The recurring exclusion of military, intelligence, and national-security AI uses from civilian AI-governance instruments. EU AIA Art. 2(3) explicit exclusion; US EO 14110 §11 + NSM-10 separate track; CoE AI Convention Art. 3 carve-out; UK White Paper sectoral-regulator-only scope; India DPDPA state-security exemptions. China's approach is notable for treating state security as the central concern, not a carveout.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 33 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches: how the carveout is constructed
Beyond the binary of whether an instrument excludes national security, jurisdictions differ in the legal *modality* by which they do so — a distinction the coverage table above does not capture. Four constructions recur. The first is an **explicit textual exclusion**: the EU AI Act states that "[t]his Regulation does not apply to AI systems where and in so far as they are placed on the market, put into service, or used with or without modification exclusively for military, defence or national security purposes" (Regulation (EU) 2024/1689, Art. 2(3)), and the Council of Europe Framework Convention carves out national-security activities in Art. 3 (CoE 2024). Scholars note this exclusion leaves dual-use capabilities — biometric and satellite-imaging surveillance especially — substantially under-regulated 1, and that even the Act's Art. 5 surveillance prohibitions are hollowed out by broad law-enforcement and security exceptions 2; it "does not apply to any dual-use technologies that are also used outside of the national security context" (Powell 2024, CETaS). The second is **exclusion by scope-omission**: the UK's pro-innovation White Paper imposes no statutory duties on defence or intelligence at all, the carveout arising from silence rather than a clause (UK DSIT 2023). The third is a **parallel-track** model, where security AI is routed to a separate, classified governance regime rather than left ungoverned — the approach the United States adopted via a dedicated national-security memorandum fulfilling §4.8 of EO 14110. The fourth, exemplified by China, inverts the logic: state security is the organising concern of the regime, not an exception to it (editorial characterisation). These modalities are not cosmetic — a parallel track preserves some accountability architecture that scope-omission discards entirely. The United States parallel track is itself filled out by the DoD Responsible AI Strategy and Implementation Pathway, whose tenets require that "DoD personnel will exercise appropriate levels of judgment and care, while remaining responsible for the development, deployment, and use of AI capabilities" (DoD RAI S&IP 2022) — operationalising security AI rather than exempting it. A further variant routes the carveout through acquisition rules: DFARS Subpart 252.204 (clause 252.204-7012 plus the CMMC clauses -7019/-7020/-7021) obliges contractors to "provide adequate security" on covered systems by implementing NIST SP 800-171, making contractor information-security itself the operative national-security overlay (DFARS 252.204-7012).
Key fault lines: the "exclusively" boundary and the competence contest
The most contested question is not whether security uses are excluded but *where the excluded zone ends*. The EU AI Act ties its exemption to the word "exclusively" (Regulation (EU) 2024/1689, Art. 2(3)); Recital 24 clarifies that a system placed on the market for both an excluded purpose and a non-excluded purpose — civilian or law-enforcement — "fall[s] within the scope of this Regulation" (EU AIA, Recital 24). Because most modern AI is dual-use, this makes the boundary porous in principle yet self-certified in practice: commentators argue the "exclusively" formula is destabilised by the unresolved CJEU/member-state contest over the security boundary, such that declaring a military purpose can suffice to remove a system from the Regulation's reach 3. The stakes are concrete at the law-enforcement edge, where predictive-policing and predictive-justice systems sit astride the boundary and strain data-protection and oversight duties 4. A second, deeper fault line is one of EU constitutional competence. In *Privacy International* and *La Quadrature du Net* the Court of Justice held that activities of communications providers carried out for national-security ends remain subject to EU law even where the underlying intelligence activity does not, turning the national-security boundary into contested terrain rather than a clean exclusion 5. Yet the Court's controller-based route is itself unstable: it "creates significant legal uncertainties," inviting a data-subject-centred reconstruction of scope instead 6. The unresolved tension — whether a broad statutory carveout can coexist with a jurisprudence that subjects security claims to proportionality review — is, in the editorial assessment here, the structural fault line beneath the topic.
