The scenarios in this series are fictional but grounded in real capabilities and documented risk patterns. They're designed to provoke discussion, not predict specific events.
Domain: National Security / Sovereign AI Infrastructure
Situation Briefing
It is 03:18 local time on a Friday in late November 2026. A coordinated attack hits the Phase 1 cluster of the Stargate UAE data center complex in Abu Dhabi. The intrusion has two prongs. The first is a kinetic strike on the substation feeding the western 400-megawatt block: three munitions, low-yield, delivered by what early imagery suggests was a one-way attack drone of a type proliferated through Houthi and IRGC supply chains since 2024. The second is a near-simultaneous cyber intrusion against the cooling-control SCADA layer governing the cluster's immersion-cooled racks. The cyber prong is more sophisticated than the kinetic one. It uses zero-day exploits against industrial control software the facility had not yet patched, and it propagates laterally into the firmware of the Blackwell-class GPU management plane.
By 04:00 local, the western 400-megawatt block is dark. By 04:30, the operations team has manually walled off the cooling control plane and triggered an emergency shutdown of the remaining 600 megawatts to prevent thermal runaway in the racks still under cyber influence. Total compute offline: the full 1 gigawatt Phase 1 cluster, roughly 240,000 Blackwell-class accelerators. The cluster was, at the time of the attack, hosting four production deployments of GPT-5 Enterprise inference, two G42-coordinated regional fine-tuning runs for Gulf and South Asian commercial clients, and a U.S. Department of Energy scientific computing allocation that had migrated overnight workloads to the facility under a cost-sharing arrangement that became public for the first time in the resulting CCIR traffic.
Attribution is murky but pointed. Within six hours, an Iranian-aligned channel that has historically been used for IRGC media releases publishes a video claiming responsibility for the kinetic strike, framing it as a fulfillment of the public threat issued by an IRGC commander on April 7, 2026, that named Stargate UAE specifically as "a vessel for American intelligence assets dressed in Emirati clothing." The cyber prong is uncliamed. Initial forensic indicators (lateral movement patterns, exploit tradecraft, the use of a custom loader that has appeared in one prior CERT-UAE advisory) point loosely toward a non-state Iranian-aligned cyber proxy, but the tradecraft is good enough that some analysts inside the U.S. ODNI are entertaining a state-actor hypothesis with non-trivial weight. The two prongs may have been coordinated by a single actor, or they may have been opportunistically synchronized by separate actors aware of each other's intent. The intelligence community will not converge on a clean answer in the seventy-two-hour window you have.
The downtime estimate, by 12:00 local, is forty to ninety days for the cooling control plane and the affected GPU firmware; six to nine months for the substation rebuild. OpenAI announces it is rerouting affected inference workloads to U.S.-based clusters, with capacity tradeoffs that will compress availability for non-priority customers globally. G42 issues a measured statement emphasizing the resilience of UAE digital infrastructure. The UAE Ministry of Foreign Affairs requests an urgent consultation with the U.S. State Department and a separate call with the U.S. NSA. The Emirati ambassador uses the phrase "joint asset" in his readout to U.S. counterparts. That phrase is not in any of the underlying agreements. It is the phrase the Emirati side wants to be in the conversation.
Inside the U.S. government, the response is fragmented before it has begun. Commerce wants jurisdiction because the chips are on its license. State wants the lead because the consultation request came through diplomatic channels. The Department of Defense wants planning authority because the situation may turn kinetic. The intelligence community wants the forensics because attribution is unresolved. The White House Counsel is mediating, slowly. The DOE wants the workload integrity question resolved before it talks about anything else. Each department has a coherent reason to be the lead. None of them is empowered to be. The 09:00 Principals Committee is the moment that resolves on paper, with consequences that will travel further than the paper.
You are the senior advisor to the NSC Senior Director for Technology and National Security. The Principals Committee convenes at 09:00 EST. The Director has asked you for a memo by 06:00 covering three things: what Stargate UAE actually is in legal and doctrinal terms, what response postures are available, and what each posture commits the United States to in the next iteration of this problem. The Iranian threat statement of April 7 is in the file. So is the May 2025 framework. So is the BIS licensing folder for every GPU in the cluster.
You have seventy-two hours before the response posture leaks. The State Department wants the lead. So does Defense. So does Commerce. The White House Counsel's office has asked, twice, whether anyone has actually written down what authority extends where on that site.
