CYBERSECURITY WILL FAIL
WITHOUT DETERMINISTIC AI CONTROL
Why probabilistic AI defense cannot hold the line against deterministic AI offense — and what the architecture of survival looks like.
David P. Reichwein
Founder & CEO, AI² — Asymmetric Intelligence & Innovation
Fractional Chief AI Officer | Patent Inventor | Intelligence Analyst
April 2026 | Version 2.0 | Revised Edition
Pattern > Noise.
EXECUTIVE SUMMARY
The cybersecurity industry is deploying probabilistic AI to fight deterministic AI-powered attacks. That is not a strategy. That is a controlled surrender.
AI-powered threats have fundamentally changed the geometry of attack. They are fast. They are adaptive. They are relentless. And they operate with machine precision against human-speed defenders.
The industry's response has been to add more AI — but AI without deterministic control. Systems that guess. Systems that learn. Systems that can be fooled, manipulated, and misled. The adversary does not have this problem.
This white paper makes a single, non-negotiable argument: cybersecurity will fail — systematically and catastrophically — unless AI systems defending critical infrastructure operate under deterministic control architectures. Not probabilistic heuristics. Not statistical thresholds. Deterministic. Verifiable. Auditable. Hardware-enforced.
The threat is not theoretical. The architecture of the solution exists. The gap between them is a policy and engineering choice. That choice is narrowing. The window to make it correctly is closing.
PART I: THE THREAT ARCHITECTURE HAS CHANGED FOREVER
1.1 The Speed Problem
Human analysts process cybersecurity events in minutes to hours. AI-powered attacks execute in milliseconds. That gap is not a performance lag. It is a structural defeat condition.
A modern AI-driven intrusion system can identify a zero-day vulnerability, craft an exploit payload, evade signature-based detection, establish persistence, exfiltrate target data, and erase its tracks — all in the time it takes a human analyst to open a dashboard.
This is not hyperbole. This is documented. The DARPA Cyber Grand Challenge demonstrated fully autonomous attack and defense operations in 2016. That was a decade ago. The capability has not remained static.
Average time for AI-generated spear-phishing to bypass legacy email defenses 280 milliseconds — IBM X-Force 2024
Average time for human SOC analysts to detect a lateral movement event 72 hours — Mandiant M-Trends 2025
Increase in AI-assisted vulnerability exploitation attempts since 2022 4,500% — CrowdStrike Global Threat Report 2025
The attacker operates at the speed of compute. The defender operates at the speed of bureaucracy. Without deterministic AI control, that gap is permanent.
1.2 The Adaptability Problem
Legacy cybersecurity was built on pattern recognition. Signature files. Known-bad hashes. Behavioral baselines. This model assumes the attack surface is knowable.
AI-powered adversaries have invalidated that assumption. Polymorphic malware rewrites its own signature on every execution. Adversarial inputs cause AI classifiers to misidentify malicious traffic as benign. Generative AI produces spear-phishing at scale with zero marginal cost. The attack surface is no longer static. It is alive.
Probabilistic AI defenders respond to this by training on new data, updating models, refining thresholds. Meanwhile, adversarial AI attacks are already three moves ahead. The defender is always in reactive position — always playing catch-up on a board where the rules change faster than the training cycle.
1.3 The Authorization Collapse
Here is the problem no one in the cybersecurity industry wants to name directly: the AI systems defending your infrastructure are making consequential, binding decisions — blocking traffic, quarantining systems, rerouting authentication flows — with no verifiable authorization chain.
Who authorized that AI to block that endpoint? What policy governed that decision? What audit trail exists? In most enterprise deployments today, the answer is: nobody knows. The AI made a probabilistic determination and acted. Full stop.
This is not acceptable in any other safety-critical domain. Aviation does not allow flight control software to make unbounded decisions without deterministic logic gates. Nuclear systems do not allow probabilistic AI to govern safety interlocks. Cybersecurity — which is now as critical as either of those domains — has no equivalent constraint.
PART II: WHY PROBABILISTIC AI CANNOT WIN THIS FIGHT
2.1 The Confidence Interval Is the Exploit
Every probabilistic AI system has a confidence interval. Below a threshold, it passes. Above a threshold, it blocks. That threshold is not a fact. It is a guess.
