Artificial Intelligence Integration in Military Operations: Capability Development, Operational Risk Assessment, and Strategic Doctrine Evolution

Executive Summary

Military doctrine now seeks to employ artificial intelligence as part of its operational arsenal, framed largely as a question of speed, efficiency, and competitive necessity. Defense institutions deploying AI across command structures are generating new categories of operational vulnerability that outpace the governance frameworks designed to contain them, and the gap between capability adoption and doctrine maturation is widening in ways that create exploitable seams. The problem is not that the Department of Defense is experimenting with generative models, but that this experimentation is already being normalized as routine infrastructure rather than treated as a fragile and high-risk intervention. The consequences spill directly into geopolitical and strategic domains: an AI-dependent military that cannot rapidly isolate and recover from AI failure is a military whose adversaries can now disable at the software layer.

The Structural Seam: When Integration Becomes Dependency

The most consequential vulnerability in AI-enabled military command is not adversarial hacking in the conventional sense, it is the dependency relationship that forms when AI systems become load-bearing infrastructure before doctrine has defined what happens when they fail. The FY 2026 National Defense Authorization Act statutorily chartered a separate ontology governance structure under the DoD chief data officer to establish baseline standards across the agency; however, that framework remains nascent, and command platforms that most urgently need governing definitions have yet to be integrated into this emerging structure. The gap between a modular open systems interface architecture and the chief digital officer's ontology governance remains a critical vulnerability for decision systems.

The interplay between data governance failures and command authority creates compounding risk. When the ontological standards defining what a target is, what a threat is, and what a valid sensor reading is are inconsistent across platforms, AI systems operating on those definitions will produce inconsistent, and potentially contradictory, outputs to commanders in the same operational area. War on the Rocks identified this as the defining tension in April 2026: AI use is accelerating this problem, as many vendors are now using AI to code and incorporate it into their own applications, meaning errors propagate through the stack before they can be identified.

The broader geopolitical implications are direct. An adversary that understands the ontological seams in a coalition's AI-enabled command system does not need to penetrate the network in the conventional sense, it only needs to introduce targeting ambiguity at the data layer to degrade mission effectiveness. These military and technological dimensions of the problem are mutually reinforcing: as platforms become more interconnected under JADC2, the attack surface expands even as integration depth deepens. The Pentagon's CYBER360 survey found that 90 percent of government security and IT leaders view AI as critical to enabling a fully integrated force, while 82 percent cited sharing data across these networks as significantly increasing cyber risk exposure.

Ukraine As The Operational Laboratory: What Dependency Looks Like At Scale

The Russia-Ukraine conflict provides the most detailed observable data on what AI-enabled command dependency looks like when tested under sustained adversarial pressure. The Atlantic Council assessed in March 2026 that sustaining compute under attack has become a national security imperative as critical as shipbuilding capacity or semiconductor production; if the next phase of warfare is shaped by learning cycles and distributed autonomy, the defense industrial base is no longer only steel and shells.

Ukraine's experience demonstrates the stock-flow problem that characterizes AI military dependency: the stock (installed autonomous capability) builds faster than the flow of doctrine, maintenance capacity, and trained personnel needed to sustain it. High sortie rates, short platform lifespans, and intensive electronic contestation impose substantial logistical demands; at the tactical level, drone operations depend on a layered technical architecture including reliable communications links, frequency management, and navigation aids, and both Ukrainian and Russian forces have had to constantly re-engineer control systems, antennas, and guidance methods to overcome jamming and interception.

This finding from the Australian Army Research Centre is analytically significant because it undercuts the assumption that AI autonomous systems reduce the sustainment burden. The opposite is true at scale: each autonomous platform generates a continuous demand signal for software modification, sensor recalibration, and frequency management that requires specialist teams operating behind the frontline at a pace conventional logistics chains were not designed to support.

The interplay between AI capability dependency and geopolitical risk is visible in Ukraine's Brave1 initiative. Ukraine's wartime technology ecosystem is increasingly influencing how Western governments and defense contractors approach modern warfare; Palantir Technologies' Alex Karp met with Ukrainian President Zelenskyy and the Digital Transformation Minister in Kyiv in May 2026 to expand cooperation around the Brave1 defense innovation platform, which uses Palantir's software infrastructure to help Ukrainian defense startups process and analyze battlefield data. When a nation's command intelligence processing runs through a commercial platform operated by a single foreign firm, the sovereign risk implications extend well beyond the battlefield: those dependencies translate directly into negotiating leverage, continuity-of-operations exposure, and potential single-vendor points of failure in any conflict scenario that outlasts the commercial relationship.

