Within AI Misuse Governance
Where Cybersecurity AI Escapes Regulation
This page analyzes how civil AI regulations often exclude defense and cybersecurity applications, leaving high-risk systems unmonitored.
On this page
- Dual use military AI and regulatory exclusion
- Offensive vs defensive AI in cybersecurity
- Cross sector coordination challenges
Page outline Jump by section
Introduction
One of the least discussed governance gaps in the AI doom debate sits at the intersection of cybersecurity, military systems and national security law. While governments increasingly regulate civilian AI, many of the most powerful AI-enabled cyber capabilities fall partly or entirely outside those frameworks. Defence systems, intelligence programmes, cyber operations and dual-use security tools are often subject to separate rules, classified oversight or explicit legal exemptions. The result is a regulatory blind spot: some of the AI systems most relevant to strategic instability, autonomous cyber conflict and loss-of-control concerns receive less public scrutiny than consumer-facing applications. [Verfassungsblog]verfassungsblog.dethe ai act national security exceptionVerfassungsblogThe AI Act National Security Exceptionby P Vogiatzoglou · 2024 · Cited by 4 — AI systems are not subject to the AI Act whe… [TechSec Center]cetas.turing.ac.ukTechSec CenterThe EU AI Act: National Security Implications31 Jul 2024 — This exclusion applies to both public and private entities devel…
For people worried about AI doom or broader existential risk, this matters because advanced cyber capabilities are one of the most plausible routes through which powerful AI systems could gain strategic influence. An AI able to discover software vulnerabilities, conduct large-scale cyber operations, automate defence penetration or manipulate digital infrastructure could become relevant not just to ordinary cybercrime but to military escalation, critical infrastructure disruption and state-level competition. The governance question is therefore not simply whether AI can be used in cybersecurity. It is whether the systems operating in these domains are subject to oversight strong enough to detect dangerous failures before they become systemic.
Where Cybersecurity AI Escapes Regulation
A recurring pattern in AI governance is that the strongest regulations often apply to civilian systems, while national security and military uses receive exemptions.
The European Union’s AI Act is one of the clearest examples. AI systems used exclusively for military, defence or national security purposes are excluded from the regulation’s scope. The rationale is that national security remains primarily the responsibility of member states rather than EU institutions. However, this creates an unusual situation in which some of the highest-stakes AI systems can sit outside the framework that governs many commercial applications. [Verfassungsblog]verfassungsblog.dethe ai act national security exceptionVerfassungsblogThe AI Act National Security Exceptionby P Vogiatzoglou · 2024 · Cited by 4 — AI systems are not subject to the AI Act whe… [TechSec Center]cetas.turing.ac.ukTechSec CenterThe EU AI Act: National Security Implications31 Jul 2024 — This exclusion applies to both public and private entities devel…
Critics do not generally argue that military systems should be regulated exactly like consumer software. The concern is that exclusion creates accountability gaps. Advanced cyber-defence agents, military decision-support systems and offensive cyber tools may operate under classified procedures that are difficult for external regulators, researchers or the public to examine. Independent auditing becomes harder, and incidents may never become publicly visible. [@RSIS_NTU]rsis.edu.sgip24054 military ai governance moving beyond autonomous weapon systems@RSIS_NTUIP24054 | Military AI Governance: Moving Beyond…24 Jun 2024 — Governance of artificial intelligence in the military domain ha…
The practical picture is more complicated than a simple exemption. Many defence companies build systems that serve both military and civilian customers. European legal analysis has repeatedly noted that mixed-use systems can fall back within regulatory scope, particularly when military technologies migrate into civilian environments. Yet determining where military use ends and civilian use begins is often difficult in cybersecurity, where the same software may be used by armed forces, intelligence agencies, critical infrastructure operators and commercial security teams. [Modulos]modulos.aiModulosAI Governance for Defense & EU AI Act | ModulosArticle 2(3) excludes AI systems placed on the market, put into service, or used ex… [3LUTZ | ABEL]lutzabel.comThis article explains when the AI Act, CRA, and NIS2 apply despite military useLUTZ | ABELDual-Use & Defense: The Underestimated Risks of the AI…Many defense companies overestimate the scope of regulatory exemptions… [Artificial Intelligence Act]WikipediaArtificial Intelligence ActIn particular, the Regulation does not apply where AI systems are used exclusively for military, defence or…
For AI-risk analysts, this ambiguity matters because powerful cyber capabilities rarely remain confined to a single domain. Techniques developed for military resilience may eventually appear in civilian infrastructure. Conversely, commercial AI systems may later become embedded in national-security operations.
