is leveraging low-cost, open-source AI models as a soft power tool to expand its global influence, particularly in the developing world, posing a growing challenge to US technological leadership and strategic diplomacy.

Fellow

Owen J. Daniels

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post Daniels publishes article on China’s soft power strategy in AI in Foreign Affairs appeared first on Atlantic Council.

Click to jump to an expert analysis:

Graham Brookie: A deliberative and thorough plan—but three questions arise about its implementation

Trey Herr: If the US is in an AI race, where is it going? 

Trisha Ray: On international partnerships, the AI Action Plan is all sticks, few carrots

Nitansha Bansal: The plan is a step forward for the AI supply chain

Raul Brens: The US can’t lead the way on AI through dominance alone

Mark Scott: The US and EU see eye-to-eye on AI, up to a point

Ananya Kumar and Nitansha Bansal: The US plan may sound like those of the UK and EU—but the differences are critical

Esteban Ponce de Leon: The plan accelerates the tension between proprietary and open-source models

Joseph Webster: On energy, watch what the plan could do for the grid and batteries

A deliberative and thorough plan—but three questions arise about its implementation

We are in an era of increasing geopolitical competition, increased interdependence, and rapid technological change. No single issue demonstrates the convergence of all three better than AI. The AI Action Plan released today reflects this reality. Throughout the first six months of the Trump administration, officials have run a thorough and deliberative policy process—which White House officials say incorporated more than ten thousand public comments from various stakeholders, especially US industry. The resulting product provides a clear articulation of AI in terms of the tech stack that underpins it and an increasingly vast ecosystem of industry segments, stakeholders, applications, and implications. 

The policy recommendations laid out in the action plan are well-organized and draw connections between scientific, domestic, and international priorities. Despite the rhetoric, there is more continuity than it may appear from the first Trump administration to the Biden administration to this action plan—especially in areas such as increasing investment in infrastructure, hardware fabrication, and outcompeting foreign adversaries in innovation and the human talent that underpins it. The AI Action Plan will continue to scale investment and growth in these areas. The key divergence is in governance and guardrails.  

Three outstanding questions stick out regarding effective implementation of the Action Plan.  

First, in an era of budget and staff cuts across the federal government, will there be enough government expertise and funding to realize much of the ambition of this plan? For example, cutting State Department staff focused on tech diplomacy or global norms could undercut parts of the international strategy. Budget cuts to the National Science Foundation could impact AI priorities from workforce to research and development.  

Second, how will the administration wield consolidated power with frameworks to reward states it views as aligned and cut funding to states it sees as unaligned? 

Third, beyond selling US technology, how will the United States not just compete against Chinese frameworks in global bodies, but also work collaboratively with allies and partners on AI norms? 

Given the pace of change, the United States’ success will be based on continuing to grow the AI ecosystem as a collective whole and for the ecosystem to iterate faster to compete more effectively. 

—Graham Brookie is the Atlantic Council’s vice president for technology programs and strategy. 

If the US is in an AI race, where is it going?  

The arms race is a funny concept to apply to AI, and not just because the history of arms races is replete with countries bankrupting themselves trying to keep up with a perceived threat from abroad. The repeated emphasis on an AI “race” is still ambiguous on a crucial point—what are we racing toward?  

Consider this useful insight on arms racing in national security: “Over and over again, a promising new idea proved far more expensive than it first appeared would be the case; yet to halt midstream or refuse to try something new until its feasibility had been thoroughly tested meant handing over technical leadership to someone else.”    

 Was this written about AI? No, this comes from historian William H. McNeill writing about the British-German maritime arms race at the turn of the twentieth century. The United Kingdom and Germany raced to build ever bigger armored Dreadnoughts in an attempt to win naval supremacy based on the theory that the economic survival of seagoing countries would be determined by the ability to win a large, decisive naval battle. Industry played a key role in encouraging the competition and setting the terms of the debate, increasingly disconnected from the needs of national security  

 So, to take things back to the present, what are we racing toward when it comes to AI? The White House’s AI Action Plan hasn’t resolved this question. The plan’s Pillar 1 offers a swath of policy ideas grounded more in AI as a normal technology. Pillar 2 is more narrowly focused on infrastructure but still thin on the details of implementation. Tasking the National Institute of Standards and Technology is a common refrain and some of the previous administration’s policy priorities, such as the CHIPS Act and Secure by Design program have been essentially rebranded and relaunched. Pillar 3 calls for a renewed commitment to countering China in multilateral tech standards forums, a cruel irony as the State Department office responsible for this was just shuttered in wide-ranging layoffs announced earlier this month.  

The national security of the United States and its allies is composed of more than the capability of a single cutting-edge technology. Without knowing where this race is going, it will be hard to say when we’ve won, or if it’s worth what we lose to get there.    

—Trey Herr is senior director of the Cyber Statecraft Initiative (CSI), part of the Atlantic Council Technology Programs, and assistant professor of global security and policy at American University’s School of International Service.  

On international partnerships, the AI Action Plan is all sticks, few carrots 

The AI Action Plan’s strongest message is that the United States should meet, not curb, global demand for AI. To achieve this, the plan suggests a novel and ambitious approach: full-stack AI export packages through industry consortia. 

What is the AI stack? Most definitions include five layers: infrastructure, data, development, deployment, and application. Arguably, monitoring and governance is a critical sixth layer. US companies dominate components of different layers (e.g. chips, talent, cloud services, and models). But the United States’ ability to export full-stack AI solutions, the carrot in this scenario, is limited by a rather large stick: its broad export control regime, which includes the Foreign Director Product Rule and Export Administration Regulations. 

Governance remains the layer the United States is weakest on. The AI Action Plan does emphasize countering adversarial influence in international governance bodies, such as the Organisation for Economic Co-operation and Development, the Internet Corporation for Assigned Names and Numbers, the Group of Seven (G7), the Group of Twenty (G20), and the International Telecommunication Union. However, the plan undermines the consensus-based AI governance efforts within these bodies, including an apparent jibe at the G7 Code of Conduct. If it seeks real alignment with allies and partners, the White House must outline an affirmative vision for values-based global AI governance. 

—Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center, part of the Atlantic Council Technology Programs. 

The plan is a step forward for the AI supply chain

The AI Action Plan’s focus on the full AI stack—from energy infrastructure, data centers, semiconductors, and the talent pipeline to acknowledging associated risks and cybersecurity concerns—is welcome. The plan has adopted an optimistic view of the open source and open weight AI models, and it has built in provisions to create a healthy innovation ecosystem for open source AI models along with strengthening the access to compute—which is another positive policy realization on the part of the administration.

The administration appears to be cognizant that competitiveness in AI will not be achieved solely by domesticating the AI supply chain. Competitiveness in this ecosystem needs to be a multi-pronged strategy of translating domestic AI capabilities into national power faster, more efficiently, more effectively, and more economically than adversaries—driven by faster chips, smarter and more trustworthy models, a more resilient electricity grid, a robust investment infrastructure, and collaboration with allies.

This emphasis on securing the full stack means that the near-term policy will target not just innovation, but the location, sourcing, and trustworthiness of every component in the AI pipeline. The owners and users of AI supply chain components have much to look forward to. The new permitting reform could reshape the location of AI infrastructure; recognition of workforce and talent bottlenecks can lead to renewed focus on skill development and training programs; and emphasis on AI-related vulnerabilities in critical infrastructure could translate into more regular and robust information sharing apparatuses and incident response requirements for private sector executives.

In all, achieving AI competitiveness is an ambitious goal, and the plan sets the government’s agenda straight.

—Nitansha Bansal is the assistant director of the Cyber Statecraft Initiative.

The US can’t lead the way on AI through dominance alone

The AI Action Plan makes one thing clear: the United States isn’t just trying to win the AI race—it’s trying to engineer the track unilaterally. With sweeping ambitions to export US-made chips, models, and standards, the plan signals a cutting-edge strategy to rally allies and counter China. But it also takes a big gamble. Rather than co-design AI governance with democratic allies and partners, it pushes a “buy American, trust American” model. This will likely ring hollow for countries across Europe and the Indo-Pacific that have invested heavily in building their own AI rules around transparency, climate action, and digital equity. 

There’s a lot to like in the plan’s push for infrastructure investment and workforce development, which is a necessary step toward building serious AI capacity. But its sidelining of critical safeguards and its dismissal of issues like misinformation, climate change, and diversity, equity, and inclusion continues to have a sandpaper effect on traditional partners and institutions that have invested heavily in aligning AI with public values. If US developers are pressured to walk away from those same principles, the alliance could fray and the social license to operate in these domains will inevitably suffer. 

The United States can lead the way—but not through dominance alone. An alliance is built on the stabilizing forces of trust, not tech stack supply chains or destabilizing attempts to force partners to follow one country’s standards. Building this trust will require working together to respond to the ways that AI shapes our societies, not just unilaterally fixating on its growth. 

—Raul Brens Jr. is the director of the GeoTech Center. 

On energy, watch what the plan could do for the grid and batteries

Two energy elements in the AI Action Plan hold bipartisan promise: 

1. Expanding the electricity grid. The action plan notes the United States should “explore solutions like advanced grid management technologies and upgrades to power lines that can increase the amount of electricity transmitted along existing routes.” In other words, advanced conductors, reconductoring, and dynamic line ratings (and more) are on the table. Both Republicans and Democrats likely agree that transmission and the grid received inadequate investment in the Biden years: The United States built only fifty-five miles of high-voltage lines in 2023, down from the average of 925 miles per year between 2015 and 2019. The University of Pennsylvania estimated that the Inflation Reduction Act’s energy provisions would cost $1.045 trillion from 2023 to 2032, but the bill included only $2.9 billion in direct funding for transmission. 

2. Funding “leapfrog” dual-use batteries. Next-generation battery chemistries, such as solid-state or lithium-sulfur, could enhance the capabilities of autonomous vehicles and other platforms requiring on-board inference. Virtually all autonomous passenger vehicles run on batteries, and the action plan mentions self-driving cars and logistics applications. Additionally, batteries are a critical military enabler: They are deployed in drones, electronic warfare systems, robots, diesel-electric submarines, directed energy weapons, and more. Given the bipartisan interest in autonomous vehicles and US military competition with Beijing, there may be scope for bipartisan agreement on funding “leapfrog,” dual-use battery chemistries. 

—Joseph Webster is a senior fellow at the Atlantic Council’s Global Energy Center and the Indo-Pacific Security Initiative. 

The US and EU see eye-to-eye on AI, up to a point

Despite the ongoing transatlantic friction between Washington and Brussels, much of what was outlined by the White House aligns with much what EU officials have similarly announced in recent months. That includes efforts to reduce bureaucratic red tape to foster AI-enabled industries, the promotion of scientific research to outline a democracy-led approach to the emerging technology, and efforts to understand AI’s impact on the labor force and to upskill workers nationwide.

