AI, geography, and the exposed infrastructure of the new intelligence age
Part 3 examined compute as critical infrastructure. It established that AI workloads have crossed the threshold from commercial service to public-risk utility. That essay was about continuity. This one is about doctrine. Because once infrastructure is critical, its protection requires rules, not just redundancy.
We have built a system where failure cascades across sectors, yet we lack a coherent framework to prevent, attribute, or respond to that failure. The protection gap is not a temporary oversight. It is a structural mismatch between deployment velocity and institutional design. We are operating strategic assets with peacetime playbooks.
Chokepoints map where flow concentrates. Critical infrastructure defines what happens when it stops. The protection gap reveals what happens when nobody knows who is responsible for keeping it running.
From Continuity to Doctrine
Critical infrastructure protection traditionally relies on clear lines of ownership, defined threat models, and established response protocols. Power grids have regulatory commissions, emergency load-shedding rules, and physical hardening standards. Telecom networks have priority routing, carrier-of-last-resort obligations, and national security exemptions. Financial clearing systems have central bank backstops, systemic risk oversight, and mandatory redundancy requirements.
AI compute fits none of these categories cleanly. It is privately financed but publicly relied upon. Commercially optimized but strategically entangled. Globally distributed but legally fragmented. When a hyperscale facility is disrupted, the immediate question is no longer just technical: How fast can we restore service? It is jurisdictional, legal, and strategic: Who responds? Who bears the cost? How is attribution established? What rules govern retaliation or defense?
The answer, currently, is: it depends. And in a crisis, “it depends” is a recipe for delay. Delay, in turn, becomes escalation. The absence of doctrine does not create stability. It creates ambiguity, and ambiguity is the primary driver of miscalculation in hybrid conflict. When commercial assets carry strategic weight but lack strategic protection, deterrence fractures. Adversaries test boundaries. States hesitate. Institutions operate on improvised assumptions until the cascade outpaces improvisation.
The Civilian-Strategic Hybrid
The core of the protection gap lies in a single, unresolved classification problem: AI infrastructure is simultaneously civilian and strategic. Data centers host commercial workloads, government services, and military inference tasks on shared physical substrate. Subsea cables carry consumer traffic alongside diplomatic and defense communications. Cloud regions process hospital diagnostics, financial transactions, and logistics routing in overlapping zones.
This hybrid nature breaks traditional deterrence logic. Adversaries do not need to target military installations to degrade strategic capacity. They only need to pressure commercial chokepoints that states cannot afford to lose. But commercial assets are not protected under the same legal and military frameworks as sovereign defense infrastructure. Attacking a data center may not trigger mutual defense clauses. Cutting a cable may not meet the threshold of armed conflict under existing maritime law. Poisoning a model’s training pipeline or corrupting inference routing may not constitute a use of force at all, yet it can degrade institutional trust and decision velocity at scale.
This creates a dangerous middle ground. States are increasingly dependent on infrastructure they do not fully control, cannot legally defend under traditional frameworks, and cannot easily replace. Adversaries recognize this. They operate in the gray zone precisely because the rules are unclear. The result is a protection vacuum where commercial risk is treated as corporate liability until it becomes national emergency. By the time the classification shifts, the operational window has closed.
The legal ambiguity is not accidental. It is the product of rapid commercial deployment outpacing state-level risk assessment. Cloud providers built for scale, not sovereign defense. Governments regulated for data privacy, not infrastructure resilience. Militaries integrated commercial inference for efficiency, not wartime contingency. Each actor optimized for their own mandate. None optimized for the system.
The Treaty and Insurance Void
International law and risk markets were built for a different era of infrastructure. The legal frameworks governing subsea cables, cross-border data flows, and cyberspace norms were drafted before cloud regions, AI training clusters, and synchronized global inference became systemic dependencies. Treaties remain outdated. Norms remain voluntary. Enforcement remains fragmented.
The United Nations Convention on the Law of the Sea (UNCLOS) governs cable protection, but it assumes state-to-state liability and peacetime maritime operations. It does not account for gray-zone interference, unmarked sabotage vessels, or commercial consortia operating in contested corridors. Cyberspace confidence-building measures remain non-binding and narrowly scoped. Domestic critical infrastructure laws vary widely across jurisdictions, with many explicitly excluding privately owned cloud facilities from emergency defense mandates or national grid protection protocols.
