
What Middle Powers Risk When AI Goes to War

Nishtha Gupta / Jun 1, 2026

An air defense unit of the Ukrainian Armed Forces, known as drone hunters, illuminates the sky with a powerful searchlight at night at a position in the Kyiv region of Ukraine, March 24, 2024. Shutterstock

In 2022, Ukrainian sea drones strapped with explosives headed towards Russian naval vessels docked in Crimea. Midway, they lost connectivity and washed ashore. SpaceX founder Elon Musk, whose company operates Starlink, had decided not to activate service in the area. Ukraine had no standing to compel him otherwise. A military operation involving a sovereign state’s armed forces was determined, at a critical moment, by a private citizen half a world away.

Nearly four years later, imaging firm Planet Labs announced it would withhold satellite imagery of Iran and the surrounding conflict zone indefinitely, at the White House’s request. Bloomberg reported that “It will release images of the designated areas only on a case-by-case basis, including in cases of ‘urgent, mission-critical requirements’ or when deemed to be in the public interest.” Now, the world is left trying to understand a war of this scale through US-approved facts.

These are not edge cases. Firms like Starlink and Planet Labs are part of the integrated technology infrastructure—the hardware, software, data pipelines, and cloud systems—that practitioners call the 'AI stack', on which AI-enabled military operations increasingly depend. It is this stack, and who controls it, that middle powers are building their sovereign AI strategies on.

For the two superpowers, the United States and China, this question is manageable. They own their own stacks, and they can largely compel their domestic tech firms to build what they need. For everyone else, it is not. Middle powers across the Global Majority are integrating AI into defense operations rapidly while remaining structurally dependent on foreign hardware, foreign models, and foreign infrastructure. They are doing so often without adequate protection against withdrawal or adequate legal recourse against errors, and without any international governance framework that addresses what happens when this technology is mobilized against their interests.

Middle powers occupy a specific position in this landscape: states large enough to have significant military AI ambitions, but without the resources or industrial base to own and control a full AI stack.

The stakes are increasing. The US-Iran conflict, which began in February 2026, is the first conflict in which frontier AI systems have been operationalized at such a scale by the US military. It has also produced the first publicly confirmed military strikes on commercial AI infrastructure, when Iranian drones hit Amazon Web Services data centers in Bahrain and the United Arab Emirates, facilities that simultaneously serve clients across the geopolitical spectrum.

While great powers develop military AI at speed while resisting binding constraints, middle powers are living with strategic vulnerability. Understanding that vulnerability requires starting with the architecture of dependency that preceded it.

The dependency trap

The problem isn't that middle powers have chosen poorly, but that the available choices lead to different degrees of dependency rather than its elimination. Aligning with Washington or Beijing binds military infrastructure to a patron's strategic priorities. Drawing from multiple suppliers reduces concentration risk but blurs accountability when all frontier model providers are concentrated in one or two jurisdictions. Building internally still requires foreign chips, foreign models, and foreign cloud infrastructure. The provenance of the components does not change the fundamental exposure.

What current governance frameworks have been incapable of addressing is that middle powers using foreign AI systems for military purposes are not simply importing code; they also inherit the design assumptions, training data, and operational constraints incorporated by a foreign product team. The middle power may know the brand names on the contract (Nvidia chips, Palantir interfaces, Anthropic models), but it cannot necessarily know what those systems were built to prioritize, what they were designed to refuse, or whose strategic assumptions shaped their outputs.

This kind of ‘source code’ problem predates AI. India's experience with procuring French-made Rafale fighter jets is instructive: France withheld access to the source code governing the aircraft's radar, mission computer, and electronic warfare suite. This means that India requires French authorization for any substantive modification, including integration of its own weapons. Indian analysts have described this as acquiring a fighter jet "without its brain." AI targeting systems replicate this dependency at every layer simultaneously.

