AI Expands the National Security Rulebook for Tech

Highlights

AI is reshaping national security regulation, shifting focus from foreign ownership to control over data, algorithms, infrastructure and digital ecosystems.

Regulators are expanding beyond CFIUS-style investment reviews into broader, ownership-neutral rules covering supply chains, software, telecom and sensitive data flows.

David Plotinsky, partner at Morgan Lewis, said governments are increasingly using regulation to push companies away from risky foreign partners while trying to balance precision with practical enforcement.

Watch more: TechReg With David Plotinsky of Morgan Lewis

    Artificial intelligence is ripping up the rulebooks of industries and sectors in real time.

    David Plotinsky, partner at Morgan Lewis, said the national security rulebook in the United States is one of them.

    “There’s going to need to be, not just in the foreign investment space, but across the board, new ways of thinking about AI,” he told Competition Policy International (CPI), a PYMNTS company, in an interview.

    In a world where data, algorithms and digital infrastructure are strategic assets, nearly every technology company is becoming a national security company, whether it intends to or not. The picks and shovels powering AI are being viewed the way governments once viewed oil pipelines or telecom networks. They are strategic assets tied directly to sovereignty, influence and national resilience.

    “We need to think about, for example, how things like AI will increase the ability of foreign adversaries to take even public data and leverage it to try to use social media and other platforms to influence public opinion,” Plotinsky said.

    As a result, regulators are no longer merely referees enforcing static rules. They are acting as probabilistic planners and effectively making long-duration bets about which technologies, infrastructures and relationships could create geopolitical vulnerability years into the future.

    Compliance Moves From Investment Screening to Technology Governance

    For decades, U.S. national security reviews treated foreign ownership as the central proxy for risk. If a foreign company wanted to acquire a U.S. business, regulators stepped in to determine whether sensitive technologies might fall into the wrong hands, with mechanisms like the Committee on Foreign Investment in the United States (CFIUS) and Team Telecom that focused heavily on ownership structures.

    However, as AI begins to dominate the geopolitical discourse, what began as a narrow effort to screen foreign investment has evolved into a sprawling regulatory architecture that reaches supply chains, data flows, software ecosystems, telecommunications infrastructure, connected vehicles and the movement of sensitive information itself. In other words, the regulatory center of gravity is moving toward the technologies, data and operational capabilities themselves.

    “My sense is that the government is often not in as good a position as the companies it regulates to make predictions about the future,” Plotinsky said. “But nobody, including the companies developing these technologies, has a perfect crystal ball.”

    “We do see some regulatory regimes trying to move beyond foreign ownership and regulate in a more surgical way,” he added.

    The tension between precision and administrability is becoming a defining feature of modern tech regulation. Regulators want frameworks sophisticated enough to address edge cases and evolving risks, but broad enough to scale across thousands of transactions.

    “The government is sending a market signal that if you want to make your life easier in the long term, you should pivot away from some of these problematic countries and problematic vendors and other business partners and just stick with ones that are safer or that are not going to trigger the regulations in the first place,” Plotinsky said.

    The Rise of Ownership-Neutral Regulation

    As a result, regulators are constructing frameworks that are more ownership-neutral. Programs like the Department of Commerce’s information and communications technology and services (ICTS) supply chain regulations and the Department of Justice’s Data Security Program increasingly apply to U.S. companies themselves if they engage in transactions involving sensitive foreign relationships or infrastructure.

    Plotinsky compared the current moment to the expansion of CFIUS itself roughly a decade ago, when policymakers concluded that adversaries no longer needed to steal intellectual property if they could simply purchase access through legitimate transactions.

    “Companies didn’t need to worry only about their information being stolen but also just being bought in a purely licit transaction,” he said.

    Still, the operational challenge for companies is not simply compliance volume, but conceptual fragmentation. Many executives can misunderstand how national security regulators think about data. Corporate privacy programs often center on user consent and consumer protection. National security frameworks do not.

    David Plotinsky is a partner at Morgan Lewis, whose practice includes a variety of national security matters, with a particular focus on steering clients through U.S. government national security review processes for foreign investment.