PAYNE INSTITUTE COMMENTARY SERIES: COMMENTARY

By Peri-Khan Aqrawi-Whitcomb

May 8, 2026

Andrew Ng once called AI “the new electricity,” and, like electricity, AI will move through almost every system that societies depend on. That is why public-sector AI cannot be governed like ordinary software.

In the Gulf, AI is being built at the scale of critical infrastructure. The Stargate UAE project in Abu Dhabi, a major AI infrastructure initiative by UAE and US technology partners, is expected to come online in 2026. Yet in March 2026, Iranian drones struck AWS facilities in Bahrain and the UAE, and Amazon advised customers to move workloads out of its Middle East region.

A few hundred miles north, the Kurdistan Region of Iraq is pursuing digital transformation under very different conditions. The Kurdistan Regional Government has set an ambition to become a regional GovTech leader, having issued biometric IDs to over a million citizens and built centralized digital systems for population records, payroll, and public-service delivery. Yet the same region was struck by 809 drone and missile attacks between February and April 2026, including on civilian infrastructure.

These snapshots describe one emerging reality: AI-grade infrastructure is being built, and the institutions that will depend on it often operate where electricity, connectivity, and security cannot be assumed. The policy question is: what safeguards must be put in place before AI becomes part of essential public services?

Governments are already moving toward AI-enabled systems for functions citizens cannot opt out of, such as electricity distribution, payroll, welfare, emergency response, public finance, and health care. These systems do not need to make autonomous final decisions to reshape public life. A model that ranks which roads get repaired first, a flag that delays a salary, or a risk score that decides which household receives emergency support can each quietly determine outcomes for thousands.

Well-resourced actors, large technology companies, wealthy states, and major energy firms can hire legal teams, auditors, cybersecurity specialists, and red-team engineers, build redundancy, and recover when systems fail.

Public institutions under stress often cannot, and yet they stand to gain most from AI, since their staff and capacity are already stretched thin. Ministries administering Iraq’s federal budget, electricity authorities serving millions, or emergency services under drone strikes could each draw real value from well-designed AI tools.

This is not a rich-versus-poor divide. Governments like those in Iraq, the Kurdistan Region, and many others across the Middle East, Latin America, and parts of Asia are resource-rich and institutionally ambitious. Their challenge is not the absence of public authority. It is the instability of the conditions under which that authority must function: fiscal pressure, infrastructure disruption, humanitarian responsibility, and security risk.

That instability changes the meaning of AI governance. Most governance models assume that once a system is deployed, it can be audited, appealed, corrected, or regulated. But that sequence depends on conditions that can weaken quickly: connectivity must remain intact, records must support decision-making, procurement offices must have technical capacity, and citizens must have channels to challenge harm. When those conditions degrade, the question is no longer whether an AI system is transparent or accountable in principle, but whether anyone can still see, question, pause, or reverse what it is doing.

This is the central problem. Existing AI governance frameworks were designed for environments where those conditions hold by default, not for institutions that must govern amid recurring shocks. The most important governance moment may therefore come before an AI system is bought or licensed. Once it is embedded in payroll, electricity dispatch, or emergency response, that leverage is gone.

The institutional mirage

The issue is not whether institutions under stress should be excluded from AI and, with it, from innovation and progress. They should not be. The issue is whether they are being asked to adopt AI first and govern it later.

Existing AI governance principles are not the problem. The NIST AI Risk Management Framework, the OECD AI Principles, the UNESCO Recommendation on the Ethics of AI, and the EU AI Act all emphasize what matters: transparency, accountability, human oversight, risk management, rights protection, and resilience.

But these principles assume that institutions can enforce them over time, an assumption that does not always hold.

This is the institutional mirage of AI governance: a system can appear to be governed on paper while relying on continuous capacity, reliable infrastructure, and functioning administrative chains. Under stress, those are often the first things to fray.

The World Bank’s forthcoming World Development Report 2026 frames AI as a general-purpose technology reshaping development and identifies government procurement as a tool to shape ecosystems, avoid harmful lock-in, and encourage responsible innovation. That is the right starting point. But for institutions operating under recurring stress, procurement is not only a market-shaping tool. For high-impact public AI, it may be the last practical point at which safeguards can be required before public reliance hardens.

