The World Is Adversarial
Compute Models Still Assume Peace
There is an increasingly broad consensus on a reality that would have been dismissed as alarmist, or paranoid, a decade ago: the digital environment is permanently adversarial.
State-sponsored compromise, insider threat, supply-chain infiltration, jurisdictional coercion, and grey-zone operations are no longer treated as rare or exceptional. They are the baseline, and that thinking now sits at the centre of modern security doctrine, from the policy discussions at the Munich Security Conference to the operational assumptions inside sovereign security operations centres.
On the threat model, there is now rare and growing clarity. On the system model, not so much.
We are attempting to operate in an openly hostile environment using a compute architecture that still assumes moments of safety.
The Decryption Delusion
Despite acknowledging that the environment is adversarial by default, nearly all modern digital systems rely on a compute model that assumes, however briefly, the existence of a safe moment.
The pattern is always the same. Sensitive data is encrypted in transit. It is encrypted at rest. These protections are presented as decisive security measures. Yet to extract value, to process, verify, analyse, or act on that data, it must be decrypted. This moment is treated as unavoidable, not as a structural weakness. That is the key issue at hand.
Everything that follows (access control, monitoring, logging, auditability, compliance enforcement) exists to manage the consequences of that single assumption. The security stack is built not to prevent exposure, but to govern it once it has already occurred.
In this article we argue that the assumption of a “safe moment” is no longer compatible with the world we now explicitly acknowledge.
Clearing the Table: What Is Not Disputed
Before examining the compute model itself, it is important to separate foundational security from the architectural problem under discussion.
Transport security is assumed.
Encryption of the pipe is table stakes. TLS, modern key management, and secure channels are baseline requirements for any contemporary system. They are not in dispute and not the focus here.
Storage security is necessary but insufficient.
Encryption at rest protects against loss, theft, and physical compromise. It does not address exposure during use. These are solved problems at the level required for this discussion. The failure begins the moment the CPU requests plaintext.
The Inherited Compute Model
Most modern systems follow a linear lifecycle:
Data is collected.
Data is encrypted for transport and storage.
Data is decrypted for computation.
Procedural controls are applied to govern interaction with the plaintext.
This model emerged in an era of smaller systems, slower adversaries, and episodic compromise. It assumes that exposure can be bounded by time, scope, and trust. That assumption has collapsed.
The moment data is decrypted, it leaves the domain of cryptographic guarantees and enters the domain of operational and institutional control. From that point onward, security depends on factors such as:
Correct configuration of complex execution environments
Integrity of privileged operators
Stability of legal and organisational frameworks
Trustworthiness of underlying hardware and firmware
These are not mathematical guarantees. They are social and procedural ones.
In a world that explicitly assumes coerced operators, compromised vendors, and contested jurisdictions, reliance on these guarantees is a liability, not a design choice.
AI as a Catalyst, Not a Cause
Artificial intelligence does not introduce a new class of risk to this model. It removes the margin for error. AI amplifies the consequences of decrypt-to-compute by increasing:
Value density, concentrating large amounts of sensitive data into models and intermediate representations
Processing velocity, collapsing the window between decryption and exploitation
Plaintext exposure, making transient access persistent at scale
What AI removes is the buffer. At scale, governing decrypted plaintext is no longer a viable security strategy. This is not an AI problem. It is a compute-model flaw that AI makes impossible to ignore.
The Fundamental Contradiction
We now operate under two assumptions that cannot both be true:
Security analysis increasingly treats compromise as inevitable.
System architecture continues to treat exposure as manageable.
If exposure is a prerequisite for computation, then all downstream security mechanisms are compensatory. They exist to manage the impact of failure, not to prevent it. They mitigate damage after a condition the system itself has chosen to create.
That does not make these controls useless; it makes them structurally insufficient.
Where This Leads
If the environment is adversarial by default, the relevant question is no longer how to govern exposure more effectively. The relevant question is why exposure is required at all.
Answering that question requires challenging the most entrenched assumption in modern computing: the mandate to decrypt in order to compute.
That is where this series goes next.