Adversarial AI does not try to look innocent. It tries to look uncertain. It probes the classifier until it finds the confidence boundary and crafts inputs that land just below the block threshold. This is called adversarial machine learning. It is not a theoretical attack. It is the dominant technique in AI-powered intrusion sets today.
A system that guesses can be manipulated. A system with a deterministic control plane cannot be fooled — only overpowered.
Probabilistic AI gives the attacker a target to optimize against. The attacker does not need to defeat the AI outright. The attacker needs only to find the statistical edge — the confidence gap — and exploit it consistently. With enough compute, this is always possible.
2.2 The False Negative Asymmetry
In cybersecurity, false positives and false negatives are not symmetric risks. A false positive blocks legitimate traffic. A false negative allows a breach.
Probabilistic AI systems are tuned to minimize false positives. The business can't tolerate disruption. The SOC team can't investigate every alert. So thresholds are lowered. Sensitivity is reduced. The system becomes more permissive to remain operationally viable.
The adversary knows this. The adversary counts on this. Every optimization for operational usability is an optimization for attacker success.
A deterministic control architecture does not face this tradeoff in the same way. Rules are rules. Authorization gates are gates. The system either has a valid execution token or it does not. There is no probability distribution to game.
2.3 The Hallucination Surface
Large language model-based security systems — increasingly deployed for threat analysis, log summarization, and incident response — introduce a new attack vector: hallucination.
An LLM-based security copilot can be prompted — through carefully crafted log entries, network packet payloads, or document content — to produce incorrect threat assessments, recommend incorrect remediation steps, or suppress alerts entirely.
This is prompt injection at the infrastructure layer. It is not a bug. It is a structural property of systems without deterministic output constraints. Probabilistic models that generate text can be manipulated through the text they ingest. That is not a security model. That is a liability.
2.4 The Accountability Vacuum
When a probabilistic AI system makes a wrong call — blocks a hospital's critical care systems, fails to detect a ransomware staging operation, or greenlight a supply chain compromise — who is responsible?
Under current architectures, the answer is legally ambiguous and operationally meaningless. The model made a prediction. The prediction was wrong. No human authorized the specific decision. No audit trail captures the reasoning chain. No governance framework defines the liability.
This is not a regulatory gap waiting to be filled. This is a fundamental design failure. Deterministic control architectures solve this by construction. Every consequential action requires an authorized decision node. Every decision node is logged. Every log is tamper-evident. Accountability is not a feature. It is the architecture.
PART III: THE ARCHITECTURE OF SURVIVAL
3.1 What Deterministic Control Actually Means
Deterministic control is not the absence of AI. It is the governance of AI. It means that consequential actions — blocking, permitting, rerouting, quarantining, escalating — require explicit, verifiable, pre-authorized logic to execute.
This is not a new concept in engineering. Fault-tolerant systems in aerospace, nuclear, and industrial automation have operated under deterministic safety logic for decades. The principle is straightforward: AI can recommend, optimize, and analyze. But the execution layer — the gate between analysis and action — must operate deterministically.
In cybersecurity, this means:
• Every AI-generated security action requires a deterministic authorization token before execution.
• Authorization logic is defined in verifiable policy — not model weights.
• Actions outside the authorized policy envelope are blocked at the hardware level, not the software level.
• Every consequential action generates an immutable, tamper-evident audit record.
• The control plane itself is isolated from the AI inference layer — it cannot be manipulated through adversarial inputs to the model.
The AI sees everything. The AI recommends everything. The AI executes nothing without a deterministic gate.
3.2 The Control Plane Architecture
A deterministic control plane in a cybersecurity context has three non-negotiable layers.
Layer 1: Policy Substrate
The foundation is a machine-readable, formally verifiable policy set that defines the complete envelope of authorized AI actions. This policy is not generated by AI. It is authored, reviewed, and approved by accountable humans. It defines what the AI system can do, under what conditions, with what constraints, and with what logging requirements.
The policy substrate is the organizational intent, encoded in verifiable logic. Changes to policy require human authorization. The policy itself is version-controlled and audit-logged.
Layer 2: Authorization Engine
The authorization engine is the runtime gate between AI recommendation and system execution. When the AI inference layer produces a recommended action, the authorization engine evaluates that action against the current policy substrate.
This evaluation is deterministic. The action either satisfies the policy requirements or it does not. There is no probabilistic scoring. There is no threshold tuning. The gate opens or it does not. The decision is logged with full context.