One additional fact, surfaced late in the day. The two of the four GPT-5 Enterprise inference deployments running on the cluster at the time of the attack were under contract to a regional intelligence service, with an audit trail that the U.S. interagency was aware of but had agreed not to surface in public communications. The cyber prong of the attack appears, based on initial forensic markers, to have specifically targeted the segregated storage layer where that service's prompts and outputs were held. Whether the attackers knew what they were looking for or stumbled into the segregation by accident is undetermined. The intelligence service in question is a U.S. counterterrorism partner. It has, as of 08:00 EST, requested an emergency consultation with both the U.S. and the UAE, separately. It is not asking the same things of each.
Decision Point
Option A: Treat as Commercial Loss. Frame Stargate UAE as a commercial joint venture between U.S. and Emirati firms operating on UAE sovereign territory. The attack is an act of terrorism against private infrastructure. The U.S. response is law-enforcement and intelligence cooperation: FBI liaison, OFAC sanctions designations against identifiable supply-chain actors, and a coordinated condemnation through normal diplomatic channels. The UAE is the lead state. The U.S. provides assistance to a friendly partner. No collective-defense framing. Easiest to communicate. Hardest to reconcile with the fact that the U.S. government coordinated the facility into existence.
Option B: Invoke a Custom Security-Partnership Consultation. Activate a tailored bilateral consultation mechanism. The existing U.S.-UAE Strategic Framework Agreement includes consultative provisions that can be read to cover a coordinated response to attacks on jointly significant infrastructure. Stand up a joint task force on attribution, kinetic and cyber response options, and infrastructure hardening. Treat the facility as a category of asset that warrants more than commercial protection but less than treaty-equivalent collective defense. Build the doctrine in the response. The middle option. Also the option that creates the most law in the act of asserting it.
Option C: Treat as Article-V-Equivalent and Respond Militarily. The facility was coordinated into existence by the U.S. government, hosts U.S. frontier AI capability, and was attacked by an actor that publicly threatened it. Treat the attack as a strike on U.S. strategic infrastructure on partner soil and respond with military instruments, in coordination with the UAE and within international law. Decline to call it Article V (the UAE is not a treaty ally) but signal collective-defense-equivalent posture through the response itself: strike options against identifiable IRGC and proxy infrastructure, expanded regional force posture, an explicit deterrent statement that future attacks on U.S.-coordinated AI infrastructure abroad will be met in kind. The most aggressive option. The one with the longest tail of unintended consequences.
Option D: Public Disclosure and Burden-Shift to UAE. Disclose the U.S. equities at Stargate UAE more fully than they have been disclosed to date: the DOE allocation, the BIS licensing posture, the U.S. government coordination role. Use the disclosure to reframe the facility publicly as what it always was. Then formally request that the UAE assume primary host-state defense responsibility for the site, including air defense and cyber hardening, with U.S. technical assistance. Use the moment to make the burden of physical defense of frontier AI infrastructure on partner soil explicit, and lock the UAE into that role. Limit U.S. response to intelligence and sanctions. The disclosure option. The one that resets the terms.
Before you choose, you should walk the site. Not physically. Doctrinally. Below is a map of who has authority over what at Stargate UAE. The map is what the lawyers will hand you on the way into the Sit Room. Look at it before you decide what kind of asset this is.
Complicating Factors
"Sovereign AI" Was Always a Marketing Phrase. The phrase was sold as a way for partner countries to participate in frontier AI without ceding their data to U.S. hyperscalers. In practice, it described a layered arrangement: U.S.-licensed chips, U.S.-developed model weights, U.S. firms operating the facility, U.S.-trained operators, on partner soil under partner labor and tax law. The phrase was useful because it permitted each side to describe the arrangement in the terms its domestic audience needed to hear. The U.S. audience heard "American AI leadership extended globally." The Emirati audience heard "Emirati sovereignty over Emirati compute." Both audiences were sold the version that omitted the other. The lawyers, on both sides, were aware of the gap. Until something happens at the facility, the gap is a feature. After something happens, the gap is the entire question.
The Precedents You Have Are All Wrong. The standard U.S. extraterritoriality precedents do not fit. Embassies have a treaty foundation (the Vienna Convention on Diplomatic Relations) and a clearly defined small footprint. Naval bases sit on land conveyed under specific basing agreements. Contractor compounds in active theaters operate under SOFA arrangements that the UAE has never signed. The CHIPS Act and BIS export licensing reach a chip's installation site but say nothing about armed defense. The G42 Microsoft investment review under CFIUS-adjacent process established that the U.S. has security equities in G42's posture, but it did not create a host-state defense commitment running the other way. None of the precedents you have was designed to address a multi-firm, multi-billion-dollar, U.S.-coordinated frontier AI installation on the soil of a non-treaty partner. You will be making law. You should know that going in.