Trajectory: what is changing (2024–2026)
The carveout landscape has shifted materially since several instruments were first catalogued, and parts of the coverage table reflect superseded provisions. In the EU, the AI Act's prohibited-practices regime (Art. 5) became enforceable on 2 February 2025 and general-purpose-AI obligations on 2 August 2025, with high-risk obligations due 2 August 2026 — yet none of these phases reach systems falling under the Art. 2(3) exclusion, so the security gap widens in relative terms as civilian obligations bite. Critically, the law-enforcement and national-security exceptions *widened* during the legislative process, producing "double standards for fundamental rights protection" 7, and analysts warn the resulting exemptions will make meaningful supervision of policing and migration AI extremely difficult (Jones & Lanneau 2025, Statewatch). The pattern echoes longer-running surveillance debates: human-rights review of bulk interception has insisted such measures are not per se disproportionate yet demand end-to-end independent oversight 8, a safeguard the AI carveouts conspicuously omit. In the United States the picture changed more sharply. Executive Order 14110 was rescinded on 20 January 2025 and superseded by Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence" (signed 23 Jan. 2025; 90 Fed. Reg. 8741), whose implementation and America's AI Action Plan follow-on have been tracked provision-by-provision (CSET Georgetown, EO 14179 tracker). The Biden-era National Security Memorandum on AI (24 Oct. 2024) was in turn rescinded and replaced by NSPM-11 (5 June 2026), whose §3(f) reorients the security track around adoption, adaptation, assurance, and accountability. The net direction, on the evidence reviewed here, is convergent: civilian regimes tighten while the security perimeter is preserved and, in the US case, re-tooled toward acceleration rather than restraint.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) on (governs). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingEU AI Act↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingExecutive Order 14110 on Safe, Secure, Trustworthy AI↔Interim Measures for Generative AI Service Management
- Forum-shoppingCouncil of Europe Framework Convention on AI↔G7 Hiroshima AI Process Code of Conduct
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address National Security Carveouts in AI Regulation — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- Interim Measures for Generative AI Service ManagementCN
- G7 Hiroshima AI Process Code of ConductG7
- OECD AI Principles (Recommendation)OECD
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- NIST AI Risk Management FrameworkUS
- Bletchley Declaration on AI Safetyglobal
- Seoul Declaration on Safe, Innovative and Inclusive AIglobal
- NIST AI RMF Generative AI ProfileUS
- California SB-1047: Safe and Secure Innovation for Frontier AI Models ActUS
- Brazil AI Bill (PL 2338/2023)BR
- ASEAN Guide on AI Governance and EthicsASEAN
- African Union Continental AI StrategyAfrican_Union
- Anthropic Responsible Scaling Policy (RSP) v2US
- OpenAI Preparedness FrameworkUS
- Google DeepMind Frontier Safety FrameworkUS
- Meta Frontier AI FrameworkUS
- UK-US AI Safety Institute Memorandum of Understandingglobal
- White House Voluntary AI CommitmentsUS
- Singapore Model AI Governance Framework for Generative AISG
- Japan METI AI Guidelines for BusinessJP
- General Data Protection Regulation (GDPR)EU
- EU General-Purpose AI Code of PracticeEU
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- California SB-53: Transparency in Frontier Artificial Intelligence Act (TFAIA)US
- California SB 243: Companion ChatbotsUS
- California SB 942: AI Transparency ActUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- New York RAISE Act: Responsible AI Safety and Education ActUS
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- UN Global Digital CompactUN
See also
Further reading
14 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Predictive policing and predictive justice: Ethics, data protection, and the AI act Peer-reviewed✦ AIExamines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls.
- National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach Peer-reviewed✦ AIArgues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead.
- Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes) Civil society✦ AIDocuments how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.'
- The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation Peer-reviewed✦ AITraces how the AI Act's law-enforcement and national-security exceptions widened during negotiations, producing 'double standards for fundamental rights protection' and gaps in the regulatory framework.
- Toward a global standard for ethical AI regulation: addressing gaps in AI-driven biometric and high-resolution satellite imaging in the EU AI Act Peer-reviewed✦ AIIdentifies how the AI Act's military, defence and national-security exclusions leave biometric and satellite-imaging surveillance under-regulated, arguing for a global standard to close these gaps.
- Prohibited AI surveillance practices in the Artificial Intelligence Act: promises and pitfalls in protecting fundamental rights Peer-reviewed✦ AIArgues the AI Act's Article 5 surveillance prohibitions are undercut by broad law-enforcement and security exceptions, so 'enforcement of fundamental rights and data protection law' must do the heavy lifting against mass survei…
- The EU AI Act: National Security Implications (CETaS Explainer) Research institute✦ AIExplains the AI Act's national-security exclusion 'does not apply to any dual-use technologies that are also used outside of the national security context,' and that rights groups dispute it.