Yet where problems likely will arise is how Washington seeks to promote a “Make America Great Again” approach to the export of US AI technologies to allies and the wider world. Much of that focuses on prioritizing US interests, primarily against the rise of China and its indigenous AI industry, in multinational standards bodies and other global fora—at a time when the White House has significantly pulled back from previously bipartisan issues like the maintenance of an open and interoperable internet.

This dichotomy—where the United States and EU agree on separate domestic-focused AI industrial policy agendas but disagree on how those approaches are scaled internationally—will likely be a central pain point in the ongoing transatlantic relationship on technology. Finding a path forward between Washington and Brussels must now become a short-term priority at a time when both EU and US officials are threatening tariffs against each other.

—Mark Scott is a senior resident fellow at the Digital Forensic Research Lab’s Democracy + Tech Initiative within the Atlantic Council Technology Programs.

The US plan may sound like those of the UK and EU—but the differences are critical

The new AI Action Plan—like its peers from the European Union (EU) and the United Kingdom—is focused on “winning the AI race” through regulatory actions to direct and promote innovation, new investments to create and advance access to crucial AI inputs, and frameworks for international engagement and leadership. Winning the AI race is, in effect, the top priority of all three AI plans, albeit in different ways. While the EU’s AI Act wants to be the first to create regulatory guardrails, the United States’ AI plan has a strong deregulation agenda. In a significant break from other policy measures from this administration to ensure US dominance, this action plan moves away from a purely domestic orientation to the international sphere, flexing the reach of traditional US notions of power. This includes international leadership in frontier technology research and development and adoption, as well as creating global governance standards. It’s a testament to the scarcity, quality, and sizable nature of the inputs needed for global AI dominance that even the Trump administration is thinking through its strategy on AI in terms of global alignment. 

Even as each jurisdiction, including the United States, seeks to position itself as the dominant player in the AI race, there is no common scoreboard for deciding a winner for the game. Each player has devised an ambitious but distinct understanding of this “competition,” and each competition will play out through harnessing a unique combination of industrial, trade, investment, and regulatory policy tools. As the race unfolds in real time, the challenge for US policymakers is to simultaneously create the rules of the game while playing it effectively. A broad range of stakeholders, including AI companies, investors, venture capitalists, safety institutes, and allied governments seek clarity and stability. They all will watch the implementation of the US plan closely to determine their next moves.  

There are two encouraging signs in this action plan when it comes to strengthening US competitiveness:  

First, by prioritizing international diplomacy and security, the United States is positioning itself to influence the global AI playbook that will ultimately determine who reaps economic benefits from AI systems. Leading multilateral coordination on AI positions the United States to secure open markets for AI inputs, shape global adoption pathways, and protect its private sector from regulatory fragmentation and protectionism. 

Second, the plan creates a roadmap for ensuring that the United States and its allies assimilate AI capabilities faster than their adversaries. In this vein, the plan emphasizes the importance of coordinating with allies to implement and strengthen the enforcement of coordinating export controls. 

—Ananya Kumar is the deputy director for Future of Money at the GeoEconomics Center. 

—Nitansha Bansal is the assistant director of the Cyber Statecraft Initiative. 

The plan accelerates the tension between proprietary and open-source models

The White House’s AI Action Plan explicitly frames model superiority as essential to US dominance, but this creates profound tensions within the US ecosystem itself. As better models attract more users—who, in turn, generate training data for future improvements—we may see a self-reinforcing concentration of power among a few firms. 

This dynamic creates opportunities for leading firms to set safety standards that elevate the entire industry. A clear example is Anthropic’s “race to the top,” where competitive incentives are directly channeled into solving safety problems. When frontier labs adopt rigorous development protocols, market pressures force competitors to match or exceed these standards. However, the darker side of innovation may emerge through benchmark gaming, where pressure to demonstrate superiority incentivizes optimizing for benchmarks rather than genuine capability, risking misleadingly capable systems that excel at tests while lacking true innovation. 

Yet the AI Action Plan’s emphasis on open-source models highlights a more complex competitive landscape than market concentration alone suggests. Open-source strategies are not just defensive moves against domestic monopolization; they also represent offensive tactics in the global AI race, particularly as Chinese open-source models gain traction and threaten to establish alternative standards with millions of users worldwide. 

This dual-track competition between concentrated proprietary excellence and distributed open-source influence fundamentally redefines how firms must compete.  

Success now requires not only racing for capability supremacy but also strategically deciding what to keep proprietary and what to release in order to shape global standards. The plan’s call to “export American AI to allies and partners” through “full-stack deployment packages” suggests that the ultimate competitive advantage may lie not in the superiority of a single model, but in the ability to build dependent ecosystems where US AI becomes the essential infrastructure for global innovation. 

—Esteban Ponce de León is a resident fellow at the DFRLab of the Atlantic Council. 

The post Experts react: What Trump’s new AI Action Plan means for tech, energy, the economy, and more  appeared first on Atlantic Council.

As India prepares to host the next AI Impact Summit in New Delhi next February, there is an opportunity for national governments to advance discussions on trust and evaluations even amid tensions in the policy conversation between ensuring AI safety and advancing AI adoption. At next year’s summit, national governments should come together to encourage a collaborative, globally coordinated approach to AI governance that seeks to minimize risks while maximizing widespread adoption.

Paris: The AI adoption revolution begins

Initial momentum for policies focused on ensuring AI safety and its potential to pose existential risks to humanity began at the first UK-hosted AI Safety Summit in Bletchley Park in 2023. This discussion was further advanced in subsequent international summits in Seoul, South Korea, and San Francisco, California, in 2024. Yet, as France held the first AI Action Summit in Paris in February of this year, shortly after US President Donald Trump was sworn in for his second term and Prime Minister Keir Starmer took the helm of a brand-new Labour government in the United Kingdom, these discussions on AI risks and safety appeared to lose momentum.

At the AI Action Summit in Paris, French President Emmanuel Macron declared that now is “a time for innovation and acceleration” in AI, while US Vice President JD Vance said that “the AI future is not going to be won by hand-wringing about safety.” As the summit concluded, the United States and the United Kingdom opted not to join other countries in signing the Statement on Inclusive and Sustainable AI for People and Planet. Days later, the United Kingdom renamed its AI Safety Institute to the AI Security Institute, reflecting its shift toward focusing on the national security-related risks stemming from the most advanced AI models as opposed to addressing broader concerns around existential risks to society that AI systems might pose. This approach has also been adopted by the United States, which rebranded the US AI Safety Institute to the Center for AI Standards and Innovation in June.

The Paris AI Action Summit was an early indicator of what the first six months of 2025 would further reveal: a shift away from focusing on the potential existential risks and societal harms posed by AI. Instead, more countries have doubled down on AI research and development investments and the development of secure AI data centers, further increased their focus on extended training for large language models (LLMs), developed national AI adoption mandates, and made proposals to slow down or prevent additional regulation that may inhibit AI adoption.

AI investment and adoption mandates

The United States has taken several steps in this new direction. The Trump administration repealed several Biden-era executive actions on AI during the first few weeks of January, including repealing the “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” In February, the administration issued a request for information to develop a new “AI Action Plan,” pursuant to an executive order signed in January called “Removing Barriers to American Leadership in Artificial Intelligence.” The Trump administration’s AI executive order calls for the reduction of administrative and regulatory burdens to AI development and adoption, as well as a further alignment of US AI strategy with national security interests and economic competitiveness goals. Taken together, these actions emphasize an approach that views deregulation as essential for US global leadership in AI.

Simultaneously, a policy debate has emerged in the United States over whether the federal government should preempt state-level AI legislation that would impose regulations on the industry. The industry has been concerned that the numerous and varying approaches to AI legislation being developed at the state level could create a patchwork of regulations that would render the compliance environment complicated and overwhelming.

But even as the debate over federal preemption continues, state-level proposals on AI risk management and governance have stalled. Virginia’s proposed High-Risk Artificial Intelligence Developer and Deployer Act was vetoed by Governor Glenn Youngkin in March. Meanwhile, the Texas Responsible Artificial Intelligence Governance Act was significantly slimmed down before it was signed into law last month, with all references to high-risk AI systems and corresponding prohibitions removed.

Across the pond, the European Union (EU) continues to take steps to identify ways in which the implementation of its cross-cutting EU AI Act can be simplified as part of its AI Continent Action Plan. Industry expressed growing concern over the ability to meet enforcement deadlines without additional guidance and clarifications from the EU AI Office, with forty-four European CEOs calling for a delay in its implementation. This focus on adoption over safety concerns was also reflected at the Group of Seven (G7) Leaders’ Summit held in Canada last month. At the summit, G7 leaders issued a statement on AI for Prosperity, which highlighted the ways in which AI can drive economic growth and benefit people, in addition to laying out a roadmap for AI adoption.

Adapting to this shift in global AI policy

Given this marked shift in the tone of global AI policy discussions, some might wonder whether there are still opportunities to advance conversations on AI trust and safety. Yet, businesses crave certainty and trust remains paramount to creating an ecosystem that supports adoption. Moreover, the AI landscape continues to evolve, requiring continued discussions on “what good looks like” when it comes to AI models used in a variety of enterprise applications and scenarios. Emerging technologies such as agentic AI—AI systems designed to act autonomously, making decisions and taking actions to achieve specific goals with minimal human intervention—as well as evolving enterprise deployment challenges, make it clear that 2025 does not represent the dusk of international AI policy aimed at evaluating and mitigating risks, but a potential dawn.

The upcoming AI Impact Summit in New Delhi presents an opportunity to continue conversations about how creating a robust AI testing and evaluation ecosystem can drive innovation and foster trust, furthering AI security and adoption. There are four key areas that national governments should individually prioritize in their efforts to advance AI adoption while also collaborating on a global level.

1. Assess and address regulatory gaps based on new evolutions in AI technology. Agentic AI is the next evolution of AI technology. Like other iterations of the technology, it can offer significant benefits, but at the same time, either amplify existing risks or introduce new risks because it can execute tasks autonomously. Governments should undertake an assessment of existing regulatory frameworks to ensure they account for any new risks related to agentic AI. Additionally, to the extent that gaps are identified, they should consider the creation of flexible, future-proof frameworks that can be adapted to future evolutions of AI technology.

2. Advance industry-led discussions around open-source and open-weight models, including specific considerations for national security concerns. Transparency and access vary widely across open-source and open-weight models, and researchers and businesses should understand the extent to which models and data sets remain open. Stakeholders—including national governments—need to understand not only what constitutes an open-source or open-weight model, but also what elements of those models are necessary to share downstream. Additionally, enterprises and industry players need certainty around any relevant fault lines for these considerations when choosing partners and third-party vendors when open-source or open-weight models could impact national security. Such discussions will allow enterprises to determine which models and markets offer safe and secure foundations for experimentation and what transparency measures can reasonably be expected.

