Export controls were built to contain weapons of mass destruction. They are now the primary AI governance mechanism for 4.6 billion people in Asia — without safety logic, without dual-use doctrine, and without a single Asian state at the table when they were designed. The only binding international AI treaty exempts national security entirely. The gap is structural, documented, and unaddressed by any existing multilateral framework — including the thematic architecture of the UN Global Dialogue on AI Governance.
United Nations General Assembly Resolution A/RES/79/325, adopted December 2025, established the first multilateral AI governance process with a binding treaty mandate and genuine Global South inclusion. All 193 UN member states are represented. The resolution explicitly requires that Global South voices be centred — responding to a documented critique that every major AI governance instrument to date has been designed by and for a small group of Western governments and companies.
The process runs in two sessions: an initial dialogue phase building shared understanding, followed by treaty negotiations at the 2027 New York session. The positions advanced and the language agreed in the dialogue phase directly shape the architecture of the first international AI treaty with genuine global scope. This tool documents the structural gap that the treaty must address — and provides the mechanism-level design specifications for doing so.
Export controls were designed for weapons of mass destruction (WMD). They became the primary AI governance mechanism for Asia by default — not by design. The architecture collapsed before it came into force. No replacement exists. The only binding international AI treaty exempts the highest-risk use cases entirely. This is the origin of the governance vacuum this tool maps. The vacuum matters for AI safety specifically because ungoverned dual-use AI in critical infrastructure is a documented pathway to the harms AI safety research is designed to prevent: biosecurity uplift for non-state actors, electoral interference at scale, and lethal autonomous systems without accountability or attribution.
Nuclear has the Nuclear Non-Proliferation Treaty (NPT) and the Nuclear Suppliers Group (NSG). Chemical has the Chemical Weapons Convention (CWC) and the Australia Group. Biological has the Biological Weapons Convention (BWC). AI has no agreed definition of what constitutes a dual-use capability, no carve-out distinguishing offensive from defensive use, and no international verification mechanism. The same model that enables pandemic detection enables pathogen design. No governance architecture can distinguish them.
The US Bureau of Industry and Security (BIS) — operating under a WMD containment mandate with no AI safety objective — designed the only binding AI governance mechanism for Asia. India, Vietnam, Indonesia, and Singapore had no input. The architecture reflects US geopolitical objectives, not Asian security needs, not dual-use safety logic, not the governance capacity of the states it governs.
In January 2025, Indonesia's second-largest telecom Indosat Ooredoo Hutchison signed an MoU with AIonOS to develop AI solutions built on DeepSeek for food security, tourism, and talent development. In May 2025, Malaysia's Deputy Communications Minister announced a sovereign AI infrastructure powered by Huawei Ascend GPUs and DeepSeek — then retracted the statement under US export control pressure; the episode itself documents a country caught between US restrictions and Chinese infrastructure with no multilateral framework governing the choice. Singapore's OCBC — a systemically important bank — has deployed 30+ GenAI applications and its 2024 Annual Report specifically cites DeepSeek reasoning models as a capability it is adopting, with no safety evaluation standard applying to Chinese-origin models regardless of scale. Export controls did not prevent AI development in these countries — they redirected it toward infrastructure with no safety architecture, no transparency requirements, and no incident reporting. The highest-risk countries ended up on the least-governed infrastructure.
Resolution A/RES/79/325 identified seven thematic areas for the multilateral AI governance process. None explicitly addresses export controls or dual-use AI governance. Each theme is scored on how well the current international governance landscape addresses the dual-use dimension — and what the structural gap means for the treaty design process, regardless of which session or forum is being addressed.
Safety frameworks exist only for Western frontier labs. No equivalent applies to Chinese frontier models now deployed across Asian critical infrastructure. The CoE Convention exempts national security — exactly where the highest-capability AI systems are being deployed. "Trustworthy" AI cannot be assessed for models where training data, safety evaluations, and incident history are proprietary and ungoverned.