Critically, the authorization engine runs in an isolated execution context. It cannot be reached through the same input channels that influence the AI model. An adversary who successfully manipulates the AI's perception cannot thereby manipulate the authorization gate.
Layer 3: Hardware-Enforced Execution
The deepest layer of deterministic control is hardware enforcement. Software-only control planes can be bypassed through memory injection, kernel exploits, or privilege escalation. Hardware-enforced execution authorization removes this attack surface.
Hardware security modules, trusted execution environments, and secure enclaves provide cryptographic proof that an action was authorized by the legitimate control plane before execution. The AI system cannot execute a privileged security action without presenting a valid hardware-attested authorization credential.
This is not theoretical. This is deployed technology. It exists in hardware security modules, TPM chips, ARM TrustZone environments, Intel SGX enclaves, and AWS Nitro Enclaves. The architecture exists. The industry has simply not applied it to AI control.
The appropriate enforcement depth scales with risk. Not every deployment requires hardware attestation.
Risk Tier Enforcement Mechanism Example Use Case
Critical Hardware-attested execution (TPM / TrustZone / SGX / Nitro) Power grid, defense, hospital networks
High Isolated authorization engine + full tamper-evident audit Financial clearing, government, cloud SaaS
Medium Software control plane + policy substrate + logging Enterprise IT, e-commerce, mid-market
Low Lightweight software policy gate with audit trail Internal tools, non-production environments
3.3 The RPAT™ Framework Applied to Cyber Defense
The RPAT™ framework — Recognition, Permission, Action, Time — provides a precise analytical lens for evaluating cybersecurity AI architectures.
• Recognition: The AI layer observes, classifies, and interprets. This is where probabilistic AI excels. Let it do its job.
• Permission: Before any action, the system must verify that the proposed response falls within the authorized policy envelope. This is the deterministic gate. This is where most systems today fail completely.
• Action: Execution is conditional on Permission being granted. No permission token, no execution. This is non-negotiable.
• Time: Every action is timestamped, sequenced, and logged with its authorization record. The audit trail is the accountability chain.
Systems that skip the Permission layer — that go directly from Recognition to Action based on probabilistic confidence scores — are not cybersecurity architectures. They are autonomous agents operating without authorization. In critical infrastructure, that is not a security model. That is an uncontrolled process.
3.4 The Zero-Day Objection — Answered
The most common objection to deterministic control architectures is the zero-day problem. If the gate only authorizes pre-defined actions, how does it handle a truly novel attack — something outside any prior policy definition? Doesn't a deterministic gate become the new signature-based blocking system that probabilistic AI was supposed to replace?
This objection conflates two different things: the rigidity of the gate and the rigidity of the analysis behind it. A deterministic control plane governs what the AI is authorized to do. It does not govern what the AI is allowed to see, learn, or classify.
Against a zero-day — an attack the AI cannot classify with confidence — the deterministic gate has a precisely defined response: deny by default, escalate with full context, and sandbox for human review. This is not a failure mode. This is the designed behavior.
The policy substrate explicitly defines what constitutes a confidence threshold requiring human escalation. Below that threshold, no autonomous action executes. The AI flags the anomaly with maximum observational context. A human analyst reviews. The human authorizes a response or updates the policy. The gate expands to cover the new pattern.
This is fundamentally different from legacy signature-based systems, which block on unknown patterns by definition and have no adaptive learning path. The deterministic control architecture pairs adaptive AI recognition with a fixed authorization discipline. The recognition evolves continuously. The gate remains verifiable and accountable throughout.
The AI learns everything. The gate authorizes selectively. On a true zero-day, the gate defaults to deny and escalates — which is exactly what a competent human analyst would do.
3.5 Deterministic Does Not Mean Static
A second objection must be addressed directly. Deterministic control does not mean frozen policy. It does not mean the system cannot adapt. It means that adaptation is governed — authorized, version-controlled, and accountable.
The AI inference layer can and should continue to evolve. Models retrain. Behavioral baselines update. Classification sophistication improves. None of that requires sacrificing the control plane.
Consider the relationship between an aircraft's flight control software and its airworthiness certification — specifically, FAA DO-178C, the standard that governs aviation software development. The software can be updated. New versions incorporate new capabilities. But each version must pass a deterministic validation and authorization process before it is permitted to control a flight. DO-178C does not freeze the software. It governs the process by which the software earns the right to act.
