Reflections from the Geneva Dialogue Masterclass #2 — 2026 on Emerging Technologies and Cybersecurity
The second Geneva Dialogue masterclass of 2026 opened with a poll. Participants were asked to identify the single biggest cybersecurity challenge that emerging technologies introduce: speed, scale, opacity, or regulation falling behind. The responses split almost evenly across all options. No single answer dominated. And that fragmentation across a room of cybersecurity practitioners, policy experts, and researchers turned out to be more diagnostic than any individual answer could have been. The roundtable discussion that followed did not resolve that disagreement. It explained why it exists.
The three lead experts and discussants — Rafal Rohozinski (SecDev Group & Centre for International Governance Innovation (CIGI)), Xiao (Sean) Zhang (Tencent SSV), and Teo Xiang Zheng (Ensign InfoSecurity) — brought perspectives shaped by very different professional realities: geopolitical risk analysis, large-scale platform operations, and hands-on cybersecurity threat intelligence and incident response in the Asia-Pacific region. What emerged was not a unified diagnosis but a set of genuinely hard dilemmas — technical, political, and structural — that existing governance frameworks are not equipped to address.
Is this a new environment, or just a faster one?
Are we in a qualitatively different operational environment, or are we observing a familiar problem at higher velocity? The answer, across all three discussants, was unambiguous — but for different reasons.
Xiao Zhang anchored his argument in a concrete operational observation. When a major AI lab released a new image generation model, fraudulent synthetic images adapted for social engineering appeared on Chinese platforms within three days of launch. More significant than the speed was what it revealed: the model generating the content could not reliably detect its own outputs. Third-party developers had no architectural access to build countermeasures in parallel. The detection gap is not a lag that will close as the field matures. It is, at least in part, a structural feature of how closed-source frontier systems are developed and released.
Rafal Rohozinski situated the shift in broader terms. His argument was that cybersecurity as it has been practised for two decades — essentially patching insecure code at scale, leveraging human expertise to navigate a known threat landscape — is no longer the right frame. AI transforms every domain it enters precisely because cyberspace is entirely constituted by code and data. When a system can autonomously discover vulnerabilities, write exploits, and iterate on attack chains faster than human analysts can review them, the baseline assumptions of defensive practice change fundamentally. He cited the autonomous attack chain demonstrated against Claude’s predecessor model as an illustration: an article he wrote about it was obsolete before it was published.
Xiang Zheng Teo added a structural observation about what AI and quantum technologies specifically introduce: probabilistic outcomes and multivariate possibilities operating simultaneously. The challenge is not just speed or scale — it is that neither defenders nor designers can fully predict the behaviour of the systems involved. That uncertainty is qualitative, not quantitative.
Key dilemmas the session surfaced
The detection gap is structural, not temporary
When a closed-source frontier model is deployed, there is a window — potentially days or weeks — during which adversaries can exploit its generative capabilities while no reliable detection method exists. Open-source communities cannot reverse-engineer what they cannot inspect. The commercial incentive structure of frontier labs does not reward publishing detection tooling that would help competitors understand the model’s architecture.
This is not a temporary lag. It is a feature of the current development model, in which speed to market and competitive secrecy are the dominant priorities. Sean highlighted that the industry currently lacks the ability to detect AI-generated content produced by its own most advanced models. The governance question — whether detection capability should be a precondition for deployment, rather than an afterthought — is not yet part of any regulatory framework.
The synthetic data problem has no current solution
Rafal raised what may be the least visible systemic risk in the current AI debate. There is no reliable technical mechanism for distinguishing synthetic data from data generated by human observation or physical measurement. The year 2023 represents a meaningful threshold: data created before that point can be treated as non-synthetic with reasonable confidence. Data created after cannot. This matters for the integrity of AI systems that are increasingly trained on each other’s outputs — a feedback loop whose effects on model reliability and vulnerability to manipulation are only beginning to be understood.
The security implication is direct. An adversary capable of systematically introducing poisoned or subtly biased data into the training pipelines of models used for vulnerability detection, code review, or threat analysis gains a durable, largely invisible form of influence over defensive systems. Unlike a conventional intrusion, this attack surface does not close with a patch. Xiang Zheng drew a striking analogy: just as archaeologists lost the ability to reliably carbon date artefacts once industrial processes contaminated the atmospheric baseline they depended on, the field of digital forensics is losing its ability to distinguish original from synthetic content. The reference point is gone. There is no simple way to get it back.