Dual-Use Military AI and Regulatory Exclusion
Cybersecurity is a classic dual-use field. A capability that helps defenders identify vulnerabilities can often be adapted to find weaknesses that attackers can exploit.
This creates a governance challenge that differs from traditional weapons regulation. Governments can regulate missiles, aircraft or explosives as distinct military technologies. AI-enabled cyber systems are often software models, data pipelines or autonomous agents that can perform both defensive and offensive functions depending on who operates them and under what instructions.
Several NATO-related research programmes illustrate this dual-use problem. NATO researchers have spent years exploring Autonomous Intelligent Cyber Defence Agents (AICAs), software agents designed to detect, respond to and counter cyber attacks in contested military environments. The stated goal is defensive: protecting military networks and battlefield systems when human operators cannot respond quickly enough. Yet the same autonomy, adaptability and network access that make such systems useful for defence could also make them powerful instruments if repurposed for offensive activity. [arXiv]arxiv.orgarXivTowards an Active, Autonomous and Intelligent Cyber Defense of Military Systems: the NATO AICA Reference ArchitectureJune 7, 2018…
This does not mean NATO or similar organisations are secretly building uncontrolled cyber weapons. Rather, it highlights a broader governance problem. The technical distinction between offensive and defensive cyber AI is often weaker than the legal distinction. A vulnerability-discovery system, autonomous network agent or model capable of identifying attack paths may support both security testing and cyber operations.
As AI capabilities improve, this dual-use character becomes more significant. Advanced models increasingly demonstrate abilities relevant to coding, vulnerability discovery, malware analysis and automated system interaction. Regulators may find themselves overseeing the civilian side of these capabilities while having limited visibility into how equivalent systems are being developed or deployed within classified environments.
Offensive and Defensive Cyber AI Are Hard to Separate
Many AI governance proposals assume that defensive cybersecurity applications are inherently safer than offensive ones. In practice, the boundary is often blurred.
Defensive AI can include:
- Automated vulnerability detection.
- Intrusion detection and response. [idr.ro]idr.roCodreanu NATO cyber 1NATO adopted an Emerging and Disruptive Technology Implementation Roadmap in 2019, which tends to developments in AI software, autonomous…
- Threat intelligence analysis.
- Network monitoring.
- Incident-response automation.
Offensive AI can include:
- Vulnerability discovery for exploitation.
- Automated phishing and social engineering.
- Malware generation or adaptation.
- Target selection and prioritisation.
- Autonomous network penetration.
The problem is that the underlying capabilities frequently overlap. A model that identifies software weaknesses can support patching or exploitation. A system that autonomously explores a network can map infrastructure for defence or for attack. A model that automates code generation can accelerate security research or malicious tool development.
This overlap becomes particularly important in AI doom discussions because some long-term risk scenarios involve AI systems accumulating strategic advantages through cyber means. A highly capable system might not need physical robots to become dangerous if it could gain access to computing resources, manipulate digital infrastructure or compromise critical systems through automated cyber operations.
Most experts do not claim current AI systems possess such capabilities. The concern is that governance frameworks built around today’s tools may not scale well if future systems become substantially more autonomous and strategically capable.
The Classification Problem
One reason oversight remains weak is that many security-relevant AI programmes operate behind layers of classification.
Civilian regulators typically rely on transparency requirements, reporting obligations, external audits and public accountability. National security institutions often rely on classified review processes, internal controls and restricted access.
Neither approach is inherently wrong. Defence systems contain information that governments reasonably wish to protect. Yet secrecy creates a difficult trade-off.
If a military AI system exhibits dangerous behaviour, external researchers may never learn enough to evaluate the risk. Independent verification becomes difficult. Academic scrutiny declines. Failures may be visible only to a small group of officials with limited technical expertise or competing institutional incentives.
