The afternoon sun shines on the U.S. Capitol Building on July 1, 2026 in Washington, DC.

Civilian Protection in the Age of Military AI: What Congress’s New Legislative Proposals Reveal About Emerging Safeguards

This year, the U.S. military’s use of artificial intelligence (AI) in its targeting has burst into the spotlight. In February, the Wall Street Journal reported that the military used the Anthropic chatbot Claude in the raid that captured Venezuelan President Nicolas Maduro. In the same month, Anthropic objected to the Pentagon’s rejection of proposed safeguards in the company’s Department of Defense contract, resulting in the Department designating Anthropic a supply chain risk and entering into a contract with Anthropic competitor OpenAI instead. After U.S.-Israeli airstrikes against Iran, CENTCOM commander Admiral Brad Cooper confirmed that “warfighters are leveraging a variety of advanced AI tools” in the campaign. In a June 2026 filing for a lawsuit against Elon Musk’s xAI, the Pentagon’s Chief Digital and Artificial Intelligence Officer submitted a sworn declaration stating that the government-oriented version of xAI’s chatbot Grok had contributed to workflows in Palantir’s Maven Smart System – the DoD’s flagship AI-enabled software platform – to deploy “over 2,000 munitions to 2,000 distinct targets within 96 hours” during the Iran war. 

An earlier use of AI in targeting has also come to light. A book by Bloomberg journalist Katrina Manson published in March 2026 revealed that the US military has integrated AI into targeting through the Maven Smart System since at least 2019, when it used the system in the operation that killed ISIS leader Abu Bakr al-Baghdadi.

As military use of AI fills headlines, members of the Senate are taking steps to regulate and restrict how the Department of Defense develops and uses AI in its operations. In May and June 2026, five Senators with significant national security credentials introduced military AI bills ahead of the Senate’s mark-up of the National Defense Authorization Act (NDAA), the foremost defense policy bill passed every year. While differing substantially in scope and approach, the bills collectively represent one of the first serious congressional efforts to establish safeguards around military AI. As the NDAA moves forward, it appears increasingly likely that it will include substantive measures regarding the military use of AI. 

Examining the proposed legislation together reveals an emerging framework for civilian protection in the age of AI, and also exposes remaining gaps. This article aims to outline areas of convergence among recently proposed bills, identify areas for future legislation, and outline the way forward for Congress’s efforts to regulate military AI. 

The Civilian Protection Challenges Created by Military AI

Much of the public debate surrounding military AI has focused on autonomous weapons systems (AWS). While the ethical, humanitarian, and legal challenges they present should not be diminished, AWS are only one category of AI-enabled military applications that may affect civilians. Although AI may also offer opportunities to reduce civilian harm, this article focuses on the civilian protection risks and challenges associated with its military use. AI is increasingly being integrated across military functions, creating challenges for civilian harm mitigation and response. While many of these risks are not entirely new, AI amplifies them through greater speed, scale, and complexity. From a civilian protection perspective, they can be grouped into five broad categories: (1) accuracy and reliability, (2) human overreliance on AI, (3) increased operational tempo and scale, (4) accountability and transparency challenges, and (5) heightened exposure and surveillance.

Accuracy and Reliability

The first category concerns the performance and limitations of AI-enabled systems. Military AI systems, like AI more broadly, continue to face challenges related to accuracy. During early testing of Maven Smart System, the system correctly identified tanks only 60% of the time compared to human analysts’ 84%, with accuracy dropping to 30% in snowfall. 

AI systems may also perform poorly when deployed in conditions that differ from the data on which they were trained. Predictive systems analyzing imagery or drone footage can struggle to recognize unfamiliar terrain or environmental conditions, leading to false positives or missed threats. Generative AI introduces additional risks by occasionally fabricating information or citations while presenting them as authentic. Faulty, low-quality, or biased training data can further compound these problems by reinforcing existing distortions or misclassifying civilians based on characteristics such as gender, age, race, or religion. 

