Effective Altruism Forum
EA Forum

Hide table of contents
by Benevolent_Rain
32 min read 0

6

AI safetyExistential riskPolicyAI governanceAI raceAI takeoffResearch
Frontpage
There May Be Powerful AI Safety Levers in the Energy Sector
1. The problem: AI may pose existential risks
2. Why energy might matter for AI safety
3. How energy infrastructure could matter: legibility, assurance, pacing, and control
3.1 Legibility and disclosure
3.2 Verification and assurance
3.3 Conditional access and pacing
3.4 Operational monitoring and ongoing constraints
3.5 Emergency curtailment and interruption
3.6 Physical shutdown and analog controls
3.7 Bypass prevention: backup power and off-grid AI
4. Where energy levers could reduce existential AI risk
4.1 Making frontier AI deployment governable by making it visible
4.2 Making access to dangerous AI systems accountable
4.3 Raising the threshold for successful loss of control
4.4 Reducing gradual disempowerment through resource governance
4.5 Where energy levers are likely weak
5. Why this may fail
6. What should be studied now?
6.1 Which AI risk pathways are energy-legible?
6.2 What authorities already exist?
6.3 What disclosure and assurance requirements are feasible?
6.4 How bypassable are the levers?
6.5 How should energy governance complement compute governance?
6.6 What public narratives will shape policy windows?
7. What kind of effort might be needed?
8. The modest case
No comments

Most AI safety discussions focus on models, algorithms, labs, chips, compute governance, evaluations, deployment rules, export controls, cybersecurity, and international coordination.

That makes sense. These are obvious places to look.

But I think there may be an underexplored class of AI safety levers in energy systems.

The claim is not that “energy solves AI safety.” It almost certainly does not. Energy is less concentrated than chips, for example. Electricity can be generated in many places. Data centers can use less regulated behind-the-meter generation, private power purchase agreements, microgrids, or eventually dedicated nuclear/geothermal infrastructure. And any intervention relying on energy systems will face limitations.

But I think the possibility of useful levers existing is important enough to examine carefully.

Some future AI safety scenarios may require societies to monitor, slow, condition, interrupt, or shut down large-scale AI systems. Most discussion of this problem focuses on software-layer governance or compute governance. But frontier AI also depends on physical infrastructure: large-scale, reliable, geographically delivered electricity flowing through regulated grids, utilities, substations, transformers, interconnection queues, and permitting systems.

If dangerous AI systems increasingly require large, visible, permissioned, energy-intensive infrastructure, then energy systems may contain neglected levers for reducing the probability of human extinction or permanently bad futures from AI.

This is the core idea:

Advanced AI may become usefully governable at the physical infrastructure, in addition to the software and chip layers. Specifically, AI might become more governable via energy at the margin. Moreover, we do not know what the future will hold, and having a larger set of tools in our AI Safety toolbox, some that might work together, is likely useful.

1. The problem: AI may pose existential risks

This piece is about AI risks that could lead to human extinction, permanent and severe disempowerment of humanity, or other existential catastrophes. Thus, I am not primarily discussing ordinary automation harms, bias, misinformation, or generic AI ethics.

I also do not think this argument depends on choosing one canonical taxonomy of AI catastrophe. Existing AI safety writing uses several overlapping frames: loss-of-control scenarios, misuse scenarios, race dynamics, organizational failures, cyber-physical risks, authoritarian lock-in, and gradual disempowerment.

The point of naming these scenarios is not to settle the taxonomy. It is to ask a narrower question:

Across which catastrophic AI pathways could energy infrastructure provide useful monitoring, pacing, shutdown, or conditional-access levers?

Energy will not be equally relevant to all AI risk scenarios. It seems most relevant where dangerous AI activity depends on large, concentrated, visible, permissioned infrastructure: frontier training runs, major inference facilities, AI-scale data centers, militarized AI infrastructure, or economically central AI systems.