Hudson Institute analysts, drawing on French military assessments in 2026, summarized the command-and-control implication directly: modern drone warfare forces a shift where assessed architectures need to embed AI technologies to manage sensing, targeting prioritization, tasking, deconfliction, and maneuvering at machine speed, while preserving appropriate human authority and legal accountability. Dronization demands a faster, more distributed, and more autonomous assessed than legacy chains, but it should still have human accountability.

The Doctrinal Gap: Risk Acceptance Without A Framework

Across Western militaries, the pattern is consistent: AI systems are being acquired and integrated at a pace that doctrine-writing institutions cannot match. The US Army's Combined Arms Doctrine Directorate acknowledged in February 2026 that the Army is incorporating AI tools to help write doctrine itself, with the Combined Arms Doctrine Directorate training doctrine writers on these tools. The recursive quality of this arrangement, using AI to accelerate doctrine production about AI, carries its own risks: AI tools used to draft doctrine may encode the same hallucination tendencies that doctrine is meant to govern.

Academic research published in 2026 and presented at the REAIM Summit argues for a harder boundary. The recognition that delegating command decisions amplifies risks across field-level failure, escalatory instability, and institutional erosion has led some researchers to recommend a categorical ban on AI systems that issue battlefield commands to human soldiers, whether through natural language interfaces or direct control platforms. This view from the academic and arms-control community stands in direct tension with what Army Cyber Command is exploring on the other side: that cyber threats may now move fast enough that AI agents will need the authority to act without waiting for human approval.

The Belfer Center's April 2026 report frames the broader regulatory failure as structural: competitive pressures foster rapid deployments of insufficiently vetted systems, amplifying both operational vulnerability risks and inadvertent escalation risks; yet shared awareness of these dangers among states has not translated into substantive agreement on binding principles. This regulatory failure reflects, in part, divergences in national security interests and socioeconomic legacies.

These technological dynamics compound the existing geopolitical uncertainty in both security and economic domains. Defense firms, particularly those operating in AI-intensive acquisition pipelines, face a compressing window for adversarial robustness testing before commercial platforms reach operational deployment. The broader strategic implications include industrial concentration risk: as the 2026 FY NDAA's cybersecurity provisions indicate, the Act requires training content to address unique AI/ML security vulnerabilities and maintains stability in command structure and authorities, preventing organizational changes that could disrupt cyber operations. But statutory stability in command structure does not address the deeper problem of what happens when the AI systems those commands rely on fail in ways that no commander was trained to diagnose.

The Supply Chain As The Kill Chain

The least-discussed vulnerability in military AI deployment is also the most structurally persistent: the commercial supply chain through which AI capability flows into defense systems is not designed for the adversarial environment in which those systems will operate. Google Threat Intelligence Group documented in May 2026 that throughout early 2026, threat actors have not yet achieved breakthrough capabilities to bypass the core security logic of frontier models; instead, they are leveraging traditional supply chain tactics, such as embedding malicious logic in popular integration libraries or distributing trojanized configuration files, to gain initial access to production AI environments.

The cyber security implications for military financial systems, procurement pipelines, and AI model integrity are direct and underappreciated. A trojanized configuration file embedded in a logistics AI system is not a hypothetical attack, it is the class of attack that Google's GTIG assesses is already being executed against production AI environments. The Scandinavian Journal of Military Studies noted in April 2026 that the development of public-private partnerships in the defense technology sector requires a carefully adapted model rather than direct replication of the rapid, market-driven innovation cycles and risk-tolerant investment culture typical of Silicon Valley, which may conflict with military, ethical, and legal obligations, and that military applications of artificial intelligence that directly affect civilian populations and protected infrastructure must strike a balance between innovation and stringent legal, ethical, and safety standards.

The Pentagon's offensive AI task force adds a further dimension. As Politico reported and Metaintro analyzed in May 2026, the boundary between offense and defense is undefined in the public reporting; AI tools that can probe systems for vulnerabilities can be used to harden friendly networks or to attack adversary ones, and the same model that flags a misconfiguration on a Defense Department server can, in different hands, draft an exploit chain. This dual-use tension is not merely ethical, it generates operational security risk, because any AI hacking tool the US develops and deploys represents a capability whose discovery by an adversary immediately becomes a threat vector against DoD systems.