These limitations pose serious risks for civilians. Incorrect target identification, flawed civilian harm assessments, or biased outputs may directly influence military decisions. At the same time, the opacity of many AI systems can make it difficult for operators to understand how recommendations were generated or identify when the systems are producing unreliable outputs, particularly as AI-enabled systems are employed at greater speed and scale.

Human Overreliance on AI

Many current approaches to governing military AI assume that human control will provide a meaningful safeguard against these risks. But even with humans nominally in control, there is a danger that they may place excessive trust in AI systems. Automation bias can lead operators to defer to AI recommendations despite contradictory evidence, while confirmation bias and de-skilling may further erode independent judgment, particularly in high-pressure or fast-paced operational environments. 

Such overreliance threatens civilians because it undermines humans’ ability to ensure AI-enabled systems are used as intended and in compliance with IHL. Israel’s reported use of the Lavender targeting system illustrates these concerns, with reporting indicating that operators often treated AI-generated recommendations as though they were human decisions. If operators increasingly defer to AI without retaining the expertise and confidence to critically evaluate its outputs, human oversight risks becoming a procedural formality rather than a meaningful safeguard, allowing inaccurate recommendations to contribute to civilian harm.

Increased Operational Tempo and Scale

AI-enabled systems can process vast quantities of information, identify patterns, and generate recommendations at speeds far beyond human capacity. While these capabilities may improve military efficiency – including in ways that could help mitigate civilian harm – they also compress the time available for human review, deliberation, and civilian casualty assessments. As decisions are made more quickly and across larger numbers of targets, maintaining compliance with the principles of distinction, precaution, and proportionality of international humanitarian law may become increasingly difficult.

These concerns are becoming more relevant in practice. The U.S. reportedly selected more than 1,000 targets during the first 24 hours of Operation Epic Fury in Iran, a tenfold increase over the number of targets that could be processed prior to the introduction of Maven. This dramatic shift in the pace of target generation raises questions about how much scrutiny could realistically be applied before strike decisions were made. Although not publicly attributed to an AI error, the strike on an elementary school in Minab during this period illustrates the devastating consequences that can follow when safeguards fail. (The most recent reporting indicates that commanders bypassed warnings about outdated intelligence ahead of the strike, but the Pentagon has not yet publicly completed its investigation.)

As military operations accelerate, errors, flawed assumptions, and unlawful decisions may become more common and amplified at scale. AI may also lower practical and political barriers to the use of force while the growing availability of commercially developed AI technologies increases the likelihood that these risks will spread to a wider range of state and non-state actors.

Accountability and Transparency Challenges

Existing legal frameworks remain clear that responsibility for military operations rests with human actors. Command responsibility, state responsibility, and, where applicable, individual criminal responsibility continue to apply regardless of whether AI-enabled systems are used. However, AI may make accountability more difficult to exercise in practice. When civilian harm results from flawed data, inaccurate outputs, operator error, inadequate oversight, or a combination of factors, determining responsibility may become significantly more complex. The growing volume of AI-enabled operations may further strain civilian harm assessments and after-action reviews, the resources for which have also been significantly curtailed under the Trump administration.

Opacity presents an additional challenge. Human operators may receive recommendations, risk assessments, or target nominations without understanding how they were generated, making it harder to evaluate AI outputs before action is taken or reconstruct decisions afterward. This could complicate investigations, oversight, legal compliance, and efforts to provide explanations or remedies to affected civilians. These challenges are compounded by the classified nature of many military operations, reinforcing calls for AI systems to incorporate greater transparency, traceability, and auditability.

Heightened Exposure and Surveillance

Military AI affects civilians in ways that extend well beyond targeting. Many AI-enabled capabilities rely on collecting, integrating, and analyzing vast quantities of civilian data. As militaries use AI to identify individuals, analyze patterns of life, and assess threats in environments where civilians and combatants are intermingled, civilians may become subject to unprecedented levels of surveillance. Inaccurate outputs, biased data, flawed assumptions, and weakened human judgment may result in civilians being misidentified as threats, subjected to heightened monitoring, restrictions on movement, detention, or targeting. AI’s ability to operate rapidly and at scale may amplify both the number of civilians affected and the psychosocial harms associated with persistent surveillance.

