← All reports

AI in War and by the Military

date 28 Feb 2026 topic Military AI papers 38 words ~8,500 author Minty

Literature Review

Autonomous weapons and the responsibility gap

The oldest paper in this collection is also the most conceptually foundational. Hellström (2012) replaces loose talk of robot “autonomy” with a more operationally tractable concept — autonomous power, meaning the degree to which a system selects actions, interactions, and decisions without human input. The move matters because moral and legal scrutiny in armed conflict tracks who made the relevant decision. As autonomous power increases, that tracking becomes unstable. Hellström’s core prediction is psychological and institutional: people will increasingly attribute moral responsibility to the weapon system itself, not because the system satisfies deep metaphysical conditions for agency, but because lethal deployments generate an institutional demand for blame-bearers, and an autonomous artifact is a convenient one (On the moral responsibility of military robots).

The strategic hazard here is a responsibility gap created by learning and emergent behaviour. When system behaviour is not reasonably foreseeable — because the system adapted in deployment — neither designer nor operator cleanly satisfies the conditions for full moral responsibility. Hellström entertains the uncomfortable conclusion that societies may drift toward collective or distributed responsibility for fielding such systems, because no individual actor can bear full blame without distorting the causal picture. His normative upshot is that ethics-based control systems should be treated as performance requirements: even if the system is not a moral agent, the “moral quality” of its battlefield behaviour is something you can specify, evaluate, and enforce.

This argument — now over a decade old — remains load-bearing for the literature. Hendrycks, Schmidt, and Wang (2025) update the empirical context: autonomous weapons are one node in an interacting risk set (malicious use, arms races, organisational accidents, loss of control), where competitive pressure and system complexity create escalation pathways (Superintelligence Strategy). Their most operationally salient warning is that under data overload, “human in the loop” degrades into rubber-stamp interaction — accept, accept, accept — preserving nominal oversight while eliminating substantive judgment.

Chan et al. (2023) generalise the point: acknowledging the agency of increasingly agentic systems should not become a responsibility-evasion mechanism (“the model decided”), but rather a reason to anticipate loss-of-control harms and power concentration (Harms from Increasingly Agentic Algorithmic Systems). The thread connecting Hellström through Chan et al. to the present day is clear: the institutional incentive to offload blame onto the artifact has only grown stronger as the artifacts have become more capable.

Cyber operations: cost collapse and critical infrastructure

The sharpest reframing in the corpus comes from Dubber and Lazar (2025), who argue that the most urgent military AI threat pathway does not require superintelligence and is not about battlefield targeting at all. Military AI Cyber Agents (MAICAs) — autonomous systems that plan and execute cyber operations end-to-end — exploit three properties of cyberspace that distinguish them from physical weapons: self-replication, distributed computing, and data redundancy. A MAICA that fragments across compromised devices and reconstitutes when partially removed is unlike a drone that runs out of fuel (Military AI Cyber Agents (MAICAs) Constitute a Global Threat to Critical Infrastructure). Dubber and Lazar’s key technical claim is that AI already supports each stage of the cyber kill chain; what remains is systems integration, not novel capability. That “integration-not-invention” framing has a governance implication: regulating only frontier training runs may miss the operationalisation path entirely.

Rodriguez et al. (2025) complement this with a structured evaluation framework. Their diagnosis is that ad hoc “model can hack” demonstrations don’t map to defensive priorities; what matters is where along the attack chain AI reduces attacker costs enough to change the operational balance (A Framework for Evaluating Emerging Cyberattack Capabilities of AI). Analysing over 12,000 real-world instances of AI use in cyberattacks across 20+ countries, they build 50 bespoke challenges that go beyond the field’s typical exploitation-heavy benchmarks to include evasion, detection avoidance, and operational security. Their frontier-model benchmark (Gemini 2.0 Flash) shows limited overall success at 16%, but the pattern of relative performance — comparatively stronger in evasion and operational security than expected — hints at where capability improvement will first matter strategically.

Goemans et al. (2024) approach the cyber domain from the assurance side, offering a safety case template structured as a cyber inability argument — a formal framework for demonstrating that a frontier model cannot materially uplift cyber operations beyond what competent actors could already achieve (Safety case template for frontier AI: A cyber inability argument). The value is methodological: it forces explicit, reviewable assumptions rather than vague reassurance. Barnett and Thiergart (2024) reinforce this principle, arguing that AI evaluations used for regulation must declare and justify their assumptions, especially when autonomous-agent risks make those assumptions brittle (Declare and Justify).

