Rethinking Trust: Reflections from NATO’s Research Meeting on Generative AI in Military Applications

At the NATO IST-HFM-225 Research Specialists' Meeting, we presented our work on creating secure frameworks for deploying generative AI in military contexts alongside stakeholders from NAVWAR PEO C4I. This blog post outlines our approach to ensuring these powerful technologies can be integrated safely into mission-critical systems.

The Command and Control Imperative

Our presentation began with a foundational principle from Vice Admiral Willard: "The root tenets of command and control are timeless—but they have been lost in the chase for new technologies. Commanders must exert exacting control over their forces to advance their plans if they are to defeat that future adversary who is multidimensional, well equipped, well trained, willing to fight, and intending to win." This perspective guided our framework development.

Effective command and control enables decisive action—leaders must know when, where, and how to apply their tools. In modern warfare, operational commanders need superior insight beyond frontline actions with the primary goal of achieving real-time enemy awareness and rapid counteraction.

The challenge we address is how generative AI can give our forces a comprehensive command picture, with richer context at every stage of the understand-decide-act cycle. This capability creates overmatch against adversaries who may field well-equipped platforms but lack true interoperability and comprehensive situational awareness. Technology serves as a force multiplier when it enables real-time information exchange and execution. The goal isn't simply deploying well-equipped platforms, but ensuring true interoperability that enhances, rather than replaces, command judgment.

Security Challenges in Military AI Systems

Generative AI introduces unique security vulnerabilities that extend beyond traditional military systems, creating an expanded attack surface requiring tailored defense strategies:

  1. Rapidly Evolving Threat Landscape: AI systems face dynamic threats including:
    • Adversarial Inputs: Malicious signals or electronic warfare attacks designed to deceive AI-driven ISR, targeting, and decision systems
    • Data Poisoning: Manipulated training or operational data from compromised sensors that degrades model reliability
    • Model Theft: Interception or extraction of model parameters that exposes decision logic and lets an adversary craft effective countermeasures
  2. Operational Vulnerabilities:
    • Black Box Risk: Poisoned data or malicious inputs that are difficult to detect inside opaque, complex AI systems
    • Data Drift: Models trained in controlled environments failing under battlefield conditions with varying terrain, weather, and deception tactics
    • Prompt Injection: Manipulated inputs that can distort AI-generated intelligence and decision-making outputs
  3. Command Integrity Challenges:
    • Maintaining reliable information flows while preventing unauthorized access
    • Ensuring AI systems enhance rather than obscure commander situational awareness
    • Preserving human judgment in the decision loop under degraded communications conditions

These military-specific challenges require security approaches that maintain both operational effectiveness and information integrity across the entire AI lifecycle.

Information Aggregation Risks

During our session, we posed a scenario to illustrate the unintended consequences of seemingly innocuous AI applications: What if every service member was asked to report their top five activities from the previous week, and this data was aggregated and processed through a transformer model?

Even with basic organizational structure data, an adversary with access to such a system could potentially infer strategic, operational, or tactical objectives. For example, patterns in routine activities might reveal preparations for operations, shifts in force posture, or command priorities that weren't intended to be disclosed. This represents a form of unintentional intelligence leakage that traditional security models don't adequately address.

This example highlights how AI systems can inadvertently create new intelligence vulnerabilities through their ability to identify patterns across seemingly disconnected data points. Securing military AI requires considering not just direct adversarial attacks, but also the risks of pattern leakage and inferential disclosure that come with powerful analytical systems.

A Comprehensive Security Taxonomy

To address these challenges, we proposed a taxonomy organized across five domains:

  1. Model Security
    • Training Security
    • Model Integrity
    • Evaluation
  2. Runtime Security
    • Workload Isolation
    • Access Control
    • Monitoring
  3. Data Security
    • Privacy Controls
    • Encryption
    • Data Lineage
  4. Supply Chain Security
    • Artifact Security
    • Dependencies
    • Deployment
  5. Governance
    • Compliance
    • Audit & Logging
    • Risk Management

Cross-cutting concerns include identity management, observability, compliance requirements, and incident response.

Key Security Controls for Military AI

Our framework emphasizes several critical security controls:

Workload Isolation and Compartmentalization

Military AI applications require strong isolation to prevent lateral movement and credential theft. This includes:

  • Secure processes and kernels to prevent container escapes
  • Segmented workloads to reduce breach impact radius
  • Dynamic credentials for AI workloads that interact with multiple systems

Dynamic Authorization for Automated Systems

When AI workloads act autonomously, authorization must be equally dynamic:

  • Evaluation based on request source, purpose, and context
  • Granular authorization for jobs and workloads acting on behalf of users
  • Real-time policy enforcement tied to automated credential issuance

Trust Scaling Through Automated PKI

Our approach leverages automated high-velocity PKI with:

  • Automated identifier assignment with unique workload-specific identifiers
  • Instant credential issuance tied to workload identifiers
  • Policy-driven trust verification
  • Continuous monitoring and credential rotation

Implementation Techniques

For practical implementation, we recommend:

  • Delegated Access: Using standardized identity and delegation mechanisms such as SPIFFE, X.509 certificates, JWTs, and OpenID Connect
  • Authorization Policy Enforcement: Implementing policy engines using tools like Open Policy Agent (OPA) and Cilium
  • Processing Jobs Locally: Running computation where the data is created to reduce transmission risks
  • Distributed Ledger for Verification: Implementing append-only transparency logs so artifacts and decisions can be independently verified
  • Secure Updates: Deploying frameworks like TUF (The Update Framework) and in-toto
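The three preceding sections (dynamic authorization, automated PKI, and the implementation techniques above) describe one control loop: a workload presents a short-lived credential bound to its identity, and a policy engine decides based on source, purpose and context. The following is an added example written for this post, not code from the authors, NAVWAR, or any of the named projects. It models that loop in plain Python with SPIFFE-style identifiers; the trust domain `example.mil`, the resource names, the one-hour credential lifetime and the rules are all constructed assumptions, and a real deployment would obtain the identity from an X.509 SVID or JWT and evaluate the policy in an engine such as OPA.

```python
"""Context-aware authorization for automated workloads (added example).

Models a policy decision point: the credential must be valid and short-lived,
bound to the service it is used against, and the workload identity, declared
purpose and delegation context must match a rule. Default is deny.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Assumption: workload credentials are minted for at most one hour and rotated.
MAX_CREDENTIAL_TTL = timedelta(hours=1)


@dataclass(frozen=True)
class Credential:
    spiffe_id: str        # workload identity, e.g. spiffe://example.mil/isr/fusion (constructed)
    audience: str         # service the credential was issued for
    issued_at: datetime
    expires_at: datetime


@dataclass(frozen=True)
class Request:
    credential: Credential
    resource: str                 # "<service>/<action>", e.g. "track-db/read"
    purpose: str                  # purpose declared by the caller
    on_behalf_of: Optional[str]   # human principal the workload is acting for, if any
    now: datetime


@dataclass(frozen=True)
class Rule:
    spiffe_prefix: str
    allowed_resources: FrozenSet[str]
    allowed_purposes: FrozenSet[str]
    requires_human_delegation: bool = False


def evaluate(rules: List[Rule], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check that fails short-circuits to deny."""
    cred = req.credential
    # 1. Credential validity: expired, not-yet-valid or over-long-lived credentials are rejected.
    if not (cred.issued_at <= req.now < cred.expires_at):
        return False, "credential expired or not yet valid"
    if cred.expires_at - cred.issued_at > MAX_CREDENTIAL_TTL:
        return False, "credential lifetime exceeds policy maximum"
    # 2. Audience binding: a credential minted for one service cannot be replayed at another.
    service = req.resource.split("/", 1)[0]
    if cred.audience != service:
        return False, "credential audience does not match requested service"
    # 3. Source, purpose and context: first rule matching the workload identity decides.
    for rule in rules:
        if not cred.spiffe_id.startswith(rule.spiffe_prefix):
            continue
        if req.resource not in rule.allowed_resources:
            return False, f"resource {req.resource!r} not permitted for {cred.spiffe_id}"
        if req.purpose not in rule.allowed_purposes:
            return False, f"purpose {req.purpose!r} not permitted"
        if rule.requires_human_delegation and not req.on_behalf_of:
            return False, "action requires an explicit human principal"
        return True, f"allowed by rule {rule.spiffe_prefix}"
    return False, "no rule for workload identity (default deny)"


# Constructed policy: ISR fusion workloads may read tracks for fusion; tasking
# workloads may write tasks only when acting on behalf of a named commander.
RULES = [
    Rule("spiffe://example.mil/isr/", frozenset({"track-db/read"}), frozenset({"isr-fusion"})),
    Rule("spiffe://example.mil/tasking/", frozenset({"tasking/write"}),
         frozenset({"mission-tasking"}), requires_human_delegation=True),
]


def demo() -> List[Tuple[bool, str]]:
    """Run four constructed scenarios and return their decisions."""
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = Credential("spiffe://example.mil/isr/fusion", "track-db", t0, t0 + timedelta(minutes=30))
    stale = Credential("spiffe://example.mil/isr/fusion", "track-db", t0 - timedelta(hours=2), t0 - timedelta(hours=1))
    tasker = Credential("spiffe://example.mil/tasking/planner", "tasking", t0, t0 + timedelta(minutes=30))
    return [
        evaluate(RULES, Request(fresh, "track-db/read", "isr-fusion", None, t0)),        # allow
        evaluate(RULES, Request(stale, "track-db/read", "isr-fusion", None, t0)),        # deny: expired
        evaluate(RULES, Request(fresh, "track-db/read", "export", None, t0)),            # deny: purpose
        evaluate(RULES, Request(tasker, "tasking/write", "mission-tasking", None, t0)),  # deny: no human
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of checks matters: credential validity and audience binding are evaluated before any rule lookup, so a leaked long-lived or mis-scoped credential is rejected without consulting policy at all, which is the property the PKI and rotation controls are meant to guarantee.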

Learning from Industry Security Incidents

We analyzed several enterprise security incidents that offer valuable lessons for military implementations:

  • Microsoft AI Research Data Leak (2023): A misconfigured SAS token in Azure Blob Storage exposed 38TB of sensitive internal data, including private keys and passwords. In a military context, similar credential vulnerabilities could compromise classified data stores or provide adversaries with access across command systems, potentially affecting operational security at critical moments.
  • Copilot Oversharing Problem: This enterprise incident demonstrated how AI systems can access data across intended boundaries when traditional permissions fail to contain exposure. For command and control environments, similar flaws could lead to unauthorized data sharing across classification boundaries or coalition partners, compromising operational security and potentially revealing strategic intentions.
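The first incident above turned on a single over-broad, long-lived SAS token. The following added example (not code from the post's authors or from Microsoft) shows the kind of configuration review a defender can automate: it parses the query-string form of an Azure shared access signature and flags the properties that made that token dangerous, namely write or delete permissions, container- or account-wide scope, a distant expiry and no IP restriction. The tokens are constructed, the signatures are placeholders, and the one-year expiry threshold is an assumed review policy; the parameter names (`sp`, `se`, `sr`, `srt`, `sip`, `sig`) are Azure's own.

```python
"""Flag over-permissive Azure SAS tokens found in configuration (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs

# Permission letters that allow modifying or deleting data.
WRITE_PERMS = set("wdacu")  # write, delete, add, create, update
# Assumption: review policy treats expiries more than a year out as a finding.
MAX_EXPIRY_HORIZON = timedelta(days=365)


def parse_sas(token: str) -> Dict[str, str]:
    """Split a SAS token (with or without a leading '?') into its parameters."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def assess_sas(token: str, now: datetime) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    p = parse_sas(token)
    findings: List[str] = []
    perms = set(p.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append("grants write/delete permissions: sp=" + p.get("sp", ""))
    if "srt" in p:  # account SAS: applies across the whole storage account
        findings.append("account-level scope: srt=" + p["srt"])
    elif p.get("sr") == "c":
        findings.append("container-level scope (sr=c)")
    if "l" in perms and (p.get("sr") == "c" or "srt" in p):
        findings.append("can enumerate all blobs in scope (list permission)")
    se = p.get("se")
    if not se:
        findings.append("no expiry (se) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > MAX_EXPIRY_HORIZON:
            findings.append(f"expiry {expiry.date()} is more than a year away")
    if not p.get("sip"):
        findings.append("no source IP restriction (sip)")
    if p.get("spr", "https") != "https":
        findings.append("permits plaintext HTTP (spr)")
    return findings


# Constructed sample tokens; signatures are placeholders, not real values.
BROAD_TOKEN = ("?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacu&se=2040-01-01T00:00:00Z"
               "&st=2020-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
NARROW_TOKEN = ("?sv=2022-11-02&sr=b&sp=r&se=2023-09-02T00:00:00Z&sip=203.0.113.10"
                "&spr=https&sig=PLACEHOLDER")


def demo() -> Dict[str, List[str]]:
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)  # constructed review date
    return {"broad": assess_sas(BROAD_TOKEN, now), "narrow": assess_sas(NARROW_TOKEN, now)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Run as a pre-commit or secret-scanning step, this kind of check catches the combination that matters (broad permissions, wide scope and a far-off expiry on one token) rather than just the presence of a `sig=` parameter.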

These industry examples underscore how seemingly isolated technical vulnerabilities can cascade into systemic failures. In military command and control contexts, where decision speed and information integrity directly impact mission outcomes, such failures could compromise situational awareness, disrupt communication chains, or expose sensitive capabilities to adversaries.

The military implications extend beyond data exposure to potentially affecting command visibility, decision cycles, and trust in automated systems during critical operations. These considerations make implementing robust security frameworks even more imperative for military applications than for commercial systems.

Looking Forward

Military applications of generative AI must balance capability with security. Our framework provides a starting point for implementing AI systems that enhance rather than diminish command visibility and operational judgment.

The security challenges will continue to evolve, making continued collaboration between researchers, practitioners, and operational leaders essential. We believe that properly secured AI capabilities can rebalance the operational advantage through vigilance and adaptation, supporting rather than supplanting the critical human elements of military decision-making.