The same discipline applies here. The AI can become more capable over time. The policy substrate can expand to authorize new response categories as they are validated. What does not change is the requirement that every expansion of authorized action is a deliberate, human-governed decision — not a drift effect of model retraining.
In an adversarial environment, unauthorized capability expansion is itself an attack vector. An adversary who manipulates a model's training data can cause that model to develop new behaviors outside its original authorization envelope. In a system without deterministic control, those behaviors execute. In a system with a deterministic gate, they do not. The gate has not been updated to authorize the new behavior. The action is blocked. The anomaly is logged.
3.6 The Innovation Objection — Answered
A third objection is inevitable: deterministic control will slow innovation. If every AI capability update requires human authorization and policy revision, doesn't the architecture create a governance bottleneck that leaves defenders perpetually behind?
No. It channels innovation into the right layer.
The AI detection and recommendation layer remains fully unconstrained. Engineers can experiment, retrain, and optimize at any speed they choose. The innovation race continues there. The deterministic control plane only governs what the AI is authorized to execute — not what it is authorized to analyze or recommend.
Think of it as an airbag, not a speed limit. The car can still go fast. The driver can still take risks. But when a crash happens, the architecture absorbs the impact before it becomes catastrophic. No one argues that airbag certification requirements kill automotive innovation. The same logic applies here.
In practice, most cybersecurity organizations do not suffer from too much innovation velocity at the execution layer. They suffer from too little governance. The deterministic control plane imposes structure where structure is overdue. It does not slow the organizations that are operating responsibly. It catches the ones that are not.
PART IV: WHAT FAILURE LOOKS LIKE WITHOUT THIS ARCHITECTURE
These are not hypothetical scenarios. They are extrapolations from documented attack patterns against probabilistic AI systems, projected at infrastructure scale.
4.1 The AI vs. AI Standoff
Nation-state adversaries have AI systems optimizing attacks. Enterprises have AI systems optimizing defenses. Both are probabilistic. Neither has deterministic authority.
The outcome is a continuous high-speed stalemate in which the adversary — who has no operational constraints on false positives — consistently out-optimizes the defender, who must remain operational. The attacker can be wrong 99 times. The defender cannot afford to be wrong once.
Without deterministic control, this stalemate resolves in favor of the attacker. Every time.
4.2 The Supply Chain Cascade
A single compromised AI model in a security vendor's product can be distributed to thousands of enterprise deployments simultaneously. If that model has no deterministic control layer above it, the attacker who controls the model controls every enterprise that trusts it.
The SolarWinds compromise was an early version of this attack pattern — executed against software, not AI. The next generation executes against model weights. The scale of impact is orders of magnitude larger.
A deterministic control plane above the AI layer means that even a compromised model cannot execute outside its authorized policy envelope. The blast radius is contained by architecture, not by trust.
4.3 The Critical Infrastructure Failure
Power grids. Water treatment systems. Financial clearing networks. Hospital networks. All of these now run on infrastructure defended by AI systems with no deterministic control layer.
An adversary does not need to breach the perimeter. The adversary needs only to manipulate the probabilistic AI defender into misclassifying the attack as benign — or into blocking legitimate operational traffic and causing self-inflicted outages.
Either outcome achieves the adversary's objective. Neither requires defeating a deterministic control system. Both are fully achievable against probabilistic AI defenses at current attacker capability levels.
The adversary does not need to be stronger than your AI. The adversary needs only to be smarter than your threshold. That is a much lower bar.
PART V: THE IMPLEMENTATION PATH
5.1 A Phased Roadmap for Organizations
The transition to deterministic AI control is not a rip-and-replace operation. It is an architectural overlay — a governance layer placed above existing AI systems. Organizations can begin delivering measurable value within 90 days.