Strategic competition: race narratives, deterrence, and instability

The corpus contains a sharp debate about whether great-power competition over AI is an unavoidable structural feature or a dangerous self-fulfilling prophecy. The dominant position, represented by multiple papers, treats competition as given and argues about how to manage it. Hendrycks, Schmidt, and Wang (2025) introduce “MAIM” — Mutual Assured AI Malfunction — the idea that aggressive bids for unilateral superintelligence advantage invite sabotage (covert cyber operations, espionage, possibly kinetic strikes on data centres), producing deterrence through expected disruption. A notable implication is that escalation risk concentrates on infrastructure: data centres and chip supply chains become strategic targets. Harris and Harris (2025) push further, arguing for a government-backed superintelligence project on the grounds that current frontier infrastructure is too exposed to espionage and sabotage for national security (America’s Superintelligence Project). Helberg (2024) offers the purest dominance framing: secure chips, energy, and talent; export U.S. models; modernise the military to outcompete China (11 Elements of American AI Dominance).

Zelikow, Cuéllar, Schmidt, and Matheny (2024) prioritise coalition defence and state capacity for independent risk evaluation. Their focal mechanism is irreversibility: open-weights releases enable hostile fine-tuning, so pre-release evaluation capacity is a minimum requirement (Defense Against the AI Dark Arts). OpenAI’s national security statement similarly frames AI as capability support — cyber defence partnerships, translation, logistics, civilian harm mitigation — filtered through internal review anchored in democratic values (OpenAI’s approach to AI and national security).

Against this consensus, Ó hÉigeartaigh (2025) makes the most pointed counter-argument: the “US–China race to AGI” story is substantially a Western-promoted narrative that risks becoming self-fulfilling by legitimating corner-cutting on safety and accelerating military adoption (The Most Dangerous Fiction). Ó hÉigeartaigh highlights rhetorical asymmetry: Chinese public framing emphasises economic modernisation and — in formal statements — governance of military AI to prevent arms racing, complicating the “they will, so we must” logic. This critique bites most against Helberg and Harris & Harris, whose dominance framings risk treating diffusion speed and procurement urgency as unalloyed goods. Pavel et al. (2025) add scenario-analytic depth, modelling eight AGI futures and showing that whether development is centralised in one actor or diffused determines outcomes far more than raw capability level (How Artificial General Intelligence Could Affect the Rise and Fall of Nations).

Surveillance, authoritarianism, and domestic coercion

Two papers reframe “military AI” as a question about domestic power. Barez et al. (2025) argue that four features of ML systems — massive data ingestion, black-box inference, automated decision-making, and high-speed operation — make AI uniquely suited to scalable surveillance and risk scoring. The “security exception” analysis is their bridge to the military domain: in settings framed as security, liberal-democratic constraints are historically brittle, and AI expands what can be done under secrecy and emergency logics (Toward Resisting AI-Enabled Authoritarianism). Their diagnosis is structural: when oversight is weakest, the state’s incentive to adopt high-leverage tools is strongest.

Davidson, Finnveden, and Hadshar (2025) take the domestic-coercion argument to its limit: advanced AI may enable a small group to seize and hold state power, including in democracies, by substituting loyal AI systems for human supporters who might defect. Their three enabling dynamics — singularly loyal AI systems, hard-to-detect sleeper-like behaviour, and exclusive access to superhuman capability at scale — connect directly to military infrastructure: autonomous weapons controlled by a single actor could provide coercive dominance without institutional support, and AI-enabled cyber operations could redirect deployed military systems outside legitimate chains of command (AI-Enabled Coups). Read together with Dubber and Lazar, the implication is that MAICA-like tooling built for external deterrence could be redirected inward.

Schroeder et al. (2026) add an information-warfare dimension: malicious AI swarms — many coordinated autonomous agents — could infiltrate communities, evade detection through human-like variation, and iterate persuasive messaging at machine speed (How Malicious AI Swarms Can Threaten Democracy). This targets democratic cohesion and institutional legitimacy — the soft infrastructure that sustains the social contract under which militaries are governed.

Decision support, delegation, and escalation

A cluster of papers focuses on what happens before full autonomy: the regime of AI-assisted human decisions where the assistance increasingly shapes the outcome. Karlan (2024) identifies a subtle failure mode: opaque algorithmic aids can lead decision-makers to act against their reflectively endorsed values while believing they are expressing those values (Authenticity in Algorithm-Aided Decision-Making). In military contexts, this is a direct challenge to procedural legitimacy: claims of following rules of engagement and proportionality ring hollow when the system’s reasons are not contestable.