The kill switch

In March, the US Department of Defense (DoD) designated Anthropic a supply chain risk to national security after the company sought to restrict the use of its AI model Claude for mass surveillance of Americans or fully autonomous weapons. The directive ceased all contracts between the US government and Anthropic. However, OpenAI stepped in hours later to fill the gap. Anthropic sued the government and secured a preliminary injunction in the Northern District of California, but the D.C. Circuit, hearing a parallel challenge to the Pentagon supply-chain designation, declined to grant a stay while the litigation proceeds. Anthropic has since rekindled discussions with the White House, with reports suggesting its model guidelines for classified military use will differ from those governing its standard products.

What this demonstrates is the strategic gravity of the home state: the capacity of a government to exert decisive pressure on domestic AI firms regardless of their stated ethical commitments. Anthropic had a constitution, safety frameworks, and contractual protections different from those of its competitors. The company had legal recourse, a US court, and an injunction. A non-US military client has none of that.

It appears that the boundary between the US government and the US AI industry is dissolving. On May 2, the Under Secretary of War announced finalized agreements with SpaceX, OpenAI, Google, Nvidia, Microsoft, AWS, and Oracle to deploy frontier AI capabilities on the Pentagon's classified networks. A retired NSA director now sits on OpenAI's board. The Army's recruits include executives from Meta, Palantir, and OpenAI. The Trump administration has taken a direct equity stake in Intel. What the Anthropic dispute framed as a conflict between corporate ethics and state power is, in practice, evidence of attempts at consolidation: the AI industry and the US military are on a trajectory towards effectively becoming a single system. For middle powers dependent on that system's infrastructure, the kill switch is not a hypothetical risk. It is the operating condition.

The more insidious version, however, is the prospect of a soft kill switch: throttling API latency, quietly degrading model accuracy, and withdrawing the most capable version in favor of an older one. In an active military operation, a 200-millisecond targeting system delay could be the difference between a precision strike and catastrophic failure. The home state could degrade a middle power's military capability while the provider maintains plausible deniability.

Even the choice between stacks offers no real escape from this dynamic. Chinese commentary on the Anthropic dispute has suggested that while US AI firms promoted trustworthiness as their competitive advantage over Chinese alternatives, this trustworthiness may be conditional on the home state's strategic priorities. The same is true of Chinese providers. Beijing's National Intelligence Law compels domestic firms to cooperate with state security services on demand. Both stacks answer to their home governments. The governance gap is not between trustworthy and untrustworthy providers. It is between providers who answer to their home states and middle powers who have no equivalent standing.

The same logic extends to hardware. GPU allocation decisions have become diplomatic currency. In late 2025, which countries received priority shipments of Nvidia's Blackwell-generation chips was shaped by geopolitics as much as commerce. A standoff decided by chip queues rather than gunfire is still a standoff decided by someone else.

While buying the stack is a risk, building it on foreign chips is a more expensive version of the same problem.

The sovereign AI illusion

The natural response to the dependency trap is to build your own stack. India's IndiaAI Mission, South Korea's $75 billion sovereign AI investment, and Indonesia's RPJPN digital sovereignty framework each reflect a genuine desire to escape this structural subordination. All of these initiatives currently fall short in the same crucial way.

China and the US "employ 70 percent of the world's top machine learning researchers, command 90 percent of global computing power, and attract more than twice the combined AI investment of every other state," locking the rest of the world, as Sam Winter-Levy and Anton Leicht, researchers at the Carnegie Endowment for International Peace, put it, into a potential "technological vassalage." The conversations around AI sovereignty are held in the shadow of those numbers.