3. Foster trust by encouraging the development and adoption of AI testing, benchmarks, and evaluations. Governments should encourage the adoption of globally recognized, consensus-based AI testing, benchmarks, and evaluations. Frontier model developers need to be able to understand, analyze, and iterate on their LLMs with the help of detailed performance and safety evaluations. Governments should support the development of robust testing and evaluation frameworks to ensure that such frameworks are fit for purpose, address issues such as a lack of consistency and reliability in how evaluation results are reported, and improve the availability of high-quality and trustworthy evaluation datasets. These frameworks should also be built to further understand and iterate on evaluation results to improve models without overfitting, or creating models that match the training set so closely that they fail to make correct predictions on new data.

4. Drive public-private collaboration across borders to promote AI adoption and drive risk management. The technological conversation is not bound by national borders. Thus, it is important that both public-sector and private-sector stakeholders recognize and harness the interdependence of the AI value chain while engaging in conversations about AI governance and transparency. It is also vital that policymakers and different actors in the AI value chain have a clear understanding of their roles and responsibilities. Enterprises and national governments should continue to use international fora such as the Organisation for Economic Co-operation and Development, the Global Partnership on Artificial Intelligence, the International Network of Safety Institutes, and the United Nations to facilitate public-private collaboration across borders. This will help ensure that different approaches are interoperable and that countries and organizations are best leveraging their own strengths.

***

The world must not lose the gains already made by researchers, policymakers, and enterprises that have been working to address AI risks over the past several years by over-indexing on adoption alone. The answers required to address the challenges and risks associated with AI are intertwined with the ability to capitalize on the opportunities AI presents and can ensure the accountability and security of these technologies for years to come. If AI adoption is the objective, then AI testing, evaluations, and governance are the methods. A collaborative effort to advance AI policy that reflects this fact should be every nation’s priority.

Evi Fuelle is a nonresident senior fellow at the Atlantic Council’s GeoTech Center.

Courtney Lang is a nonresident senior fellow at the Atlantic Council’s GeoTech Center.

Issue Brief Apr 3, 2025

Sovereign remedies: Between AI autonomy and control

By Trisha Ray

Sovereign AI has gained a foothold in several capitals around the world.

Artificial Intelligence International Norms

GeoTech Cues Apr 1, 2025

DeepSeek shows the US and EU the costs of failing to govern AI

By Ryan Pan, Kolja Verhage

The West must urgently consider what DeepSeek’s R1 model means for the future of democracy in the AI era.

Artificial Intelligence China

New Atlanticist Feb 4, 2025

Five AI management strategies—and how they could shape the future

By Kieron O’Hara and Wendy Hall

To ensure the benefits of artificial intelligence (AI) are realized while minimizing the anticipated evils, it’s important to understand the different ways to approach AI governance.

Artificial Intelligence Technology & Innovation

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Navigating the new reality of international AI policy appeared first on Atlantic Council.

The post Nikoladze and Donovan cited in Centre for International Governance Innovation report on digital privacy, assets, and decentralization appeared first on Atlantic Council.

As the Commonwealth considers the anticipated wave of new centers, its policymakers have an unmissable opportunity to lead the state toward a clear-eyed, viable path forward to reap economic benefits while ensuring both the affordability and sustainability of its energy system. None of these issues will be resolved quickly or easily but should be front and center as Virginia voters decide on their new governor this year and a new legislature.

Sign up for PowerPlay, the Atlantic Council’s bimonthly newsletter keeping you up to date on all facets of the energy transition.

Past meets present

Virginia is hardly unfamiliar with the prospect of adding new energy generation capacity to support data center growth. In addition to being a technology hotspot, the state is already a major destination for energy investment abetted by state and local governments’ decarbonization and clean energy targets. In 2019, then-Governor Ralph Northam (a Democrat) signed an executive order prioritizing clean energy expansion across the state, including goals for Virginia’s power system to achieve 30 percent renewable energy resources by 2030 and 100 percent by 2050. The next year, the Virginia state legislature formalized these commitments in the Virginia Clean Economy Act, which remains in force. 

These policies have borne fruit. One analysis found that Virginia ranks fifth of all US states in percent increase in renewable energy generation over the last decade, led by growth in solar generation capacity sufficient to power 750,000 Virginia residences. Next year, a 2.6 GW offshore wind project is scheduled to come online. Notably, Virginia’s clean energy growth record and long-term aspirations have been maintained under the state’s current Republican leadership.

Expectation vs. reality

Virginia’s renewable and clean energy goals, however, were developed before generative AI was widely commercialized and Virginia became a key destination for data centers. 

A report from Virginia’s Joint Legislative Audit and Review Commission describes the growing challenge: while acknowledging that new data centers will benefit Virginia in employment and revenues, it warns that “unconstrained demand for power in Virginia would double within the next ten years, with the data center industry being the main driver.” Moreover, “[b]uilding enough infrastructure to meet unconstrained energy demand will be very difficult to achieve.” The fiscal implications of making necessary investments are potentially enormous with enormous implications for Virginians energy prices and power costs. 

Virginia faces a herculean task to meet incoming demand growth via conventional or any other fuels—let alone address it in a manner that leads to net-zero emissions by midcentury. 

Adding natural gas infrastructure, which currently supplies about half of the state’s electricity, faces two major barriers even apart from decarbonization considerations. First, the availability of new natural gas generation equipment, especially turbines, is sharply limited by supply chain bottlenecks (a situation complicated by uncertainty around the US international tariff slate). Second, constructing new natural gas power plants would likely entail expanding the network of associated infrastructure and interstate pipelines, which are time-consuming endeavors and can ignite local opposition (as the recent saga of the Mountain Valley Pipeline illustrates). 

Similarly, renewables infrastructure can theoretically come online quickly but would entail a massive expansion of transmission, distribution, and long-duration battery storage capacity. Adding renewables also requires community buy-in, which is not always assured. 

The way forward

Ample consideration must be given to how data centers are managed within Virginia—specifically in terms of regulations and requirements for new builds. Lawmakers debated a comprehensive state-wide AI regulatory proposal that was ultimately vetoed by Governor Glenn Youngkin (a Republican), but it is still possible to address specific energy infrastructure challenges through careful planning. Virginia officials should consider an approach that puts more responsibility on the hyperscalers themselves but also enables a constructive partnership between project developers, investors, policymakers, and local stakeholders:

The role of state officials

State officials could prioritize or incentivize new builds that can bring (and finance) their own on-site energy sources—ideally with abated, low, or zero emissions—to avoid straining the local grid system. They could also encourage new facilities in parts of the state with plentiful water resources such that the generators do not further strain areas vulnerable to water stress. Officials could adopt efficiency requirements for new builds (such as for technologies like advanced conductors) based on existing Power Usage Effectiveness (PUE) criteria, and establish guidance for continuous improvements (similar to the Energy Star model) suitable for this generation of AI. 

Local and municipal leaders’ role

Local and municipal policymakers can take leadership in facilitating shared efficiency and mitigation strategies in high-concentration regions for new builds (such as Northern Virginia). Shared infrastructure (e.g., a distribution system built for a grouping of new centers) can mitigate costs and environmental impacts of new equipment. 

Investor collaboration

Similarly, multiple investor stakeholders working together could procure, prepare, and operate less commercialized fuel sources like small modular reactors, or develop local carbon sequestration and other abatement options. They could also establish a community fund supported by local project developers to provide monies for areas like local transmission and distribution upgrades, regional transmission and upgrades in cases where imported power from other states is necessary. Such measures can help to reduce inflationary pressure for regular ratepayers and could be managed by city/regional officials and be subject to public oversight. 

When to say ‘no”

Importantly, there are likely to be instances where the potential economic benefits associated with certain proposals must be carefully balanced against wider societal impacts—such as the impact of a project on energy access, affordability, and the state’s decarbonization objectives. In cases where proposed data centers fail to meet certain requirements, officials should consider placing them lower in the interconnection queue for review and connection to external power sources. Likewise, new projects may simply be forced to wait regardless of their merits in order to shore up critical infrastructure for constituents who already rely on it. For those developers determined to operationalize as fast as possible, creative solutions or a heightened burden on said developer may be necessary. Policymakers should decide their criteria for “Yes,” “Maybe,” and even “No” since time is of the essence. They should also prepare to coordinate on those policy choices with relevant leadership at other levels of government. 

The here and now

Virginia faces a tremendous task ahead: balancing its energy and climate aspirations with a rapidly changing techno-economic context impacting the entire state is no small feat. Thoughtful consideration of both the immediate benefits and long-term implications of today’s decisions is essential, as is a careful eye to energy insecurity and affordability problems percolating throughout the state as matters stand already. To be sure, the AI revolution shows few signs of slowing down. Appropriate policies to smooth the bumpy road ahead should be prepared here and now. 

Andrea Clabough is a nonresident fellow with the Atlantic Council Global Energy Center

EnergySource

EnergySource is the Global Energy Center’s (GEC) online publication providing commentary and analysis on developments in the energy and climate sector from a wide-array of thought leaders, politicians, and experts.

Read more

Fellow

Andrea Clabough

Nonresident Fellow

Global Energy Center

Climate Change & Climate Action Energy & Environment

EnergySource May 21, 2025

Replace the Inflation Reduction Act with FUEL-AI

By Joseph Webster

To compete in the global AI race, the United States must dramatically expand its power supply. Replacing the Inflation Reduction Act with the FUEL-AI Act would reorient energy policy toward national security, fast-tracking domestic energy production and infrastructure to power America’s AI future.

Energy & Environment Energy Transitions

EnergySource Jan 27, 2025

DOGE should use AI to fix environmental review

By William Yancey Brown

The National Environmental Policy Act’s (NEPA) often lengthy process can delay crucial development projects and job creation. To address this, Trump’s newly established Department of Government Efficiency should leverage AI technologies to accelerate environmental reviews, modernizing the administration of NEPA.

Artificial Intelligence Energy & Environment

EnergySource Jun 10, 2024

Generative AI provides a toolkit for decarbonization

By Joseph Webster and Shaheer Hussam

Artificial intelligence models have long provided niche tools for energy a climate technologists. With the unique capabilities of generative AI, spanning applications in strategy, regulation, and finance, opportunities (and responsibilities) have emerged for all decarbonization stakeholders.

Artificial Intelligence Climate Change & Climate Action

The Global Energy Center develops and promotes pragmatic and nonpartisan policy solutions designed to advance global energy security, enhance economic opportunity, and accelerate pathways to net-zero emissions.

learn more

The post Ground-zero for the US AI energy challenge: A state-level case study appeared first on Atlantic Council.

The second Trump administration’s forthcoming effort is no ordinary NDS. It will define the DoD’s defense posture, US force structure, and modernization priorities for the next four years in a period of intensifying strategic competition, rapid technological disruption, and evolving global threats.