The UK National Cyber Security Centre's assessment, documented in the International AI Safety Report, provides the directional judgment: by 2027, general-purpose AI systems will high confidence make cyber offense more effective and efficient; the window to address software vulnerabilities after disclosure has now shrunk to days in some cases, and AI could make it cheaper and faster to execute large-scale cyberattacks. For military command systems running on commercial AI platforms, this is not an abstract forecast, it defines the operational clock against which patch and response cycles must compete.

A Separate Command Is Not The Answer

A structural debate that has emerged in 2026 is whether autonomous and AI systems should be consolidated under a dedicated military combatant command. Forbes, drawing on analysis by former Air Force senior leaders in June 2026, argued directly against this approach: creating a separate combatant command for autonomous and AI systems would complicate tasking, authorities, targeting, prioritization, communications, and sustainment, increasing seams, adding command complexity, and reducing understanding of how the respective tools operate together. The argument is that in combat, those seams are not administrative nuisances, they are vulnerabilities that adversaries would exploit.

This debate matters beyond organizational design. Where AI capability sits in the command hierarchy determines who bears accountability when it fails, who owns the data it trains on, and who can authorize emergency shutdown procedures. The Pentagon already runs the Chief Digital and Artificial Intelligence Office, which absorbed the former Joint Artificial Intelligence Center; whether any new AI task force sits under CDAO, reports directly to the Secretary of Defense, or runs out of Cyber Command itself will determine who controls the hiring footprint and, by extension, the accountability structure. The picture is mixed: authority is fragmented, and no single command chain owns the full lifecycle from model procurement through operational deployment through decommission.

The AutoPractices Project, convened through the Center for War Studies at the University of Southern Denmark and presented at the 2026 REAIM Summit, produced guidance reinforcing the integration-not-isolation principle: meaningful human control over AI-enabled weapons systems requires embedding control mechanisms at the design stage, not grafting governance onto already-deployed systems. The EU's February 2026 drone action plan reflects a parallel logic at the alliance level: the European Commission introduced a new drone action plan focused on detection, protection against incoming units, and safeguarding of critical infrastructure, asking member states to test their 5G networks for early drone warnings and to integrate AI into warning systems, potentially allowing a network of more than 350,000 5G base stations to function as a vast radar system. The integration is network-wide, not siloed in a separate command.

Counterarguments

1. The dependency-as-vulnerability framing overstates the fragility of AI-enabled command systems. The same network effects that create dependency also create redundancy and speed advantages that more than compensate for the new attack surface. If AI decision-support systems are compromised, human commanders can revert to pre-AI doctrine, the human chain of command remains intact. The Forbes piece by former military leaders arguing against a separate AI command is itself a defense of integration, implying that AI systems embedded throughout the force are more resilient than centralized alternatives. Against this, the Google GTIG finding that adversaries are already exploiting production AI environments through supply chain infiltration, without needing to defeat the core security logic, suggests the "revert to human command" fallback may not be available in real time when the system failure is invisible.

2. The Ukraine lessons may not transfer to great-power conflict at the scale and tempo that doctrine must be designed for. Ukraine's tactical AI integration is driven by attrition economics and commercial availability, not by the kind of hardened, classified AI architecture that major powers would deploy. The Ifri finding that small-scale human-machine teaming is "more viable" than autonomous swarms reflects Ukrainian constraints, not necessarily the capability ceiling of US or Chinese systems operating under purpose-built military networks with dedicated spectrum. This is a genuine blind spot: the evidence base for military AI vulnerability is heavily weighted toward the Ukraine conflict, which features extensive improvisation and commercial-off-the-shelf systems that may not represent the operational environment in which doctrine is actually being written.

3. Regulatory and governance frameworks are developing faster than this assessment credits. The FY2026 NDAA's cybersecurity provisions, the DoD Zero Trust Strategy requiring Target Level implementation across all DoD information networks by September 2027, and the CDAO's Responsible AI frameworks and AI assurance toolkits represent a coordinated institutional response that takes time to operationalize. The International AI Safety Report 2026 documents that the number of companies publishing Frontier AI Safety Frameworks more than doubled in 2025, and governments have established governance frameworks for general-purpose AI focusing on transparency and risk assessment. If these frameworks mature and integrate faster than the current trajectory suggests, the doctrinal gap identified here narrows materially within a 24-month window, which would require revising the urgency framing of this assessment.