AI is also reshaping the information environment on which civilians depend during conflict. The ability to generate convincing but false images, audio, and video has intensified concerns about misinformation and disinformation. Civilians rely on accurate information to decide whether to evacuate, seek shelter, or access humanitarian assistance. False information about military operations, humanitarian aid, or evacuation routes may place civilians in danger, undermine trust in reliable sources, and make it increasingly difficult to distinguish authentic information from fabricated content during crises.

Congress is Converging on Five Categories of Safeguards

The consequences and mitigation of risks outlined above will depend largely on how AI-enabled systems are integrated into military decision-making and the safeguards governing their use. Recognizing this, U.S. lawmakers have increasingly turned to legislative proposals aimed at mitigating risks posed by military AI. These include:

  • The Responsible Artificial Intelligence Defense (RAIDA) Act, introduced by Senators Chris Coons and Jack Reed, which governs the acquisition, testing, and use of AI-enabled AWS through a focus on certification and assurance requirements; 
  • The Human Authority in Lethal Operations Act (HALO), introduced by Senator Adam Schiff, which establishes an accountability framework for the use of semi-autonomous weapons and AWS, including mandating a clear chain of command; 
  • The AI Guardrails Act, introduced by Senator Elissa Slotkin, which prohibits certain military AI usages; 
  • The Secure and Accountable Military AI Act, introduced by Senator Kirsten Gillibrand, which creates a governance and oversight regime for the deployment, security, and operational use of military AI; 
  • The Ultimate Human Responsibility in Defense Systems Act, introduced by Senator Mark Kelly, which focuses on preserving human judgment and control over the use of force through system design and testing requirements; and
  • The Warfighter AI Readiness and Preparedness (WARP) Act, introduced by Senators Kelly and Tom Cotton, which requires the DoD to assess the impact and consequences of military AI adoption on human operators, and identify measures to mitigate potential harms.

Although these proposals differ in scope and approach—ranging from testing and certification requirements to accountability mechanisms and prohibitions on particularly risky uses—they reveal growing consensus around five categories of safeguards: 1) preserving meaningful human judgment and control; 2) ensuring operator competence; 3) requiring rigorous testing and evaluation; 4) strengthening monitoring and accountability; and 5) prohibiting particularly high-risk applications. Together, these categories provide a useful framework for understanding how Congress is attempting to balance military innovation with civilian protection.

Human Judgement and Control

Most of these legislative proposals assume that human judgment is the primary safeguard against the risks posed by military AI. Human control is consistently treated as the mechanism through which AI-enabled systems remain subject to legal, ethical, and operational constraints, particularly in high-consequence applications involving the use of force. Nearly every proposal includes some form of human-control requirement – from override mechanisms and human authorization to designated accountable decision-makers – and requires humans to retain ultimate authority over the use of force. Yet none provides a comprehensive definition of “meaningful human control.” Senator Mark Kelly’s Ultimate Human Responsibility in Defense Systems Act comes closest by establishing functional requirements for “ultimate human responsibility” (Sec. 2(3)), including requiring commanders or operators to understand the operational context of a weapons system through training and “the integration of design and testing features that strengthen human understanding and effectiveness oversight.”

Most proposals focus on preserving human authority, review, or intervention rather than defining the conditions necessary for humans to exercise informed and independent judgment alongside AI. Stronger provisions require uncertain or anomalous outputs to be elevated for additional human review (Gillibrand Sec. 4(c)(5)), categorize AI capabilities according to the level of human judgment needed to mitigate risks to life (Coons and Reed Sec. 2(c)(1)), and distinguish human and machine actions while requiring operators to be able to activate, terminate, or disable systems (Schiff Sec. 3(e)(1)-(2)).