Commercial incentives will not self-correct
The session engaged directly with a tension that policy discussions often sidestep: companies are structurally oriented towards revenue generation, and reputational or ethical arguments will not change that orientation unless backed by credible enforcement. Sean was explicit. The most effective regulatory model for safety-critical industries has always been one where the cost of failure — financial penalties, liability, loss of operating licence — is calibrated to exceed the cost of precaution. He argued that current AI regulation is not calibrated this way, and that it will not shift behaviour until it is. His reference point was the emotional AI chatbot cases that resulted in significant financial penalties and, in at least one instance, company bankruptcy: the liability had to be real and severe before it changed product decisions.
Rafal offered a structural parallel. In the early social media era, security teams inside the largest platforms were technically excellent and consistently overruled by commercial teams, because the revenue model rewarded engagement regardless of harm. The platforms were eventually subject to regulatory pressure — imperfectly, incompletely, but tangibly. The question for the current moment is whether the AI industry will require a similar external shock, and whether the governance infrastructure to deliver that shock exists. At present, the scale of investment suggests that the economic stakes may overwhelm any governance impulse short of catastrophic failure.
Two development models mean two governance logics
One of the most substantive threads in the discussion was the divergence between two fundamentally different AI architectures: the US hyperscaler model, built around closed-source frontier labs with globally centralised access, and the open-weight model associated with Chinese labs such as DeepSeek and Qwen, distributable and locally deployable across the developing world.
Rafal’s observation was geopolitically precise. For emerging economies, the open-weight model offers genuine sovereignty: freedom from the risk of weaponised access to proprietary platforms that a dominant state could restrict, and the ability to run AI infrastructure locally without dependence on external providers. Looking across the developing world, the de facto AI deployment landscape is already a box in a corner running an open-weight model. That has real implications for governance: guardrails designed for centralised frontier systems do not transfer to distributed deployments.
Sean added a structural observation: the open/closed division is not ideological. It is positional. Whichever party leads the technology race will prefer closed-source to protect its advantage. Whichever party is catching up will prefer open-weight to accelerate development and attract contributors. The division will persist because the incentive structure generates it, regardless of which countries occupy which position.
The governance implication Xiang Zheng drew from this is uncomfortable: we may be moving towards a fractured landscape not of two blocs but of multiple incompatible AI ecosystems, each with different security properties, governance assumptions, and threat models. The conditions for universal norms — a shared infrastructure, rough alignment of interests — are eroding rather than stabilising.
Human oversight at machine speed is an architectural problem, not a policy question
Xiang Zheng introduced the most operationally granular dilemma of the session. The received wisdom in AI governance — that humans should remain in the loop — is correct as a principle and increasingly difficult as a practice. At machine speed, the question is not whether to have human oversight but where to position it, and what it can realistically accomplish.
His framework distinguished between discovery-oriented tasks — vulnerability identification, threat intelligence analysis — where autonomy is relatively low-risk and high-value, and implementation tasks — patch application, configuration changes — where human oversight remains essential because errors at the implementation layer propagate at system-wide scale. He cited Ensign’s research: two years ago, vulnerabilities were being exploited within three days of disclosure. By last year, exploitation was occurring within one day of disclosure. The trajectory points toward exploitation outpacing disclosure entirely.
The practical answer he proposed was architectural: threshold-based checkpoints designed into automated systems from the start, rather than human review imposed as an afterthought. His Formula One analogy was precise — the braking system has to be engineered to match the speed of the engine, not added later. Most organisations are currently doing neither: either running automated systems without adequate checkpoints, or refusing adoption entirely. The space in between is where governance frameworks need to operate but currently do not.
Implications for cyber norms and confidence-building measures
The AI safety / AI security distinction
Rafal shared his observations from the dialogue involving Chinese, Russian, and US participants that have direct implications for the norms debate. One Chinese participant drew an explicit distinction between AI safety — reducing harms from AI system failures — as a domain open to international cooperation, and AI security — the use of AI as an instrument of state competition — as a competitive domain not subject to cooperative governance. If this distinction consolidates into a shared framework among major powers, it creates a formal demarcation that legitimises AI as a tool of geopolitical competition while ring-fencing technical safety cooperation. The implications for cyber norm frameworks, which have always struggled to delineate legitimate state activity from malicious behaviour, are significant. Norms that prohibit certain actions in cyberspace were negotiated in an environment where AI-enabled operations were largely theoretical. That environment no longer exists.