Export controls create a structural paradox for capacity-building: the compute required to build AI safety evaluation capacity is the same compute Tier 2 restrictions limit. India cannot build an operational AI Safety Institute (AISI) without the frontier compute needed to evaluate frontier models — compute its developers are restricted from accessing. The capacity-building agenda cannot succeed while the primary governance mechanism actively constrains the hardware required for governance infrastructure.
Export controls are reshaping AI adoption across Asia with profound social and economic implications — redirecting development toward Chinese infrastructure, accelerating dual-stack adoption, and creating technology dependencies difficult to reverse. Indonesia's 277 million people face deepfake-driven electoral interference with no AI governance framework to address it. Vietnam's human-in-the-loop mandates (Decree 142/2026) cannot be operationalised without access to the models they are designed to govern.
Vietnam has a binding AI law and sits in the same restricted compute tier as Indonesia, which has no AI law at all. Governance quality is entirely disconnected from compute access tier. The EU AI Act, US voluntary frameworks, and Asian national laws operate in isolation. The CoE Convention has no mechanism for developing-state participation or recognition of equivalent national frameworks.
The CoE Framework Convention grounds AI governance in human rights — but exempts national security applications (Article 3.2). AI-enabled mass surveillance, autonomous targeting, and election interference — all dual-use applications with direct human rights implications — fall outside the treaty. No Asian developing state is party. The human rights framework most applicable to high-risk AI does not reach the countries where high-risk AI is being deployed without safety governance.
No accountability mechanism exists for AI-enabled dual-use harm. When an AI system contributes to a biosecurity incident, electoral interference, or infrastructure attack, there is no investigation body, no attribution standard, no reporting requirement, and no liability framework that applies across jurisdictions. The OPCW has a challenge inspection mechanism. The NTSB has a no-blame investigation model. Aviation has a black box standard. AI has nothing equivalent.
Open-weight models (Meta Llama, DeepSeek) partially bypass export controls — Asian states can access capable models without compute restrictions. But the safety governance that applies to closed models (AISI evaluations, Frontier Model Forum commitments) does not apply to open-weight models at all. Indosat's DeepSeek deployment and OCBC's adoption of DeepSeek reasoning models are open-weight: outside every safety governance framework that exists. This is not a temporary anomaly — it is structural. Open-weight models cannot be recalled, restricted post-release, or governed through access controls. The governance vacuum for open-weight AI is permanent under the current architecture.
The governance vacuum has persisted for three structural reasons — not because no one has noticed it, but because the actors who control the relevant levers have incentives and mandates that prevent them from filling it. These three findings explain why. Together they make the case that any binding AI governance instrument must create new institutional architecture rather than tasking existing actors with a mandate they structurally cannot fulfil.
The four companies with binding frontier AI safety commitments are the same four companies whose chips and cloud infrastructure Asian states are restricted from accessing. This is not a coincidence — it is the architecture. The countries excluded from compute access are excluded from safety governance by the same set of actors.
The restriction of frontier US compute did not prevent AI development in Asia. It redirected it — toward Chinese infrastructure with no safety architecture, no transparency requirements, and no incident reporting. These are confirmed deployments, not projections. Each one sits entirely outside every governance framework discussed in this tool.