- Facial Recognition Technology in Policing and Security—Case Studies in Regulation Peer-reviewed✦ AIThrough regulatory case studies, argues facial recognition in policing requires a tailored governance framework grounded in necessity and proportionality rather than ad hoc deployment.
- The AI Act National Security Exception: room for manoeuvres? Think tank✦ AIArgues the AI Act's exclusion of systems used 'exclusively for military, defence or national security purposes' will be destabilised by the unresolved CJEU/member-state contest over what national security means.
- A Struggle for Competence: National Security, Surveillance and the Scope of EU Law at the Court of Justice of European Union Peer-reviewed✦ AIAnalyses how the CJEU in Privacy International and La Quadrature du Net subjected member-state national-security surveillance to EU law, turning the national-security boundary into a contested struggle over competence.
- Big Brother Watch and Others v. the United Kingdom Peer-reviewed✦ AICase note on the ECtHR Grand Chamber's first post-Snowden bulk-interception ruling, holding bulk surveillance not per se disproportionate but requiring end-to-end independent oversight safeguards.
- Bulk Surveillance in the Digital Age: Rethinking the Human Rights Law Approach to Bulk Monitoring of Communications Data Peer-reviewed✦ AIContends 'utility and harm calculations can conceal the complex nature of contemporary digital surveillance practices,' rethinking human-rights-law tests for bulk communications surveillance.
- Data retention as mass surveillance: the need for an evaluative framework Peer-reviewed✦ AIArgues data-retention mandates justified by national security amount to mass surveillance and proposes an evaluative framework because such 'highly intrusive proposals' lack an agreed basis for assessment.
- The Executive Order on Removing Barriers to American Leadership in Artificial Intelligence (implementation tracker) Research institute✦ AIProvision-by-provision tracker of EO 14179 implementation and its America's AI Action Plan follow-on (Jul 2025).
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Ezgi Yazici (2025) Toward a global standard for ethical AI regulation: addressing gaps in AI-driven biometric and high-resolution satellite imaging in the EU AI Act, Law, Innovation and Technology. 10.1080/17579961.2025.2470589 — Identifies how the AI Act's military, defence and national-security exclusions leave biometric and satellite-imaging surveillance under-regulated, arguing for a global standard to close these gaps. ↩
- Irena Barkane & Lolita Buka (2025) Prohibited AI surveillance practices in the Artificial Intelligence Act: promises and pitfalls in protecting fundamental rights, Critical Perspectives on Predictive Policing (Edward Elgar). 10.4337/9781035323036.00011 — Argues the AI Act's Article 5 surveillance prohibitions are undercut by broad law-enforcement and security exceptions, so 'enforcement of fundamental rights and data protection law' must do the heavy lifting against mass survei… ↩
- Plixavra Vogiatzoglou (2024) The AI Act National Security Exception: room for manoeuvres?, Verfassungsblog (EU AI Act's Impact on Security Law debate s. 10.59704/292082becc7cc8e6 — Argues the AI Act's exclusion of systems used 'exclusively for military, defence or national security purposes' will be destabilised by the unresolved CJEU/member-state contest over what national security means. ↩
- Chiara Gallese (2026) Predictive policing and predictive justice: Ethics, data protection, and the AI act, Computer Law & Security Review. 10.1016/j.clsr.2026.106282 — Examines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls. ↩
- Monika Zalnieriute (2022) A Struggle for Competence: National Security, Surveillance and the Scope of EU Law at the Court of Justice of European Union, The Modern Law Review. 10.1111/1468-2230.12652 — Analyses how the CJEU in Privacy International and La Quadrature du Net subjected member-state national-security surveillance to EU law, turning the national-security boundary into a contested struggle over competence. ↩
- Maria Tzanou, Plixavra Vogiatzoglou (2025) National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach, European Papers. source — Argues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead. ↩
- Francesca Palmiotto (2025) The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation, European Journal of Risk Regulation. 10.1017/err.2024.97 — Traces how the AI Act's law-enforcement and national-security exceptions widened during negotiations, producing 'double standards for fundamental rights protection' and gaps in the regulatory framework. ↩
- Monika Zalnieriute (2022) Big Brother Watch and Others v. the United Kingdom, American Journal of International Law. 10.1017/ajil.2022.35 — Case note on the ECtHR Grand Chamber's first post-Snowden bulk-interception ruling, holding bulk surveillance not per se disproportionate but requiring end-to-end independent oversight safeguards. ↩