Fragility is not poverty

The Kurdistan Region of Iraq makes the dilemma visible, not because it is unique, but because it is a constitutionally recognized federal region laying digital foundations while managing fiscal pressure, humanitarian responsibility, and security risk. Iraq and the Kurdistan Region have resources, institutions, and strategic weight. Fragility is not poverty.

Consider a near-future procurement decision to integrate AI into MyAccount, the KRG’s digital payroll program now serving more than 800,000 civil servants, pensioners, and public-sector beneficiaries. The question is not only whether the software works on an ordinary day, but whether it can be questioned, paused, or overridden when records are incomplete, connectivity is cut by a drone strike, or officials are deciding under emergency pressure, and whether that is feasible without the in-house legal teams, red-teaming specialists, or full-time AI auditors that wealthy governments take for granted. Such conditions can be required before a system is embedded; they are far harder to demand afterward.

The lesson travels beyond Kurdistan. Ministries, electricity authorities, emergency agencies, and humanitarian organizations in many settings face the same choice: modernize now, but do not let reliance outrun governance.

Procurement as resilience

Procurement is often treated as paperwork. For high-impact public AI, it should be treated as governance infrastructure. Institutions under stress need not build advanced AI regulators overnight or import compliance regimes designed for wealthy states. They need a smaller, harder set of questions before a system enters public life.

A small set of contractually required safeguards does most of the work, none exotic, all far harder to add later: a public-interest data sheet on data sources and known limitations; a decision log for auditability; a human override and rollback protocol that names who can pause or reverse a decision; and a degraded-mode protocol for when data, connectivity, or capacity falls below acceptable thresholds.

Procurement requirements can become so heavy that only the largest vendors can comply, excluding local firms or producing compliance theater. The answer is not a maximalist rulebook but a minimum safeguard floor. The test is simple: does the requirement help a public institution understand, challenge, pause, or safely degrade a system under stress? If not, it is bureaucracy. If so, it is governance.

Responsibility must be shared. Governments must define the public-interest conditions for AI in essential services. Vendors must build safeguards rather than sell responsibility as an add-on. Donors should treat accountability as part of deployment cost, and cloud providers should treat resilience as public duty, not merely uptime.

The governance divide

If AI safeguards become a privilege of stable bureaucracies, the institutions most exposed to failure will be left with the weakest protections, a governance divide in which those least able to absorb harm carry the greatest risk.

Public institutions under stress should not be denied the benefits of AI because they lack the layered governance machinery of high-capacity bureaucracies. But neither should they place essential services inside systems they cannot inspect, challenge, pause, or safely degrade.

The goal is not to slow AI adoption but to make safe adoption possible for institutions that cannot afford to get it wrong. They may not be able to outspend crisis. But they may still be able to outgovern it.

That work begins before the contract is signed.

ABOUT THE AUTHOR

Peri-Khan Aqrawi-Whitcomb is a Non-Resident Fellow at the Payne Institute for Public Policy at the Colorado School of Mines and a specialist in crisis governance, institutional resilience, and sustainable development, with extensive expertise on Iraq and the Kurdistan Region. This commentary draws on her ongoing MSc research in Sustainability, Innovation & Technology, and her thesis, Sovereign Resilience by Design: Procurement-Based AI Safeguards for Fragile Public Institutions.

ABOUT THE PAYNE INSTITUTE

The mission of the Payne Institute at Colorado School of Mines is to provide world-class scientific insights, helping to inform and shape public policy on earth resources, energy, and environment. The Institute was established with an endowment from Jim and Arlene Payne and seeks to link the strong scientific and engineering research and expertise at Mines with issues related to public policy and national security.

The Payne Institute Commentary Series offers independent insights and research on a wide range of topics related to energy, natural resources, and environmental policy. The series accommodates three categories namely: Viewpoints, Essays, and Working Papers.

Visit us at www.payneinstitute.mines.edu

FOLLOW US

DISCLAIMER: The opinions, beliefs, and viewpoints expressed in this article are solely those of the author and do not reflect the opinions, beliefs, viewpoints, or official policies of the Payne Institute or the Colorado School of Mines.