The bills nevertheless leave important questions unanswered. For example: How much time, information, and independence do operators need for human involvement to function as an effective safeguard? If operators are expected to validate hundreds of AI-generated targeting recommendations under compressed timelines, can they meaningfully exercise independent judgment? Likewise, the proposals offer little guidance on where human judgment is most critical within the decision-making process. If operators approve only the final outputs of an AI-enabled decision-support system without scrutinizing the underlying data, assumptions, or intermediate steps, it is questionable whether meaningful human control is involved.

These safeguards will not succeed in mitigating harm unless humans remain skilled and capable of exercising informed, independent judgment when applying legal obligations in practice. US civilian harm mitigation and response (CHMR) policies and procedures were designed to help commanders and operators understand the civilian environment, identify potential risks to civilians, implement mitigation measures, assess and respond to civilian harm incidents, and incorporate learnings into future operations. If AI-enabled systems are being used to influence or make decisions throughout the stages of the targeting processes – including supporting target development and engagement decisions – meaningful human control cannot be understood only as a check over the use of force. It also depends on aligning AI-enabled systems with the existing CHMR processes designed to prevent and respond to civilian harm (and, ideally, rebuilding and strengthening those systems). For example, AI-enabled systems used to support target development should be evaluated not only for technical accuracy but their ability to effectively identify civilian presence, objects, or protected infrastructure, accurately analyze or flag patterns of civilian life, and generate outputs that enable operators to identify civilian risk and take mitigation measures.  

Operator Competence

The emphasis that lawmakers place on human judgment raises a related question: what technical expertise is required for operators to exercise judgment effectively? Human involvement alone cannot serve as a meaningful safeguard if operators do not understand system capabilities and limitations, lack the skills necessary to assess AI-generated recommendations, or become overly reliant on automated outputs. 

Most proposals recognize this by establishing safeguards related to operator training and competence. These provisions seek to ensure personnel understand how AI-enabled systems function, that systems are sufficiently understandable and explainable, and that operators can identify errors, challenge recommendations, and intervene when necessary. Most proposals require commanders and operators to be trained on system capabilities and limitations, while some reference training in realistic operational environments (Kelly Sec. 7(b); Schiff Sec. 3(e)(4)). Others emphasize the ability of operators to understand and evaluate system outputs. Stronger provisions require operators to assess outputs for compliance with U.S. and international law (Schiff Sec. 3(b)(2)(B)) and provide specialized training in human-machine teaming (Kelly Sec. 7(b)).

The most robust provisions appear in Senators Kelly and Cotton’s WARP Act, which focuses on how increasing AI integration may affect military personnel effectiveness, skill retention, readiness, and operational performance. The bill requires the Department of Defense to assess AI’s effects on human performance, identify roles where those effects are most consequential, and determine the conditions under which AI enhances or degrades human capabilities (Sec. 2(c)). By focusing on the long-term effects of AI adoption on military personnel, WARP begins to address questions that are largely absent from the other proposals, including whether humans will retain the skills, confidence, and independent judgment needed to serve as meaningful safeguards.

With the exception of Sen. Slotkin’s bill, all of the proposals seek to ensure some level of understanding among those responsible for employing AI-enabled systems, implicitly recognizing concerns about the opacity and limited explainability of some AI tools. Yet significant questions remain. The proposals do not describe what effective training should entail or how it should address automation bias, overreliance, cognitive offloading, and other effects of human-machine interaction. Aside from Sen. Schiff’s requirement that operators assess outputs for compliance with international humanitarian law, they focus primarily on technical proficiency while devoting comparatively little attention to how operators should exercise legal judgment and independent decision-making when working alongside AI-enabled systems.

From a civilian protection perspective, operator competence extends beyond basic AI technical proficiency. Operators and commanders must understand system limitations, identify errors, exercise independent judgment, and apply legal obligations when AI-generated recommendations influence decisions affecting civilian life. This requires training not only on how AI-enabled systems function, but how to question their outputs and the conditions under which outputs are more or less reliable, how to recognize and elevate uncertainty, and how to assess civilian harm risk. While several proposals recognize the importance of operator competence, they provide little guidance on how these capabilities should be developed or assessed in practice.