This issue extends beyond autonomous weapons. Analysts of military AI governance increasingly argue that public debate focuses heavily on lethal autonomous weapons while giving less attention to AI decision-support systems, intelligence analysis tools and cyber operations platforms. Yet these systems may become more widely deployed and more strategically consequential than fully autonomous weapons. [@RSIS_NTU]rsis.edu.sgip24054 military ai governance moving beyond autonomous weapon systems@RSIS_NTUIP24054 | Military AI Governance: Moving Beyond…24 Jun 2024 — Governance of artificial intelligence in the military domain ha…
For existential-risk discussions, this creates an information problem. If warning signs of dangerous autonomy or loss of human control emerge first inside classified cyber or defence systems, the wider research community may receive little advance notice.
Why Cybersecurity Matters in AI Doom Scenarios
Not every AI-risk argument depends on cybersecurity. However, cyber capability appears repeatedly in serious discussions of advanced AI risk.
One concern is recursive capability growth. If a sufficiently capable AI system could automate vulnerability discovery, software engineering and infrastructure acquisition, it might help accelerate its own development or expand access to computing resources.
Another concern is strategic instability. States competing for military AI advantages may feel pressure to deploy systems before they are fully understood. Similar dynamics already exist in cybersecurity, where defenders often fear falling behind adversaries. Combining AI competition with cyber competition could create incentives to reduce testing, transparency or safety precautions. [Atlantic Council]atlanticcouncil.orgAtlantic CouncilHow NATO can integrate AI to prevail in future algorithmic warfareMarch 30, 2026 — This report argues that integrating AI…
NATO’s own strategy documents acknowledge that adversaries may attempt to manipulate, interfere with or sabotage AI-enabled systems. They also recognise the importance of protecting AI applications from cyber compromise. This reflects a growing understanding that AI safety and cybersecurity cannot be treated as separate fields. [NATO]publications.sto.nato.intAutonomous AI Systems Face to Face with the Law of…by A Guarino — Furthermore, AI systems used in military operations must be resilien…
From a doom perspective, the concern is not merely that cyber attacks become more common. It is that increasingly autonomous systems could become central to military command, intelligence, infrastructure management and strategic decision-making. Cyber compromise of such systems could have effects far beyond ordinary network breaches.
Cross-Sector Coordination Problems
Even when governments recognise these risks, institutional fragmentation remains a major obstacle.
Different parts of government often oversee:
- Cybersecurity.
- Defence procurement.
- Intelligence operations.
- Critical infrastructure protection.
- Civilian AI regulation.
- Export controls.
- Technology standards.
Each institution tends to focus on its own mandate. As a result, no single authority may possess a complete picture of how advanced AI cyber capabilities are developing across civilian and military sectors.
The problem becomes more acute when systems cross boundaries. A model trained by a commercial company may later support defence applications. A military cybersecurity capability may be adapted for civilian infrastructure. An intelligence agency may rely on technologies originally built for commercial markets.
Legal analysts examining the EU AI Act have repeatedly highlighted this difficulty. The law’s military and national-security exclusions coexist with other frameworks such as cybersecurity regulations and critical-infrastructure requirements, creating overlapping but incomplete oversight structures. Determining who is responsible for evaluating risk can become surprisingly difficult. [LUTZ | ABEL]lutzabel.comThis article explains when the AI Act, CRA, and NIS2 apply despite military useLUTZ | ABELDual-Use & Defense: The Underestimated Risks of the AI…Many defense companies overestimate the scope of regulatory exemptions… [TechSec Center]cetas.turing.ac.ukTechSec CenterThe EU AI Act: National Security Implications31 Jul 2024 — This exclusion applies to both public and private entities devel…
This coordination problem is especially relevant to catastrophic-risk discussions because existential risks are often cross-sector by nature. A failure that begins in one domain may rapidly spread into others.
What Serious Mitigation Efforts Look Like
There is no consensus solution to these governance gaps, but several proposals appear repeatedly in policy and safety discussions.
