top of page

RESILIENCE IN THE AI CENTURY


Hyperscalers, Strategic Dependency, and the Case for a New Security Doctrine

A strategic briefing paper  ·  May 2026

 

Executive Summary

We are living through the first years of a century in which artificial intelligence is not merely a technology but a structuring force — reshaping economies, realigning military advantage, and redrawing the map of national power. The emergence of tools like Project Mythos is one symptom of a far larger transformation: the moment at which AI capability crossed from productivity tool to strategic infrastructure.

This paper argues that governments, multilateral institutions, and non-aligned nations face an urgent and largely unacknowledged problem. A small number of private hyperscaler corporations — principally American, with emerging Chinese counterparts — have accumulated technological capabilities that exceed those of most sovereign states in domains that matter: intelligence gathering, communications infrastructure, financial routing, logistics optimisation, and now offensive and defensive cyber capability at machine speed.

The hyperscalers have not merely disrupted industries. They have begun to disrupt the geopolitical map itself — accruing influence that was previously the exclusive preserve of states.

The restricted release of Mythos is therefore not simply a cyber security story. It is a case study in the wider condition: the gap between those inside the technological frontier and those outside it is widening faster than any institution designed to manage that gap was built to handle. A Resilience Strategic Umbrella — a new framework for collective AI-era security — is no longer a theoretical aspiration. It is a practical necessity.

 

Part I: The Hyperscaler Geopolitical Disruption

From commercial platform to sovereign-equivalent actor

The five dominant American hyperscalers — Microsoft, Google (Alphabet), Amazon, Apple, and Meta, with Nvidia occupying a unique position as the infrastructure layer beneath all of them — have, in the space of roughly fifteen years, become actors with geopolitical weight that rivals or exceeds that of many nation-states. This is not hyperbole. It is a structural observation.

Each hyperscaler now controls infrastructure that sovereign governments depend upon for basic function: cloud computing for public services, communications networks, mapping and logistics data, financial transaction routing, and identity verification. In many developing and middle-income countries, the hyperscaler's platform effectively is the digital state. When AWS suffers an outage, hospital systems in multiple countries go dark. When Google updates its search algorithm, entire national industries lose revenue overnight. When Meta restricts content, political movements gain or lose reach on a scale no ministry of information could achieve.

What has changed in the AI era is that this dependency has deepened from infrastructure to cognition. AI systems now draft legislation, write medical diagnoses, run financial risk models, and — as Mythos demonstrates — discover security vulnerabilities in critical national systems. The entity that controls the AI controls, to an increasing degree, the quality of decision-making in every sector it touches.

The new asymmetry of power

Classical geopolitical theory rested on the assumption that power resided in states, which held a monopoly on legitimate force, controlled territory, and commanded the loyalty of populations. The hyperscaler era has broken all three assumptions simultaneously.

Hyperscalers do not hold territory, but they control something more valuable in the information age: the attention, data, and communication infrastructure of entire populations. They do not field armies, but they increasingly supply the intelligence, logistical optimisation, and communications systems upon which armies depend. They are not elected, but decisions made in their boardrooms affect the lives of more people than most democratic governments.

The result is a new form of asymmetric power. A government that wishes to sanction or regulate a hyperscaler faces an adversary with deeper legal resources, greater technical capacity, more international leverage, and — critically — the ability to make its services simply work less well in a given jurisdiction without any formal act of non-compliance. The asymmetry is not merely financial. It is cognitive, informational, and infrastructural.

No government in history has had to negotiate with an entity that simultaneously serves as its military's cloud provider, its population's communications network, and its intelligence agencies' analytical platform — while being incorporated in a foreign jurisdiction.

The Chinese dimension

The American hyperscaler dominance is increasingly contested by Chinese equivalents — Alibaba, Tencent, Huawei, Baidu, and ByteDance — creating a bipolar hyperscaler world that maps imperfectly onto, and in some respects precedes, the broader great-power competition between Washington and Beijing. The Belt and Road Initiative has been accompanied by a less-discussed Digital Silk Road: Huawei's telecommunications infrastructure now underpins connectivity across much of Africa, Central Asia, and Southeast Asia, creating dependencies that mirror and in some respects exceed those created by American platforms.