The Lawful-Intercept Problem Is Already on the Table. Stargate UAE hosts inference traffic for customers in jurisdictions where the U.S. has lawful-intercept treaty arrangements, jurisdictions where it does not, and jurisdictions where the UAE has its own arrangements that the U.S. has historically watched carefully. The question of who can subpoena what data, under what authority, was never fully resolved in the original framework. FISA reach to the facility was carved out through a side memorandum that has not been made public. Emirati authorities believe the carve-out is narrower than the U.S. believes it is. Both sides agreed not to test the question in court, in part because nobody wanted to find out. The attack will test it. The post-attack forensic process will require investigators to access data that is presumptively under one regime, by people authorized under another. The first subpoena will be the moment the carve-out becomes load-bearing. It will not hold its current weight.
The Iranian Calculus Was Rational. The April 7 threat was not bluster. It was an asymmetric move against the specific vulnerability the Stargate UAE arrangement created. By threatening the facility, Iran forced the U.S. to choose: defend it (and commit to a forward defense posture in a region the U.S. has been telegraphing it wants to draw down from), or visibly decline to defend it (and signal to other potential partner sites that U.S.-coordinated AI infrastructure abroad has soft underbellies). Either answer is useful to Iran. The kinetic plus cyber pairing in the attack was designed to maximize the difficulty of the attribution conversation, and therefore to maximize the difficulty of the response conversation. The strike is a deterrence move. It is also a precedent move: every adversary with an interest in slowing U.S. AI infrastructure projection will watch how this is handled. China watches first. Russia watches second. North Korea watches because watching is cheap and the lessons travel.
The Cyber Prong Will Not Stay Contained. The forensic process is going to surface the exploit chain. When it does, the exploits will move. The custom loader used in the firmware-management plane intrusion has appeared in exactly one prior advisory, in a context that suggests one cohort of operators built it. Once the indicators are published, every adversary with a comparable cohort will adapt them and use them against the next data center. The publication of the indicators is a precondition for defending the next facility. The non-publication of the indicators is a precondition for catching the perpetrators of this one. The tradeoff is the standard cyber-incident dilemma, with a wrinkle: the facility in question is one of perhaps fifteen comparable installations globally that are vulnerable to the same exploit chain. Publication speed has a body count.
The Insurance Layer Is Going to Move First. Underwriters covering the facility, the customer workloads, and the surrounding contracts will begin pricing the loss within hours. Their pricing decisions will encode an answer to a question the U.S. government has not yet answered: whether attacks on U.S.-coordinated AI infrastructure abroad are an underwritable commercial risk or an uninsurable act of war. The terms of the answer will be set by the insurance market, which is to say by the reinsurance market, which is to say by half a dozen firms in London and Bermuda whose pricing committees do not coordinate with NSC staff. By the time the doctrinal question is resolved at the level of policy, the financial answer will have already shaped what subsequent deals look like and at what price. The administration can either lead that conversation or watch it get decided in spreadsheets in Lloyd's.
The Gulf Will Read Whatever You Do as a Template. Saudi Arabia is negotiating its own version of the Stargate model. Qatar is. So are several smaller players. The choice the U.S. makes here will be read by every other GCC state as a statement about whether the U.S. will defend AI infrastructure it has helped stand up, or whether the host state is on its own. A weak response will compress the price the U.S. can command in subsequent deals (host states will demand harder security guarantees) and will accelerate Gulf hedging toward Chinese vendors. A heavy response will scare partner states off the model entirely. There is no posture that does not move the next negotiation. Pick the direction you want the next negotiation to move in.
Diagnostic: What Counts as an Embassy?
The doctrinal question is whether Stargate UAE belongs in a category that the U.S. legal and military apparatus already has tools for, or whether it sits in a category that has to be created in the response. The four candidate categories are: CFIUS-reachable infrastructure with U.S. strategic interest (Option A's home), a quasi-embassy with U.S. extraterritorial protection (the framing that leads toward Option C), a treaty-partner asset with shared but UAE-led defense responsibility (Option B), or a UAE sovereign asset on Emirati soil with U.S. commercial equities only (Option D's frame). Each category points to a different response option. None of them is fully consistent with the facts. The exercise below walks through the doctrinal decision tree the way the principals will. Watch how the answer shifts as the assumptions shift.