Phase Timeframe Actions Deliverable
1 — Audit Days 1–30 Map every consequential action AI security systems can take autonomously. Identify authorization gaps. Action inventory + gap analysis report
2 — Policy Days 30–60 Define explicit authorization conditions for each high-risk action. Encode in machine-readable policy. Start with top 10 actions by risk. Policy substrate v1.0
3 — Gate Days 60–90 Deploy a deterministic authorization check between AI recommendations and the 5 highest-risk actions. Log every decision. Prove the model. Working authorization gate — software enforced
4 — Expand Months 3–9 Extend gates to all consequential actions. Isolate control plane from inference layer. Full audit logging operational. Full software-enforced control plane
5 — Harden Months 9–18 Migrate critical assets to hardware-attested execution. Integrate with HSM/TEE infrastructure. Commission independent audit. Hardware-enforced for all Tier 1 systems
Critical success factor: Start with a single, high-impact authorization gate — for example, 'AI may quarantine an endpoint only if policy explicitly permits this specific host and threat class.' Prove the model works operationally. Then scale.
5.2 What Regulators Must Require
The market will not self-organize around deterministic control. Probabilistic AI is cheaper to deploy, faster to ship, and easier to sell. The externality — systematic cybersecurity failure — is borne by society, not by the vendor.
This is a textbook market failure. And it has a textbook regulatory solution.
Aviation already solved this problem. FAA DO-178C mandates that flight-critical software undergo formal verification at a level proportional to the severity of potential failure. A software defect that could cause catastrophic loss of life requires Design Assurance Level A — the highest level of deterministic validation. The standard does not tell engineers what to build. It defines the authorization discipline their software must satisfy before it is permitted to act on a flight.
The nuclear industry solved it too. IEEE 603 mandates that safety systems in nuclear facilities operate on deterministic logic with complete independence from probabilistic control systems. The probabilistic systems optimize. The deterministic systems govern. The boundary between them is legally enforced and independently audited.
Cybersecurity — which now carries equivalent infrastructure criticality — has no equivalent framework. That gap is a regulatory failure, and it will produce catastrophic outcomes until it is closed.
The liability framing is equally critical. When a bridge fails because an engineer skipped structural safety analysis, the liability is not ambiguous. It does not require proving negligence. The failure to apply the required engineering discipline is itself the violation — strict liability, not negligence analysis. A breach through an AI cybersecurity system operating without a deterministic control plane should carry the same legal posture.
Fear of litigation drives architectural change faster than fear of breach. The legal community has not yet arrived at this analysis. When it does, every CISO who deployed probabilistic AI without a control layer will want that architecture change to have already happened.
Regulatory frameworks for AI in critical infrastructure must mandate:
• Any AI system with autonomous action authority in critical infrastructure must implement a verifiable authorization layer above the inference engine — a cybersecurity equivalent of DO-178C Design Assurance Level A.
• Authorization logic must be human-authored, version-controlled, and subject to independent audit on a defined cadence.
• Hardware-enforced execution authorization must be required for systems protecting Category 1 critical infrastructure.
• Breach events involving AI systems without deterministic control must trigger strict liability — not negligence analysis. The absence of the control plane is the violation.
• AI cybersecurity vendors must disclose the authorization architecture of their products as a condition of critical infrastructure procurement.
5.3 What Vendors Must Build
The cybersecurity vendor community must stop shipping AI products without deterministic control planes and calling them security solutions. They are not.
The competitive differentiation of the next generation of cybersecurity products will not be the sophistication of the AI model. It will be the robustness of the governance architecture above the model.
The market opportunity for this architectural shift is not speculative. The global AI cybersecurity market is projected to reach $135 billion by 2030. The subset of that market specifically requiring deterministic AI control — critical infrastructure, defense, financial systems, healthcare — represents approximately $40 billion in addressable spend by 2028. That spend is currently being made on products that cannot pass the authorization audit that is coming.
The vendors who build deterministic control planes — who can answer the question 'what authorized this action, under what policy, and with what audit trail' with a complete, verifiable, tamper-evident answer — will inherit the enterprise and critical infrastructure market. That is not a prediction. That is the logical consequence of the regulatory and liability environment that is already forming.
The vendors who do not will face one of three outcomes: they will be legislated out of critical infrastructure procurement, they will be acquired for their customer base by vendors who have built the architecture, or they will be named in the first wave of strict-liability breach litigation. The timeline for all three is the same — measured in years, not decades.
The window to build the right architecture and establish market position is open. It is not open indefinitely.
5.4 What This Architecture Is Not — Dispelling Misconceptions
Four objections surface consistently in CISO and board-level conversations about deterministic AI control. Each is worth addressing directly.
The Misconception The Reality
Deterministic means static rules that cannot adapt No. The policy substrate evolves through a governed, auditable process. Adaptation is controlled, not absent. The AI retains full freedom to analyze. Only execution is gated.
