Space as Critical Infrastructure and the Rise of AI Governance
April 23, 2026
Recently, I completed the Indiana University Space Cybersecurity Foundations badge. It gave me a timely opportunity to reflect on something that is becoming harder to ignore: space cybersecurity should no longer be treated as a niche technical topic at the edge of policy conversations.
It is increasingly part of a broader discussion about resilience, governance, and the protection of critical services.
Print Certificate - Indiana University -2
Space systems are becoming more central to how modern societies function, and institutions are responding accordingly. ESA explicitly frames cyber resilience as necessary not only for its own assets, but for Europe’s wider space sector, noting the growing integration of space systems and services with the terrestrial economy.
In the United States, CISA has warned that adversaries can exploit vulnerabilities in connected space systems to degrade critical infrastructure. In the European Union, NIS2 now covers entities in critical sectors, including space, while the Critical Entities Resilience framework brings parts of the space sector into scope where services depend on relevant ground-based infrastructure.
That shift matters because the security problem is not limited to satellites in orbit. The real attack surface is socio-technical and distributed across organisations, software, communications links, supply chains, mission operations, and ground infrastructure.
The EU’s Space Strategy for Security and Defence makes this direction clear by emphasising the need to better protect space systems and services as part of Europe’s security interests. In other words, space security is no longer only about protecting hardware. It is about governing a whole ecosystem that has become strategically significant.
This is exactly why a governance perspective matters. The compliance challenge facing organisations in strategic sectors is rarely about a single framework. It is about interpreting multiple requirements, aligning them to operational reality, and maintaining evidence over time. NIST Cybersecurity Framework 2.0 is useful here because it is designed to be sector- and technology-neutral, and because NIST explicitly supports human-usable and machine-readable formats that can help organisations automate parts of their risk management processes.
At the same time, the proposed EU Space Act, launched on 25 June 2025, shows that policymakers are also moving toward a more harmonised framework for safety, resilience, and sustainability in the space sector, partly in response to today’s fragmented regulatory landscape.
From my perspective, this makes space a compelling case study for automated compliance governance. If an organisation operates in or depends on space services, it may need to reconcile cybersecurity outcomes, resilience obligations, supply chain expectations, privacy requirements, and sector-specific controls simultaneously. The real problem is not simply whether controls exist. It is whether those controls can be translated into a governance structure that is traceable, repeatable, and capable of continuous assessment.
That is the gap my thesis addresses: not compliance as a static checklist, but compliance as an operational governance system.
AI governance adds a new layer to this conversation. NIST’s AI Risk Management Framework states that AI risk management is central to responsible development and use of AI systems and to building trustworthiness. NIST is now also developing a Trustworthy AI in Critical Infrastructure profile, as critical infrastructure increasingly relies on AI across IT, OT, and ICS environments.
In the EU, the AI Act has already entered into force, with the European AI Office and Member State authorities playing key roles in implementation and enforcement.
As of April 2026, the Act is due to become broadly applicable on 2 August 2026, with some exceptions and staggered obligations already in place.
For space and other critical sectors, AI governance should not be reduced to whether a model performs well in testing. The more important questions are governance questions. Who is accountable when an AI-assisted decision affects mission operations or incident handling? What data was used, and how reliable is it?
How are outputs validated? When must humans intervene? How is failure investigated? And how is resilience maintained if the AI system is degraded, manipulated, or simply wrong?
NIST CSF 2.0 is particularly helpful here because it explicitly notes that AI risks should be treated alongside other enterprise risks, including cybersecurity, privacy, reputational, and supply chain risk.
This is why I think the future of space cybersecurity will depend not only on stronger technical controls, but on better governance architectures. We need approaches that can connect strategy to evidence, policy to implementation, and innovation to accountability. We also need governance models that recognise AI as both a tool and an object of control: something that may support monitoring, triage, or compliance analysis, but which must itself be governed across its lifecycle.
My main takeaway is simple: Space should increasingly be treated as part of the critical infrastructure conversation, and AI governance as part of the space security conversation.
The sectors that matter most will need more than isolated standards and point solutions. They will need integrated, resilient, and machine-interpretable governance. That is where I believe some of the most meaningful cybersecurity work now sits.