All Briefings | Red Team Scenarios
May 18, 2026
Red Team Scenarios

The Compute Embassy

The scenarios in this series are fictional but grounded in real capabilities and documented risk patterns. They're designed to provoke discussion, not predict specific events.

What You Will Decide
Role
Senior advisor to the NSC Senior Director for Technology and National Security
Window
72 hours after the kinetic-and-cyber attack on Stargate UAE
Tradeoff
Commercial-loss frame vs. quasi-embassy frame vs. Article V-equivalent frame
Widget

Domain: National Security / Sovereign AI Infrastructure

Situation Briefing

At 03:18 local time on a Friday in late November 2026, the Stargate UAE Phase 1 cluster goes dark. A kinetic strike, a cyber intrusion, and a public claim from an Iranian-aligned channel land inside the same hour. By dawn, the question in Washington is no longer whether the facility is commercial infrastructure. The question is whether the United States has been treating it as something more without saying so.

The cluster sits in the Gulf, but the strategic logic sits in Washington. Its contracts, chip flows, security assumptions, and emergency authorities were built to project American AI capacity through allied territory. That makes the response harder than a commercial outage and less clean than an attack on a U.S. base.

The NSC has one morning to choose the frame that will govern every subsequent move: commercial incident, bilateral security consultation, Article V-adjacent precedent, or something custom that admits the infrastructure has become part of national power without pretending a treaty already says so.

The decision is not symbolic. The first public posture will decide whether allies see the facility as protected strategic infrastructure, whether adversaries see a tolerable gray-zone target, and whether the next "compute embassy" is built with a security doctrine or only with better press language.

Decision Point

Option A: Treat it as commercial loss. Keep the response inside contract, insurance, and UAE domestic security channels. This is legally narrow and strategically unbelievable.

Option B: Invoke a custom security-partnership consultation. Build a one-off bilateral mechanism around the AI framework, intelligence equities, and infrastructure protection. It is less clean than a treaty, but it fits the facts.

Option C: Escalate toward collective-defense language. This signals resolve but overclaims the law. It also teaches every future host country that U.S.-backed compute infrastructure may import U.S. crisis obligations.

Option D: Disclose the strategic nature of the site. Admit publicly that the cluster was always more than a commercial build. This clarifies deterrence and creates immediate political exposure.

Complicating Factors

"Sovereign AI" was never sovereign in the hard sense. The phrase made the project sellable to the host country. It did not resolve who controls the chips, models, data flows, or emergency decisions when the site is attacked.

The available precedents do not fit. This is not an embassy, a base, a flagged vessel, or a simple private facility abroad. It borrows pieces from each category without inheriting a complete doctrine from any of them.

The workloads complicate the posture. If the cluster hosted U.S. government workloads, allied defense models, or sensitive commercial systems, the response cannot be calibrated only to physical damage.

The next site is watching. Whatever Washington says in the first seventy-two hours becomes the template for other compute deals, other host governments, and other adversary risk calculations.

Diagnostic: What Counts as an Embassy?

The doctrinal question is whether Stargate UAE belongs in a category that the U.S. legal and military apparatus already has tools for, or whether it sits in a category that has to be created in the response. The four candidate categories are: CFIUS-reachable infrastructure with U.S. strategic interest (Option A's home), a quasi-embassy with U.S. extraterritorial protection (the framing that leads toward Option C), a treaty-partner asset with shared but UAE-led defense responsibility (Option B), or a UAE sovereign asset on Emirati soil with U.S. commercial equities only (Option D's frame). Each category points to a different response option. None of them is fully consistent with the facts. The exercise below walks through the doctrinal decision tree the way the principals will. Watch how the answer shifts as the assumptions shift.

Interactive Widget · The Article V Question
The Article V Question
Three questions. The path you walk decides what kind of asset Stargate UAE is, and what response posture follows.
Decision path: (begin below)

Discussion Questions

What did the United States actually promise? The public framework, BIS licenses, contracts, and private security assurances may tell different stories. The NSC needs one posture before those differences leak.

Who owns the hosted-model risk? If sensitive workloads were interrupted, stolen, or exposed, the incident is not only about a data center. It is about the dependency map the data center supported.

How much doctrine should be created in public? Silence invites adversaries to test the gray zone again. Overstatement creates a defense obligation the law has not caught up to.

Anna's Read

The framework was more strategic than the public language admitted and less treaty-like than the crisis response will want it to be. That gap is the problem.

Article V does not apply. A pure commercial-loss frame does not survive contact with the facts. The right answer is a custom security-partnership consultation that says, without theatrical escalation, that U.S.-backed compute infrastructure abroad now carries national-security significance.

My recommendation is B with elements of D. Build the bilateral mechanism, disclose enough to make deterrence credible, and use the post-incident review to define security obligations for future compute-embassy deals before the next one is hit.

Related Briefings

Red Team Scenarios
The Document Reads Like 2019
An export-control framework written for the last threat environment, tested in this one. Same gap, different domain.
Red Team Scenarios
Pentagon-Anthropic II
When a frontier model is procured into national-security workflows, the contract is the doctrine. Same problem, model-side.
Red Team Scenarios · April 13, 2026
The Logistics Oracle
An AI producing high-confidence assessments outside its authorized domain. Same pattern of implicit authority, different stakes.

Anna R. Dudley writes on national security, AI policy, and the institutional structures absorbing the costs of AI deployment faster than they are being redesigned. Red Team Scenarios is the series for the call you don't want to take. Subscribe at annardudley.substack.com.

Back to Briefings
Copied to clipboard