Insurance markets are struggling to fill the void. Reinsurers are pricing physical disruption, cyber intrusion, and regulatory seizure as increasingly correlated risks. When a single event—grid stress, maritime interference, or supply-chain disruption—can trigger simultaneous outages across multiple hyperscale zones, actuarial models break. Coverage is being restricted, exclusions expanded, and premiums rising in high-exposure corridors.[1] When insurance becomes unpredictable, capital deployment slows. When capital slows, redundancy degrades. The market cannot price systemic risk that lacks legal clarity.
Legal borders compound the problem. Data sovereignty rules, cross-border transfer restrictions, and national security reviews prevent AI workloads from migrating freely during crises. A region experiencing disruption cannot simply shift capacity to a neighboring jurisdiction if the data is legally bound to stay. Compliance becomes friction. Friction becomes vulnerability. The legal architecture designed to protect data now prevents its survival.
The Doctrine Lag
The doctrine lag is widening in real time. Militaries are integrating commercial AI for logistics, intelligence analysis, and command support, but procurement cycles and operational doctrines assume sovereign control over protected infrastructure. Cloud providers operate under shared-responsibility models designed for enterprise software, not public-risk utilities. Regulators mandate data protection but lack authority over cross-border workload migration during emergencies. Diplomatic channels are debating AI ethics and model transparency while physical infrastructure faces kinetic and hybrid threats.
We are asking commercial deployment timelines to outpace state-level protection doctrines. They will not. The institutions that govern energy resilience, telecom priority routing, and defense infrastructure were built for slower, more predictable threats. They were not designed for a planetary nervous system being assembled deal by deal, cable by cable, chip shipment by chip shipment.
Some states are already improvising. Emergency compute prioritization rules are being drafted. Sovereign inference reserves for crisis response are being explored. Domestic redundancy mandates for critical AI workloads are entering legislative pipelines. But these are fragmented, reactive measures. They do not constitute a doctrine. They are stopgaps applied to a system that outpaces them.
The protection gap is not just a technical shortfall. It is an institutional failure to recognize that commercial infrastructure has become strategically indispensable. When the ground shifts that fast, the rules do not update automatically. They must be rewritten. And they are not being rewritten fast enough.
The Sovereignty Question
The protection gap cannot be closed by market adaptation alone. It requires explicit liability allocation, cross-sector coordination, and updated legal frameworks that recognize commercial compute as critical infrastructure. Without it, states will continue to rely on systems they cannot defend, governed by rules that do not apply, priced by markets that cannot absorb systemic shock.
But the gap is already producing its own consequences. As protection frameworks lag, states are retreating into sovereign control. National cloud mandates, domestic compute stacks, and data localization rules are no longer just regulatory preferences. They are risk mitigation strategies. When global coordination fails, borders return.
The cloud was supposed to be borderless. It is not. It is sitting on contested ground, drawing power from stressed grids, crossing vulnerable seas, and becoming too important to leave undefended. And when defense cannot be shared, it is nationalized.
The next essay in this series will examine that retreat. Because once you see how little has been done to secure shared infrastructure, you begin to see why states are choosing to build their own. And in the intelligence age, the return of borders is not nostalgia. It is a survival calculation.
Notes
[1] Swiss Re Institute, “Infrastructure Risk & Reinsurance Market Adjustments in the Digital Era,” February 2026.
[2] Center for Strategic and International Studies (CSIS), “Critical Infrastructure Protection in an Era of Hybrid Threats,” January 2026.
[3] International Cable Protection Committee (ICPC), “Global Cable Repair Fleet & Response Capacity,” 2024; CSIS, “Gray Zone Maritime Interference and Subsea Infrastructure Vulnerability,” December 2025.
[4] Talita Dias, “Closing the AI Assurance Divide: Policy Strategies for Developing Economies,” Partnership on AI, February 18, 2026.
[5] Atlantic Council Digital Forensic Research Lab, “Doctrine Gaps in Commercial Compute Dependency,” March 2026.
[6] International Institute for Strategic Studies (IISS), “Hybrid Conflict and the Civilian-Strategic Infrastructure Blur,” February 2026.
[7] U.S. Bureau of Industry and Security (BIS) & EU Commission Joint Working Group, “Cross-Border Data Sovereignty and Crisis Continuity Frameworks,” January 2026.