Against this backdrop, the Atlantic Council’s National Defense Strategy Project outlines the priorities the DoD should address in its next NDS. Our experts offer practical recommendations for implementation and identify where the United States must adapt to preserve its strategic edge and strengthen national resilience. A forward-looking defense strategy will be essential to ensuring military readiness, reinforcing deterrence, and protecting national interests—and it will play a pivotal role not only in responding to current challenges but in anticipating those on the horizon.

Forward Defense leads the Atlantic Council’s US and global defense programming, developing actionable recommendations for the United States and its allies and partners to compete, innovate, and navigate the rapidly evolving character of warfare. Through its work on US defense policy and force design, the military applications of advanced technology, space security, strategic deterrence, and defense industrial revitalization, it informs the strategies, policies, and capabilities that the United States will need to deter, and, if necessary, prevail in major-power conflict.

Learn more

The post The National Defense Strategy Project appeared first on Atlantic Council.

The benefits of AI are diffuse and often speculative, while the impacts of the infrastructure buildout—health impacts and higher energy costs for consumers—are often tangible and local. Local opposition has already led, for example, to the blocking or delaying of $64 billion worth of data center projects in the past two years. This opposition complicates the White House’s goal of retaining the United States’ global leadership in AI. 

Even as the Trump administration pushes for a rapid expansion of data centers in the United States, greater coordination between the federal and state levels is needed to avoid oversupply and sunk costs, while ensuring that AI development serves the public interest.

Past as precedent

Data centers can be attractive sources of revenue, especially as investments shift from mature markets such as Virginia, Texas, Arizona, and California, to emerging ones such as Indiana and Louisiana. The “data center gold rush,” as some call it, is exemplified in Stargate, a $500 billion venture led by OpenAI and SoftBank focused on building AI infrastructure. In March, Stargate signed off on its first project, a $7.1 billion data center park in western Texas.

Virginia is home to the world’s largest concentration of data centers, with 5.9 gigawatts (GW) in data center capacity, a further 1.8 GW coming online soon, and a stunning 15.4 GW planned, with much of the new capacity driven by AI. For context, the global total operational data center capacity is 40 GW. Moreover, Virginia’s data center industry already contributes an estimated 74,000 jobs, $5.5 billion in labor income, and $9.1 billion in gross domestic product to the state’s economy each year.

At the same time, the data center market is being built on what may be at best an overestimation and at worst a bubble. A 2023 study notes that the cost of the new generation and transmission buildout required to support data centers could increase costs for all customers. The average household could, for instance, see an increase to its utility bill of between fourteen dollars and thirty-seven dollars per month by 2040.

A haphazard buildout will also have effects on public health. A 2024 McKinsey study quantified the cost-of-healthcare burden on households from increased emissions, finding that the most impacted communities have household incomes below the national median. The “Gold Rush” analogy, ironically, is also fitting in this context: the California Gold Rush of the 1850s displaced entire communities, compromised biodiversity, and distorted labor markets. More recently, the dot-com bubble saw a frenzied buildout of fiber optic capacity, with one post-mortem analysis presciently noting, “The investors who threw money at optics at the peak of the bubble probably would bankrupt us all if we ever hit a true ‘technological singularity.’” (Singularity here refers to a theoretical point of time when technological growth passes a point of no return, profoundly changing human civilization. It is most often cited these days in connection with artificial general intelligence.)

Pitfalls of overinflated expectations

China’s Eastern Data, Western Compute (EDWC) initiative offers both a model and a cautionary tale. Launched in 2022, it aimed to create ten national data center clusters in the country’s resource-rich, sparsely populated western regions. The data center clusters cost an estimated 400 billion renminbi ($55 billion) per year to operate, while the actual turnover in 2021 was 150 billion renminbi ($20 billion). Companies investing in these clusters are relying partly on government subsidies and mostly on expectations of future demand. Data-center service prices have fallen rapidly as supply has exploded. However, vacancy rates remain high. 

AI-directed data centers, compared to traditional ones, have greater operating costs—potentially as much as two times as high—due to higher proportionate hardware costs and the need for always-on readiness. Furthermore, AI data center hardware depreciates as the integrated circuit arrays degrade or become obsolete. As one Chinese tech news outlet put it, “If a highway is built but only a few hundred cars are on the road each year, who will bear the amortized costs?” At the same time, EDWC also demonstrates the benefit of a coordinated approach that rallies the private sector and states toward a set of common objectives. The United States can learn from the pitfalls of overinflated expectations for demand, as well as the potential of such large-scale coordination.

Data about data centers

The US federal government needs to serve as an arbiter, with minimal but targeted interventions guiding investment for the public interest and maximizing the real benefits from AI. The likes of OpenAI, Meta and Amazon may well be able to risk multibillion-dollar investments in AI data centers. But smaller operators will not survive if they cannot recover the upfront investment, as China’s ailing data center market has shown. Furthermore, if the expected demand for AI data centers does not materialize, the costs of building out and running new energy capacity will fall on the remaining customers. Finally, with some jurisdictions seeking moratoriums on building new data centers or facing local backlash to new projects, and others competing to attract data center investments through subsidies and tax breaks, Washington should take on a coordinating role. This means the federal government should provide data points to track the risk of oversupply while respecting the rights of states to assess the impact of new projects on their communities.

In conjunction with the Trump administration’s push to use federal land for data centers, the Department of Energy should be empowered to establish an AI Data Center Monitoring Initiative (AI-DCMI). The AI-DCMI should collaborate with relevant federal entities, including the Department of the Interior, the Federal Energy Regulatory Commission, and the National Institute of Standards and Technology, as well as state energy offices. 

Rather than duplicate established (albeit fragmented) efforts, the AI-DCMI could collate available metrics, such as the Department of Energy’s Data Center Energy Use Report. It could also develop new indicators where gaps remain, especially for assessing the impact on local communities, health, and competitiveness of the AI data center market, as well as the projected utilization of AI infrastructure. Federal and state incentives for data center–related projects, including the lease of federal lands, should be linked to reporting requirements under the AI-DCMI. Finally, consultations with data center operators and other nongovernment stakeholders should inform these metrics. The AI-DCMI should not have a regulatory function. But it should address a critical gap in the current ecosystem: the lack of state-federal coordination on understanding the risks of the current trajectory and concentration of AI data center investments. 

This new Gold Rush will define the United States’ edge in AI—but only if investments are grounded in real demand. Without better state-federal coordination, the United States risks sinking billions into stranded capacity, with taxpayers footing the bill, while rivals surge ahead.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

The post To avoid an AI data-center bubble, Washington must change how it works with US states appeared first on Atlantic Council.

• Executive summary
• Introduction
• Definitions
• National and supranational regulatory initiatives
• International regulatory initiatives
• Analysis
• Conclusion

Executive summary

Civil regulation of artificial intelligence (AI) is hugely complex and evolving quickly, with even otherwise well-aligned countries taking significantly different approaches. At first glance, little in the content of these regulations is directly applicable to the defense and national security community. The most wide-ranging and robust regulatory frameworks have specific carve-outs that exclude military and related use cases. And while governments are not blind to the need for regulations on AI used in national security and defense, these are largely detached from the wider civil AI regulation debate. However, when potential second-order or unintended consequences on defense from civil AI regulation are considered, it becomes clear that the defense and security community cannot afford to think itself special. Carve-out boundaries can, at best, be porous when the technology is inherently dual use in nature. This paper identifies three broad areas in which this porosity might have a negative impact, including 

• market-shaping civil regulation that could affect the tools available to the defense and national security community; 

• judicial interpretation of civil regulations that could impact the defense and national security community’s license to operate; and 

• regulations that could add additional cost or risk to developing and deploying AI systems for defense and national security. 

This paper employs these areas as lenses through which to assess civil regulatory frameworks for AI to identify which initiatives should concern the defense and national security community. These areas are grouped by the level of resources and attention that should be applied while the civil regulatory landscape continues to develop. Private-sector AI firms with dual-use products, industry groups, government offices with national security responsibility for AI, and legislative staff should use this paper as a roadmap to understand the impact of civil AI regulation on their equities and plan to inject their perspectives into the debate. 

Introduction

Whichever side of this argument—or the gray and murky middle ground—one tends toward, it is clear that artificial intelligence (AI) is an enormously consequential technology in at least two ways. First, the AI revolution will change the way people work, live, and play. Second, the development and adoption of AI will transform the way future wars are fought, particularly in the context of US strategic competition with China. These conclusions, brought to the fore by the seemingly revolutionary advances in generative AI—as typified by ChatGPT and other large multimodal models—are natural conclusions drawn from decades of incremental advances in basic science and digital technologies. As public interest in AI and fears of its misuse rise, governments have started to regulate it. 

Much like AI itself, the global discussion on how best to regulate AI is complex and fast-changing, with big differences in approach seen even between otherwise well-aligned countries. Since the Organisation for Economic Co-operation and Development (OECD) published the first internationally agreed-upon set of principles for the responsible and trustworthy development of AI policies in 2019, the organization has identified more than 930 AI-related policy initiatives across 70 jurisdictions. The comparative analysis presented here reveals huge variation across these initiatives, which range from comprehensive legislation like the European Union (EU) AI Act to loosely managed voluntary codes of conduct, like that agreed to between the Biden administration and US technology companies. Most of the initiatives aim to improve the ability of their respective countries to thrive in the AI age; some aim to reduce the capacity of their competitors to do the same. Some take a horizontal approach focusing on specific sectors, use cases, or risk profiles, while others look vertically at specific kinds of AI systems, and some try to do bits of both. Issues around skills, supply chains, training data, and algorithm development feature varying degrees of emphasis. Almost all place some degree of responsibility on developers of AI systems, albeit voluntarily in the loosest arrangements, but knotty problems around accountability and enforcement remain. 

The defense and national security community has largely kept itself separate from the ongoing debates around civil AI regulation, focusing instead on internally directed standards and processes. The unspoken assumption seems to be that regulatory carve-outs or special considerations will insulate the community, but that view fails to consider the potential second-order implications of civil regulation, which will be market shaping and will affect a whole swath of areas in which defense has significant equity. Furthermore, the race to develop AI tools is itself now an arena of geopolitical competition with strategic consequences for defense and security, with the ability to intensify rivalries, shift economic and technological advantage, and shape new global norms. Relying on regulatory carve-outs for the development and use of AI in defense is likely to prove ineffective at best, and could seriously limit the ability of the United States and its allies to reap the rewards that AI offers as an enhancement to military capabilities on and off the battlefield. 

This paper provides a comparative analysis of the national and international regulatory initiatives that will likely be important for defense and national security, including initiatives in the United States, United Kingdom (UK), European Union, China, and Singapore, as well as the United Nations (UN), OECD, and the Group of Seven (G7). The paper assesses the potential implications of civil AI regulation on the defense and national security community by grouping them into three buckets. 

