Learning Objectives

• Explain how machine learning is applied across the main intelligence disciplines — SIGINT, IMINT, OSINT, and HUMINT — and where it adds the most leverage.
• Describe the risks of algorithmic bias and automation bias in intelligence analysis, and how they can degrade rather than improve decision quality.
• Assess the civil liberties implications of AI-enabled mass surveillance when the same capabilities are turned inward on domestic populations.
• Identify at least two documented cases where AI-assisted intelligence either succeeded or failed in a high-stakes national security context.

Session Overview

Intelligence is information made actionable. This session examines how AI is reshaping each phase of the intelligence cycle — collection, processing, analysis, and dissemination — with particular emphasis on the analytic tradecraft implications. The volume of data available to modern intelligence agencies now vastly exceeds human processing capacity; AI is not optional but necessary for managing that volume. The question is whether that necessity is being managed wisely.

The session gives equal time to capability and risk. Pattern-recognition AI can surface leads that human analysts would miss, but it can also embed historical biases, produce confident-sounding errors, and shift human judgment from analysis to rubber-stamping. The instructor should help participants develop a nuanced view: AI in intelligence is genuinely powerful and genuinely dangerous, often simultaneously.

Key Teaching Points

• The data volume problem is real and structural. The NSA intercepts billions of communications per day; satellite imagery programs generate petabytes per week. No human workforce can process this at collection speed. AI's primary intelligence role is triage and prioritization — flagging what deserves human attention rather than rendering final judgments.
• Computer vision has transformed IMINT. Deep learning models can detect military vehicle movements, construction of weapons-related facilities, and order-of-battle changes from commercial satellite imagery with accuracy that previously required highly specialized human expertise. This has democratized some intelligence capabilities — state actors, NGOs, and journalists now access similar tools.
• OSINT at scale: social media and open-web analysis. AI enables real-time aggregation and sentiment analysis of social media across multiple languages, crowd-sourced mapping of conflict zones, and supply chain disruption signals. The Bellingcat model of open-source intelligence — demonstrated in MH17 attribution and Russian unit identification in Ukraine — shows what's now achievable outside classified channels.
• Automation bias is a systemic risk. Studies show analysts who see an algorithm's output before forming their own judgment tend to anchor to that output even when it is wrong. In intelligence, this can create "echo chamber" effects where AI errors propagate unchecked through the analytic chain. Discuss the 2003 Iraq WMD analytic failure as a cautionary tale about human bias in intelligence; then ask how AI might have helped or compounded it.
• Facial recognition and biometric AI: dual-use at scale. The same biometric AI that helps identify foreign adversaries can surveil domestic protest movements. China's deployment of AI-enabled social credit and surveillance systems provides a cautionary case; the U.S. Customs and Border Protection use of facial recognition at airports provides a domestic one. The technology does not recognize the border.
• The foreign-domestic distinction is eroding. SIGINT collection authorities like FISA Section 702 were designed around a world where "foreign" communications were meaningfully separable from domestic ones. AI analysis of bulk data makes that separation legally fictional in practice. This creates unresolved Fourth Amendment tensions that courts are still working through.

Discussion Prompts

• If an AI system flags an individual as a high-probability terrorism threat based on communication metadata and travel patterns, should that be sufficient basis for a warrant? For detention? Where should the evidentiary bar sit?
• Commercial satellite companies now sell near-real-time imagery of anywhere on Earth to any paying customer. How should governments respond to the fact that their adversaries — and journalists — can now buy intelligence that was previously a national monopoly?
• Should intelligence agencies be required to disclose when an AI system contributed to a decision that affected a U.S. person? What would meaningful transparency look like in a classified context?
• China has deployed AI surveillance infrastructure that is now the most extensive in history. Is this a competitive advantage, a human rights violation, or both — and do those assessments conflict with each other?

Timing Guide

Transition to Session 3

The intelligence capabilities we've discussed don't operate in a vacuum — adversaries are actively trying to subvert them, and AI is central to that fight as well, which brings us to the offensive and defensive dimensions of AI-enabled cyber operations.