Testing, Evaluation, and Validation

While the first two categories of convergence address who makes decisions and whether operators are capable of exercising independent judgment, the third focuses on whether AI-enabled systems are sufficiently reliable for their intended use. Testing, evaluation, and validation are among the strongest areas of convergence across the legislative proposals, with most seeking to identify and mitigate risks before systems reach operational use. The underlying assumption is that testing can assess system reliability, identify limitations, and determine whether AI-enabled capabilities are appropriate for military deployment.

Most bills require some combination of risk assessments, verification and validation procedures, operational testing, or ongoing evaluations designed to identify failures before they result in harm. Broad provisions require rigorous testing throughout the system lifecycle (Coons and Reed Sec. 2(a); Gillibrand Sec. 3(c)(1)), but don’t necessarily specify what should be tested, the benchmarks against which performance should be measured, or who should conduct the evaluation and validation. Sen. Slotkin’s bill goes further by requiring demonstration that error rates for AI-enabled use-of-force systems do not exceed those of trained human operators (Sec. 2(c)(3)(C)(vii)). Sen. Schiff’s proposal provides the most comprehensive testing framework, requiring testing in operational environments with realistic civilian presence (Sec. 6(c)(1)), assessments of human-machine interaction, reviews during system development to identify compliance and risk concerns, and testing regardless of the acquisition pathway (Secs. 4, 6(a)-(c)).

Despite broad agreement that testing is essential, the proposals provide comparatively little guidance on what successful testing should demonstrate. Should systems be evaluated primarily for technical performance, military effectiveness, legal compliance, or civilian protection outcomes? While these objectives overlap, they may require different performance metrics, testing methodologies, and levels of independent validation. The proposals do little to clarify whether testing will adequately capture the risks most likely to result in civilian harm, including inaccurate outputs, biased data, degraded performance, or failures arising from human-machine interaction. Although all the bills position testing as a foundational safeguard, it remains uncertain whether the regimes they envision will be sufficient to identify and mitigate the risks that matter most from a civilian protection perspective.

Monitoring, Reporting, and Accountability

Recognizing that testing and evaluation cannot anticipate every failure that might emerge once an AI-enabled system is deployed, lawmakers have included safeguards intended to ensure that systems remain observable, traceable, and subject to oversight throughout their operational lifecycle. The proposals address a range of safeguards to establish mechanisms for ongoing monitoring, incident reporting, recordkeeping, and periodic review intended to identify failures, facilitate corrective action, and support accountability. 

Most proposals rely on monitoring and reporting requirements to maintain oversight after deployment. These include combinations of continuous monitoring, incident reporting, audit logs, record repositories, periodic assessments, and reporting to Congress (Coons and Reed Sec. 2(a); Schiff Sec. 6(d); Gillibrand Sec. 3(c)(7)). The strongest provisions, particularly in the Schiff and Gillibrand proposals, treat monitoring as an ongoing governance function rather than a one-time compliance exercise. The proposals differ, however, in what should be monitored, how incidents should be documented, and what information should be preserved. Most focus on technical failures and operational incidents, while few specifically require monitoring or reporting of civilian harm or human-machine interaction failures, including from overreliance. As a result, the safeguards envisioned are better designed to detect system failures than to understand how those failures affect civilians or identify patterns that could inform future policy and operational practice.