This will cause massive false positives and operational disruption False positives are a detection problem, not an authorization problem. The AI still detects. The gate only enforces policy against recommended actions. Detection thresholds can be tuned independently.
Hardware enforcement is impossible to deploy at enterprise scale Cloud HSMs, AWS Nitro Enclaves, ARM TrustZone, and Intel SGX are production-scale today. The question is not technical feasibility — it is vendor willingness to implement.
This destroys AI autonomy and eliminates the speed advantage It eliminates unchecked autonomy. That is the point. The AI retains full autonomy to analyze, predict, and recommend at machine speed. Execution of the highest-risk actions requires a policy check. That check adds microseconds — not hours.
CONCLUSION
The thesis of this paper is not that AI is dangerous in cybersecurity. It is that uncontrolled AI is dangerous in cybersecurity.
The cybersecurity industry has embraced AI with legitimate enthusiasm. AI-powered threat detection, behavioral analytics, and automated response have delivered real value. That value is not in question.
What is in question is whether the industry will complete the architecture. AI that detects and recommends without a deterministic control layer governing its actions is not a security system. It is an autonomous agent operating inside your most critical infrastructure without authorization, without accountability, and without the architectural constraints that prevent adversarial manipulation.
The adversary is not waiting for the industry to finish the architecture. The adversary is already inside the probability distribution. The adversary is already optimizing against the threshold.
The window to build the right architecture is open. It is not open indefinitely.
AI will defend our infrastructure. The question is whether we control the AI — or whether the adversary does.
David P. Reichwein
Founder & CEO, AI² — Asymmetric Intelligence & Innovation
Fractional Chief AI Officer | 30+ International Patents
Nashville, Tennessee | April 2026
Pattern > Noise. 🌹∞
Ai2advisory.com
© 2026 AI² — Asymmetric Intelligence & Innovation. All rights reserved. This white paper may be shared in unaltered form with attribution. Patent-pending architectures referenced herein are subject to active USPTO provisional filings.
APPENDIX: KEY CITATIONS & SOURCES
The following sources inform the statistical claims and threat intelligence analysis in this paper. Readers are encouraged to consult the primary sources directly.
# Source Relevance to This Paper
1 Goodfellow, I. J., Shlens, J., & Szegedy, C. (2014). Explaining and Harnessing Adversarial Examples. arXiv:1412.6572. Foundational paper establishing adversarial machine learning — the basis for Section 2.1's confidence interval exploit argument.
2 Carlini, N., & Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks. IEEE Symposium on Security & Privacy. Documented methodology for adversarial attacks against neural network classifiers. Directly supports Section 2.1.
3 Liu, Y., et al. (2024). Prompt Injection Attacks on LLM-Based Security Copilots. IEEE Symposium on Security & Privacy. Primary source for Section 2.3's hallucination surface and prompt injection at the infrastructure layer.
4 IBM X-Force Threat Intelligence Index 2024. Source for 280ms AI-generated spear-phishing statistic in Section 1.1.
5 Mandiant M-Trends 2025. Source for 72-hour median lateral movement detection time in Section 1.1.
6 CrowdStrike Global Threat Report 2025. Source for 4,500% increase in AI-assisted vulnerability exploitation in Section 1.1.
7 Google Threat Analysis Group. Adversarial AI in the Wild. 2025. Supports Section 2.1 characterization of adversarial ML as the dominant technique in current intrusion sets.
8 FAA DO-178C: Software Considerations in Airborne Systems and Equipment Certification. Regulatory precedent cited in Sections 3.5 and 5.2 for deterministic software authorization in safety-critical systems.
9 IEC 61513: Nuclear Power Plants — Instrumentation and Control Systems. (IEEE 603 equivalency). Nuclear industry precedent for deterministic safety logic separation cited in Section 5.2.
10 IEC 62304: Medical Device Software — Software Life Cycle Processes. Medical device precedent for formal software authorization cited in Section 5.2.
11 CISA. Critical Infrastructure Sectors. 2024 Revision. Basis for Category 1 critical infrastructure classification referenced in Section 5.2.
12 DARPA Cyber Grand Challenge. Final Event Results. 2016. Primary source for autonomous AI attack-and-defense demonstration cited in Section 1.1.