Confidence-building measures are not keeping pace
The masterclass surfaced a structural gap in the current CBM architecture. The confidence-building measures developed for nuclear strategic stability — transparency, attribution, escalation ladders, dedicated communication channels — were built around discrete, attributable, slow-moving capabilities. The combination of AI, quantum computing, and data poisoning creates a threat environment where operations can be fast, deniable, and below conventional thresholds for response. There is currently no hard CBM equivalent for this environment: no agreed signal that indicates dangerous escalation, no established mechanism for verifying attribution in AI-mediated operations, and no shared framework for determining when an AI-enabled action constitutes a hostile act under international law.
Rafal cited a recent study in which frontier models, placed in escalation scenarios, moved toward nuclear options with speed and consistency that researchers found alarming. The absence of CBMs adapted to AI-enabled conflict is not a gap waiting to be filled by incremental norm development. It is an active instability in an environment where decision-support systems may be operating faster than the political processes designed to constrain them.
Shared responsibility requires a new accountability map
Xiang Zheng’s layered responsibility framework — distributed across business continuity, data protection, model governance, application security, and infrastructure resilience, with distinct actors at each level — points to a gap in how existing norms and regulations assign accountability. Current frameworks tend to assign responsibility at the organisational or sectoral level. The AI stack cuts across these categories vertically. A failure introduced at the training data level of a frontier model propagates to every downstream application, regardless of sector or jurisdiction, and the downstream operator had no decision-making role in the upstream failure. No existing cyber norm framework adequately maps this accountability chain.
Middle powers and the coalition question
The session was realistic about the limits of universal consensus in the current environment. The conditions for global AI governance norms — shared infrastructure, rough alignment of interests, credible multilateral institutions — are not present. What is possible, several participants argued, is coalition-based norm development: aggregating like-minded actors capable of developing shared standards, pooling threat intelligence, and exerting collective pressure on frontier labs and on the intergovernmental processes where AI security is beginning to be discussed.
The candid observation underlying this argument — which Rafal stated plainly — is that middle-power participation in governance processes is meaningful only if accompanied by technical capacity. Norm advocacy without sovereign AI capability, without models that a country controls, provides limited leverage in negotiations where the parties with the most at stake are not primarily motivated by normative commitments. Several countries are beginning to invest in exactly that capacity; whether those efforts will reach sufficient scale and speed to influence the governance landscape remains an open question.
What the session left open
Not every question raised in the session has an answer yet. That is not a failure of the discussion — it is a reflection of where the field genuinely stands. What the masterclass did accomplish was to move the conversation from vague concern about AI and cybersecurity to a more precise set of problems.
The first is whether governance can get ahead of failure, or whether it will always follow it. Historical precedent — from nuclear weapons to ransomware — suggests that the shock comes first and the framework comes second. Whether the AI moment will be different, and whether it can afford not to be, was left unresolved.
The second is whether the iterative logic of learning-by-doing holds in this environment. The argument that mistakes produce lessons, and lessons produce better practice, assumes that early failures are recoverable. That assumption becomes harder to sustain when failures may include systemic data contamination, cascading infrastructure disruption, or escalation dynamics that outpace political decision-making.
The third is institutional. Whether the UN’s cyber governance architecture — under visible strain — remains the right primary venue for AI security norm-setting, or whether the practical work needs to happen in other forums first and feed back into intergovernmental processes, is a question the session raised but did not settle. It is also the question where the Geneva Dialogue’s multistakeholder model has the most to contribute — bringing together the technical, policy, and diplomatic communities whose combined input is precisely what intergovernmental processes alone cannot produce.
The second masterclass was part of the Geneva Dialogue’s 2026 programme, focused on stress-testing agreed cyber norms and cybersecurity practices under conditions of geopolitical pressure, technological acceleration, and systemic interdependency. The findings will inform the third chapter of the Geneva Manual on Responsible Behaviour in Cyberspace.