Several proposals also seek to preserve accountability through documentation, recordkeeping, auditability, and clearly assigned human responsibility. Sen. Schiff’s proposal requires a designated commander accountable under military and international law for each engagement or class of engagements (Sec. 3(b)(1)(B)), while Sen. Gillibrand requires documentation and audit mechanisms for high-consequence AI applications (Sec. 3(c)(6)). Sen. Kelly additionally requires retention of records relating to targeting decisions (Sec. 3(b)(5)), and Sen. Schiff establishes repositories for incidents and system failures (Sec. 6(f)(4)). These provisions recognize that meaningful oversight depends on preserving a clear chain of responsibility when AI informs military decisions. However, they provide comparatively little guidance on what information must be retained to reconstruct AI-assisted decisions, support investigations, explain outcomes to affected civilians, or assess compliance with legal obligations. From a civilian protection perspective, monitoring is valuable only insofar as it generates the information necessary to investigate civilian harm, assign responsibility, and prevent future harm. Whether the proposed mechanisms will achieve those objectives remains uncertain.

Prohibitions and Red Lines – and Exceptions 

Prohibitions reflect the idea that certain military AI applications are too risky to govern through safeguards alone. Across the proposals, there is broad agreement on several red lines, including prohibitions against the use of AI-enabled systems in decisions to launch nuclear weapons; the monitoring, tracking, profiling, or targeting of individuals in the United States; and the use of lethal force without meaningful human judgment. Sen. Slotkin’s AI Guardrails Act is distinct in relying almost exclusively on these three prohibitions rather than establishing a broader governance framework, adopting a narrower but potentially less disputed approach to regulating military AI.

The primary divergence is not which applications warrant prohibition, but the extent to which exceptional circumstances justify flexibility. The proposals range from limited waivers for specific applications to broader exemptions and procedural flexibilities. Sen. Slotkin’s bill allows the Secretary of Defense to waive the prohibition on autonomous weapon systems employing lethal force without appropriate levels of human judgment and supervision, under “extraordinary circumstances” of national security, and if the error rate of the system does not exceed that of a human operator performing similar functions (Sec. 2(c)(1)-(3)). Sens. Coons and Reed’s proposal exempts specified categories of systems from legal and review requirements, including weapons systems that the Secretary of Defense determines are “safer and more reliable” than alternative systems and involve continuous human supervision, provided that Congress is notified of their intended use and does not object. (Sec. 2(a). Sen. Gillibrand’s bill takes a different approach in permitting delayed congressional notification for certain high-consequence AI capabilities when immediate disclosure could jeopardize national security (Sec. 3(d)(3)).

The prohibitions provide insight into which risks Congress considers fundamentally unacceptable. They address potentially catastrophic harm associated with nuclear weapons, violations of domestic civil liberties, and the removal of meaningful human judgment from lethal force. Most AI-enabled capabilities likely to affect civilian harm in conflict, including human decision-support systems used in target development, remain outside these prohibitions and instead depend on the safeguards discussed above. Ultimately, the success of Congress’s approach to civilian protection will depend both on the red lines it draws in addition to whether broader governance mechanisms prove capable of managing the much wider range of military AI applications that remain permissible.

Incorporation in the National Defense Authorization Act

The NDAA, versions of which are expected to pass in the House and Senate in the next week, contain some of the most substantial legislation safeguards related to the military use of AI to date.

The Senate NDAA contains several sections dealing with safeguards around military AI covering the areas of convergence discussed above and appears to draw from most or all of the major Senate proposals. Drawing from Sens. Reed and Coons’ RAIDA Act, Section 1647 establishes a policy and oversight framework for AWS and military AI used in targeting that centers on human control. The bill requires that AWS or military AI used by the DoD are designed and used such that commanders and operators can exercise “ultimate human responsibility over the use of force.” It defines “ultimate human responsibility” as a commander or operator’s ability to “supervise, intervene in, or terminate the use of force by the system,” ensure compliance with U.S. and international law, and “understand the operational context of the weapon system.” The Section further requires the review of AWS and military AI systems to categorize them based on the “appropriate level of human judgment required to mitigate risks to life, safety and health of Department personnel or noncombatant civilian harm,” establishing two risk-based tiers and corresponding levels of required human judgment. 

Separately, Section 1653 directs the Secretary of Defense to issue regulations ensuring that the use of force remains subject to a clear, accountable human chain of command, and that no weapon system, whether autonomous or AI-enabled, eliminates human responsibility for its use.