| Country / Entity | Deployment Confirmed | Chinese Stack | Safety Governance Applies? | Incident Reporting? | CoE Treaty? |
|---|---|---|---|---|---|
| 🇮🇩 Indosat Ooredoo Hutchison (Indonesia) Second-largest Indonesian telco · 100M+ subscribers | Signed MoU (Jan 2025) with AIonOS to develop solutions built on DeepSeek for food security, tourism, talent development; AI Centre of Excellence announced. By mid-2026 pursuing hybrid strategy with Nvidia H100 GPUs and own Indonesian LLM (Sahabat AI). | DeepSeek + Alibaba Cloud | None | None | Not party |
| 🇲🇾 Malaysia — Skyvast Sovereign AI Private initiative; MoU with Huawei Malaysia signed | Deputy Communications Minister announced sovereign AI on Huawei Ascend GPUs (May 2025); retracted next day under US export control pressure. Ministry of Digital had separately published an MoU between Huawei Malaysia and Skyvast for Ascend-powered sovereign AI cloud. Huawei denied selling chips; government denied involvement. | Huawei Ascend (announced, disputed) | None | None | Not party |
| 🇸🇬 OCBC Bank (Singapore) Systemically important bank · MAS regulated | 30+ GenAI applications deployed (OCBC Annual Report 2024); DeepSeek reasoning models cited as capability being adopted; 300+ total AI use cases. Model-level provenance of individual applications not publicly disclosed. | DeepSeek (cited); multiple providers | None for Chinese models | None | Not party |
| 🇹🇭 Thailand AI Sector Government and private sector | Simultaneous investment from Microsoft and ByteDance — competing infrastructure 2024–25 | ByteDance (dual-stack) | Partial (Microsoft stack only) | None | Not party |
| 🇻🇳 Vietnam Digital Economy Law 134/2025 in force — best governed Tier 2 | Alibaba Cloud data centres in region; growing DeepSeek deployment across enterprise sector | Alibaba Cloud + DeepSeek (growing) | Law 134/2025 (domestic only) | Not for Chinese models | Not party |
This is not a gap waiting to be filled. These institutions exist. They have mandates, budgets, and staff. The problem is structural: each one is prevented from reaching the highest-risk AI applications by its founding instrument, its membership composition, or its enforcement mechanism. Understanding why each institution cannot act is the prerequisite for knowing what the 2027 treaty must build.
| Institution | What it can do | Why it cannot reach AI | The structural barrier | What would fix it |
|---|---|---|---|---|
| US BIS Bureau of Industry and Security | Export controls on dual-use goods and technology | WMD containment mandate — no AI safety objective. Rescinded the only comprehensive AI rule it ever published. Unilateral — no multilateral mandate. | Wrong mandate | Replace with multilateral mechanism with explicit AI safety objective |
| OPCW Organisation for the Prohibition of Chemical Weapons | CWC implementation, chemical weapons verification, challenge inspections | Jurisdiction limited to chemical weapons as defined in 1993 CWC. AI-enabled chemical weapon design is not within scope unless a new protocol extends the mandate. | Wrong jurisdiction | CWC protocol extending OPCW mandate to AI-enabled CBRN uplift assessment |
| WHO World Health Organization | Global health governance, pandemic preparedness, biosecurity norms | No mandate over AI systems. AI-enabled pathogen design sits at intersection of AI and biosecurity — WHO covers the biosecurity side only. No joint mandate with any AI body. | No AI mandate | Joint WHO–AI Safety Secretariat protocol for dual-use AI biosecurity evaluation |
| CCW GGE Convention on Certain Conventional Weapons — Group of Governmental Experts | Autonomous weapons discussions since 2014; lethal autonomous weapons systems norms | CCW mandate expires September 2026. 12 years of discussion with no binding outcome. Consensus requirement means Russia and China can block. Not a treaty — a discussion forum. | Mandate expiring · Consensus blocked | Meaningful human control standard in 2027 treaty, bypassing CCW consensus requirement |
| ITU International Telecommunication Union | Telecommunications standards, internet governance, digital development | Technical standards body only — no enforcement mandate. AI Focus Group produces guidance, not binding standards. Universal membership but no power to compel compliance. | Standards, no enforcement | ITU develops AI provenance and incident reporting technical standards; 2027 treaty mandates adoption |
| IAEA International Atomic Energy Agency | Nuclear safeguards, verification, peaceful use promotion | Mandate limited to nuclear material and technology. AI governance requires a new international body with an equivalent inspection mandate — IAEA cannot extend its remit unilaterally. | Wrong domain — but strongest institutional model | International AI Safety Secretariat modelled on IAEA Article 12 — the Precedents tab specifies the design |
| CoE Convention (CETS 225) Only binding international AI treaty | Human rights, democracy and rule of law obligations for AI lifecycle | Article 3.2 blanket national security exemption covers exactly the highest-risk dual-use applications. No Asian developing state is party. No inspection or verification mechanism. | Self-exempted the highest-risk uses | Narrow Article 3.2 in 2027 treaty; extend participation to Asian developing states via Article IV-equivalent bargain |
| UN GGE on Cybersecurity Group of Governmental Experts — ICT security | Norms for responsible state behaviour in cyberspace; 11 agreed norms since 2015 | Norms are non-binding. No enforcement mechanism. AI-enabled cyberattacks are not addressed in existing norm language. Russia and China have parallel OEWG process, fragmenting the framework. | Non-binding · Fragmented | Budapest Convention extension to AI-enabled attacks; 2027 treaty fills the enforcement gap |
Every functioning WMD governance regime required seven layers to work. Nuclear built all seven — it took 25 years and two weapon deployments. Chemical built six. Biological built three, and the missing verification layer is precisely why AI-enabled bioweapon design is the highest-risk ungoverned dual-use application today. AI has fragments of one layer, and that layer was rescinded before it came into force.