Nations that have accepted Chinese digital infrastructure in exchange for affordable connectivity have, in many cases, made a decision whose full strategic implications were not explained to them, and whose terms they are now unable to renegotiate without economic and political cost. The same is true, with different technical and political characteristics, of nations whose governmental functions run on American cloud infrastructure.

The result is a world in which the majority of nations have lost meaningful digital sovereignty without any formal treaty, declaration of dependency, or democratic decision. It happened through procurement choices, commercial contracts, and the simple fact that the alternatives were not competitive.

 

Part II: Project Mythos as Strategic Symptom

What Mythos represents

Project Mythos — Anthropic's AI-driven vulnerability discovery system, currently withheld from public release and accessible only to a vetted group of roughly 40 institutions via Project Glasswing — should be understood not primarily as a cyber security tool but as a proof of concept for the AI-enabled power asymmetry described above.

Mythos reportedly identifies vulnerabilities in software systems at a scale, speed, and depth that human penetration testers cannot match. It has found critical bugs in systems that had been tested five million times by conventional means. Whether or not the specific technical claims are fully verified, the strategic implication is clear: AI has crossed a threshold at which it can discover and potentially exploit weaknesses in critical infrastructure faster than those systems can be defended by human-speed processes.

The decision to restrict access is therefore both rational and revealing. It is rational because unrestricted release would benefit attackers at least as much as defenders, in a world where offensive operations remain faster than defensive ones. It is revealing because of who has been given access and who has not.

The twelve reasons for restriction — and what they tell us

The restricted release of Mythos can be explained by twelve converging factors, which together illuminate the wider strategic condition:

1.  Industry credibility

Mythos exposes deep flaws that the cyber security industry has spent decades claiming to address. Penetration testing, compliance audits, and certifications missed vulnerabilities that the tool found in systems tested five million times. The implication — that much of the existing security compliance apparatus has been selling false assurance — is an existential threat to a multi-hundred-billion-dollar industry.

2.  Market shock

Public release risks triggering significant repricing across security firms and the big tech companies that own them. Markets that have priced in the value of existing security products and services would be forced to reassess that value rapidly. The financial consequences would be systemic.

3.  Vested interests in unsolved problems

The economics of cyber security, like the economics of many professional services industries, are structured around recurring problems rather than permanent solutions. A tool that genuinely fixes the underlying vulnerability landscape at scale disrupts the revenue model of the industry tasked with managing it. Not everyone in that ecosystem wants the problems actually solved.

4.  Sovereign risk and competitive threat

Unrestricted access to a tool that can identify zero-day vulnerabilities in any software system constitutes a direct threat to national security for any state that has not patched its systems before release. For smaller nations and those without access to the Glasswing group, it is a threat with no corresponding benefit.

5.  The offence-defence asymmetry

The time between vulnerability discovery and weaponisation has already compressed to hours in the conventional threat landscape. Mythos accelerates the discovery phase dramatically. Since patching and remediation remain slow — constrained by procurement cycles, testing requirements, and legacy system constraints — wide release would structurally favour attackers over defenders.

6.  Capability narrative management

Research indicates that smaller models with as few as 3.6 billion parameters, costing a fraction of a cent per query, can replicate core Mythos findings. Restricted release may therefore be as much about managing the public narrative around AI capability — and the regulatory and competitive responses it might trigger — as about controlling the capability itself.

7.  The global access inequality

The Glasswing group consists primarily of large Western technology firms and a small number of institutions. Most central banks, most government cyber agencies, and the overwhelming majority of nations are outside it. This means the world's most powerful vulnerability discovery tool is, in practice, a service provided by an American company to American companies — with everyone else left to manage the consequences.

8.  Legacy critical infrastructure

Power grids, water treatment systems, financial settlement infrastructure, and hospital networks frequently run on software that is ten to thirty years old and cannot be rapidly updated without risking catastrophic operational failure. These are precisely the systems most likely to contain the vulnerabilities Mythos can find, and least able to implement patches quickly.