Securitization Theory Analysis

Securitizing Actor: Multiple actors simultaneously, the US Department of Defense through the FY2026 NDAA, Army Cyber Command leadership through public wargame statements, EU institutions through the February 2026 drone action plan, and academic institutions through the REAIM Summit. No single securitizing actor controls the frame.

Referent Object: The integrity of military command authority itself, specifically, the human chain of command and the legal accountability structures that international humanitarian law requires. The threat is framed not as an external adversary per se, but as the possibility that AI systems could silently degrade or replace the human decision-making that legitimizes the use of force.

Existential Threat Construction: Army Cyber Command framed the issue in May 2026 in terms of operational survival: if the cyber threat is sufficiently fast-moving, the military may need to permit AI agents to act autonomously, meaning the alternative to AI authority is mission failure. Researchers at the REAIM Summit 2026 inverted this, arguing that delegating command decisions to AI amplifies risks across field-level failure, escalatory instability, and institutional erosion. Both frames invoke existential consequences but attribute agency differently.

Target Audience: Legislative bodies (NDAA provisions), military leadership (wargame conclusions), and allied governments (REAIM Summit participants and EU member states). The discourse is primarily intra-governmental and defense-industrial, with civil society represented primarily through academic arms-control voices.

Extraordinary Measures: The Pentagon's task force studying deployment of offensive AI hacking tools across Cyber Command and NSA constitutes a measure that would not ordinarily be considered acceptable in peacetime cyber doctrine. The EU's proposal to use 350,000 5G base stations as a distributed radar architecture crosses a threshold from commercial infrastructure into dual-use national security infrastructure, a designation that, once made, alters regulatory and investment requirements.

Classification: SECURITIZED

Process Tracing Analysis

Cause and Outcome: The cause under examination is the rapid normalization of commercial AI systems as military command infrastructure. The outcome being traced is the emergence of structural command vulnerability, specifically, the creation of exploitable dependencies that adversaries can target at the software and data layer without conventional kinetic action.

Causal Mechanism Chain: (1) Geopolitical competition accelerates military AI adoption timelines beyond what doctrinal development can absorb. (2) Defense institutions purchase commercial AI platforms designed for speed-to-market, not adversarial robustness. (3) Commercial AI systems are integrated into command and control workflows before ontological standards, accountability frameworks, or failure-mode doctrine is established. (4) The gap between integration and governance creates unmonitored dependencies, systems whose failure modes are unknown to commanders and whose supply chains are vulnerable to adversarial infiltration. (5) Adversaries identify and begin exploiting supply-chain vectors, producing command uncertainty at precisely the moment when AI-assisted decision speed is most needed.

Evidence Assessment:

• Step 1: Smoking gun, Belfer Center April 2026 documents competitive pressure driving rapid deployment of insufficiently vetted systems; Stanford AI Index 2026 quantifies the narrowing capability gap that motivates US acceleration.
• Step 2: Smoking gun, Small Wars Journal March 2026 documents normalization of generative AI as routine military infrastructure; War on the Rocks April 2026 documents vendor-defined ontologies lacking adequate DoD oversight.
• Step 3: Hoop test, FY2026 NDAA ontology governance structure confirmed as nascent and unintegrated with command platforms; Army doctrine AI use confirmed February 2026.
• Step 4: Smoking gun, Google GTIG May 2026 confirms active exploitation of AI production environments through supply chain infiltration in early 2026.
• Step 5: Hoop test, National Defense Magazine April 2026 reports AI models used by Pentagon susceptible to foreign influence, though the full extent of active exploitation at command level remains classified.

CAUSAL_MECHANISM_STRENGTH: MODERATE

The supply chain exploitation step is well-evidenced; the final link, confirmed command-level impact, relies partly on classified evidence unavailable in open sources.

Constructivism Lens Analysis

Actor Identities: Western defense institutions are projecting a dual identity: responsible stewards of human control norms and competitive modernizers who cannot afford to fall behind adversaries. This identity tension, which pervades US, EU, and Australian military AI discourse, constrains available policy options and produces the doctrinal ambiguity documented throughout this assessment.