• Be supportive: Areas or initiatives that the community should get behind and support in the short term. 

• Be proactive: Areas that are still maturing but in which greater input is needed and the impact on the community could be significant in the medium term.  

• Be watchful: Areas that are still maturing but in which uncertain future impacts could require the community’s input.  

Definitions

To properly survey the international landscape, this paper takes a relatively expansive view of regulation and what constitutes an AI system. 

The former is usually understood by legal professionals to mean government intervention in the private domain or a legal rule that implements such intervention.¹ In this context, that definition would limit consideration to so-called “hard regulation,” largely comprising legislation and rules enforced by some kind of government organization, and would exclude softer forms of regulation such as voluntary codes of conduct and non-enforceable frameworks for risk assessment and classification. For this reason, this paper interprets regulation more loosely to mean the controlling of an activity or process, usually by means of rules, but not necessarily deriving from government action or subject to formal enforcement mechanisms. When in doubt, if a policy or regulation says it is aimed at controlling the development of AI, this paper takes it at its word. 

To define AI, this paper follows the National Artificial Intelligence Act of 2020, as enacted via the 2021 National Defense Authorization Act, which defines AI as “a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments.”² This definition neatly encompasses the current cutting edge of narrow AI systems based on machine learning. At a later date, it might also be expected to include theorized, but not yet realized, artificial general intelligence or artificial superintelligence systems. This paper deliberately excludes efforts to control the production of advanced microchips as a precursor technology to AI, as there is already significant research and commentary on that issue. 

National and supranational regulatory initiatives

United States

Thus far, the US approach to AI regulation can perhaps best be characterized as a patchwork attempting to balance public safety and civil rights concerns with a widespread assumption that US technology companies must be allowed to innovate for the country to succeed. There is consensus that government must play a regulatory role, but a wide range of opinions on what that role should look like.

Overview

Federal regulation

At the federal level, AI has been a rare area of bipartisan interest and relative agreement in recent years. The ideas raised in 2018 by then President Donald Trump in Executive Order (EO) 13845 can be traced through subsequent Biden-era initiatives, including voluntary commitments to manage the risks posed by AI, which were agreed upon with leading technology companies in mid-2023.³ However, other elements of the Biden approach to AI—such as the 2022 Blueprint for an AI Bill of Rights, which focused on potential civil rights harms of AI, and the more recent EO14110 Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence—were unlikely to survive long, with the latter explicitly called out for reversal in the 2024 Republican platform.⁴ Trump was able to follow through on this easily because, while EO14110 was a sweeping document that gave elements of the federal government 110 specific tasks, it was not law and was swiftly overturned.⁵

While EO14110 was revoked, it is not clear what might replace it.⁶ It seems likely that the Biden administration’s focus on protecting civil rights as laid out by the Office of Management and Budget (OMB) will become less prominent, but the political calculus is complicated and revising Biden-era AI regulation is not likely to be at the top of the Trump administration’s to-do list.⁷ So, the change of administration does not necessarily mean that all initiatives set in motion by Biden will halt.⁸ Before EO14110 was issued, at least a dozen federal agencies had already issued guidance on the use of AI in their jurisdictions and more have since followed suit.⁹ These may well survive, especially the more technocratic elements like the National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework (NIST Framework), which is due to be expanded to cover risks that are novel to, or exacerbated by, the use of generative AI.¹⁰ The NIST Framework, along with guidance on secure software development practices related to training data for generative AI and dual-use foundation models, and a plan for global engagement on AI standards, are voluntary tools and generally politically uncontentious.¹¹

In Congress, then-Senate Majority Leader Chuck Schumer (D-NY) led the AI charge with a program of educational Insight Forums, which led to the Bipartisan Senate AI Working Group’s Roadmap for AI Policy.¹² Some areas of the roadmap support the Biden administration’s approach, most notably support for NIST, but overall it is more concerned with strengthening the US position vis-à-vis international competitors than it is with domestic regulation.¹³ No significant legislation on AI is on the horizon, and the roadmap’s level of ambition is likely constrained by dynamics in the House of Representatives, given that Speaker Mike Johnson is on the record arguing against overregulation of AI companies.¹⁴ A rolling set of smaller legislative changes is more likely than an omnibus AI bill, and the result will almost certainly be a regulatory regime more complex and distributed than that in the EU.¹⁵ This can already be seen in the defense sector, where the 2024 National Defense Authorization Act (NDAA) references AI 196 times and includes provisions on public procurement of AI, which were first introduced in the Advancing American AI Act.¹⁶ These provisions require the Department of Defense (DoD) to develop and implement processes to assess its ethical and responsible use of AI and a study analyzing vulnerabilities in AI-enabled military applications.¹⁷

Beyond the 2024 NDAA, the direction of travel in the national security space is less clear. The recently published National Security Memorandum (AI NSM) seemingly aligns with Trump’s worldview.¹⁸ Its stated aims are threefold: first, to maintain US leadership in the development of frontier AI systems; second, to facilitate adoption of those systems by the national security community; and third, to build stable and responsible frameworks for international AI governance.¹⁹ The AI NSM supplements self-imposed regulatory frameworks already published by the DoD and the Office of the Director of National Intelligence. But, unlike those existing frameworks, the AI NSM is almost exclusively concerned with frontier AI models.²⁰ The AI NSM mandates a whole range of what it calls “deliberate and meaningful changes” to the ways in which the US national security community deals with AI, including significant elevation in power and authority for chief AI officers across the community.²¹ However, the vast majority of restrictive provisions are found in the supplementary Framework to Advance AI Governance and Risk Management in National Security, which takes an EU-style, risk-based approach with a short list of prohibited uses (including the nuclear firing chain), a longer list of “high-impact” uses that are permitted with greater oversight, and robust minimum-risk management practices to include pre-deployment risk assessments.²² Comparability with EU regulation is unlikely to endear the AI NSM to Trump, but it is interesting to note that Biden’s National Security Advisor Jake Sullivan argued that restrictive provisions for AI safety, security, and trustworthiness are key components of expediting delivering of AI capabilities, saying, “preventing misuse and ensuring high standards of accountability will not slow us down; it will actually do the opposite.”²³ An efficiency-based argument is likelier with a Trump administration focused on accelerating AI adoption. 

State-level regulation

According to the National Conference of State Legislators, forty-five states introduced AI bills in 2024, and thirty-one adopted resolutions or enacted legislation.²⁴ These measures tend to focus on consumer rights and data privacy, but with significantly different approaches seen in the three states with the most advanced legislation: California, Utah, and Colorado.²⁵

Having previously been a leader in data privacy legislation, the California State Legislature in 2024 passed what would have been the most far-reaching AI bill in the country before it was vetoed by Governor Gavin Newsom.²⁶ The bill had drawn criticism for potentially imposing arduous, and damaging, barriers to technological development in exactly the place where most US AI is developed.²⁷ However, Newsom supported a host of other AI-related bills in 2024 that will place significant restrictions and safeguards around the use of AI in California, indicating that the country’s largest internal market will remain a significant force in the domestic regulation of AI.²⁸

Colorado and Utah both successfully enacted AI legislation in 2024. Though both are consumer rights protection measures at their core, they take very different approaches. The Utah bill is quite narrowly focused on transparency and consumer protection around the use of generative AI, primarily through disclosure requirements placed on developers and deployers of AI services.²⁹ The Colorado bill is more broadly aimed at developers and deployers of “high-risk” AI systems, which here means an AI system that is a substantial factor in making any decision that can significantly impact an individual’s legal or economic interests, such as decisions related to employment, housing, credit, and insurance.³⁰ This essentially gives Colorado a separate anti-discriminatory framework just for AI systems, which imposes reporting, disclosure, and testing obligations with civil penalties for violation.³¹ This puts Colorado, not California, at the leading edge of state-level AI regulation, but that does not necessarily mean that other states will take the Colorado approach as precedent. In signing the law, Governor Jared Polis made clear that he had reservations, and a similar law was vetoed in Connecticut.³² Some states might not progress restrictive AI regulation at all. For example, Virginia Governor Glenn Youngkin recently issued an executive order aiming to increase the use of AI in state government agencies, law enforcement, and education, but there is no indication that legislation will follow anytime soon.³³

However state-level legislation progresses, it is unlikely to have any direct impact on military or national security users. There is also a risk that public fears around AI could be stoked and lead to more stringent state-level regulation, especially if AI is seen to “go wrong,” leading to tangible examples of public harm. As discussed below in the context of the European Union, the use of AI in law enforcement is among the most controversial use cases. This can only be more relevant in the nation with some of the most militarized police forces in the world and a National Guard that can also serve a domestic law-enforcement role.³⁴

International efforts

The United States has been active in a number of international initiatives relating to AI regulation, including through the UN, NATO, and the G7 Hiroshima process, which are covered later in this paper. The final element of the Biden administration’s approach to AI regulation, and the one that might be the least likely to carry through into 2025, was the Political Declaration on Responsible Military Use of Artificial Intelligence and Autonomy.³⁵ The declaration is a set of non-legally binding guidelines that aims to promote responsible behavior and demonstrate US leadership in the international arena. International norms are notoriously hard to agree upon and even harder to enforce. Unsurprisingly, the declaration makes no effort to restrict the kinds of AI systems that signatories can develop in their pursuit of national defense. According to the DoD, forty-seven nations have endorsed the declaration, though China, Russia, and Iran are notably not among that number.³⁶

China

The Chinese approach to AI regulation is relatively straightforward compared to that of the United States, with rules issued in a top-down, center-outward manner in keeping with the general mode of Chinese government.