NSG export trigger criteria. IAEA safeguards as precondition for nuclear technology transfer. Functioning since 1970s.
Australia Group dual-use chemical export controls. Schedule 1/2/3 precursor controls under CWC. Functioning since 1985.
Australia Group biological agent controls. Partial — gaps in dual-use equipment. BWC has no export control mandate.
Biden Diffusion Rule rescinded May 2025 — never enforced. No replacement. Pre-2022 chip controls on China only. Asian Tier 2 states: no binding framework. The only AI governance layer is broken. ↗ BIS Rescission
IAEA defines nuclear material categories. Internationally agreed taxonomy of what constitutes weapon-relevant material.
CWC Schedules 1/2/3 define dual-use chemicals by military utility and commercial use. OPCW Technical Secretariat maintains the taxonomy.
Australia Group pathogen control lists. Partial — gaps in dual-use equipment. No agreed international taxonomy of dual-use biological capabilities.
No agreed international taxonomy of dual-use AI capabilities. UK AISI evaluates CBRN uplift — but voluntarily, for cooperating labs only, and covering no Chinese-origin models. ↗ METR Common Elements
IAEA distinction between peaceful nuclear use (Article IV NPT right) and weapons-relevant activity. Enrichment level thresholds distinguish civilian from weapons-grade material.
CWC explicitly distinguishes industrial production from weapons precursors. Challenge inspection verifies disputed use-cases. End-use certificates required for dual-use chemicals.
BWC Article I prohibits offensive weapons but has no verification mechanism. Dual-use research oversight exists in some jurisdictions, not internationally harmonised.
AI pandemic detection and AI pathogen design require identical compute and similar models. Deepfake detection and generation use the same architecture. No governance mechanism can currently distinguish defensive from offensive AI use at capability level. This layer is entirely absent for AI.
National nuclear regulatory bodies, safeguards agreements, domestic enrichment oversight. Required for NPT adherence.
National Authorities under CWC Article VII. Mandatory declaration and inspection facilitation. Every CWC state party must have a designated national authority.
UK AISI (strong, CBRN mandate). EU AI Office (binding). Korea KAISI (Jan 2026). Japan AISI (exists). Vietnam Law 134/2025 (binding, no eval capacity). India AISI (proposed). Indonesia: nothing.
No country in this set has a dual-use AI evaluation mandate with CBRN scope. US has no federal AI law. No operational AISI in India or Indonesia. The layer exists in fragments in three Western countries only.
IAEA investigation mandate. Nuclear forensics programme for attribution. Post-incident material analysis to trace weapon origin.
OPCW fact-finding missions. Technical Secretariat investigation capacity. Syria and Salisbury investigations demonstrated a functioning attribution mechanism.
No OPCW equivalent. Article VI BWC allows Security Council consultation but has no investigation mechanism. COVID-19 origin investigation demonstrated the gap.
No investigation body for AI-enabled dual-use harm. No forensics standard. No attribution protocol. No no-blame reporting channel. Intelligence agencies can sometimes attribute — but outside any public governance framework.
IAEA safeguards inspections. Additional Protocol. Comprehensive safeguards agreements. Verification is the backbone of the NPT.
OPCW routine inspections. 98% of declared chemical weapons stockpiles destroyed and verified. The strongest WMD verification regime.
