THE UPSTREAM BLIND SPOT: PEGASUS AND SURVEILLANCE INFRASTRUCTURES AS DUAL-USE AI RISK

Assessments of artificial intelligence (AI) dual-use risk in security and military contexts often focus on downstream algorithms while overlooking the infrastructural conditions that enable their deployment. This paper argues that upstream surveillance infrastructures constitute a critical but underexamined locus of AI dual-use risk. Through an analysis of zero-click surveillance and a case study of Pegasus spyware, we show how automated, covert data extraction systems enable persistent, large-scale intelligence collection and condition the data environments upon which downstream analytic processes depend. We further examine how privatized surveillance markets diffuse responsibility across public and private actors, constraining oversight and accountability. The paper advances an infrastructural perspective on AI dual-use that foregrounds surveillance architectures alongside algorithmic systems.