Extending oversight beyond civilian systems
Many researchers argue that high-risk military and cyber AI should not be entirely exempt from scrutiny, even if full public transparency is impossible. Independent review bodies, specialised inspectors or security-cleared auditors are frequently proposed as middle-ground approaches. [TechSec Center]cetas.turing.ac.ukTechSec CenterThe EU AI Act: National Security Implications31 Jul 2024 — This exclusion applies to both public and private entities devel…
Focusing on capability thresholds
Rather than regulating systems according to whether they are military or civilian, some analysts favour oversight based on capability. Under this approach, highly autonomous cyber systems would face additional evaluation requirements regardless of their sector.
Joint cyber and AI safety assessments
Traditional cybersecurity reviews focus on vulnerabilities, access controls and resilience. AI safety evaluations focus on model behaviour, autonomy and alignment. Advanced cyber agents may require both forms of assessment simultaneously, particularly if they can take actions without continuous human approval.
International coordination
Military AI development is increasingly multinational. NATO, allied governments and defence contractors all participate in shared ecosystems. Governance mechanisms that operate only at national level may struggle to track technologies moving across alliances and supply chains. NATO’s responsible-use principles for AI represent one attempt to create common expectations, although critics argue that principles alone do not solve enforcement problems. [CIGI]cigionline.orgApril 20, 2026 — NATO's first AI strategy from 2021 outlines six guiding principles: lawfulness, responsibility and accountability, expla… [NATO]nato.intNATOSummary of the NATO Artificial Intelligence StrategyOct 22, 2021 — Allies and NATO must strive to protect the use of AI from such int…
The Unresolved Question
The central governance dilemma remains unresolved: the systems most relevant to national security are often the systems least accessible to ordinary regulatory oversight.
Some observers argue that military organisations already manage dangerous technologies and can govern AI internally. Others worry that secrecy, competitive pressure and rapid capability development make self-regulation insufficient. There is little direct evidence proving either side correct because so much relevant activity remains classified.
For the broader AI doom debate, this uncertainty is itself significant. Cybersecurity is one of the main pathways through which advanced AI could acquire strategic influence, yet military and intelligence applications frequently sit at the edge of existing regulatory frameworks. Whether future AI systems remain controllable may depend not only on technical alignment research but also on whether societies can build credible oversight for the sectors where transparency is hardest and the stakes are highest.
Amazon book picks
Further Reading
Books and field guides related to Where Cybersecurity AI Escapes Regulation. Use these as the next step if you want deeper reading beyond the article.
This Is How They Tell Me the World Ends
Explains offensive cyber capabilities, state competition, and security risks.
Cyber War Will Not Take Place
Provides context on cyber operations and state behavior.
eBay marketplace picks
Marketplace Samples
Example marketplace items related to this page. Use the search link to explore similar finds on eBay.
Endnotes
-
Source: verfassungsblog.de
Title: the ai act national security exception
Link: https://verfassungsblog.de/the-ai-act-national-security-exception/Source snippet
VerfassungsblogThe AI Act National Security Exceptionby P Vogiatzoglou · 2024 · Cited by 4 — AI systems are not subject to the AI Act whe...
-
Source: publications.sto.nato.int
Link: https://publications.sto.nato.int/publications/STO%20Meeting%20Proceedings/STO-MP-IST-210/MP-IST-210-3.02.pdfSource snippet
Autonomous AI Systems Face to Face with the Law of...by A Guarino — Furthermore, AI systems used in military operations must be resilien...
-
Source: lutzabel.com
Title: This article explains when the AI Act, CRA, and NIS2 apply despite military use
Link: https://www.lutzabel.com/en/article/it-related-legal-challenges-for-defense-companies-with-dual-use-products/Source snippet
LUTZ | ABELDual-Use & Defense: The Underestimated Risks of the AI...Many defense companies overestimate the scope of regulatory exemptions...
-
Source: modulos.ai
Link: https://www.modulos.ai/industries/defense/Source snippet
ModulosAI Governance for Defense & EU AI Act | ModulosArticle 2(3) excludes AI systems placed on the market, put into service, or used ex...
-
Source: arxiv.org
Link: https://arxiv.org/abs/1806.08657Source snippet
arXivTowards an Active, Autonomous and Intelligent Cyber Defense of Military Systems: the NATO AICA Reference ArchitectureJune 7, 2018...