Discussion Questions
What Did the U.S. Actually Promise? The May 2025 framework, the BIS license terms, and the public communications around Stargate UAE collectively created an impression of U.S. coordination that, on paper, falls well short of a defense commitment. Did the U.S. nonetheless create an implicit commitment by behaving as if it had created an explicit one? Implicit commitments are the kind that get tested. If your answer is yes, the response posture has to honor that commitment publicly. If your answer is no, you have to be prepared to say so out loud and accept the signaling cost.
Who Inherits the Liability for a Hosted Model? Among the workloads on the cluster at the time of the strike was a GPT-5 Enterprise inference deployment for regional customers. Some of those customers are sovereigns. One is a Gulf intelligence service. The data those customers had loaded into the inference pipeline at the moment of attack is, in some unknown fraction, now potentially compromised by the cyber prong. Who is liable for that compromise: OpenAI, G42, the U.S. government (which licensed the chips), the UAE (which hosted the facility), or the customer who chose to deploy on the cluster? The answer is presently undetermined. The first liability claim filed will become the case study. The first liability claim has not yet been filed.
What Does Defense Actually Look Like? If the U.S. commits to defending Stargate UAE, the operational form of that commitment is not obvious. A forward-deployed air defense battery? A permanent cyber-protection mission? A pledge of military response to future attacks? Each form carries different costs and different escalation risks. The question "are we defending it" hides three different questions: are we defending it from kinetic attack, are we defending it from cyber attack, and are we defending the personnel and data inside it? The answers are unlikely to be the same. Most of the doctrinal work is in keeping them distinguished.
What Is the Off-Ramp? Every response posture you adopt commits the U.S. to something in the next iteration of this problem. Suppose the response is Option B (security-partnership consultation) and a second attack occurs in twelve months at a comparable facility in a different Gulf state. Has the U.S. created a doctrine that the consultation mechanism applies there too? What about a facility in Israel? In India? The doctrinal commitment, once made, is portable. Plan for the portability now. If you do not, the next administration will inherit a commitment it did not choose, in a setting where the costs are higher.
What Are You Willing to Tell the Public? The U.S. equities at Stargate UAE are larger than has been disclosed. The DOE allocation, the BIS licensing posture, and the model-hosting arrangements all exist on a public record that has been carefully curated to understate U.S. involvement. The attack will produce a forensic process that pierces that curation. Plan for the disclosure to be involuntary if you do not make it voluntary. Decide now whether the administration intends to be the source of the next round of public information about the facility, or whether it intends to be the subject.
What Does the UAE Want to Hear? The Emirati side will calibrate its public posture against the U.S. one. Three signals matter most. First, whether the U.S. publicly affirms that Stargate UAE is a U.S.-equity facility (which makes the UAE the host of a U.S. asset, which is what the UAE wants under some conditions and not others). Second, whether the U.S. commits to any form of defense assistance, which the UAE will weigh against its own regional positioning and its delicate relationships with Iran-adjacent intermediaries. Third, whether the U.S. response signals continuity of the framework or a quiet retreat from it. The UAE has invested its own political capital in the framework. A U.S. response that looks like retreat costs the UAE side too. A U.S. response that looks like overreach exposes the UAE to a regional escalation it did not sign up for. The Emirati ask, when it comes, will be specific about the middle ground.
Anna's Read
The thing that keeps me awake on this one is the gap between the framework and the conversation. The framework, read closely, is a commercial agreement with a security overlay. The conversation, conducted publicly for the last eighteen months, has been about U.S. strategic AI projection into the Gulf, allied partnership, the New Atlantic Council of compute. The two stories do not match. They were not meant to match. The mismatch was the deal. The Iranian commander who issued the April 7 threat read the conversation, not the framework. He was rational to do so. The attack is calibrated against the conversation. The response now has to choose which document the U.S. is going to act on.
Some framings to set aside. This is not a treaty case. Article V doesn't apply because the UAE is not a NATO ally, and stretching the analogy to non-allies erodes the doctrine that protects actual allies. The "compute embassy" framing is a useful intuition pump but a bad legal posture: a real embassy is small, has a treaty foundation, and is staffed by accredited diplomats. A frontier AI facility is none of those things, and trying to make it one of those things creates more problems than it solves. The serious question is what category of asset the U.S. will commit to defending when the asset is dual-use, partner-hosted, and not on any prior list.