India’s case is the most instructive, as the gap between its sovereign AI rhetoric and structural reality is the most thoroughly documented. At the February 2026 India AI Impact Summit, Prime Minister Narendra Modi unveiled a human-centric AI framework built on ethics, accountability, and sovereignty. The summit attracted $200 billion in investment commitments and positioned India as a creator, not merely a consumer, of AI. The reality, however, is that 90% of India's AI compute runs on American servers, using chips manufactured in Taiwan, running models developed in Silicon Valley. The IndiaAI Mission has deployed over 38,000 GPUs, all foreign hardware. Operation Sindoor, the May 2025 India-Pakistan conflict, which demonstrated India's AI-assisted targeting capabilities, was fought in the context of the same underlying dependency. This is what hardware partnerships look like in practice: not real tech independence, just strategic dependence rebranded as self-reliance.

On the final day of the same summit, India signed the Pax Silica Declaration, formally joining a US-led coalition coordinating policy across the full technology stack from critical minerals to chip fabrication to frontier AI deployment. The US Under Secretary of State described it as saying "no to weaponized dependency." What it formalized was India's place in a supply chain it does not control, on terms set in Washington. That is not sovereignty over the stack, but rather managed dependency, signed in public, at a summit convened to celebrate the opposite.

Likewise, South Korea has committed $75 billion to sovereign AI and framed its ambitions as freedom from the neo-imperialism of the US-China technology race. Its sovereign AI foundation model project runs on Nvidia chips leased from domestic cloud providers. Seoul has sovereignty over the model, but the hardware underneath remains foreign.

These sovereign AI efforts are not wrong to try to reduce opacity. The problem is where they focus. Visibility into how a model behaves at the application layer does not resolve dependency at the hardware, training data, or jurisdictional layers. A state can know exactly what its sovereign model outputs and still have no control over whether the chips running it ship next quarter, whether the cloud infrastructure responds to a foreign subpoena, or whether the provider updates the underlying weights overnight. Sovereignty over the output is not sovereignty over the stack.

The dual-sided conflict and the internal frontier

The Iran conflict is not the worst-case scenario. A bilateral border dispute where both states are customers of the same foundation model provider, cloud provider, or chip supplier presents a problem that no governance framework has addressed. If AWS is the backbone for two states in an active conflict, the corporate board could become, in operational terms, a kind of high command, deciding the conflict's outcome through service decisions that are not governed by any international framework or open to adjudication by a neutral party. There is no Geneva Convention for AI that forces providers to remain neutral. A company isn't required to cut off service to both sides, declare a conflict of interest, or give notice before stopping service.

The same infrastructure built for welfare delivery and civic administration can be repurposed for internal security targeting. Because domestic security operations are classified as internal matters, they fall outside existing military AI governance frameworks and potentially outside the international human rights law that would otherwise constrain such data transfers.

The CLOUD Act adds a further dimension. It allows US authorities to compel American companies to produce data stored anywhere in the world, even in data centers built on foreign soil. A 2025 Canadian white paper warned that physical location no longer guarantees data sovereignty, and if a Five Eyes partner with substantial legal leverage is worried, middle powers with no equivalent standing are in a considerably more exposed position. The CLOUD Act has, in practice, brought American server infrastructure into the reach of US security interests regardless of location.

In March 2026, Iran named 18 technology companies, including Nvidia, Microsoft, Google, Palantir, and Oracle, as legitimate military targets on the grounds that they make an effective contribution to military action against Iran. Under IHL's military objective test, that designation is legally arguable. On May 2, 2026, the US Under Secretary of War finalized agreements with seven of those same companies to deploy frontier AI on Pentagon classified networks. A middle power running its military AI on that infrastructure is depending on assets that one belligerent has already designated as targets, and another has formally integrated into its war machine.

What governance would actually require

At the February 2026 REAIM Summit in A Coruña, 35 nations endorsed a non-binding declaration on the responsible use of military AI. Neither the United States nor China signed. The previous two iterations had secured roughly 60 signatories. A process that loses half its participants in a year is not building consensus. It reflects the broader fracturing of great power commitment to multilateral governance.

The choice Canadian Prime Minister Mark Carney described at Davos earlier this year between 'hegemons and hyperscalers' is not a future risk. It is the current condition. The governance frameworks that would make it genuinely avoidable do not yet exist.