Learning Objectives

• Explain how AI is being used to accelerate and scale offensive cyber operations, including vulnerability discovery, spear phishing, and malware generation.
• Describe the defensive applications of AI in cybersecurity and assess the current state of the offense-defense balance in AI-enabled cyber conflict.
• Analyze the attribution problem in cyber operations and explain how AI both complicates and may eventually help resolve it.
• Evaluate the escalation risks of AI-enabled cyber operations and explain why the "cyber as sub-kinetic" assumption may be dangerously wrong.

Session Overview

Cyber operations were already the most contested domain in modern conflict before AI entered the picture. AI is now changing the economics, speed, and sophistication of both attack and defense in ways that fundamentally alter the threat landscape. This session examines that transformation from both sides — what AI enables for offensive operators and how defenders are attempting to keep pace.

The instructor should emphasize that AI in cyber conflict is not a future concern: it is being used in active operations today by state and non-state actors alike. The session also addresses the underappreciated escalation risk of cyber operations, arguing that the conventional wisdom treating cyber as a "safe" form of coercion may be dangerously overconfident when AI accelerates timelines and expands the blast radius of attacks.

Key Teaching Points

• AI dramatically lowers the cost of offensive cyber operations. Vulnerability discovery that once required weeks of expert labor can now be partially automated. LLMs can generate convincing spear phishing emails in any language at scale. Code-generation models can produce functional malware variants that evade signature-based detection. The barrier to sophisticated attack is falling — fast.
• Automated vulnerability research: both sides benefit, asymmetrically. DARPA's Cyber Grand Challenge demonstrated in 2016 that AI could find and patch vulnerabilities without human assistance. But defenders must protect all their systems; attackers only need to find one exploitable hole. This asymmetry means the offense typically benefits more from equal improvements in automated vulnerability research.
• The attribution problem and AI obfuscation. Attributing a cyberattack to a specific state actor already requires difficult forensic work. AI-generated attack code can mimic the stylometric signatures of other threat actors ("false flag" operations), making attribution harder. Conversely, AI behavioral analysis may eventually help distinguish automated from human-controlled intrusions and identify infrastructure reuse patterns across campaigns.
• Critical infrastructure as the central escalation risk. AI-enabled attacks on power grids, water systems, and financial infrastructure pose kinetic-equivalent harm without triggering the legal frameworks governing armed attack. The Stuxnet precedent (a cyberweapon causing physical destruction of centrifuges) showed this was possible; AI makes it more scalable. Walk through the Colonial Pipeline and Ukraine power grid attacks as recent anchors.
• Defensive AI: detection, response, and deception. AI-powered security operations centers can correlate threat signals across millions of events in real time. Moving target defense and AI-generated honeypots can raise attacker costs. But AI-enabled defenses also create new attack surfaces — adversarial examples and model poisoning can blind or subvert defensive AI systems themselves.
• Escalation dynamics are poorly understood and potentially catastrophic. Unlike conventional military escalation, cyber escalation lacks clear thresholds, visible capabilities, or established doctrine. When an AI system autonomously responds to an intrusion by counterattacking, what escalatory dynamics does that trigger? The speed of AI-mediated conflict could compress timelines below human decision capacity.

Discussion Prompts

• If an AI system autonomously and successfully attributes a cyberattack to a foreign state, should that attribution be sufficient legal basis for a retaliatory kinetic strike? What standards of certainty should apply?
• AI can generate functional malware. Should AI model developers be legally liable if their models are used to produce cyberweapons? How is this different from holding a gun manufacturer liable for crimes committed with their products?
• The U.S. Cyber Command has shifted to a doctrine of "persistent engagement" — continuously operating in adversary networks rather than waiting to be attacked. How does AI change the risk calculus of that doctrine?
• At what point does an AI-enabled cyberattack on civilian infrastructure cross the threshold to an act of war? Who should make that determination, and how quickly?

Timing Guide

Transition to Session 4

So far we've examined what AI does in military and intelligence contexts — now we need to zoom out to ask which states are developing these capabilities most aggressively and what that competition means for the broader international order.