No verification protocol. Negotiated 1994–2001, collapsed when US withdrew citing trade secrets and technical verification limits. AI will face identical arguments. This is the warning precedent. ↗ UN BWC Documentation
No international verification mechanism. CoE Convention has a Conference of the Parties — but no inspection, no technical secretariat, no challenge mechanism. Hiroshima AI Process is non-binding with no verification.
NPT is multilateral — 191 state parties consented to its terms. IAEA Board of Governors includes developing-state representation. Imperfect, but consent-based.
CWC negotiated through the Conference on Disarmament. 193 states parties. Universal participation in rule design. OPCW has universal membership.
BWC has 183 states parties. Consent-based but weak — representation without enforcement. Implementation conferences every five years.
Export controls designed by BIS (US agency) with no Asian input. CoE Convention negotiated by CoE members — India, Vietnam, Indonesia, Singapore absent. Frontier Model Forum: four companies. The UN Global Dialogue is the first inclusive forum — but non-binding in its first session. This is the most absent layer of all seven.
Urgency score is a weighted composite: 40% governance capacity gap (inverse of Oxford Insights score), 40% dual-use risk exposure, 20% export control exposure post-rescission. India, Vietnam, and Indonesia are not OECD members — their absence from the OECD AI Index is itself a governance gap finding.
| Country | Oxford AI Readiness 2024 | OECD Member | Export Control Status | Layers Covered (of 7) | Urgency |
|---|---|---|---|---|---|
| 🇮🇩 Indonesia | 65.85 / rank ~55 | No | Vacuum post-rescission | 0 / 7 | 9.4 |
| 🇮🇳 India | ~64.0 / rank 46 | No | Vacuum post-rescission | 0 / 7 | 8.1 |
| 🇻🇳 Vietnam | 61.42 / rank ~65 | No | Vacuum post-rescission | 1 / 7 | 7.8 |
| 🇸🇬 Singapore | 84.25 / rank 2 | No | Vacuum — same tier as Indonesia | 2 / 7 | 6.2 |
| 🇯🇵 Japan | 75.75 / rank 11 | Yes | Tier 1 — semiconductor leverage | 3 / 7 | 4.8 |
| 🇰🇷 South Korea | 79.98 / rank 3 | Yes | Tier 1 — Samsung/SK Hynix | 3 / 7 | 4.2 |
| 🇺🇸 United States | 87.03 / rank 1 | Yes | Rule designer — no replacement | 5 / 7 | Designer |
| 🇬🇧 United Kingdom | 78.88 / rank 5 | Yes | Tier 1 — co-designer | 5 / 7 | Comparator |
| 🇪🇺 European Union | ~76 avg / Top 10 | Yes (members) | Tier 1 — AI Act binding | 5 / 7 | Comparator |
Six specific governance mechanisms that make WMD regimes function — mapped to their AI equivalent at institutional level, with design requirements and draft treaty language. The research contribution here is not the analogy. It is the specification: what institutional architecture, what mandate, what enforcement mechanism, and what political bargain each layer requires. Every mechanism is sourced to primary treaty texts.
IAEA inspectors verify nuclear material is not diverted from peaceful use to weapons. Comprehensive safeguards agreements are legally binding on all NPT non-nuclear states. Additional Protocol expands inspection rights to undeclared sites.
Independent technical secretariat with inspection authority. Safeguards criteria agreed multilaterally. Material accountancy system. Board of Governors with enforcement referral to Security Council.
An independent International AI Safety Secretariat with authority to conduct pre-deployment evaluations of frontier models, maintain a registry of dual-use capability assessments, and refer non-compliant systems to the UN Security Council. Evaluation criteria agreed by all member states — not set by four Western companies. Modelled on IAEA Article 12 safeguards, applied to training compute above the dual-use capability threshold.
Any CWC state party may request an inspection of any facility in any other state party on grounds of suspected non-compliance. OPCW Technical Secretariat conducts the inspection. Executive Council may block with 3/4 majority vote.
98% of declared chemical weapons destroyed and verified. Syria and Salisbury investigations demonstrated functioning attribution. The CWC verification regime is the model for what works.