Published: June 7, 2018
-
Source: arxiv.org
Link: https://arxiv.org/abs/1803.10664 -
Source: nato.int
Link: [https://www.nato.int/en/about-us/official-texts-and-resources/official-texts/2021/10/22/summary-of-the-nato-artificialSource snippet
NATOSummary of the NATO Artificial Intelligence StrategyOct 22, 2021 — Allies and NATO must strive to protect the use of AI from such int...
-
Source: nato.int
Link: https://www.nato.int/en/about-us/official-texts-and-resources/official-texts/2024/07/10/summary-of-natos-revised-artificial-intelligence-ai-strategySource snippet
NATOSummary of NATO's revised Artificial Intelligence (AI) strategy10 Jul 2024 — Within the AI Strategy, Allies endorsed six Principles o...
-
Source: cigionline.org
Link: https://www.cigionline.org/publications/advancing-responsible-ai-across-nato-innovation-and-interoperability/Source snippet
April 20, 2026 — NATO's first AI strategy from 2021 outlines six guiding principles: lawfulness, responsibility and accountability, expla...
Published: April 20, 2026
-
Source: regulations.ai
Title: NAT O Principles for Responsible Use of AI in Defence
Link: https://regulations.ai/regulations/RAI-X6-GO-RESPONS-2024Source snippet
NATO Principles for Responsible Use of AI in Defence - Regulations.aiJanuary 8, 2026 — NATO's Responsible AI Principles guide the ethical...
Published: January 8, 2026
-
Source: nato.int
Link: https://www.nato.int/enSource snippet
NATO: North Atlantic Treaty OrganizationNATO is a defensive alliance of 32 countries from Europe and North America. Its mission is to def...
-
Source: history.state.gov
Link: https://history.state.gov/milestones/1945-1952/natoSource snippet
Atlantic Treaty Organization (NATO), 1949The North Atlantic Treaty Organization was created in 1949 by the United States, Canada, and sev...
-
Source: cetas.turing.ac.uk
Link: https://cetas.turing.ac.uk/publications/eu-ai-act-national-security-implicationsSource snippet
TechSec CenterThe EU AI Act: National Security Implications31 Jul 2024 — This exclusion applies to both public and private entities devel...
-
Source: rsis.edu.sg
Title: ip24054 military ai governance moving beyond autonomous weapon systems
Link: https://rsis.edu.sg/rsis-publication/idss/ip24054-military-ai-governance-moving-beyond-autonomous-weapon-systems/Source snippet
@RSIS_NTUIP24054 | Military AI Governance: Moving Beyond...24 Jun 2024 — Governance of artificial intelligence in the military domain ha...
-
Source: artificialintelligenceact.eu
Link: https://artificialintelligenceact.eu/recital/24/Source snippet
Recital 24 | EU Artificial Intelligence ActAI systems placed on the market or put into service for an excluded purpose, namely military...
-
Source: atlanticcouncil.org
Link: https://www.atlanticcouncil.org/in-depth-research-reports/report/how-nato-can-integrate-ai-to-prevail-in-future-algorithmic-warfare/Source snippet
Atlantic CouncilHow NATO can integrate AI to prevail in future algorithmic warfareMarch 30, 2026 — This report argues that integrating AI...
Published: March 30, 2026
-
Source: Wikipedia
Title: European Union
Link: https://en.wikipedia.org/wiki/European_UnionSource snippet
European UnionThe European Union (EU) is a political and economic union of 27 member states that are located primarily in Europe. A su...
-
Source: Wikipedia
Link: https://en.wikipedia.org/wiki/NATOSource snippet
NATOThe North Atlantic Treaty Organization (NATO) is an intergovernmental military alliance between 32 member states—30 in Europe and...
-
Source: Wikipedia
Title: Artificial Intelligence Act
Link: https://en.wikipedia.org/wiki/Artificial_Intelligence_ActSource snippet
Artificial Intelligence ActIn particular, the Regulation does not apply where AI systems are used exclusively for military, defence or...