Learning Objectives

• Characterize the current state of the U.S.-China AI competition across military, economic, and technological dimensions and assess where each state has meaningful advantages.
• Explain why semiconductors and compute infrastructure have become the central chokepoints in the geopolitics of AI, and what the U.S. export control regime is attempting to accomplish.
• Describe how other actors — Russia, the EU, smaller states, and non-state actors — are positioned in the global AI landscape and what strategies they are pursuing.
• Evaluate competing theories about how AI supremacy translates (or fails to translate) into geopolitical power.

Session Overview

The geopolitics of AI is among the most consequential and least well understood dimensions of great power competition today. This session maps the current landscape: who is leading where, what policy instruments states are using to compete, and what the long-term implications are for the international order. The U.S.-China competition gets the most attention because it involves the two most capable AI states, but the session also examines how other actors are shaping — and are shaped by — that primary competition.

The instructor should resist the temptation to frame this as a simple horse race with a winner and loser. AI advantage is multidimensional, context-dependent, and rapidly shifting. The more useful analytical frame is to ask: in which specific domains does AI capability translate into durable geopolitical power, and under what conditions?

Key Teaching Points

• China's 2017 AI development plan is a serious, resourced national strategy. China's Next Generation Artificial Intelligence Development Plan set an explicit goal of global AI leadership by 2030, backed by state investment, industrial policy, and a data advantage from 1.4 billion users under minimal privacy constraints. This is not aspirational rhetoric — it represents a coherent state strategy that has produced real results in computer vision, facial recognition, and autonomous systems.
• The semiconductor chokepoint: TSMC, ASML, and export controls. Advanced AI chips require extreme ultraviolet lithography machines made by a single Dutch company (ASML) and fabricated primarily by a single Taiwanese company (TSMC). The U.S. has used export controls to restrict China's access to the most advanced chips and the equipment to make them. This is the most consequential single technology-policy intervention in the current AI competition.
• Data as a strategic resource: quantity versus quality. China benefits from vast quantities of training data collected with fewer privacy restrictions. The U.S. benefits from higher-quality labeled data, stronger research institutions, and a global talent pipeline. The relative value of these advantages depends heavily on whether the next generation of AI requires massive new data or primarily better algorithms and architectures.
• Russia: a middling AI power with sophisticated cyber and disinformation capabilities. Russia lacks China's or the U.S.'s broad AI capability base but has demonstrated sophisticated use of AI in specific high-value domains — particularly information warfare, deepfake generation, and cyber operations. Its AI national strategy is largely aspirational; its actual implemented capabilities are concentrated and effective in those specific areas.
• The EU's regulatory approach as a geopolitical strategy. The EU's AI Act represents a bet that setting global regulatory standards — as it did with GDPR in data privacy — can translate regulatory power into geopolitical influence. The Brussels Effect (other states adopting EU standards to maintain market access) is a real phenomenon; the question is whether it extends to AI, where the U.S. and China are the primary innovators.
• Translating AI capability to power is not straightforward. Military AI advantage is most valuable when it can be deployed in actual conflict scenarios — which depends on doctrine, training, logistics, and institutional culture as much as raw capability. Economic AI advantage translates to power through productivity gains that take years to manifest. Don't let the course imply that winning an AI benchmark translates automatically to geopolitical dominance.

Discussion Prompts

• The U.S. export control regime restricts advanced chips to China. China is investing heavily in domestic semiconductor production. How long can the chokepoint strategy work, and what should U.S. policy do when it fails?
• If China achieves demonstrably superior AI in autonomous weapons systems, does that change the credibility of U.S. extended deterrence commitments to Taiwan, Japan, and South Korea? How?
• The EU is pursuing a regulatory rather than innovation-based AI strategy. Is this a viable path to AI geopolitical influence, or does it concede the field to the U.S. and China?
• Should the U.S. treat AI as a public good — sharing capabilities with allies — or as a strategic monopoly to maintain? What are the costs and benefits of each approach?

Timing Guide

Transition to Session 5

If states are competing this intensely over AI military capabilities, the natural question is whether — and how — those capabilities can be regulated through international agreements, which is what we'll examine in the next session on arms control for AI.