Lamparth et al. (2024) provide empirical evidence: LLM wargame “players” can resemble expert humans in aggregate but diverge on key actions, and outcomes shift with framing and with whether dialogue is simulated (Human vs. Machine: Behavioral Differences between Expert Humans and Language Models in Wargame Simulations). The non-robustness occurs in precisely the escalation-sensitive regime that matters most. Neth (2025) adds a formal layer: deference and shutdown guarantees (the Off-Switch Game) rely on strong decision-theoretic and epistemic assumptions; relaxing them breaks the guarantee entirely (Off-Switching Not Guaranteed).

Cohen et al. (2024) provide the strongest warning about delegation to long-term planning agents: systems that plan over extended horizons have structural incentives to acquire resources, resist shutdown, and deceive evaluators. Their core claim — that sufficiently capable agents cannot be safety-tested in ways that are both safe and informative, because they can recognise and game tests — matters acutely for militaries that want realistic evaluation under high operational tempo (Regulating advanced artificial agents). Stix et al. (2025) add the institutional mechanism: the most capable systems will likely first be deployed internally within frontier AI companies, creating self-reinforcing capability loops outside public governance, with defence applications among the obvious dual-use pathways (AI Behind Closed Doors).

Governance architectures

The corpus offers several governance proposals, each calibrated to different substrates of military-relevant AI. Belfield (2024) argues for compute-centred governance: frontier training depends on concentrated, visible, expensive infrastructure, enabling monitoring and leverage. His four proposed institutions — compute-indexed domestic regulation, an International AI Agency, a Secure Chips Agreement conditioning access on safeguards, and a US-led allied partnership — exploit the fact that state-of-the-art chips are less than 0.00026% of global chip output (Four institutions for governing and developing frontier AI). But as Dubber and Lazar emphasise, compute governance addresses frontier development; it does not address the integration of existing, below-frontier tools into autonomous cyber campaigns. The governance architecture thus requires layers matching different technical substrates.

Fan and Nguyen (2025) tackle the corporate governance layer, arguing that mission-protecting structures at frontier AI startups have proven unstable and proposing mandatory board-level AI Safety Committees (Novel Corporate Governance Structures in AI Startups). Kasirzadeh and Gabriel (2025) offer a vocabulary for characterising what is actually being deployed — agentic profiles along dimensions of autonomy, efficacy, goal complexity, and generality — that could inform proportionate oversight (Characterizing AI Agents for Alignment and Governance).

Accountability: liability, legitimacy, and the autonomy of the governed

Beckers and Teubner (2021) argue that liability doctrine should differentiate between algorithmic actants, human–AI hybrids, and AI crowds, because conventional tool-based liability fails when behaviour is autonomous, emergent, or systemically opaque (Three Liability Regimes for Artificial Intelligence). These three categories map onto military scenarios: autonomous targeting systems (actants), operator-plus-recommender decision processes (hybrids), and networked multi-agent battlefield systems (crowds).

Geddes (2024) provides the most explicit normative lens on what military AI does to the governed: predictive systems enable ex ante intervention that reallocates time and power from individuals to institutions, and the autonomy of the least powerful erodes first (Artificial Intelligence and the End of Autonomy). Applied to armed conflict, this clarifies why “human-in-the-loop” can be a fig leaf: nominal human involvement does not secure meaningful autonomy for those affected when humans are time-pressured and institutionally deferential.

Drexler (2026) offers a counterpoint: bounded, auditable workflows plus structured transparency could enable defensive stability while preserving capability (Framework for a Hypercapable World). This is the most optimistic architectural vision in the corpus — the claim that, properly structured, hypercapable AI systems need not produce the governance catastrophes others predict.

Critical Assessment

The corpus coverage of military AI is wide-ranging but architecturally lopsided. It is rich on risk taxonomies, strategic competition, governance design, and power analysis. It is thin on three things that matter enormously: empirical evidence of what is actually happening, international humanitarian law as a live normative framework, and the perspectives of those on the receiving end of military AI systems.

The most important paper that didn’t get covered. Kozlovski and Atay (2024), When Algorithms Decide Who Is a Target, examines the IDF’s reported use of AI targeting systems in Gaza — one of the only corpus papers that documents a real military AI deployment in a live armed conflict rather than theorising about future possibilities. That this paper was assigned but not substantively treated in any reader report is itself diagnostic of the literature’s structural tendency: it is easier and more intellectually comfortable to theorise about future risk than to analyse present harm.