Operative Norms: The norm of meaningful human control over lethal force, grounded in International Humanitarian Law, is operative but contested at the implementation layer. No binding international norm currently defines what "meaningful" means when AI systems are making targeting recommendations faster than human commanders can validate them.

Intersubjective Meaning: The 2026 REAIM Summit produced competing narratives: AI autonomous systems as an escalation risk requiring categorical prohibition (arms-control community) versus AI autonomous systems as a competitive necessity whose governance must be handled internally by major powers (defense establishment). These frames are not yet reconciled into shared meaning, and the absence of consensus allows each actor to claim compliance with norms while pursuing incompatible practices.

Norm Lifecycle Stage: The norm of meaningful human control is in the Cascade phase domestically within Western institutions, rapidly being adopted as a framework principle in legislation, doctrine guidance, and contractor requirements. It remains in the Emerging phase internationally, as no binding treaty framework has secured state commitment beyond voluntary declarations. The result is a bifurcated norm lifecycle: internalized in rhetoric, contested in practice.

Norm Lifecycle: CASCADE

Indicators To Watch

Decision Relevance

Scenario A (~55%): Managed integration with persistent governance gaps — Defense institutions continue acquiring and deploying AI systems faster than doctrine matures, but adversarial exploitation remains at the supply chain / indirect level rather than achieving direct command disruption. The US maintains a narrow capability lead. Recommended: For defense contractors and technology suppliers, prioritize adversarial robustness testing and supply chain transparency before contract award; DoD exposure to vendor liability for undisclosed foreign AI components will increase as congressional pressure builds. For institutional investors in defense AI firms, the regulatory tightening implied by NDAA provisions and FY2027 Zero Trust deadlines creates compliance cost risk that is not yet priced into sector valuations.

Scenario B (~30%): Doctrinal vacuum exploited in a crisis — A fast-moving cyber or kinetic event forces a major military to rely on AI decision-support in a domain where no risk acceptance framework has been formalized, resulting in an autonomous AI action that produces unintended escalation, civilian harm, or mission failure at an operationally visible scale. Recommended: Institutional risk managers at defense-adjacent organizations should develop playbooks now for second-order effects, supply chain disruption, regulatory overreaction, and rapid contractor liability shifts are the most moderate-to-high confidence spillover channels. For policymakers, the trigger for binding autonomous weapons regulation may not be a deliberate adversary action but an inadvertent system behavior during a crisis, the governance architecture should not wait for that event.

Scenario C (~15%): International norm breakthrough constrains autonomous weapons — UN Secretary-General's 2026 deadline produces a binding framework or politically consequential voluntary agreement on autonomous weapons systems, creating a new compliance layer that defense acquisition programs must navigate. Recommended: Organizations with exposure to defense AI procurement should begin scenario-planning for treaty compliance costs and potential capability restrictions on deployed systems; the EU's LEAP initiative and the REAIM Summit institutional momentum make this scenario non-trivial even if a hard deadline slips.

Analytical Limitations

• The most operationally significant vulnerability data, confirmed adversarial exploitation of AI systems within classified military command networks, is not available in open sources. This assessment rests on unclassified threat intelligence, academic research, and defense journalism; the actual threat picture at classified levels may be materially more severe or more contained.
• The Ukraine conflict evidence base, while the richest available real-world data set on military AI dependency, reflects conditions (commercial COTS systems, improvised integration, high-intensity attrition at relatively low AI maturity) that may not accurately represent how purpose-built military AI command systems would behave in a great-power conflict scenario.
• Risk acceptance doctrine being developed by Army Cyber Command after the May 2026 wargame has not been published; this assessment infers the doctrinal gap from public statements by ARCYBER leadership and cannot evaluate whether unpublished internal frameworks have already addressed the vulnerabilities identified here.
• The Stanford AI Index benchmark gap between US and Chinese AI models measures general-purpose performance, not military-specific capability. The national security implications of a 2.7 percent gap on a civilian leaderboard may be substantially different from the operational gap in domains like computer vision, electronic warfare modeling, or logistics optimization where military AI actually competes.
• This assessment does not model adversary doctrine: Chinese and Russian frameworks for military AI integration, their own AI governance failures, and their exploitation timelines are based on open-source inference and carry significant uncertainty. A fuller picture would require signals and human intelligence inputs unavailable here.