The United States and China have opted out of a joint declaration concerning the use of artificial intelligence in military applications, as revealed during a recent summit in A Coruna, Spain. Out of the 85 countries present at the Responsible AI in the Military Domain summit, only 35 nations signed a commitment to 20 principles aimed at governing AI deployment in warfare. Concerns are growing among governments that rapid advancements in AI could outpace regulations, increasing the risk of accidents and unintended escalations. Dutch Defence Minister Ruben Brekelmans highlighted the urgency of balancing responsible AI use with the competitive pressures posed by nations like Russia and China. Major signatories included Canada, Germany, France, and the United Kingdom.
Federal civilian agencies have been ordered by the Cybersecurity and Infrastructure Security Agency to remove end-of-life devices within one year due to increasing cyber threats. This directive, issued on February 6, 2026, mandates that agencies eliminate unsupported hardware and software that no longer receive updates from their manufacturers. CISA Acting Director Madhu Gottumukkala emphasized that these unsupported devices pose significant risks to federal systems. The agency pointed out that attackers, including those linked to nation-states, are increasingly exploiting edge devices that lack vendor support, making them vulnerable to cyber exploits. CISA has also created a list of end-of-life devices but will not publish it publicly.
Why do we care?
Two stories this week reveal the gap between governance aspiration and operational reality in technology risk management.
At the REAIM Summit in Spain, only 35 of 85 attending nations signed a non-binding commitment. The US and China both declined. This is predictable game theory—neither superpower will voluntarily constrain military AI development while the other doesn’t. The summit’s value is diplomatic, not operational. No enforcement mechanism exists.
The more consequential story is CISA’s Binding Operational Directive 26-02, issued February 5th. Federal civilian agencies must inventory all end-of-support edge devices within three months and eliminate them within eighteen months. CISA’s language is unusually direct: “substantial and constant” threat from “widespread exploitation campaigns by advanced threat actors.” This is how expectations move into the private sector — not through law, but through insurance. When underwriters start asking the same questions CISA is asking, ‘optional’ becomes ‘uninsurable.’
For MSPs, the CISA directive matters far more than the summit. CISA explicitly stated this guidance applies to all organizations seeking to strengthen network security.
The unpublished device list is the critical detail. CISA knows which edge devices are being actively exploited and isn’t sharing publicly. The conservative assumption: any edge device past end-of-support is a target.
MSPs should treat this directive as a preview of private sector expectations. Conduct edge device audits now. Build replacement roadmaps before clients—or their insurers—start asking the questions CISA is already asking federal agencies.