A challenge evaluation mechanism: any state party may request independent evaluation of an AI system suspected of dual-use capability. The International AI Safety Secretariat conducts evaluation using standardised CBRN uplift protocols. Confidentiality protections for model weights and training data (analogous to CWC trade secret protections). Results reported to an Executive Board with enforcement referral authority.
42 participating countries maintain and update lists of dual-use chemicals, biological agents, and equipment subject to export controls. Annual plenary reviews and updates in response to scientific developments. Informal — not a treaty.
Western-dominated — no China, Russia, or major Global South participation. Created governance fragmentation rather than universal coverage. Its informality is both its strength (speed) and its weakness (legitimacy).
An international Dual-Use AI Capability Review Process: a standing technical body that annually updates a taxonomy of AI capabilities crossing the dual-use threshold, with universal membership unlike the Australia Group. The UN Scientific Panel on AI (established 2026) is positioned to perform this function — but needs a formal mandate, a dual-use lens, and an export control linkage.
The BWC prohibits biological weapons but has no verification mechanism. The Soviet Union ran the world's largest offensive biological weapons programme (Biopreparat) throughout the BWC's existence, in clear violation — revealed only after Soviet collapse.
In 2001, the US withdrew from Protocol negotiations citing concerns about protecting commercial trade secrets and the inability to verify compliance in dual-use biological facilities. These are exactly the arguments that will be raised about AI model weights.
The AI governance community will face identical arguments to those that killed the BWC verification protocol: model weights are trade secrets, verification would disadvantage Western companies, compliance cannot be technically verified. The BWC failure shows what happens when these arguments succeed. The 2027 treaty must have verification built in from inception — not negotiated separately, later, and unsuccessfully.
Non-nuclear states accepted NPT restrictions in exchange for a guaranteed right to peaceful nuclear use. Without Article IV, developing states had no incentive to join a treaty that restricted their technology access without offering anything in return.
Developing states will not accept a 2027 AI treaty that restricts their AI development without an equivalent guarantee. The export control architecture's fundamental political problem is that it imposes restrictions without any guaranteed pathway to beneficial AI access.
States accepting dual-use AI governance obligations (capacity-building requirements, incident reporting, AISI-equivalent evaluation) receive a guaranteed right to access frontier AI compute for peaceful applications — biosecurity defence, healthcare AI, agricultural AI. The governance compute carve-out proposed in Tab 2 is the operational form of this Article IV right. Without it, the treaty will fail to achieve developing-state participation.
Every other WMD and safety governance regime was triggered by catastrophe. ICAO Annex 19 is the only major international safety standard built through proactive professional consensus. It achieved universal adoption because it was technically credible, built incrementally, and gave operators a compliance pathway rather than an immediate ban.
Four pillars: safety policy, safety risk management, safety assurance, safety promotion. Each pillar was operationalisable. Compliance was measurable. Built by practitioners, not politicians. Extended progressively to new domains without requiring new treaties each time.
An international AI Safety Management Standard modelled on ICAO Annex 19: four pillars (safety policy, dual-use risk assessment, safety assurance/evaluation, safety promotion/incident reporting). Binding on frontier AI developers above a compute threshold. Extensible over time. The UN Scientific Panel on AI should draft this standard for the 2027 New York session. It is achievable without waiting for a catastrophe.
When an AI system contributes to a biosecurity incident, electoral interference, or infrastructure attack, there is no investigation body, no attribution standard, no forensics protocol, and no liability framework that applies across jurisdictions. The OPCW can attribute chemical weapon use. The NTSB investigates aviation accidents. AI has no equivalent. These four scenarios document what the absence of Layer 5 means in practice — and what any binding governance instrument must build to fill it.
An AI system is used to design a novel pathogen with enhanced transmissibility. Conducted by a non-state actor using open-weight models (DeepSeek, Llama) on cloud infrastructure in a jurisdiction with no AI governance framework. A pandemic results. Who is legally accountable?