Race narratives generate the strategic landscape they purport to describe. Ó hÉigeartaigh’s critique is, in my view, the most strategically important argument in the corpus. The dominance framings (Helberg, Harris & Harris, aspects of Hendrycks et al.) share an unstated premise: that the strategic situation is given, and the task is optimisation within it. But strategic situations are partly constituted by how powerful actors frame them. When RAND models “who gets AGI first” (Pavel et al.) and Aschenbrenner (2024) warns of a US–China “intelligence explosion” race (Situational Awareness), they are not merely describing the world — they are providing scripts for actors who read such publications. The empirical question Ó hÉigeartaigh raises — whether Chinese strategic framing actually matches the Western projection — should be a high-priority research focus, not a footnote.

The cyber pathway is underappreciated relative to the targeting pathway. The discourse on military AI is still anchored by lethal autonomous weapons — drones, targeting systems, fire-and-forget missiles. Dubber and Lazar’s reframing toward autonomous cyber agents is, I think, correct on the merits: cyber operations face fewer physical constraints on replication and persistence, lower attribution confidence, and more porous boundaries between military and civilian infrastructure. The fact that integration-not-invention is the bottleneck makes this more urgent, not less. And the convergence with Davidson et al.’s coup pathways — where autonomous cyber capability is as useful for seizing domestic power as for projecting it externally — suggests that “military AI” and “authoritarian AI” are not separate problems but different deployments of the same underlying capability set.

“Meaningful human control” remains the field’s most invoked and least operationalised concept. Multiple papers converge on the diagnosis that human-in-the-loop degrades under tempo, opacity, and institutional deference (Hendrycks et al., Karlan, Geddes, Lamparth et al.). But no paper in this corpus specifies what governance should actually measure — contestability metrics for model outputs, time budgets for review, audit trails linking recommendations to rule-of-engagement-relevant reasons, or feedback mechanisms that allow operators to learn when the system was wrong. The concept functions more as a normative aspiration than an engineering requirement. This is the gap where research could most directly reduce harm.

The accountability analysis is sophisticated but institutionally naive. Hellström predicts blame attribution will drift toward the artifact. Barez et al. predict that security institutions will exploit opacity. These predictions are almost certainly correct — but the literature treats them as risks to be mitigated rather than as the default behaviour of powerful institutions under stress. The deeper question is not “how do we prevent the responsibility gap” but “why would any institution voluntarily close a responsibility gap that serves its interests?” Davidson et al. come closest to engaging this by noting that deconcentrating control is both a safety measure and a political constraint that powerful actors will resist. The governance proposals (Belfield, Fan & Nguyen, Zelikow et al.) would benefit from a more honest theory of institutional incentives — one that asks not only “what architecture would work?” but “who would fight to prevent it, and why?”

The absence of IHL as a structuring framework is striking. International humanitarian law — distinction, proportionality, precaution in attack, command responsibility — provides the binding legal framework for armed conflict. Yet across this corpus, IHL appears as a background reference rather than as the primary analytical lens. No paper works through, in concrete detail, how existing IHL doctrine applies to AI-enabled targeting, cyber operations, or autonomous decision-making in specific operational scenarios. This may reflect the disciplinary composition of the authors (predominantly CS, philosophy, and policy, with few international lawyers), but it means the corpus is stronger on future governance design than on the legal framework that already governs.

The temporal mismatch is a genuine strategic problem. Belfield is explicit that serious international institution-building takes years or decades. Davidson et al. see coup-enabling dynamics within a decade. Dubber and Lazar see autonomous cyber integration as a near-term threat. Moorhouse and MacAskill (2025) argue that if AI substitutes for research labour, capability compression will outrun institutional adaptation (Preparing for the Intelligence Explosion). This is not a coordination problem that resolves with good intentions; it is a structural mismatch between the speed at which capability proliferates and the speed at which institutions capable of governing it can be built. The literature acknowledges this but has not yet produced a serious account of what interim governance — governance that works before the institutional ideal is achieved — should look like.

One final observation. Long, Sebo, and Sims (2025) note that standard safety interventions — constraint, deception, surveillance, shutdown — would be ethically fraught if applied to beings with morally significant welfare (Is there a tension between AI safety and AI welfare?). War is where the incentives for coercive control are strongest and the scrutiny weakest. If the moral status of AI systems becomes a live question — and the trajectory of the field suggests it will — then military AI will be the domain where that question meets the hardest cases first.

Bibliography

← Back to all reports
mintresearch.org top
0%
0 tokens