A new Center for a New American Security assessment reads China's military AI as a mixed picture: drone swarm patents and faster targeting workflows are catching up, while DeepSeek era code flaws and sensor limits remain exploitable for now.
The U.S. has a narrow operational window to exploit specific weaknesses in China's military artificial intelligence, and that window is already starting to close. That is the implicit argument running through a new report from the Center for a New American Security (CNAS), a Washington policy research center, which tries to read the state of Chinese military AI without access to classified intelligence.
The report, titled Red Lines: Understanding the National Security Risks of China's Advanced AI and authored by CNAS senior fellow Daniel Remler, reaches its conclusions from unclassified indicators only: procurement patterns, military exercises, public PLA writings, commercial-model benchmarks, and academic patents. Remler is explicit that classified intelligence would be needed to characterize actual capability levels, so what follows is best read as a structured inference, not a battlefield disclosure.
The report's most concrete advance is in agentic AI for drone-swarm decision-making. Remler flags patents from Beihang University, a Beijing university with deep ties to the People's Liberation Army (PLA), China's military. Those patents describe AI agents coordinating unmanned swarms in simulated combat. The implication is not that PLA swarms are already autonomous in the field, but that the doctrinal and engineering scaffolding is being laid openly in academic papers.
Beyond swarms, Remler identifies a faster targeting and command-and-control loop. He argues current and near-term Chinese AI could fuse intelligence streams to build target packages, track logistics, assess battle damage, accelerate offensive cyber attack development, and shorten the time between sensor and shooter. That is the same workflow the U.S. military runs when it puts together a complex strike package such as the recent Operation Epic Fury against Iran, which reportedly used Anthropic's Claude model to help identify targets, a single-source claim via the Orbital Today write-up that has not yet been independently confirmed in the materials available here.
Air & Space Forces Magazine frames the operational implication narrowly: if PLA AI can replicate even parts of the kill-chain workflow that U.S. strike packages depend on, then the air and space superiority the U.S. has enjoyed for three decades becomes contested rather than assumed.
The same report reads as a strategic window precisely because it does not end on the threat. Remler lists vulnerabilities that today still bound PLA AI performance. Chinese models suffer in sensor-degraded environments; when feeds are noisy, denied, or spoofed, accuracy collapses faster than U.S. equivalents. Commercial Chinese models have also shipped with serious code-quality flaws. The DeepSeek family of models, for instance, exposed vulnerabilities that security researchers flagged within months of release. Edge computing, the practice of running AI models locally on small, rugged hardware rather than routing data to a distant cloud, remains immature on the Chinese side, which forces a reliance on communications links that can be jammed.
Each of these weaknesses is structural, not permanent. As edge silicon improves and Chinese engineering culture matures, the sensor-degraded penalty shrinks and the code-vulnerability surface hardens. The U.S. planning window Remler implicitly identifies is therefore measured in years, not decades.
Two framing caveats matter. First, CNAS is a think tank, not a government intelligence producer; the report is expert assessment built on open sources, and its conclusions are inferences rather than confirmed PLA capabilities. Second, the Washington Times published its summary of the same CNAS report on June 18, 2026, followed by Air & Space Forces Magazine and then Orbital Today on June 27. The Washington Times framing leaned toward the threat half of the report, describing the findings as a serious and growing threat to U.S. national security. That framing is not wrong, but it selects the alarm half. The full report's contribution is the balanced map: where PLA is closing the gap, and where the U.S. still has exploitable ground.
The watch item is concrete. Remler's evidence base will go stale on a known cadence: the next round of Beihang swarm-agent publications, the next major DeepSeek-class model release, and any public PLA exercise that tests targeting workflows under communications denial. Each of those is a measurable data point on whether the window is still open or has quietly shut.