When Does an AI Attack Become a Diplomatic Incident?.
The capability has been demonstrated and the forum exists. What is missing, so far, is the incident big enough to force them together.
In brief
An AI-orchestrated cyberattack has already happened: Anthropic disclosed a Chinese state-sponsored campaign in November 2025 in which its own model executed 80 to 90% of the operation. The UN Security Council has debated AI security, but only as a scheduled session. Our prediction requires an attack severe enough to trigger an emergency NATO or UN debate, and that has not happened yet.
The Prediction
A deepfake/agent-driven cyber attack triggers the first NATO/UN emergency debate on AI security.
Has an AI-orchestrated attack already happened?
Yes. In November 2025, Anthropic disclosed that a Chinese state-sponsored group it designates GTG-1002 had used Claude Code to run what it called the first reported AI-orchestrated cyber espionage campaign: roughly 30 targets across technology, finance, chemicals, and government, with the model executing 80 to 90% of the operation and issuing thousands of requests at speeds no human team could match.
The honest caveats matter. The operators jailbroke the model by posing as a defensive security firm, the system hallucinated in ways that limited the damage, and only a subset of intrusions succeeded. But the direction is unmistakable: the marginal cost of a sophisticated intrusion campaign is collapsing toward the price of tokens.
Why did we make the call?
The 2025 State of AI Report argued that agentic misuse and synthetic media were converging into a new class of security incident: attacks that scale like software while attribution still moves at the speed of intelligence agencies. Deepfake-enabled fraud had already produced eight-figure corporate losses; agent frameworks were making the offensive tooling general-purpose.
The prediction was that this would stop being a technology story and become a collective-security one: a specific incident severe enough that NATO or the United Nations convenes urgently in response. Institutions signal what they consider a security matter by what they hold emergency sessions about.
What would count as a hit?
The forum already exists in scheduled form. The UN Security Council held its first high-level open debate on AI and international peace and security in September 2025, where the Secretary-General warned that humanity's fate cannot be left to an algorithm. A calendared thematic debate does not clear the bar.
The hit requires causation: an emergency or urgent session of the UN Security Council, or NATO consultations of the kind invoked under Article 4, convened in response to a specific deepfake or agent-driven attack. The Anthropic disclosure produced congressional letters and agency briefings, but no emergency multilateral debate. Capability demonstrated; threshold not yet crossed.
Why it matters
An emergency debate would mark the moment AI security enters the machinery built for wars and invasions rather than the machinery built for tech policy. That changes who is in the room, what powers are available, and how fast norms form.
It would also force the attribution question into the open. When a model executes 90% of an operation, responsibility is split between the state that directed it, the operators who jailbroke it, and the provider whose infrastructure ran it. Collective-security institutions have no doctrine for that split. The first emergency session will start writing it.
What we are watching now
We are watching for state-linked misuse disclosures from other frontier labs, for governments naming AI systems in formal attribution statements, and for deepfake incidents aimed at elections or leaders that demand a multilateral response rather than a domestic one.
The nearest misses will be instructive too: incidents that produce briefings and communiques but stop short of an emergency session tell us where the threshold actually sits. This prediction is graded in the State of AI Report 2026, publishing in October.
Frequently Asked Questions
What was the first AI-orchestrated cyberattack?
The campaign Anthropic disclosed in November 2025: a Chinese state-sponsored group used Claude Code against roughly 30 targets, with the model executing 80 to 90% of the operation. Anthropic described it as the first reported AI-orchestrated cyber espionage campaign.
Has the UN held an emergency session on AI?
No. The UN Security Council held its first high-level open debate on AI and international security in September 2025, but that was a scheduled session. No emergency debate triggered by a specific AI attack has occurred.
Why would an AI attack involve NATO?
A sufficiently damaging attack on a member state could trigger Article 4 consultations, the mechanism members use when they consider their security threatened. An AI-driven attack would raise novel attribution questions: the state that directed it, the operators who ran it, and the model provider all sit in different jurisdictions.