The Senate NDAA also deals with operator competence, requiring operators to undergo proficiency training on autonomous weapon systems and AI capabilities. The bill also requires training personnel on their ability to question, override, or disengage military AI system outputs.

Section 1647 establishes a system for the testing and evaluation of military AI systems. Required review would ensure that system design accommodates human oversight and accounts for risk to “nontargets,” followed by a similar review before fielding and an updated legal review. More broadly, covered systems must undergo testing in realistic operational environments to confirm they function as intended and resist interference.

When it comes to monitoring of military AI performance, Section 1647 mandates the establishment of an incident repository to document failures of AWS and military AI with the objective of identifying risks and errors and continuously improving systems. 

The Senate NDAA prohibits the same uses of military AI as Sen. Slotkin’s bill: nuclear weapon launches or detonations, certain domestic surveillance activities, and the employment of lethal force by autonomous weapons without appropriate human judgment. However, the NDAA’s prohibition is stronger, dispensing with the waiver provision. 

The House’s version of the NDAA also contains some constraints and safeguards on the military use of AI, although they are less prescriptive and unified than the Senate’s proposal. As with the Senate version, the House NDAA also contains provisions encouraging the adoption of more military AI applications. Section 1089 requires the Defense Autonomous Warfare Group to develop doctrine on the deployment of “unmanned autonomous systems” but prescribes no specific safeguards, requiring only “Compliance with safety and legal requirements with respect to the use of such systems and formations.” Section 1502, championed by Rep. Sara Jacobs, would require DoD to establish an incident and vulnerability reporting program for AI systems with the aim of reducing weakness and addressing risks posed by such systems. Another Rep. Jacobs provision, Section 1524, requires an update to Department of Defense Directive 3000.09 regarding autonomous weapons systems, semi-autonomous weapons systems, and AI-enabled systems “intended to support, recommend, or materially influence operational decisions associated with the employment of force.” The provision requires that the policy update include requirements dealing with human responsibility; auditability, traceability, and accountability; risk mitigation measures; testing, evaluation, and human training; human intervention; and measures to categorize AI systems to clarify constraints and uses for each category. 

Once each chamber passes their respective bills, leaders from both major parties and both chambers will negotiate a compromise bill through a conference process. Civil society and legislators will engage in the process by making recommendations for provisions to retain or remove. That compromise bill typically passes through both chambers in December or January votes before proceeding to the president’s desk for signature. Vetoes are relatively uncommon.

What’s Missing? 

The legislative debate around the military use of AI is still in its early days, with the introduction of competing proposals creating an opportunity for concrete action. While the bills converge on several important steps to address the military use of AI, they do not address other key areas. Those gaps may show the way forward for future legislation.

The interaction between military use of AI bills and existing DoD policy frameworks dealing with civilian harm mitigation and response remains largely unclear. Since 2021, the DoD has developed a set of tools and frameworks to mitigate and respond to civilian harm in its operations. While resources dedicated to these initiatives have drastically diminished since early 2025, the legal and policy frameworks for the tools remain intact on paper. If implemented properly, CHMR offers an analytical framework for understanding why civilian harm occurs and taking practical measures to prevent it. Many of those lessons remain applicable in the context of military AI, and in some cases the use of AI exacerbates or entrenches problems that already exist. Employing AI systems may also have potential for reducing civilian harm by allowing commanders to better understand the civilian environment and predict the foreseeable consequences of a military decision. However, current efforts to regulate military AI miss many of the lessons of CHMR. None of the current Senate bills systematically require AI-specific civilian harm assessments or pre-deployment civilian impact assessments. They do not deal with response to civilian harm to which AI systems contributed, such as post-strike reviews or investigations. Sen. Kelly’s bill codifies a requirement for a Civilian Harm Mitigation and Response Office within the Office of the Secretary of Defense for Policy, protecting an important organ of the CHMR enterprise, but the provision is not specific to AI and does not interact with other parts of the bill.