9.  Democratisation of nation-state attack capability

The capacity to identify and exploit zero-day vulnerabilities in critical infrastructure was previously the preserve of a handful of well-resourced state intelligence agencies. Mythos makes a version of that capability accessible to actors who lack that resourcing. The geopolitical threat calculus changes fundamentally when non-state actors, criminal organisations, and smaller hostile states can operate at previously nation-state-level offensive capability.

10.  Regulatory and legal liability

A public release followed by a major breach — of a hospital system, a power grid, or a financial institution — would expose Anthropic to regulatory and legal consequences that could be existential. Restricted access under a formal framework creates a defensible record of responsible disclosure. The liability management rationale and the safety rationale point in the same direction, which makes them mutually reinforcing and difficult to disentangle.

11.  The false assurance problem

Decades of compliance-driven security — certifications, audits, penetration testing — have created institutional confidence that is not matched by actual resilience. Mythos makes that gap visible at scale. The organisations most threatened by this revelation are not the attackers but the defenders who have been charging for a service they could not fully deliver.

12.  Regulatory capture by commercial convenience

By restricting access to a group that includes Microsoft, Google, Apple, Amazon, and Nvidia, Anthropic ensures that its primary commercial partners can patch their systems before regulators, competitors, or foreign governments can respond. The safety rationale is genuine. So is the commercial convenience. The two are inseparable — which is precisely the problem for any governance framework that attempts to treat them as distinct.

 

Part III: The Case for a Resilience Strategic Umbrella

Why existing frameworks are insufficient

The international frameworks developed to manage shared security risks — the UN Charter, NATO's Article 5, the Nuclear Non-Proliferation Treaty, the Wassenaar Arrangement on export controls for dual-use technologies — were designed for a world in which the principal actors were states, the principal threats were physical, and the principal weapons were things that could be counted and verified.

None of these conditions holds in the AI-era threat landscape. The principal actors in offensive AI capability development are now private corporations. The threats are informational and infrastructural rather than physical. The weapons — AI models, training pipelines, data access — are neither countable nor easily verified. A framework built on state actors, physical weapons, and treaty verification is not merely imperfect for this environment. It is structurally mismatched to it.

The Budapest Convention on cybercrime, the most relevant existing multilateral instrument, covers criminal acts but has no mechanism for addressing the structural power asymmetry created by hyperscaler dominance or the strategic implications of AI-enabled vulnerability discovery. The European Union's AI Act addresses safety and fundamental rights but was not designed as a geopolitical security instrument. NATO's emerging AI principles are aspirational rather than operational. The gap between the speed of AI capability development and the speed of multilateral governance is not closing. It is widening.

What a Resilience Strategic Umbrella requires

A Resilience Strategic Umbrella for the AI century must address four interlocking problems that existing frameworks leave unresolved.

First, it must address the access inequality problem. The current structure, in which the most powerful AI security tools are accessible only to a handful of private corporations and their chosen institutional partners, is not a stable equilibrium. It creates an ever-widening capability gap between the technologically advanced and everyone else, and it does so without democratic mandate or multilateral agreement. A genuine resilience framework requires either broad access to protective AI capabilities or binding obligations on those who hold them to extend protection to critical infrastructure globally, on terms that do not create new forms of dependency.

Second, it must address the sovereignty problem. Nations that have allowed their critical digital infrastructure — communications, cloud computing, financial systems, identity management — to be provided by foreign private corporations have, in effect, outsourced a portion of their sovereignty. A resilience framework must include mechanisms for nations to reclaim meaningful digital sovereignty without being forced to choose between security and connectivity. This requires investment in open, interoperable infrastructure alternatives, not merely regulatory pressure on existing providers.

Third, it must address the governance gap for AI-enabled offensive capability. The same AI that helps Mythos find vulnerabilities in critical infrastructure can help an adversary exploit them. There is no international agreement on the development, testing, or deployment of AI systems with offensive cyber capability. There is no verification mechanism, no disclosure requirement, and no prohibition on use against civilian infrastructure. Filling this gap requires a new treaty framework — one that treats AI offensive capability as the dual-use strategic technology it is, with the same seriousness that earlier generations brought to nuclear and chemical weapons.