BWC prohibits state development of biological weapons but has no enforcement mechanism. Non-state actors are not directly bound. AI developer has no liability for downstream misuse of open-weight models. Cloud provider faces terms of service violations — civil, not criminal. Result: no binding accountability mechanism exists.
No AI forensics standard equivalent to nuclear material fingerprinting or OPCW chemical analysis. Models used, compute accessed, and design process leave no internationally admissible evidentiary trail. Intelligence agencies may be able to attribute — but outside any public legal framework. The BWC verification gap means no treaty mechanism exists to investigate even suspected state involvement.
Mandatory compute and API access logging for frontier model providers above a capability threshold — creating an admissible evidentiary trail. An international AI forensics protocol for post-incident attribution modelled on OPCW chemical analysis. Liability provisions extending to frontier model developers for foreseeable dual-use applications, with safe harbour for developers who have conducted AISI-equivalent CBRN evaluations.
AI-generated deepfakes of political candidates distributed at scale during an Indonesian or Indian election. Produced using open-weight Chinese models (DeepSeek) hosted on domestic servers. Electoral outcome materially affected. Who is accountable?
Indonesia: no AI law. Electronic Information and Transactions Law applies to some online content but not AI-generated deepfakes specifically. India: IT Act provisions apply but enforcement against state-linked actors is effectively impossible. Model developer: no international liability exposure. Result: near-zero accountability.
AI-generated deepfake attribution requires model fingerprinting and artefact analysis combined with investigation of distribution infrastructure. No international standard exists. States with technical attribution capability (US, UK, Five Eyes) may investigate — but findings are intelligence, not legal evidence, and are not shared through any multilateral mechanism.
A Content Provenance Standard: mandatory watermarking and provenance metadata for AI-generated content above a capability threshold (C2PA standard or equivalent), legally admissible in electoral interference proceedings. An international Electoral AI Integrity mechanism within the UN system, with authority to investigate AI-enabled election interference.
An AI-enabled cyberattack disrupts Singapore's financial system. The attack uses AI systems for planning, evasion, and payload generation, developed by a state-linked actor. A systemically important bank's AI systems — sourced from multiple providers including Chinese-origin models with no safety evaluation — are implicated as an attack vector. Who is accountable?
Budapest Convention on Cybercrime applies to some aspects but has no AI-specific provisions. China and Russia are not parties. UN GGE norms are non-binding. OCBC may have liability under MAS regulations for inadequate third-party risk management. DeepSeek developer: no international liability mechanism exists.
AI-enabled cyberattacks are designed to be deniable. The same AI tools used for attack are used for legitimate security research. Attribution requires access to training data, deployment logs, and infrastructure — none accessible through current international legal mechanisms. Singapore AISI has no authority over Chinese-origin AI systems deployed in Singapore's financial sector.
Extension of the Budapest Convention framework to AI-enabled attacks. Mandatory security evaluation for AI systems deployed in critical financial infrastructure regardless of model origin. Mandatory incident reporting to a cross-border AI Security Incident Registry. A state responsibility doctrine for AI-enabled attacks where the state of the model developer can be held to account for foreseeable misuse.
An autonomous AI targeting system deployed in active conflict makes a targeting decision resulting in civilian casualties. The AI system was developed using models fine-tuned in a jurisdiction with no AI governance framework. Who is accountable under IHL?
IHL requires human accountability for targeting decisions. If an AI system makes targeting decisions without meaningful human control, there is an "accountability gap" — no human made the specific decision, so no human can be held to account. CCW GGE has discussed autonomous weapons since 2014. No binding treaty as of mid-2026. CCW mandate expires September 2026.
AI targeting systems are designed by developers, trained on datasets, deployed by militaries, and operated by combatants — with decisions distributed across this chain. IHL requires a human decision-maker accountable for targeting. AI systems create an accountability gap where no individual in the chain made the specific targeting decision that caused harm.
A Meaningful Human Control standard for autonomous AI weapons systems, with a pre-deployment validation requirement. The standard should specify: minimum human oversight required for AI-assisted targeting to meet IHL accountability requirements; a pre-deployment validation protocol run by an independent technical body; a post-incident attribution protocol that can trace targeting decisions through the AI decision chain.