Overview

Domestic regulation

Since 2018, the Chinese government has issued four administrative provisions intended to regulate delivery of AI capabilities to the Chinese public, most notably the so-called Generative AI Regulation, which came into force in August 2023.³⁷ This, and preceding provisions on the use of algorithmic recommendations in service provision and the more general use of deep synthesis tools, is focused on regulating algorithms rather than specific use cases.³⁸ This vertical approach to regulation is also iterative, allowing Chinese regulators to build skills and toolsets that can adapt as the technology develops. A more comprehensive AI law is expected at some point but, at the time of writing, only a scholars’ draft released by the Chinese Academy of Social Sciences (CASS) gives outside observers insight into how the Chinese government is thinking about future AI regulation.³⁹

The draft proposes the formation of a new government agency to coordinate and oversee AI in public services. Importantly, and unlike in the United States, the use of AI by the Chinese government itself is not covered by any proposed or existing regulations, including for military and other national security purposes. This approach will likely not change, as it serves the Chinese government’s primary goal, which is to preserve its central control over the flow of information to maintain internal political and social stability.⁴⁰ The primary regulatory tool proposed by the scholars’ draft is a reporting and licensing regime in which items that appear on a negative list would require a government-approved permit for development and deployment. This approach is a way for the Chinese government to manage safety and other risks while still encouraging innovation.⁴¹ The draft is not clear about what items would be on the list, but foundational models are explicitly referenced. In addition to an emerging licensing regime and ideas about the role of a bespoke regulator, Chinese regulations have reached interim conclusions in areas in which the United States and others are still in debate. For example, the Generative AI Regulation explicitly places liability for AI systems on the service providers that make them available to the Chinese public.⁴²

Enforcement is another area in which the Chinese government is signaling a different approach. As one commentator notes, “Chinese regulation is stocked with provisions that are straight off the wish list for AI to support supposed democratic values [. . .] yet the regulation is clearly intended to strengthen China’s authoritarian system of government.”⁴³ Analysis from the East Asia Forum suggests that China is continuing to refine how it balances innovation and control in its approach to AI governance.⁴⁴ If this is true, then the vague language in Chinese AI regulations, which would give Chinese regulators huge freedom in where and how they make enforcement decisions, could be precisely the point.⁴⁵

International efforts

As noted above, China has not endorsed the United States’ Political Declaration on the Responsible Military Use of Artificial Intelligence and Autonomy, but China is active on the international AI stage in other ways. At a 2018 meeting relating to the United Nations Convention on Certain Conventional Weapons, the Chinese representative presented a position paper proposing a ban on lethal autonomous weapons (LAWS).⁴⁶ But Western observers doubt the motives behind the proposal, with one commentator saying it included “such a bizarrely narrow definition of lethal autonomous weapons that such a ban would appear to be both unnecessary and useless.”⁴⁷ China has continued calling for a ban on LAWS in UN forums and other public spaces, but these calls are usually seen in the West as efforts to appear as a positive international actor while maintaining a position of strategic ambiguity—there is little faith that the Chinese government will practice what it preaches.⁴⁸ This is most clearly seen in reactions to the Global Security Initiative (GSI) concept paper published in February 2023.⁴⁹ Reacting to this proposal, which China presented as aspiring for a new and more inclusive global security architecture, the US-China Economic and Security Review Commission (USCC) responded with scorn, saying, “the GSI’s core objective appears to be the degradation of U.S.-led alliances and partnerships under the guise of a set of principles full of platitudes but empty on substantive steps for contributing to global peace.”⁵⁰

Outside of the military sphere, Chinese involvement in international forums attracts similar critique. In the lead-up to the United Kingdom’s AI Safety Summit, the question of whether China would be invited, and then whether Beijing’s representatives would attend, caused controversy and criticism.⁵¹ However, that Beijing is willing to collaborate internationally in areas where it sees benefit does not mean that Beijing will toe the Western line. In fact, Western-led international regulation might not even be a particular concern for China. Shortly after the AI Safety Summit, Chinese President Xi Jinping announced a new Global AI Governance Initiative.⁵² As with the GSI, this effort has been met with skepticism in the United States, but there is a real risk that China’s approach could split international regulation into two spheres.⁵³ This risk is especially salient because of the initiative’s potential appeal to the Global South. More concerningly, there is some evidence that China is pursuing a so-called proliferation-first approach, which involves pushing its AI technology into developing countries. If China manages to embed itself in the global AI infrastructure in the way that it did with fifth-generation (5G) technology, then any attempt to regulate international standards might come too late—those standards will already be Chinese.⁵⁴

European Union

The European Union moved early into the AI regulation game. In August 2024, it became the first legislative body globally to issue legally binding rules around the development, deployment, and use of AI.⁵⁵ Originally envisaged as a consumer protection law, early drafts of the AI Act covered AI systems only as they are used in certain narrowly limited tasks—a horizontal approach.⁵⁶ However, the explosion of interest in foundational models following the release of ChatGPT in late 2022 led to an expansion in the law’s scope to include these kinds of models regardless of how and by whom they are used.

Overview

Internal regulation

The AI Act is an EU regulation, the strongest form of legislation that the EU can produce, and is binding and directly applicable in all member states.⁵⁷ The AI Act takes a risk-based approach whereby AI systems are regulated by how they are used, based on the potential harm that use could cause to an EU citizen’s health, safety, and fundamental rights. There are four categories of risk: unacceptable, high, limited, and minimal/none. Systems in the limited and minimal categories are subject to obligations around attribution and informed consent, i.e., people must know they are talking to a chatbot or viewing an AI-generated image. At the other end of the scale, AI systems that fall within the unacceptable risk category are completely prohibited. This includes any AI system used for social scoring, unsupervised criminal profiling, or workplace monitoring; systems that exploit vulnerabilities or impair a person’s ability to make informed decisions via manipulation; biometric categorization of sensitive characteristics; untargeted use of facial recognition; and the use of real-time remote biometric identification systems in public spaces, except for narrowly defined police use cases.⁵⁸

High-risk systems are subject to the most significant regulation in the AI Act and are defined as such by two mechanisms. First, AI systems used as a safety component or within a kind of product already subject to EU safety standards are automatically high risk.⁵⁹ Second, AI systems are considered high risk if they are used in the following areas: biometrics; critical infrastructure; education and vocational training; employment, worker management, and access to self-employment; access to essential services; law enforcement; migration, asylum, and border-control management; and administration of justice and democratic processes.⁶⁰ The majority of obligations fall on developers of high-risk AI systems, with fewer obligations placed on deployers of those systems.⁶¹

As mentioned, so-called general-purpose AI (GPAI) is covered separately in the AI Act. This addition was a significant bone of contention in the trilogue negotiation, as some member states were concerned that vertical regulation of specific kinds of AI would stifle innovation in the EU.⁶² As a compromise, though all developers of GPAI must provide technical documentation and instructions for use, comply with the Copyright Directive, and publish a summary about the content used for training, the more stringent obligations akin to those imposed on developers of high-risk systems are reserved for GPAI models that pose “systemic risk.”⁶³ Open-license developers must comply with these restrictions only if their models fall into this last category.⁶⁴

It is not yet clear exactly how the new European AI Office will coordinate compliance, implementation, and enforcement. As with all new EU regulation, interpretation through national and EU courts will be critical.⁶⁵ One startling feature of the AI Act is the leeway it appears to give the technology industry by allowing developers to self-determine their AI system’s risk category, though the huge financial penalties those who violate the act  face might serve as sufficient deterrent to bad actors.⁶⁶

The AI Act does not, and could never, apply directly to military or defense applications of AI because the European Union does not have authority in these areas. As expected, the text includes a general exemption for military, defense, and national security uses, but exemptions for law enforcement are far more complicated and were some of the most controversial sections in final negotiations.⁶⁷ Loopholes allowing police to use AI in criminal profiling, if it is part of a larger, human-led toolkit, and the use of AI facial recognition on previously recorded video footage have caused uproar and seem likely candidates for litigation, potentially placing increased costs and uncertainty on developers working in these areas.⁶⁸ This ambiguity could have knock-on effects, given the increasing overlap between military technologies and those used by police and other national security actors, especially in counterterrorism. 

International efforts

The official purpose of the AI Act is to set consistent standards across member states in order to ensure that the single market can function effectively, but some believe that this will lead the EU to effectively become the world’s AI police.⁶⁹ Part of this is the simple fact that it will be a lot easier for other jurisdictions to copy and paste a regulatory model that has already been proven, but concern comes from the way that the General Data Protection Regulation (GDPR) has had huge influence outside of the territorial boundaries of the EU by placing a high cost of compliance on companies that want to do business in or with the world’s second-largest economic market.⁷⁰ Similarly, EU regulations on the kinds of charging ports that can be used for small electronic devices have resulted in changes well beyond its borders.⁷¹ However, more recently, Apple has decided to hold back on releasing AI features to users in the EU, indicating that cross-border influence can run both ways.⁷²

United Kingdom

Since 2022, the UK government has described its approach to AI regulation as innovation-friendly and flexible, designed to service the potentially contradictory goals of encouraging economic growth through innovation while also safeguarding fundamental values and the safety of the British public.⁷³ This approach was developed under successive Conservative governments but is yet to change radically under the Labour government as it attempts to balance tensions between business-friendly elements of the party and more traditional labor activists and trade unionists.⁷⁴

Overview

Domestic regulation

The UK’s approach to AI regulation was first laid out in June 2022, followed swiftly by a National AI Strategy that December and a subsequent policy paper in August 2023, which set out the mechanisms and structures of the regulatory approach in more detail.⁷⁵ However, this flurry of policy publications has not resulted in any new laws.⁷⁶ During the 2024 general election campaign, members of the new Labour government initially promised to toughen AI regulation, including by forcing AI companies to release test data and conduct safety tests with independent oversight, before taking a more conciliatory tone with the technology industry and promising to speed up the regulatory process to encourage innovation.⁷⁷ Though its legislative agenda initially included appropriate legislation for AI by the end of 2024, this has not been realized.⁷⁸ The prevailing view seems to be that, with some specific exceptions, existing regulators are best placed to understand the needs and peculiarities of their sectors.⁷⁹

Some regulators are already taking steps to incorporate AI into their frameworks. The Financial Conduct Authority’s Regulatory Sandbox allows companies to test AI-enabled products and services in a controlled environment and, by doing so, to identify consumer protection safeguards that might be necessary.⁸⁰ The Digital Regulation Cooperation Forum (DRCF) recently launched its AI and Digital Hub, a twelve-month pilot program to make it easier for companies to launch new AI products and services in a safe and compliant manner, and to reduce the time it takes to bring those products and services to market.⁸¹

Though the overall approach is sectoral, there is some central authority in the UK approach. The Office for AI has no regulatory role but is expected to provide certain central functions required to monitor and evaluate the effectiveness of the regulatory framework.⁸² Another centrally run AI authority, the AI Safety Institute (AISI), breaks from the sectoral approach and instead focuses on “advanced AI,” which includes GPAI systems as well as narrow AI models that have the potential to cause harm in specific use cases.⁸³ While AISI is not a regulator, several large technology companies, including OpenAI, Google, and Microsoft, have signed voluntary agreements to allow AISI to test these firms’ most advanced AI models and make changes to them if they find safety concerns.⁸⁴ However, now that AISI has found significant flaws in those same models, both AISI and the companies have stepped back from that position, demonstrating the inherent limitations of voluntary regimes. In recognition of this dilemma, the forthcoming legislation referenced above is expected to make existing voluntary agreements between companies and the government legally binding.⁸⁵

The most significant challenge to the current sector-based approach is likely to come from the UK Competition and Markets Authority (CMA). Having previously taken the view that flexible guiding principles would be sufficient to preserve competition and consumer protection, the CMA is now concerned that a small number of technology companies increasingly have the ability and incentive to engage in market-distorting behavior in their own interests.⁸⁶ The CMA has also proposed prioritizing GPAI under new regulatory powers provided by the Digital Markets, Competition and Consumers Bill (DMCC).⁸⁷ A decision to do so could have a huge impact on the AI industry, as the DMCC significantly sharpens the CMA’s teeth, giving it the power to impose fines for violation of up to 10 percent of global turnover without involvement of a judge, as well as smaller fines for senior individuals within corporate entities and consumer compensation.⁸⁸

As in the United States, it is expected that any UK legislative or statutory effort to expand the regulatory power of government over AI will have some kind of exemption for national security usage.⁸⁹ But, as in the United States, it does not follow that the national security community will be untouched by regulation. The UK Ministry of Defence (UK MOD) published its own AI strategy in June 2022, accompanied by a policy statement on the ethical principles that the UK armed forces will follow in developing and deploying AI-enabled capabilities.⁹⁰ Both documents recognize that the use of AI in the military sphere comes with a specific set of risks and concerns that are potentially more acute than those in other sectors. These documents also stress that the use of any technology by the armed forces and their supporting organizations is already subject to a robust regime of compliance for safety, where the Defence Safety Agency has enforcement authorities; and legality, where existing obligations under UK and international human rights law and the law of armed conflict form an irreducible baseline.  