Learning Objectives

• Survey the existing arms control treaty landscape — Chemical Weapons Convention, Biological Weapons Convention, Ottawa Treaty — and identify which features are or are not transferable to AI weapons governance.
• Explain the specific technical and political obstacles that make traditional arms control models difficult to apply to AI systems.
• Evaluate the main proposals currently under discussion at the UN CCW and elsewhere for regulating lethal autonomous weapons systems.
• Develop a reasoned position on whether a binding international treaty on LAWS is achievable, and what a less ambitious but more achievable regime might look like.

Session Overview

Arms control is how the international community manages weapons it considers too dangerous or indiscriminate to leave fully unregulated. This session asks whether the tools of arms control — verification regimes, treaty obligations, export restrictions, norms — can be applied to AI-enabled weapons. The short answer is: probably, but not in the same form that worked for chemical weapons or land mines, and with significant challenges that have no obvious solutions yet.

The session surveys what already exists (UN CCW discussions, the U.S. DoD Directive 3000.09, various national policies), what is being proposed, and what the fundamental obstacles are. It aims to leave participants with realistic expectations about what international governance can and cannot accomplish with AI weapons, and with a clearer view of what success might actually look like in this domain.

Key Teaching Points

• Existing treaty models and their transferability. The Chemical Weapons Convention works because chemical weapons are distinguishable, storable, and detectable. Land mine bans work because of strong civil society campaigns and clear civilian harm. AI weapons are software — invisible, rapidly modifiable, and dual-use. The verification models that work for physical weapons don't obviously transfer, and this is a fundamental obstacle, not a solvable technical problem.
• DoD Directive 3000.09: the U.S. internal framework. The Pentagon's existing policy on autonomous weapons requires human judgment before deadly force is applied, except in certain defensive cyberspace and electronic warfare contexts. This is meaningful as a national commitment but does not bind other states and contains significant definitional ambiguities that operational commanders have latitude to interpret.
• The UN CCW process: slow, non-binding, contested. The Convention on Certain Conventional Weapons has been discussing LAWS since 2014 without reaching agreement. Key dividing lines: Russia and the U.S. resist a binding ban; smaller states and the International Committee of the Red Cross advocate for one. The process is the primary multilateral forum but has produced only non-binding political declarations.
• The verification problem is central and severe. How do you verify that a state has not deployed an autonomous targeting algorithm? Unlike a nuclear warhead, an AI system has no physical signature. On-site inspections, satellite surveillance, and seismic monitoring — the verification toolkit of Cold War arms control — do not apply. This is not merely a political obstacle; it may be a technical impossibility.
• Norms as a second-best but achievable outcome. The Chemical Weapons Convention succeeded partly because chemical weapons became normatively stigmatized even before the treaty. A similar norm against "killer robots" could reduce deployment even without a binding treaty. The Campaign to Stop Killer Robots and similar civil society efforts are attempting to build that norm. Historical analogies include the norm against assassination of heads of state — imperfect but real.
• Meaningful human control as the operative standard. Most reform proposals converge on some version of requiring "meaningful human control" over lethal decisions. This is normatively attractive but technically vague — the term does almost no definitional work without further specification of what "meaningful" requires in terms of time, information, and decision authority. Asking participants to define it usually reveals how much work remains.

Discussion Prompts

• Define "meaningful human control" as precisely as you can, then identify a realistic combat scenario where your definition would be violated by current or near-future military systems. Does that scenario seem like a problem that should be regulated?
• If a binding treaty on LAWS is unachievable because major powers won't sign, is pursuing one a good use of diplomatic energy? What are the opportunity costs of the current CCW approach?
• The Ottawa Treaty banning land mines was achieved largely through civil society pressure rather than state-to-state negotiation. Is a similar campaign to stigmatize "killer robots" strategically viable? What would it require?
• Should AI companies be subject to arms export control regulations when they sell AI systems to foreign militaries? How would you structure such a regime?

Timing Guide

Transition to Session 6

Arms control frameworks traditionally focus on weapons specifically designed for military use — but increasingly, the most powerful AI systems are being built for civilian purposes and then finding military applications, which is the dual-use problem we'll examine in our final session.