-
Source: idr.ro
Title: Codreanu NATO cyber 1
Link: https://www.idr.ro/publicatii/Codreanu-NATO-cyber_1.pdfSource snippet
NATO adopted an Emerging and Disruptive Technology Implementation Roadmap in 2019, which tends to developments in AI software, autonomous...
-
Source: digital-strategy.ec.europa.eu
Title: eu A I Act | Shaping Europe’s digital future
Link: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-aiSource snippet
Act | Shaping Europe's digital future - European UnionThe AI Act is the first-ever legal framework on AI, which addresses the risks of AI...
-
Source: pure.uva.nl
Title: verfassungsblog.de The AI Act National Security Exception
Link: https://pure.uva.nl/ws/files/277168848/verfassungsblog.de-The_AI_Act_National_Security_Exception.pdfSource snippet
AI Act National Security Exception9 Dec 2024 — AI systems are not subject to the AI Act when put in the EU market or service exclusively...
-
Source: facebook.com
Link: https://www.facebook.com/NATO/Source snippet
BrusselsNATO, Brussels. 2430882 likes · 65741 talking about this · 27835 were here. Official Facebook page of NATO - the North Atlantic T...
Additional References
-
Source: linkedin.com
Link: https://www.linkedin.com/pulse/ai-act-defence-true-exemption-emanuele-gambula-bdvyfSource snippet
AI ACT IN DEFENCE: A TRUE EXEMPTION?Apparently, the regulation does not apply where AI systems are placed on the market, put into service...
-
Source: globsec.org
Link: https://www.globsec.org/sites/default/files/2025-02/Leveraging%20Artificial%20Intelligence%20for%20NATO%27s%20cyber%20resilience%20-%20Preliminary%20perspectives_web.pdfSource snippet
Leveraging Artificial Intelligence for NATO's cyber resilienceThis brief is part of a new research series exploring NATO's potential in u...
-
Source: ccdcoe.org
Link: https://ccdcoe.org/uploads/2018/11/Towards_NATO_AICA.pdfSource snippet
The NATO AICA reference architectureTo fight cyber-attacks that may target this last class of military systems, we expect that NATO needs...
-
Source: edri.org
Link: https://edri.org/our-work/eu-ai-act-needs-clear-safeguards-for-ai-systems-for-military-and-national-security-purposes/Source snippet
EU AI Act needs clear safeguards for AI systems for military...Mar 23, 2022 — The proposed AIA excludes AI systems developed or used exc...
-
Source: defencefinancemonitor.com
Link: https://www.defencefinancemonitor.com/p/eu-ai-act-defence-exemption-boundary -
Source: linkedin.com
Link: https://www.linkedin.com/posts/cigionline_nato-has-an-ai-strategy-but-without-operationalization-activity-7451996936594907136-HrtzSource snippet
Centre for International Governance Innovation (CIGI)'s PostNATO's AI strategy from 2021 outlines six principles of responsible use...
-
Source: revista.unap.ro
Link: https://revista.unap.ro/index.php/XXI_FSA/article/download/1274/1237/4470Source snippet
unap.roNATO'S ENCOUNTERS IN THE CYBER DOMAINby DM Păunescu · Cited by 2 — By adapting its posture in the cyber domain, refining doctrine...
-
Source: techradar.com
Link: https://www.techradar.com/pro/the-eu-ai-act-what-it-means-and-how-to-complySource snippet
It mandates technical protections against threats like data poisoning, adversarial attacks, and model vulnerabilities, requiring continuo...
-
Source: c2coe.org
Link: https://c2coe.org/download/human-oversight-in-ai-driven-defence-at-what-positions-do-we-need-the-human-in-the-loop/Source snippet
[Human Oversight]({{ 'human-oversight/' | relative_url }}) in AI-Driven Defence – at what positions...4 Aug 2025 — When an AI highlights a potential threat in a busy area, a human...
-
Source: edri.org
Link: https://edri.org/our-work/the-ai-act-isnt-enough-closing-the-dangerous-loopholes-that-enable-rights-violations/Source snippet
The AI Act isn't enough13 Nov 2025 — While the EU's AI Act aims to regulate high-risk AI systems, it is undermined by major loopholes tha...
Topic Tree