The UK’s intelligence community does not have a director of national intelligence to issue community-wide guidance on AI, but the Government Communications Headquarters (GCHQ) offers some insight into how the relevant agencies are thinking about the issue.⁹¹ Published in 2021, GCHQ’s paper on the Ethics of Artificial Intelligence predates the current regulatory discussion but slots neatly into the sectoral approach.⁹² In the paper, GCHQ points to existing legislative provisions that ensure its work complies with the law. Most relevant for discussion of AI is the role of the Technology Advisory Panel (TAP), which sits within the Investigatory Powers Commissioner’s Office and advises on the impact of new technologies in covert investigations.⁹³ The implicit argument underpinning both the UK MOD and GCHQ approaches is that specific regulations or restrictions on the use of AI in national security are needed only insofar as AI presents risks that are not captured by existing processes and procedures. Ethical principles, like the five to which the UK MOD will hold itself, are intended to frame and guide those risk assessments at all stages of the capability development and deployment process, but they are not in themselves regulatory.⁹⁴ As civil regulation of AI develops, it will be necessary to continue testing the assumption that the existing national security frameworks are capable of addressing AI risks and to change them as needed, including to ensure that they are sufficient to satisfy a supply base, international community, and public audience that might expect different standards. 

International efforts

In addition to active participation in multilateral discussions through the UN, OECD, and the G7, the United Kingdom has held itself out to be a global leader in AI safety. The inaugural Global AI Safety Summit held in late 2023 delivered the Bletchley Declaration, a statement signed by twenty-eight countries in which they agreed to work together to ensure “human-centric, trustworthy and responsible AI that is safe” and to “promote cooperation to address the broad range of risks posed by AI.”⁹⁵ The Bletchley Declaration has been criticized for its focus on the supposed existential risks of GPAI at the expense of more immediate safety concerns and for its lack of any specific rules or roadmap.⁹⁶ But it gives an indication of the areas of AI regulation in which it might be possible to find common ground, which, in turn, might limit the risk of entirely divergent regulatory regimes.⁹⁷

Singapore

With a strong digital economy and a global reputation as pro-business and pro-innovation, Singapore is unsurprisingly approaching AI regulation along the same middle path between encouraging growth and preventing harms as the United Kingdom.⁹⁸ Unlike the United Kingdom, Singapore has carefully maintained its position as a neutral player between the United States and China, and this positioning is reflected in its strategy documents and public statements.⁹⁹

Overview

Domestic regulation

Government activity in the area is driven by the second National AI Strategy (NAIS 2.0), which is partly a response to the increasing concern over the safety and security of AI, especially GPAI.¹⁰⁰ NAIS 2.0 clearly recognizes that there are security risks associated with AI, but it places relatively little emphasis on threats to national security. According to NAIS 2.0, the government of Singapore wants to retain agility in its approach to regulating AI, a position backed by public statements by senior government figures. Singapore’s approach to AI regulation is sectoral and based, at least for the time being, on existing regulatory frameworks. Singapore’s regulatory bodies have been actively incorporating AI into their toolkits, most notably through the Model AI Governance Framework jointly issued by the information communications and data-protection regulators in 2019 and updated in 2020.¹⁰¹ The framework is aimed at private-sector organizations developing or deploying AI in their businesses. It provides guidance on key ethical and governance issues and is supported by a practical Implementation and Self-Assessment Guide and Compendium of Use Cases to make it easier for companies to map the sector- and technology-agnostic framework onto their organizations.¹⁰² Singaporean regulators have begun to issue sector-specific guidelines for AI, including the advisory guideline on the use of personal data for AI systems that provide recommendations, predictions, and decisions.¹⁰³ Like the wider framework, these are non-binding and do not expand the enforcement powers of existing regulators. 

Singapore has leaned heavily on technology industry partnerships in developing other elements of its regulatory toolkit, especially its flagship AI Verify product.¹⁰⁴ AI Verify is a voluntary governance testing framework and toolkit that aims to help companies objectively verify their systems against a set of global AI governance and ethical frameworks so that participating firms can demonstrate to users that the companies have implemented AI responsibly. AI Verify works within a company’s own digital enterprise environment and, as a self-testing and self-reporting toolkit, it has no enforcement power.¹⁰⁵ However, the government of Singapore hopes that, by helping to identify commonalities across various global AI governance frameworks and regulations, it can build a baseline for future international regulations.¹⁰⁶ One critical limitation of AI Verify is that it cannot test GPAI models.¹⁰⁷ The AI Verify Foundation, which oversees AI Verify, recognized this limitation and recently conducted a public consultation to expand the 2020 Model AI Governance Framework to explicitly cover generative AI.¹⁰⁸ The content of the final product is not yet known, and there is no indication that the government intends to translate this new framework into a bespoke AI law, but the consultation document gives important clues about how Singapore is thinking about issues such as accountability; data, including issues of copyright; testing and assurance; and content provenance.¹⁰⁹

As mentioned, the government of Singapore places relatively little emphasis on national security in its AI policy documents, but that does not mean it is not interested or investing in AI for military and wider national security purposes.¹¹⁰ In 2022, Singapore became the first country to establish a separate military service to address threats in the digital domain.¹¹¹ Unlike in the United States, where cyber and other digital specialties are spread across the traditional services, the Digital and Intelligence Service (DIS) brings together the whole domain, from command, control, communications, and cyber operations to implementing strategies for cloud computing and AI.¹¹² The DIS also has specific authority to raise, train, and sustain digital forces.¹¹³ Within the DIS, the Digital Ops-Tech Centre is responsible for developing AI technologies, but publicly available information about it is sparse.¹¹⁴ Singapore has deployed AI-enabled technologies through the DIS on exercises, and the Defence Science and Technology Agency (DSTA) has previously stated that it wants to integrate AI into operational platforms, weapons, and back-office functions, but the Singaporean Armed Forces have not published any official position on the use of AI in military systems.¹¹⁵

International efforts

Singapore is increasingly taking on a regional leadership role on AI regulation. As chair of the 2024 Association of South-East Asian Nations (ASEAN) Digital Ministers’ Meeting, Singapore was instrumental in developing the ASEAN Guide on AI Governance and Ethics.¹¹⁶ The guide aims to establish common principles and best practices for trustworthy AI in the region but does not attempt to force a common regulatory approach. In part, this is because the ASEAN region is so politically diverse that it would be almost impossible to reach agreement on hot-button issues like censorship, but also because member countries are at wildly different levels of digital maturity.¹¹⁷ At the headline level, the guide bears significant similarity to US, EU, and UK policies, in that it takes a risk-based approach to governance, but the guide makes concessions to national cultures in a way that those other approaches do not.¹¹⁸ It is possible that some ASEAN nations might move toward a more stringent EU-style regulatory framework in the future. But, as the most mature AI power in the region, Singapore and its pro-innovation approach will likely remain influential for now.

International regulatory initiatives

At the international level, four key organizations have taken steps into the AI regulation waters—the UN, OECD, the G7 through its Hiroshima Process, and NATO. 

OECD

The OECD published its AI Principles in 2019, and they have since been agreed upon by forty-six countries, including all thirty-eight OECD member states.¹¹⁹ Though not legally binding, the OECD principles have been extremely influential, and it is possible to trace the five broad topic areas through all of the national and supranational approaches discussed previously.¹²⁰ The OECD also provides the secretariat for the Global Partnership on AI, an international initiative promoting responsible AI use through applied co-operation projects, pilots, and experiments.¹²¹ The partnership covers a huge range of activity through its four working groups, and, though defense and national security do not feature explicitly, there are initiatives that could be influential in other forums that consider those areas. For example, the Responsible AI working group is developing technical guidelines for implementation of high-level principles that will likely influence the UN and the G7, and the Data Governance working group is producing guidelines on co-generated data and intellectual-property considerations that could have an impact on the legal use of data for training algorithms.¹²² Beyond these specific areas of interest, the OECD will likely remain influential in the wider AI regulation debate, not least because it has built a wide network of technical and policy experts to draw from. This value was seen in practice when the G7 asked the Global Partnership on AI to assist in developing the International Guiding Principles on AI and a voluntary Code of Conduct for AI developers that came out of the Hiroshima Process.¹²³

G7

The G7 established the Hiroshima AI Process in 2023 to promote guardrails for GPAI systems at a global level. The Comprehensive Policy Framework agreed to by the G7 digital and technology ministers later that year includes a set of International Guiding Principles on Artificial Intelligence and a voluntary Code of Conduct for GPAI developers.¹²⁴ As with the OECD AI Principles on which they are largely based, neither of these documents is legally binding. However, by choosing to focus on practical tools to support development of trustworthy AI, the Hiroshima Process will act as a benchmark for countries developing their own regulatory frameworks.¹²⁵ There is some evidence that this is already happening and a suggestion that the EU might adopt a matured version of the Hiroshima Code of Conduct as part of its AI Act compliance regime.¹²⁶ That will require input from the technology sector, including current and future suppliers of AI for defense and national security.  