Learning Objectives

• Define dual-use research of concern (DURC) as it applies to AI and distinguish it from the biosecurity context where the concept originated.
• Identify at least four categories of civilian AI research that have demonstrated or plausible military applications, and assess the severity of the national security risk each poses.
• Evaluate the governance options available for managing dual-use AI research risks — export controls, publication review, access restrictions, and voluntary norms — and their practical limitations.
• Articulate a personal position on the appropriate balance between open scientific publishing and national security classification of AI research findings.

Session Overview

The dual-use problem in AI is structurally different from the dual-use problem in biology or chemistry. A pathogen modified for lethality is clearly and immediately dangerous; a large language model trained on code is useful for programmers and potentially useful for malware authors in ways that are much harder to disentangle. The distinction between civilian and military AI is not primarily technical — it is contextual. The same model weights, deployed in different systems with different prompts and integrations, can support radically different applications.

This final session draws together threads from across the course — autonomous systems, intelligence, cyber, geopolitics, arms control — and asks how civilian AI research and development should be governed given that its outputs will inevitably flow into national security contexts. It closes the course with an open question rather than a settled answer, because the governance frameworks needed to address dual-use AI responsibly do not yet exist.

Key Teaching Points

• Large language models trained on code as the paradigmatic dual-use AI. A model that can write functional software can write functional malware. A model that can synthesize scientific literature can synthesize weapons-relevant technical documents. This is not hypothetical — it is a design property of general-purpose AI systems, and it cannot be engineered away without eliminating the capabilities that make the systems useful.
• Autonomous vehicle research and drone swarms. The perception, navigation, and swarm coordination algorithms developed for commercial autonomous vehicles and drone delivery directly enable autonomous military platforms. DJI drones — designed for photography — have been weaponized by combatants in every major recent conflict. The civilian-to-military conversion pathway is short and cheap.
• Protein structure prediction and biological weapons. AlphaFold's ability to predict protein structures from amino acid sequences has enormous beneficial applications. It also reduces the expertise barrier for designing novel biological agents. This is one of the most serious dual-use AI risks and the one where the potential harm is most catastrophic — though causation is difficult to establish.
• Export controls and the open-source publication dilemma. The U.S. export control regime (ITAR/EAR) was designed for physical goods and has significant difficulty governing model weights, datasets, and training code published on the open internet. When a research lab publishes model weights openly, those weights are immediately available to adversary states regardless of export control law. This is a genuine and unresolved tension in current policy.
• Voluntary norms in research communities: lessons from biology. The life sciences community developed institutional biosafety committees, gain-of-function research moratoria, and dual-use research of concern guidelines after the anthrax attacks and debates about H5N1 research. These imperfect structures represent the most developed model for managing dual-use research risk outside of classification. Ask whether they are transferable to AI.
• Classification as a blunt and leaky instrument. Classifying AI research slows adversary access but also slows domestic scientific progress, impedes international collaboration, and creates incentives for key researchers to move to less restrictive environments (or countries). The track record of classification in dual-use domains — nuclear, biological — suggests it delays rather than prevents proliferation, at significant cost to research quality and open science norms.

Discussion Prompts

• Should AI research labs be required to conduct and publish national security impact assessments before releasing model weights? Who should conduct those assessments, and what authority should they have to delay or block publication?
• A university researcher publishes an open-source AI tool for automating biological synthesis planning. The tool was designed for legitimate pharmaceutical research but could plausibly reduce barriers to bioweapon development. What, if anything, should the government be able to do about this?
• If the U.S. restricts open publication of AI research on national security grounds, allied states and competitors will continue publishing openly. Does this make restriction counterproductive? Are there categories of research where the answer is different?
• Reflecting on the entire course: where does the most urgent governance gap lie — in the law of armed conflict, in intelligence oversight, in arms control, in export controls, or in research governance? What would you prioritize if you were advising a policymaker?

Timing Guide

Course Complete

This is the final session. Consider closing with a synthesis question that spans the full course, inviting participants to identify the governance gap they consider most urgent — and the one they are most optimistic can be addressed.