- EU-AIA-2024: Art. 2(3) explicitly excludes AI systems used exclusively for military, defence, or national-security purposes
- US-EO-14110: §11 national-security exemption; NSM-10 parallel-track governance for national-security AI
- UK-WHITEPAPER-2023: Defence + intelligence excluded via sectoral-regulator scope; carveout via omission rather than explicit clause
- COE-AI-CONV: Art. 3 — does not apply to AI used for national security / defence
- IN-DPDP-2023: DPDPA exemptions for state-security functions (Art. 17); not specifically AI but applies
- GSA-AI-GUIDE-2024: Guide references existing federal supply-chain risk-management framework (FAR Part 4 Subpart 4.21) which carries national-security overlays
- DOD-RAI-2022: The S&IP IS the DoD-specific RAI framework; tenets + ethical principles operationalise the national-security AI use case rather than carving out from a civilian framework
- FEDRAMP-AI-2024: FedRAMP High baseline + JAB authorisation route exists for higher-sensitivity use cases; classified systems are outside FedRAMP scope and governed by separate ICD-503 / NIST SP 800-53 IC overlay frameworks
- DFARS-252-204: 252.204-7012 + CMMC clauses (-7019/-7020/-7021) are the operative national-security-overlay framework for defence-acquisition information security; the subpart IS the carveout regime
- CN-DEEPSYN-2022: Art. 6, Art. 19 & Art. 20
- IT-AILAW-2025: Art. 6 — activities for national-security purposes by the intelligence services, ACN cybersecurity/resilience, national-defence by the Armed Forces, and certain national-security policing are excluded from the law's scope (subject to fundamental-rights respect; further rules by regulation under l. 124/2007 art. 43).
- JP-AIPROMO-2025: Act No. 53 of 2025, Art. 3(2)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/national-security-carveouts — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
12 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
That civilian AI-governance instruments carve out national-security uses is black-letter and undisputed (EU AIA Art. 2(3); CoE Framework Convention Art. 3(2) on national-security activities, distinct from Art. 3(4) on national defence; US NSM-25 (Oct. 2024) as the national-security-track instrument fulfilling §4.8 of EO 14110); civil-society legal analysis argues a blanket exclusion is harder to square with a necessity-and-proportionality approach than a qualified one (Korff/ECNL 2022; Vogiatzoglou 2024). But whether the carveout itself produces concrete unredressed harm is empirically under-observed almost by construction — the secrecy it confers suppresses the very evidence needed to measure it. The closest analogue, national-security deference in the courts, shows the mechanism is real (the FISC granted all but eleven of 33,900 applications 1979-2012, a 99.97% approval rate; Sinnar 2022 documents downstream harms to securitized communities), yet Clarke (2014) shows that lopsided ex parte approval rates alone do not prove rubber-stamping, because rational case selection and pre-vetting produce similar rates in ordinary Title III wiretaps (99.93%) and delayed-notice warrants (99.6-99.8%) — so the magnitude of harm attributable to the carveout, as opposed to the legitimate secrecy of the domain, remains genuinely contested.
Sources: Korff 2022 (ECNL Opinion on the implications of the exclusion of national security from AI legislation, Oct. 2022); Sinnar 2022 (Harvard Law Review Forum 136:59, 'A Label Covering a "Multitude of Sins": The Harm of National Security Deference'); Clarke 2014 (Stanford Law Review Online 66:125, 'Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?'); EPIC FISC statistics 1979-2012
There is no impact evaluation showing that any specific design of the national-security carveout — categorical exclusion versus parallel governance track versus civilian-compliance-with-override — measurably improves oversight or reduces harm relative to the alternatives; the question is argued doctrinally (Vogiatzoglou 2024; Korff/ECNL 2022) but has never been tested empirically. The closest analogue evaluation literature is on the parallel-track model already in use for intelligence surveillance (the FISC / FISA oversight regime), and even there the evidence that the mechanism delivers effective scrutiny is itself contested rather than established (Clarke 2014; Sinnar 2022). No direct evaluation exists because the carveouts are recent (EU AIA 2024, CoE Framework Convention 2024, US NSM-25 2024), enforcement actions are by design non-public, and private parties typically lack standing to challenge a specific exempt deployment — the structural features that make the harm hard to observe also make the governance impossible to evaluate.
Sources: Vogiatzoglou 2024 (Verfassungsblog, 'The AI Act National Security Exception: room for manoeuvres?', 9 Dec. 2024); Korff 2022 (ECNL Opinion, exclusion of national security from AI legislation); Clarke 2014 (Stanford Law Review Online 66:125); Sinnar 2022 (Harvard Law Review Forum 136:59)