The G7 is also taking a role in other areas that might impact AI regulation, most notably technical standards and international data flows. On the former, the G7 could theoretically play a coordination role in ensuring that disparate national standards do not lead to an incoherent regulatory landscape that is time consuming and expensive for the industry to navigate.¹²⁷ However, diverging positions even within the G7 might make that difficult.¹²⁸ The picture emerging in the international data flow space is only a little more optimistic. The G7 has established a new Institutional Arrangement for Partnership (IAP) to support its Data Free Flow with Trust (DFFT) initiative, but it has not yet produced any tangible outcomes.¹²⁹ The EU-US Data Privacy Framework has made some progress in reducing the compliance burden associated with cross-border transfer of data through the EU-US Data Bridge and its UK-US extension, but there is still a large risk that the Court of Justice of the European Union will strike it down over concerns that it violates GDPR.¹³⁰

United Nations

The UN has been cautious in its approach to AI regulation. The UN Educational, Scientific, and Cultural Organization (UNESCO) issued its global standard of AI ethics in 2021 and established the AI Ethics and Governance Lab to produce tools to help member states asses their relative preparedness to implement AI ethically and responsibly, but these largely drew on existing frameworks rather than adding anything new.¹³¹ Interest in the area ballooned following the release of ChatGPT, such that Secretary-General António Guterres convened an AI Advisory Body in late 2023 to provide guidance on future steps for global AI governance. That report, published in late 2024 and titled “Governing AI for Humanity,” did not recommend a single governance model, but it proposed establishing a regular AI policy dialogue within the UN to be supported by an international scientific panel of AI experts.¹³² Specific areas of concern include the need for consistent global standards for AI and data, and mechanisms to facilitate inclusion of the Global South and other currently underrepresented groups in the international dialogue on AI.¹³³ A small AI office will be established within the UN Secretariat to coordinate these efforts.  

At the political level, the General Assembly has adopted two resolutions on AI. The first, Resolution 78/L49 on the promotion of “safe, secure and trustworthy” artificial AI systems, was drafted by the United States but drew co-sponsorship support from a wide range of countries, including some in the Global South.¹³⁴ The second, Resolution 78/L86, drafted by China and supported by the United States, calls on developed countries to help developing countries strengthen their AI capacity building and enhance their representation and voice in global AI governance.¹³⁵ Adoption of both resolutions by consensus could indicate global support for Chinese and US leadership on AI regulation, but the depth of that support remains unclear.¹³⁶ Notably, following the adoption of Resolution 78/L86, two separate groups were established, one led by the United States and Morocco, and the other by China and Zambia.¹³⁷

There is also disagreement over the role of the UN Security Council (UNSC) in addressing AI-related threats. Resolution 78/L49 does not apply to the military domain but, when introducing the draft, the US permanent representative to the UN suggested that it might serve as a model for dialogue in that area, albeit not at the UNSC.¹³⁸ The UNSC held its first formal meeting focused on AI in July 2023.¹³⁹ In his remarks, the secretary-general noted that both military and non-military applications of AI could have implications for global security and welcomed the idea of a new UN body to govern AI, based on the model of the International Atomic Energy Agency.¹⁴⁰ The council has since expressed its commitment to consider the international security implications of scientific advances more systematically, but some members have raised concerns about framing the issue narrowly within a security context. At the time of writing, this remains a live issue.¹⁴¹

NATO

NATO is not in the business of civil regulation, but it plays a major role in military standards and is included here for completeness. 

The Alliance formally adopted its first AI strategy in 2021, well before the advent of ChatGPT and other forms of GPAI.¹⁴² At that time, it was not clear how NATO intended to overcome different approaches to governance and regulatory issues among allies, nor was it obvious which of the many varied NATO bodies with an interest in AI would take the lead.¹⁴³ The regulatory issue has, in some ways, become more settled with the advent of the EU’s AI Act, in that the gaps between European and non-European allies are clearer. Within NATO itself, the establishment of the Data and Artificial Intelligence Review Board (DARB) under the auspices of the assistant secretary-general for innovation, hybrid, and cyber places leadership of the AI agenda firmly within NATO Headquarters rather than NATO Allied Command Transformation.¹⁴⁴ One of the DARB’s first priorities is to develop a responsible AI certification standard to ensure that new AI projects meet the principles of responsible use set out in the 2021 AI Strategy.¹⁴⁵ Though this certification standard has not yet been made public, NATO is clearly making some progress in building consensus across allies. However, NATO is not a regulatory body and has no enforcement role, so it will require member states to self-police or transfer that enforcement role to a third-party organization.¹⁴⁶

NATO requires consensus to make decisions and, with thirty-two members, consensus building is not straightforward or quick, especially on contentious issues. Technical standards might be easier for members to agree on than complex, normative issues, and technical standards are an area in which NATO happens to have a lot of experience.¹⁴⁷ The NATO Standardization Office (NSO) is often overlooked in discussions of the Alliance’s successes, but its work to develop, agree to, and implement standards across all aspects of the Alliance’s operational and capability development has been critical.¹⁴⁸ As the largest military standardization body in the world, NSO is uniquely placed to determine which civilian AI standards apply to military and national security use cases and identify areas where niche standards are needed. 

Analysis

The regulatory landscape described above is complex and constantly evolving, with big differences in approach seen even between otherwise well-aligned countries. However, by breaking various approaches into their component parts, it is possible to see some common themes.  

Common themes

Regulatory approach

The general preference seems to be for a sectoral or use-case-based approach, framed as a pragmatic attempt to balance competing requirements to promote innovation while protecting users. However, there is increasing concern that some kinds of AI, notably large language models and other forms of GPAI, should be regulated with a vertical, technology-based approach. China looks like an outlier here, in that its approach is vertical with horizontal elements rather than the other way around, but in practice the same regulatory ground could be covered. 

Scope

There is little consensus around which elements of AI should be regulated. In cases where the framework refers simply to “AI systems” without saying explicitly whether that includes training data, specific algorithms, packaged applications, etc., it is possible to infer the intended scope through references in implementation guidance and other documentation. This approach makes sense in jurisdictions where the regulatory approach relies on existing sectoral regulators with varying focus. For example, a regulator concerned with the delivery of public utilities might be concerned with the applications deployed by the utilities providers, whereas a financial services regulator might need to look deeper into the stack to consider the underlying data and algorithms. China is again the outlier, as its regulation is specifically focused on the algorithmic level, with some coverage of training data in specific cases. 

Type of regulation

The EU and China are, so far, the only jurisdictions to have put in place hard regulations specifically addressing AI. Most other frameworks rely on existing sectoral regulators incorporating AI into their work, voluntary guidelines and best practices, or a combination of both. It is possible that the EU’s AI Act will become a model as countries increasingly turn to a legislative approach, but practical concerns and lengthy timelines mean that most compliance and enforcement regimes will remain fragmented for now. 

Target group

Almost all of the frameworks place some degree of responsibility on developers of AI systems, albeit voluntarily in the loosest arrangements. Deployers of AI systems and the service providers that make them available are less widely included. There is some suggestion that assignment of responsibility might vary across the AI life cycle, though what this means in practice is unclear, and only Singapore suggests differentiating between ex ante and ex post responsibility. Even in cases in which responsibility is clearly ascribed, it is likely that questions of legal liability for misuse or harm will take time to be worked out through the relevant judicial system. China is again an outlier here, but a more comprehensive AI law could include developers and deployers. 

Impact on defense and national security

At first glance, little of the civil regulatory frameworks discussed above relates directly to the defense and national security community, but there are at least three broad areas in which the defense and national security community might be subject to second-order or unintended consequences. 

• Market-shaping civil regulations could affect the tools available to the defense and national security community. This area could include direct market interventions, such as modifications to antitrust law that might force incumbent suppliers to break up their companies, or second-order implications of interventions that affect the sorts of skills available in the market, the sorts of problems that skilled AI workers want to work on, and the data available to them. 

• Judicial interpretation of civil regulations could impact the defense and national security communities’ license to operate, either by placing direct limitations on the use of AI in specific use cases, such as domestic counterterrorism, or more indirectly through concerns around legal liability. 

• Regulations could add hidden cost or risk to the development and deployment of AI systems for defense and national security use. This area could include complex compliance regimes or fragmented technical standards that must be paid for somewhere in the value chain, or increased security risks associated with licensing or reporting of dual-use models. 

By using these areas as lenses through which to assess the tools and approaches found within civil regulatory frameworks, it is possible to begin picking out specific areas and initiatives of concern to the defense and national security community. The tables below make an initial assessment of the potential implications of civil regulation of AI on the defense and national security community by grouping them into three buckets. 

• Be supportive: Areas or initiatives that the community should get behind and support in the short term. 

• Be proactive: Areas that are still maturing but in which greater input is needed and the impact on the community could be significant in the medium term. 

• Be watchful: Areas that are still maturing but in which uncertain future impacts could require the community’s input. 

The content of these tables is by no means comprehensive, but it gives an indication of areas in which the defense and national security community might wish to focus its resources and attention while the civil regulatory landscape continues to develop.

Be supportive

Areas or initiatives that the community should get behind and support in the short term

Be proactive

Areas that are still maturing but in which greater input is needed and the impact on the community could be significant in the medium term.

Be watchful

Areas that are still maturing but in which uncertain future impacts could require the community’s input

Conclusion

The AI regulatory landscape is complex and fast-changing, and likely to remain so for some time. While most of the civil regulatory approaches described here exclude defense and national security applications of AI, the intrinsic dual-use nature of AI systems means that the defense and national security community cannot afford to think of or view itself in isolation. This paper has attempted to look beyond the rules and regulations that the community chooses to place on itself to identify areas in which the boundary with civil-sector regulation is most porous. In doing so, this paper has demonstrated that regulatory carve-outs for defense and national security uses must be part of a broader solution ensuring the community’s needs and perspectives are incorporated into civil frameworks. The areas of concern identified are just a first cut of the potential second-order and unintended consequences that could limit the ability of the United States and its allies to reap the rewards that AI offers as an enhancement to military capability on and off the battlefield. Private-sector AI firms with dual-use products, industry groups, government offices with national security responsibility for AI, and legislative staff should use this paper as a roadmap to understand the impact of civil AI regulation on their equities and plan to inject their perspectives into the debate. 

Fellow

Deborah Cheverton

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Afghanistan Defense Industry

Deborah Cheverton is a nonresident senior fellow in the Atlantic Council’s Forward Defense program within the Scowcroft Center for Strategy and Security and a senior trade and investment adviser with the UK embassy. 

The author would like to thank Primer AI for its generous support in sponsoring this paper. It would not have been possible without help and constructive challenge from the entire staff of the Forward Defense program, especially the steadfast support of Clementine Starling-Daniels, the editorial and grammatical expertise of Mark Massa, and the incredible patience of Abigail Rudolph.

Issue Brief Apr 3, 2025

Sovereign remedies: Between AI autonomy and control

By Trisha Ray

Sovereign AI has gained a foothold in several capitals around the world.

Artificial Intelligence International Norms

New Atlanticist Nov 15, 2024

AI safety concerns transcend borders. To meet the challenge, US efforts need to go global.

By Will LaRivee

Will the United States work with partner nations to take the necessary steps at the upcoming International Network of AI Safety Institutes meeting in San Francisco?

Artificial Intelligence Internet

MENASource Dec 9, 2024

Advancing US national security through Middle East AI negotiations 

By Akash Wasil

Leading negotiations around global AI standards can help the United States manage security risks and ensure that emerging frameworks align with its values and interests.

Artificial Intelligence Middle East