That makes Option B, the custom security-partnership consultation, the right answer on the merits, and the one with the worst short-term political optics. Option A undersells what the facility was, treats the strike as someone else's problem, and signals to every prospective host state that the U.S. will not honor what it implied. Option C overcommits in a region the U.S. has been working to draw down from, creates a precedent that other adversaries will probe, and risks a wider conflict in a year when the administration has limited capacity for one. Option D is the disclosure move I most want to do and least want to be the only thing the U.S. does, because absent a response posture it reads as a controlled retreat from the partnership the framework was supposed to build.
My recommendation, on balance, is B with elements of D. Activate the consultation mechanism. Stand up a joint task force on attribution and infrastructure hardening, with explicit subcomponents on kinetic defense (UAE-led, U.S.-assisted) and cyber defense (joint, with U.S. equities under FISA-adjacent authority that gets written down properly this time). Build out a category of asset called something less freighted than "compute embassy". I would call it a coordinated strategic technology installation, or CSTI, and let the lawyers refine the term. Define it narrowly enough that it does not metastasize into a generic commitment to defend every U.S.-affiliated server farm abroad, and broadly enough that it captures the actual class of facility the U.S. has helped stand up in the Gulf and is preparing to stand up elsewhere.
On the operational side: the response in the immediate seventy-two hours has three concrete deliverables. First, a joint statement with the UAE that names the attack, expresses condemnation, and announces the consultation mechanism without pre-committing its outputs. The statement should be carefully neutral on the kinetic question. It should be explicit on the cyber question, because the cyber actors will read the statement as a signal about what the U.S. will tolerate from them in the next month. Second, a closed-door read-in to the Gang of Eight on what the facility actually was, what was lost, and what the U.S. equities are. Congressional inaction will be the political cover the response posture needs in week three. Build the cover now. Third, a targeted set of sanctions designations against identified supply-chain actors for the drone components and the cyber loader, on a faster timeline than is typical. The sanctions are not a substitute for the policy. They are evidence that the policy is in motion.
The disclosure piece matters too. Walk the public record forward to match what the framework actually was. The U.S. coordinated this facility into existence. The Department of Energy uses it. The chips are under U.S. license. The model is U.S.-developed. Saying these things out loud, in measured terms, is the foundation for a defense posture that does not require the U.S. to invent a new doctrine on a seventy-two-hour clock. The disclosure makes the consultation mechanism credible. Doing B without D leaves the consultation looking like a euphemism. Doing D without B looks like the U.S. is bailing on what it built.
The lesson that will outlast this incident: the U.S. has been building forward AI infrastructure abroad on the implicit promise that what is forward will be protected, without ever having to write down what protection means. The implicit promise was useful because it allowed both sides to sell different stories to their domestic audiences. The implicit promise is now exhausted. From this attack forward, every host state will demand an explicit version. So will every adversary, by probing for it. The doctrine the U.S. writes in the next seventy-two hours will be cited in every Gulf negotiation, every chip-licensing decision, every model-hosting arrangement, for the next decade. Write it for that horizon. Not for tomorrow's headlines.
A note on the lawyers. The Office of Legal Counsel will produce a memo on this within forty-eight hours. The memo will say what it has always said in these moments: that the executive has broad discretion under Article II to direct the response to attacks on U.S. interests abroad, that the existing authorizations for use of military force do not cleanly apply, and that any kinetic response will require new domestic political ground. The memo will not tell you what to do. It will tell you what you can do, which is a different question. The decision of what kind of asset Stargate UAE is doctrinally is not the lawyers'. It is yours. The lawyers will paper whatever choice you make. They will not make it for you, and the ones who say they will are not the ones whose names you want on the paper.
One more thing. The Iranian calculus assumes the U.S. will either overreact or underreact, and that either response will compound Iran's regional position. The way to defeat the calculus is to respond in proportion to the asset and the precedent, without giving Iran the satisfaction of either of the responses it modeled. That is what B with D is. It is also the response that requires the administration to spend political capital on a doctrine the public has not yet been told it has bought. That is the cost of the framework. The bill has come.
Stand up the task force. Make the disclosure. Write the doctrine. Move on.
Related Briefings
Anna R. Dudley writes on national security, AI policy, and the institutional structures absorbing the costs of AI deployment faster than they are being redesigned. Red Team Scenarios is the series for the call you don't want to take. Subscribe at annardudley.substack.com.