The laws of armed conflict were written for a world in which the distinction between civilian and military infrastructure was, if not always respected, at least theoretically identifiable. Soldiers wore uniforms. Factories produced weapons. Command centres directed armies. The principle of distinction, the foundational rule of international humanitarian law requiring combatants to differentiate between military objectives and civilian objects, assumed that the categories were separable, even if the separation was sometimes contested.
Operation Epic Fury has produced a conflict in which that assumption has collapsed entirely, not through deliberate violation but through the structural transformation of military infrastructure itself. When the CIA runs intelligence workloads on Amazon Web Services, when Palantir’s AI targeting systems operate on commercial cloud infrastructure, when the Maven Smart System that directed 5,500 strikes in eleven days is built on commercial AI platforms, the distinction between civilian and military technology does not merely blur. It disappears.
Iran’s Islamic Revolutionary Guard Corps drew this conclusion operationally and stated it explicitly. In late March 2026, Iranian military leadership formally declared that AWS, Google, and Microsoft data centers hosting U.S. defence workloads constituted legitimate military targets under international law. The declaration invoked the principle of distinction under the Geneva Conventions to argue that facilities hosting classified Pentagon AI systems alongside civilian infrastructure had forfeited their civilian status.
On March 1, Shahed drones struck two AWS data centers in the UAE and a third in Bahrain, the first deliberate military attack on commercial hyperscale cloud infrastructure in history. On April 2, Iranian state media claimed a strike on Oracle’s Dubai facility. The IRGC published a list of 29 technology targets across Bahrain, Israel, Qatar, and the UAE, including AWS, Microsoft, Google, Oracle, IBM, Palantir, and Nvidia, and warned that “for every assassination, an American company will be destroyed.” On April 3, an IRGC-affiliated outlet published a video using Google Maps satellite imagery to identify OpenAI’s $30 billion Stargate facility in Abu Dhabi as a retaliatory target, displaying photographs of key technology executives alongside the facility’s coordinates.
What makes the IRGC’s legal argument so strategically significant, and so analytically uncomfortable, is that it is not obviously wrong. The U.S. Department of Defense’s Joint Warfighter Cloud Capability contracts, valued at up to $9 billion, distribute classified military workloads across AWS, Microsoft Azure, Google Cloud, and Oracle simultaneously.
The CIA’s Commercial Cloud Enterprise contract runs intelligence analysis on the same hyperscale infrastructure that processes civilian banking, healthcare, and logistics data. Iranian state media specifically cited the use of Anthropic’s Claude on AWS infrastructure for U.S. intelligence analysis and war simulations as justification for targeting those facilities.
The principle of distinction does not protect a facility that hosts both a supermarket delivery algorithm and a targeting AI simultaneously. The legal logic underlying Iran’s claim is, as Silicon Canals noted, “genuinely difficult to refute.” By spreading military workloads across commercial cloud providers through the JWCC contract, the Department of Defense has inadvertently transformed every major hyperscaler’s Middle East infrastructure into a dual-use facility, and dual-use facilities are not protected under the laws of armed conflict.
The consequences of this transformation extend in both directions simultaneously. Iran’s strikes on AWS infrastructure impaired two of three cloud availability zones in the UAE region and one in Bahrain. Standard redundancy models failed because multiple zones went down simultaneously. Abu Dhabi Commercial Bank, Emirates NBD, First Abu Dhabi Bank, payments platforms, and major commercial operations experienced outages.
The same physical attack that targeted military AI infrastructure disrupted civilian banking for millions of people, not as collateral damage but as an inherent consequence of the dual-use architecture that military procurement created. The harm flows in both directions: civilian populations bear the cost of attacks on military infrastructure because the military chose to house its workloads in civilian facilities, and commercial companies bear the legal and financial consequences of a conflict they did not choose to enter.
The legal framework governing this situation is not merely inadequate, it is absent. Standard commercial property and business interruption insurance policies exclude acts of war. The century-old Cuba Submarine precedent makes claims by private companies against state belligerents for wartime damages virtually impossible to pursue. The 1972 Liability Convention designed to govern state responsibility for damage was not written for a world in which commercial AI platforms are integral to military targeting architectures.
There is no international agreement governing the military use of commercial cloud infrastructure, no norm limiting the targeting of dual-use data centers, and no verification mechanism that could establish whether a given commercial facility is or is not hosting military workloads at any given moment. The algorithm that directed 5,500 strikes against Iranian targets has no Geneva Convention. Neither does the data center that ran it.
The arms control and international humanitarian law communities have not yet produced an adequate response to this architecture, and the window for doing so is narrowing rapidly. Every major military is now integrating commercial AI platforms into targeting, logistics, intelligence, and command and control. Every major technology company operating in geopolitically contested regions is now a potential military target under the legal logic Iran has established and operationally validated.
The $500 billion Stargate project, spanning facilities from Abilene, Texas, to Abu Dhabi, was designed as civilian infrastructure for AI development. Its military adjacency, through Pentagon cloud contracts, intelligence community relationships, and the unavoidable dual-use character of advanced AI, has made it a target in a conflict its architects never anticipated joining.
The world needs governance frameworks for this architecture before the next conflict makes the question academic. That means arms control agreements limiting the military use of commercial cloud infrastructure. It means legal clarity on the combatant status of technology companies whose platforms are integrated into military targeting systems.
It means insurance and liability frameworks that reflect the actual risk profile of operating AI infrastructure in geopolitically contested environments. And it means an honest acknowledgment, from both governments and technology companies, that the privatisation of military AI has created a targeting problem that no existing legal framework is equipped to resolve. The algorithm has no Geneva Convention. Writing one is now a matter of some urgency.
Disclaimer:Â The opinions expressed in this article are solely those of the author. They do not represent the views, beliefs, or policies of the Stratheia.
