At the NATO IST-HFM-225 Research Specialists’ Meeting, we presented work on secure frameworks for deploying generative AI in military contexts alongside stakeholders from NAVWAR PEO C4I.
The Command and Control Imperative
Effective command and control enables decisive action. Leaders must know when, where, and how to apply their tools. In modern warfare, operational commanders need insight beyond frontline activity, with the goal of real-time awareness and rapid counteraction.
The goal is not simply deploying well-equipped platforms, but ensuring true interoperability that enhances, rather than replaces, command judgment.
Security Challenges in Military AI Systems
Generative AI introduces vulnerabilities that extend beyond traditional systems:
- Adversarial inputs designed to deceive ISR, targeting, and decision systems
- Data poisoning from compromised sensors
- Model theft and extraction of decision logic
- Prompt injection and black-box failure modes
- Command integrity risks under degraded communications
Military AI security must maintain both operational effectiveness and information integrity across the lifecycle.
Information Aggregation Risks
AI systems can create intelligence leakage through pattern recognition across apparently innocuous data. Even routine reports can reveal operational priorities, force posture, or preparations when aggregated and analyzed at scale.
A Comprehensive Security Taxonomy
We proposed a framework organized across model security, runtime security, data security, supply chain security, and governance. Cross-cutting concerns include identity management, observability, compliance, and incident response.
Key Security Controls
Military AI applications require the following controls:
- Workload isolation and compartmentalization
- Dynamic authorization for automated systems
- Automated PKI and workload-specific identifiers
- Continuous monitoring
- Credential rotation
Looking Forward
Military applications of generative AI must balance capability with security. Properly secured AI can enhance command visibility and operational judgment, but only when identity, policy, provenance, and runtime evidence are treated as first-class controls.