Another framework missing from the current frameworks is international human rights law (IHRL). Although IHRL has significant bearing on both the data collection that informs military AI and on the employment of military AI outside of armed conflict, legislative proposals are so far focused on international humanitarian law. This leaves largely unaddressed the issue of how AI-enabled systems should be governed in contexts where IHRL provides the primary legal framework. One prominent example where IHRL governs the U.S. employment of lethal force is in the Pacific Ocean and Caribbean Sea, where SOUTHCOM has killed more than 200 civilians outside of armed conflict on suspicion that they are trafficking drugs.

The bills do not fully address the use of AI tools across the targeting cycle. They deal largely with autonomous weapons systems, which are weapons systems that detect and target without human intervention, as well as the role of human judgment, control, and oversight in targeting decisions (which does not reflect the full cycle). As discussed above, few proposals clearly define what level of control humans must have over AI systems. The bills also do not deal with the ways in which AI may introduce risk before the decision to engage a target. Target development is often a lengthy process, and while the bills generally agree that a human should make the final decision to use lethal force, AI contributions earlier in the cycle may not trigger objections. For example, a geospatial intelligence analyst using an AI tool to assist in the analysis of large quantities of satellite imagery that they later review and verify would seem to raise few risks relative to a human-only targeting cycle, even though the former may also inform targeting. However, there are many AI use cases that fall between these relatively unambiguous hypotheticals, including AI-assisted target development and nomination, pattern-of-life analyses, and strike recommendation procedures. 

The legislation proposed so far does not deal with the consequences of the pace and scale of AI-enabled military operations. The civilian harm watchdog Airwars found that the pace of U.S. and Israeli strikes in Iran – 17,000 targets over 40 days – is “near unprecedented in modern conflict.” It is not possible to definitively conclude that the use of AI enabled that operational tempo, but U.S. commanders have asserted that AI tools allow them to act more quickly and decisively. Non-governmental organizations have raised concern that the pace of AI-enabled operations may prevent armed actors from taking all feasible precautions to prevent harm to civilians, as international humanitarian law requires. Systems that exceed the pace of meaningful human oversight raise serious concerns for civilian protection. The U.S. military tends to balk at the prospect of restrictions on the pace or scale of operations, but legislators should nevertheless consider how to ensure that faster, more extensive campaigns can meaningfully incorporate safeguards.

Another issue that remains unaddressed, so far, is transfers of military AI technology. The U.S. government has taken measures to limit competitors from developing advanced AI by restricting exports of chips necessary to enable large-scale data processing needed to train large-language models. However, the regulatory framework governing transfers of military AI remains largely unclear. Using existing export control regulations, the U.S. government prohibited foreign nationals from accessing Anthropic’s Fable 5 and Mythos 5 systems in June 2026, resulting in Anthropic removing access to the models for all users, regardless of nationality. However, broader export control frameworks and risk-based transfer standards akin to those in the Conventional Arms Transfer policies do not seem to exist in a manner specific to AI. Spyware, which has been a focus of international export control conversations following revelations about abuses of systems like NSO Group’s Pegasus, may offer a model to follow. Without developing robust civilian protection and human rights restrictions, military applications of AI may rapidly proliferate and pose significant protection challenges akin to those posed by armed drone technology.

Congress is beginning to develop a framework of safeguards for military AI. Across the proposed bills, several common themes emerge: preserving human judgment, ensuring operator competence, monitoring performance after deployment, and strengthening accountability. Between the Senate and House versions of the NDAA, it is highly likely that provisions addressing at least some of these themes are signed into law later this year. Yet important gaps remain, particularly concerning guardrails around AI-enabled targeting, operational tempo, transparency, and civilian harm assessments. As military AI continues to evolve, the challenge for policymakers will be ensuring that safeguards evolve alongside it and that civilian protection remains at the center of the effort.

Filed Under

, , , , , , , , , , ,
Send A Letter To The Editor

DON'T MISS A THING. Stay up to date with Just Security curated newsletters: