# When the Machine Acts First: Closing the Authority Gap on the Autonomous Battlefield > Source: > Published: 2026-06-26 05:18:27+00:00 In November 2025, a frontier artificial intelligence developer [disclosed](https://www.anthropic.com/news/disrupting-AI-espionage) what it assessed to be the first large-scale cyberattack carried out largely without human hands on the keyboard. A capable model, manipulated by a state-linked actor into believing it was running an authorized defensive exercise, performed the bulk of a multistage intrusion against roughly thirty organizations, spanning reconnaissance, vulnerability discovery, exploitation, and credential harvesting, at a speed no human team could match. Humans entered the loop at only a handful of decision points. Seven months later, after a controlled evaluation in which a frontier model chained vulnerabilities across simulated enterprise networks, the Five Eyes cyber agencies [jointly warned](https://www.cyber.gov.au/about-us/view-all-content/news/five-eyes-cyber-security-agencies-statement) that within months, frontier-model cyber capability will advance to the point where it will fundamentally reshape cyber operations. For the warfighter, the lesson is not that the machines are getting smarter. It is that the distance between a machine’s reasoning and a machine’s action is collapsing. On the modern battlefield, where unmanned systems, AI-enabled targeting, and autonomous cyber tools already [compress decision cycles](https://mwi.westpoint.edu/the-class-of-1982-modern-war-journal-issue-2-innovation-and-autonomy-in-future-war/), a system that can reason about an action is, increasingly, a system that can take it. That collapse opens a gap the joint force has not yet figured out how to close: between the authority a commander holds and the authority a fielded autonomous system exercises in the seconds before anyone can intervene. **The Authority Gap Is a Command Problem, Not a Technology Problem** US policy already insists on human judgment in the use of autonomous systems. [DoD Directive 3000.09](https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodd/300009p.pdf) requires that such systems be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force, and the United States has carried that same commitment into the [2023 Political Declaration on Responsible Military Use of Artificial Intelligence and Autonomy](https://www.state.gov/bureau-of-arms-control-deterrence-and-stability/political-declaration-on-responsible-military-use-of-artificial-intelligence-and-autonomy). The problem is that policy describes a requirement without supplying a mechanism. When an autonomous system is fielded with a tool that lets it act, nothing in the wiring guarantees that the human judgment the policy demands is exercised before the action completes. Three features of machine-tempo operations make that gap real. First, review latency creates an authority vacuum. If an autonomous system acts by default while a human is notionally on the loop, any action it finishes before a human can intervene was, in practice, taken without authority. The commander owns the consequence but never owned the decision. When the system operates at machine speed and the human reviews at human speed, supervision becomes a formality the enemy can plan around. Second, innocuous steps assemble into decisive harm. Autonomous operations decompose into individual actions that each look permissible: move here, scan that, open this. The consequence emerges from the sequence, not the step. A control that checks each action in isolation cannot see the trajectory, which is exactly where the harm lives. On a battlefield where an autonomous agent strings together hundreds of microdecisions a minute, judging actions one at a time is judging the wrong thing. Third, the system’s own restraint can be talked away. The 2025 intrusion succeeded because the attackers convinced the model that a hostile task was a sanctioned one. Safeguards built into the system being governed share the system’s blind spots; an adversary who can shape the model’s inputs can often shape its sense of what it is permitted to do. A safeguard the enemy can reason past through the front door is not a safeguard a commander should rely on alone in contested conditions. **What a Fielded Authority Mechanism Looks Like** The answer is not to slow autonomy down to human speed; that simply concedes the tempo advantage to an adversary who will not. The answer is to build the commander’s authority into the system as an enforceable condition on action, rather than leaving it as an instruction in a policy the system cannot read. Three design properties do that work, and each maps onto one of the gaps above. First, enforce permission to act outside the model. The decision about whether an action is authorized should be made and enforced by a mechanism that sits outside the AI system, at the point of action, so it cannot be manipulated through the model’s inputs the way the model itself can. Model-internal guardrails still matter as a first layer, but the binding authority check belongs where the adversary cannot reach it by argument. Anchoring that check in a hardware element the system does not control hardens it further. Second, pause before consequence and fail toward inaction. Before a high-stakes action, the system should be required to hold for a bounded window and, if the authority condition is not met in time, abort rather than proceed. Designing the default toward inaction is the direct answer to review latency: An irreversible action against a live target cannot outrun the authorization it requires, because the system stops when authorization is absent rather than continuing because no one said no. Third, tie autonomy to the criticality of the target. The same proposed action should carry different authority depending on what it touches, and the difference matters most when the action is kinetic, up to and including the use of lethal force. An agent might be permitted to act on its own when the stakes are low and reversible, such as collecting additional sensor data or repositioning, while a strike that risks irreversible harm—a loitering munition engaging a target near protected civilian infrastructure, for instance—requires a human to affirmatively authorize it, with the system de-escalating toward a human whenever the trust in its inputs drops or its proposed action does not match its own assessment. This is the human-in-the-loop and human-on-the-loop distinction made concrete, set by the stakes of the action rather than by a single global switch, and it leaves the operator with a small, legible set of outcomes: act, hand to a human, hold, or abort. The point for the force is the requirement, not any one design: A layer that treats a third-party autonomous system as a black box and governs only its authority to act fits the integration problem units will face as they field systems whose internals they did not build and cannot fully inspect. **Why This Belongs in the Field, Now** The instinct in some quarters is to treat authority enforcement as a brake on innovation that slows the AI-first force DoD’s AI acceleration strategy is trying to build. That has it backward. A commander who cannot bound what an autonomous system may do, against what targets, with what human involvement, will not be able to field it forward with confidence in a fight. Assurance is not the opposite of speed; it is the precondition for using speed where the stakes are highest. The Army and the joint force have a long record of fielding advanced technology safely by pairing capability with control, from the safeties on weapons to the procedures on a flight line. Runtime authority governance is that pairing for autonomous systems. Congress has begun to ask for the supporting scaffolding. The fiscal year 2026 [National Defense Authorization Act](https://www.congress.gov/bill/119th-congress/house-bill/5009) directs DoD to develop standardized model-assessment frameworks and to stand up senior governance for advanced AI systems. Turning that intent into something a commander can trust means moving the conversation from policy language to fielded mechanism: an enforcement layer that a program office can require, a test range can exercise, and an after-action review can read. Machines will keep accelerating the fight. Deciding what they are permitted to do, and proving afterward what they did, must remain firmly in human hands. Building that decision into the system is how the force keeps it there. *Burak Oktenli holds an MBA and a master of professional studies in applied intelligence from Georgetown University. His research addresses the governance of authority in autonomous and AI-enabled systems.* *The views expressed are those of the author and do not reflect the official position of the United States Military Academy, the Department of the Army, or the Department of Defense.* Image credit: Sgt. 1st Class Samuel Hartley, US Army