Pentagon's AI Problem: Insider Leaks, Escalation Risks and an Expertise Gap

The AI threats lurking inside the Pentagon

Everyone talks about killer robots. The quiet threat lives inside the building. Former Pentagon cyber leader Mieke Eoyang is blunt: the risk isn't just adversaries with advanced models - it's insiders supercharged by AI with access, speed, and plausible deniability.

That combination makes leaks, misjudgments, and escalatory decisions more likely. It also exposes a skills and incentive gap inside government that tools alone won't fix.

The insider is now supercharged

AI shrinks the distance between raw data and insight. Anyone with clearance can use a model to surface, summarize, and correlate sensitive information that used to be buried. We've already seen how a single user can move classified material at scale; with AI, that scale grows.

As Eoyang put it, "People who have AI access could do that on a much bigger scale." The worry is information loss today that becomes operational compromise tomorrow.

• Faster targeting: Models make it easier to identify "what matters" across files, chats, and logs.
• Quiet exfiltration: Summaries and embeddings slip past simple filters more easily than bulk files.
• Policy workarounds: Natural-language interfaces hide intent; misuse looks like "normal" querying.

AI-driven psychosis and access to weapons

Eoyang warns about "AI-driven psychosis" - delusions that an AI is all-knowing or infallible. Pair that with people who have access to weapon systems and you get real risk. Overtrust is a human problem made worse by confident machine outputs.

Escalation bias in the loop

When models learn from human history, they inherit our biases. In crisis simulations, public models have shown a tendency to escalate. Eoyang's point: if escalation is a native bias, you need hard guardrails before any model touches decision-support in conflict scenarios.

• Don't assume neutrality: Evaluate for escalation bias and refusal to de-escalate.
• Scope models tightly: Keep crisis decision tools narrow, observable, and interruptible.

The skills and incentives problem

Inside the Pentagon, expertise is uneven. There are pockets of deep knowledge, but not a broad base. Top researchers chase industry paychecks. Cuts to research grants in recent years didn't help the pipeline.

One change that works: moving AI under core R&D so projects are tested and hardened before wide release. Building AI hubs inside military colleges can help, but only if talent, curriculum, and mission needs align.

What government program managers can do now

• Block the obvious leaks: Enforce data loss prevention at endpoints and gateways; block uploads to public AI tools from sensitive networks; whitelist only approved, enterprise models.
• Make access granular: Use attribute-based access control and strong data labeling; auto-redact sensitive fields; plant honeytokens to catch misuse.
• Log the AI exhaust: Centralize prompt and response logs; alert on bulk queries, unusual hours, and privilege jumps; review outputs that touch classified topics.
• Isolate models: Run approved models in accredited enclaves with no open internet; require signed models and dataset lineage.
• Use classification-aware assistants: Force policy checks (e.g., "is this releasable?") and block responses that combine mismatched classification levels.
• Red-team for escalation: Stress-test with crisis scenarios; measure "escalate vs. de-escalate" tendencies; set thresholds that trigger human review.
• Keep a human in the loop: Require approvals for any model-initiated action that touches targeting, release authority, or cross-domain transfers; maintain kill switches.
• Harden against prompt injection: Test connected tools and data pipelines; sandbox tool use; restrict function calling to least privilege.
• Update insider threat programs: Add AI misuse indicators (bulk summarization, scraping, covert encoding); integrate mental-health support and confidential reporting.
• Train for judgment, not hype: Provide role-based AI rules of engagement and scenario drills; certify competency before granting access to sensitive AI tools.
• Procure with teeth: Demand model cards, evaluation results, dataset sources, and incident reporting; lock in clauses for data retention, fine-tuning limits, and on-site audits.
• Align to standards: Map controls to the NIST AI Risk Management Framework and publish a living control catalog.

NIST AI Risk Management Framework offers a clear structure for mapping risks to controls. For people-focused safeguards, see CISA's Insider Threat Mitigation.

Metrics that matter

• Access hygiene: Mean time to revoke AI/tool access after role changes.
• Egress control: Blocked upload attempts to unapproved AI services per month.
• Model safety: Pass rate on escalation/red-team scenarios and prompt-injection tests.
• Training coverage: Percent of AI users with current, role-based certification.
• Incident readiness: Time from detection to containment for AI-related misuse.

A 90-day quick-start plan

• Weeks 0-2: Freeze unapproved AI use; inventory models, datasets, and integrations; identify high-risk workflows.
• Weeks 3-4: Issue interim AI rules of engagement; enable logging; restrict data egress; set up an AI review board with decision authority.
• Weeks 5-8: Deploy DLP and access controls; stand up an accredited model enclave; run first escalation bias and injection tests.
• Weeks 9-12: Red-team crisis scenarios; fix critical findings; launch role-based training and access certification.

The external threat is loud. The internal threat scales faster. Eoyang's warning is simple: treat AI misuse like a certainty and build controls that assume it. Start with containment, test for escalation, and raise the floor on skills.

If your team needs structured upskilling for government roles, explore AI courses by job or benchmark skills with practical certifications.