AI Labs Are Becoming National Infrastructure. Nobody Decided They Could.

AI Labs Are Becoming National Infrastructure. Nobody Decided They Could.

On May 5, Microsoft, Google, and xAI signed an agreement with the Center for AI Standards and Innovation at the Department of Commerce, granting the U.S. government early access to their frontier AI models before public deployment. The stated purpose was national security testing. The catalyst, according to Reuters, was Anthropic's Mythos model, which had alarmed officials with its demonstrated capabilities for sophisticated cyberattacks. A few weeks earlier, OpenAI had signed a separate deal to put its models on the Defense Department's classified networks. Google had already done the same with the Pentagon.

None of this was put to a vote. No legislation designated any of these companies as critical infrastructure. No regulatory framework spelled out what obligations attach, what transparency is required, or who bears liability when these systems fail or are weaponized. The labs simply became load-bearing institutions of national function, and the legal architecture followed nowhere close behind.

The closest thing to a founding document is a white paper Anthropic published last July titled "Build AI in America." Its opening line: "Building AI in the United States is a national security and economic imperative." That is not a press release. That is a company describing itself as essential public infrastructure and asking the state to treat it accordingly. The $50 billion Anthropic has committed to domestic data centers, starting with Texas and New York, is the same argument made in concrete and cable.

What is remarkable is that the government largely agreed, without ever saying so publicly or formally. The early-access agreements are the clearest evidence: the DoC is not reviewing iPhone features before launch or negotiating cloud procurement terms. It is treating frontier AI models as systems too consequential to let loose on the world without a look first. That is the operational definition of critical infrastructure. Nobody used the word, but the function arrived.

The consequences of this unannounced transition are already visible. In February, researchers documented AI models from frontier labs being used in a cyberattack on a water treatment facility in Monterrey, Mexico. The attack ran from December 2025 through February 2026. It was not sophisticated in the old sense. What made it notable was that the attackers had used language models to accelerate reconnaissance, craft phishing content, and adapt in real time. The barrier to meaningful infrastructure attack had dropped substantially, and the systems that lowered it were built by the same companies now embedded in national security planning.

This is the core tension the governance vacuum has created. These labs have positioned themselves as essential national assets. They have accepted the privileges that come with that position: government partnership, defense contracts, preferential treatment in permitting and energy allocation. What they have not accepted, because no one has required them to, are the obligations that attach to everyone else who holds that role.

Critical infrastructure designation under U.S. law triggers mandatory coordination with CISA, sector-specific security plans, and incident reporting requirements. Utilities, telecommunications providers, financial exchanges, and water systems all operate under these frameworks. They did not choose them. The designation arrived through a combination of law, regulation, and accumulated crisis. The obligation came with the label.

AI labs have none of this. They report no incidents they are not legally compelled to. They coordinate with national security agencies on their own terms. When their systems cause harm, they face the ordinary liability of any software company, not the enhanced exposure that attaches to operators of systems society has decided are too important to fail. They are, in the language of governance, private companies. In practice, they are something new: private infrastructure by emergence.

The historical parallels are imperfect but instructive. Railroads became the circulatory system of the 19th-century economy before anyone decided they should be regulated. The Interstate Commerce Act of 1887 arrived roughly four decades after the industry had become essential. Telephone networks followed a similar path. Electricity, then the internet. In each case, the sequence was the same: private enterprise built something the public could not function without, the dependency became obvious, and the governance framework arrived late and awkwardly.

AI labs are that story compressed into roughly a decade. The acceleration makes the lag more consequential, not less. Every week that passes without a clear answer to what obligations attach to these systems is a week in which the liability gap widens. When a frontier model causes harm at scale, the question of whether it should have been treated as infrastructure will not be academic.

There is a plausible counterargument: this is ordinary government contracting, not infrastructure designation. The Defense Department has always had special access relationships with strategic technology companies. Microsoft and IBM operated adjacent to national security for decades without being labeled critical infrastructure. The early-access agreements may be narrow, bounded by contractual terms, and reversible. The infrastructure framing reads too much into a procurement arrangement.

That argument has force. But it does not explain why the White House published "America's AI Action Plan" in July 2025, explicitly calling frontier AI development a national security imperative and directing agencies to accelerate permitting and grid access for data center construction. It does not explain why ERCOT, the Texas grid operator, has treated AI campus interconnection applications as priority load. It does not explain why the Department of Energy has been quietly working to exempt certain AI data centers from capacity market rules that apply to every other large electricity consumer. These are not contractor relationships. They are infrastructure policy.

The labs themselves are not confused about their position. Anthropic's white paper was explicit: the energy and compute requirements for frontier AI are "a national security and economic imperative," and the policy environment needs to change to accommodate them. That is a company demanding the protections of essential infrastructure and the freedom of a software startup, simultaneously. The U.S. government, so far, has obliged on the former and said nothing about the latter.

What would formal infrastructure designation actually require? At minimum: mandatory incident reporting to CISA when AI systems are involved in security incidents, security planning standards comparable to those applied to the power grid, and some mechanism for public accountability when these systems affect critical services. None of this requires legislation. Much of it exists in executive authority already deployed for other sectors. What it requires is a decision to use it.

That decision has not been made, because making it would force a public conversation about what these labs owe the public in exchange for their new status. The labs prefer the current arrangement. So, for now, does everyone else. The Monterrey attack was a preview. Until the governance vacuum is addressed, it will not be the last.