Adequate governance, then, would require movement on four fronts.

The first is contract accountability standards. Commercial agreements between AI providers and government clients should include binding prohibitions on unilateral service withdrawal during active conflicts, mandatory disclosure of material changes to model capability or accuracy, and provisions creating legal accountability when AI-assisted targeting produces civilian harm. AI service agreements need to go further than traditional arms sales: mandatory disclosure of model architecture, training data provenance, and capability changes. Without these standards, every middle power military client is operating on a subscription that can be cancelled, degraded, or redirected without notice.

The second is supply chain transparency requirements. States integrating AI into defence operations should be required to disclose, at a minimum, the hardware layer, the model layer, and the data layer of their military AI systems and to update that disclosure when any layer changes materially. While recommendation one addresses accountability for how systems behave, this addresses accountability for what systems are built from. Without knowing the supply chain, governance is blind to the jurisdictional exposures described above.

The third is parliamentary authorization before citizen data collected for welfare purposes is repurposed for security operations, a precedent Kenya's courts established in the Huduma Namba case and that no international AI governance forum has yet generalized.

The fourth is functional separation of civilian and military AI workloads. Commercial AI infrastructure that simultaneously serves civilian clients and military targeting operations cannot claim IHL civilian protection, nor can providers claim neutrality when a belligerent designates them as targets. Tech companies providing AI services to military clients should maintain genuinely separate infrastructure through distinct legal entities, separate physical architecture, and different jurisdictional exposure. This is the structural precondition for IHL protections to apply meaningfully to the AI infrastructure layer.

None of these recommendations is achievable without a shift in how middle powers approach governance forums themselves. AI computing and frontier models are now as vital as shipping lanes or internet cables. Controlling them provides strategic power, and cutting them off is a tool for coercion. The REAIM process is the right forum to address this, but the approach must change. Middle powers should not show up as supplicants begging for access to technology on the great powers' terms. Instead, they must act as a unified bloc with their own structural interests, defending a version of governance that the great powers will not champion on their behalf. The consolidation of frontier AI within the US military's classified networks makes this urgency undeniable.

Conclusion

The condition of the middle power in the AI age is one of precarity: operating on terms they do not set and cannot necessarily change. Current attempts at "digital sovereignty" often lack a solid foundation: they are essentially a local software layer built on top of foreign hardware they don't control. National AI missions frequently result in simply buying more foreign chips, while high-level summits celebrate "innovation" without addressing the underlying dependency.

As long as that condition persists, national agency in the AI domain is, for now, little more than a subscription service that can be throttled or cancelled without a diplomatic cable or multilateral intervention. The great powers will continue to participate in governance forums while ensuring those forums produce nothing that constrains them. Middle powers do not have that luxury. They are building their most sensitive state functions on a stack they cannot defend, under a legal architecture not designed with their interests in mind.

The path out does not run through more national missions purchasing more foreign chips under the banner of sovereignty. It runs through a reckoning with what sovereignty actually requires in a networked world: transparency about dependencies, legal constraints on repurposing, binding standards for service continuity, and governance frameworks that treat foundational AI infrastructure the way international law has learned, slowly and imperfectly, to treat maritime straits: as commons that cannot be weaponized at will.

Without that reckoning, the questions that define military AI dependency—whose chips, whose model, whose data, and who decides when any of it stops—will continue to have answers that no middle power parliament has authorized, no treaty has governed, and no governance summit has thought to ask. Middle powers will not be building the futures of their states. They will be renting them, on terms set elsewhere, from landlords who answer to someone else.

Authors

Nishtha Gupta
Nishtha Gupta is a public affairs and political risk professional specializing in AI governance, geopolitical risk, and policy communications. She has worked with the Atlantic Council's Digital Forensic Research Lab, the Centre for the Study of Democratic Institutions at the University of British Co...