Fourth, it must address the accountability vacuum created by the hyperscaler structure. When a private corporation's infrastructure failure causes a national healthcare system to collapse, the existing legal and political accountability mechanisms are inadequate. When a private corporation restricts access to a capability that could protect national critical infrastructure, there is no multilateral forum with the standing to challenge that decision. A resilience framework requires governance mechanisms that can hold hyperscaler-equivalent actors accountable to standards defined by the international community, not merely by their home regulators.

Resilience in the AI century is not a technical problem with a technical solution. It is a political problem that requires political will, multilateral architecture, and a willingness to constrain private power in the public interest.

Practical pillars of the framework

A Resilience Strategic Umbrella, practically constituted, would rest on five pillars:

Digital Sovereignty Compact. A multilateral agreement establishing minimum standards for national digital sovereignty, including requirements for domestic or collectively-owned alternatives to hyperscaler services for specified critical government functions, and binding commitments from hyperscalers operating in signatory states to data localisation, transparency, and continuity of service obligations.

AI Security Commons. A collectively governed repository of AI-enabled vulnerability discovery, accessible to the critical infrastructure operators of all member states, managed by a body analogous to the International Atomic Energy Agency, and funded by a levy on hyperscalers whose revenue exceeds defined thresholds. The Glasswing model — private access for commercial partners — would be prohibited for tools of this strategic significance under the commons framework.

Dual-Use AI Treaty. An international agreement establishing obligations of disclosure, testing, and proportionate restriction for AI systems with offensive cyber capability above defined capability thresholds, with a verification mechanism analogous to nuclear inspection regimes, adapted for the non-physical nature of AI systems.

Critical Infrastructure Protection Floor. A binding minimum standard for the cyber resilience of critical infrastructure — power, water, health, financial settlement, communications — applicable to all member states and supported by mandatory access to AI-enabled vulnerability remediation tools, funded on a capacity basis.

Hyperscaler Accountability Mechanism. A standing multilateral body with investigative and adjudicative authority over hyperscaler conduct that affects the digital sovereignty, security, or democratic integrity of member states, with enforcement powers that go beyond the advisory and reputational mechanisms currently available to international institutions.

 

Conclusion: The Urgency of Architecture

Project Mythos is a symptom, not the disease. The disease is the absence of multilateral architecture adequate to the AI century — architecture that can manage the concentration of AI capability in a small number of private corporations, address the structural inequality between those inside the technological frontier and those outside it, and create governance mechanisms for AI-enabled strategic capabilities before those capabilities are used in ways that make governance impossible.

The hyperscalers have already disrupted the geopolitical map. They have done so not through aggression but through the ordinary operation of commercial incentives in the absence of adequate regulatory constraint. The gap between their capabilities and those of most sovereign states will continue to widen unless political will is applied to close it — not by suppressing AI development, but by ensuring that its benefits and its risks are governed by institutions accountable to the international community rather than to shareholders alone.

The window for building that architecture is open. It will not remain so indefinitely. The pace of AI capability development means that each year of governance delay is a year in which the asymmetry deepens, the dependencies multiply, and the cost of course correction rises. The case for a Resilience Strategic Umbrella is not idealistic. It is, in the most precise sense of the word, practical.

The AI century will be shaped by the institutions built in its first decade. Those institutions do not yet exist. Building them is the strategic priority of our time.

 

END OF BRIEFING PAPER

This document was prepared as an integrated strategic analysis. May 2026.

 
 
 

Recent Posts

See All
Thoughts on a UK Water Grid

Summary: A Disused-Infrastructure Network Linking Kielder, Manchester, Cambridge and London The concept: stitch together genuinely disused or under-used British infrastructure — water transfer tunnels

 
 
 
The Modern Day East India Companies - US High Techs

June 30, 2026 History Remains Important... From my own history, 25 years ago +/-, I was recently reconnected with Christian Tafani . Together, back then, we wrote a paper called 'The Twenty First Cent

 
 
 
Two Key Generalities To Remember About AI

In a product development meeting today I was reminded of two things:1. CONTEXT - AI does not do CONTEXT, humans do. So AI CANNOT do everything. In the RESILIENCE context this is CRITICAL, and resilien

 
 
 

Comments


bottom of page