But the relevant lever is not only direct control over electricity. Energy and infrastructure regulation could also create disclosure and legibility requirements. For example, very large data-center connection requests could require operators to disclose what classes of systems will run at the site, whether the facility will support frontier training or frontier inference, who the major customers are, what jurisdictions or actors can access the compute, what safety and security standards apply, and whether the facility has emergency shutdown or curtailment procedures.

This matters because some AI governance failures may be failures of visibility rather than only failures of control. If regulators do not know where frontier-scale systems are being trained or served, who is using them, or whether facilities can be interrupted in an emergency, then model-level governance may already be too late.

Energy levers seem weakest where dangerous capabilities become cheap, distributed, hidden, foreign, or hard to distinguish from ordinary computation. But even there, infrastructure-linked disclosure could still complement compute governance by making the largest and most safety-relevant deployments harder to hide.

Most current AI governance proposals focus on labs, models, chips, cloud providers, compute thresholds, evaluations, export controls, licensing, audits, and information security. These seem likely to remain central. The point of looking at energy is not to replace them, but to ask whether energy infrastructure could provide an additional layer of monitoring, assurance, and control.

This is best understood as a defense-in-depth argument. Different governance layers fail in different ways: evaluations may miss dangerous capabilities, lab governance may fail under competitive pressure, cloud oversight may have gaps, and chip controls may be bypassed through stockpiling, smuggling, or jurisdictional arbitrage. Energy-linked governance would also be imperfect, especially if actors can use off-grid generation or distributed compute. But its failure modes may be only partly correlated with the failure modes of software-, lab-, cloud-, or chip-based controls. Where frontier AI still depends on large, visible, permissioned infrastructure, energy may therefore add resilience to the broader AI safety toolkit.

2. Why energy might matter for AI safety

Large-scale AI systems might require enormous amounts of electricity. That sounds trivial, but the governance implications are not.

Electricity is not just another input. It is:

  • physical,
  • territorial,
  • infrastructure-bound,
  • politically governed,
  • operationally monitored,
  • failure-sensitive,
  • and already entangled with emergency powers and national security. 

A model can be copied. Software can move. Talent can migrate. Capital can cross borders. Even chips can be smuggled or stockpiled.

But a multi-hundred-megawatt or multi-gigawatt AI deployment isn’t mobile in quite the same way. It needs land, power, cooling, grid access, transformers, substations, backup systems, construction, operations, and often several layers of regulatory approval.

Frontier AI may become increasingly dependent on large-scale physical infrastructure that is harder to hide, harder to move, slower to build, and more exposed to existing governance systems than software itself.

In earlier framing, I described energy as a possible constraint, leverage point, coordination surface, bottleneck, or intervention domain for AI governance and safety. Energy should not be treated as “the solution.” It should be treated as a potentially important AI Safety surface area to explore.

3. How energy infrastructure could matter: legibility, assurance, pacing, and control

Energy-linked AI safety interventions should not be reduced to a single idea like “cut the power” or “condition grid access.” The possible intervention space is potentially quite vast.

Energy infrastructure could matter by making large AI deployments more legible, by creating assurance requirements before connection, by pacing access to additional capacity, by enabling operational monitoring, by preserving emergency curtailment options, by requiring physical shutdown mechanisms, and by regulating attempts to bypass grid-based controls through private generation.

These levers apply at different stages. Some apply before a data center is connected. Some apply during normal operation. Some matter only during crisis conditions. Others concern off-grid or behind-the-meter infrastructure.

The point is not that all of these are desirable or feasible. The point is that energy creates a large, distinct intervention surface that is not captured by model-, cloud-, or chip-centered governance alone. And based simply on the large surface area, it seems likely that there are effective intervention points in this space. However, this article does not intend to enumerate these, or even come up with single, verified regulation pathways. Instead, this article simply makes the case that exploring this surface area is worthwhile as an additional layer of defense and resilience.

3.1 Legibility and disclosure

The least exotic version of energy-linked AI governance is not direct control. It is legibility.

Very large data-center connection requests could require operators to disclose what kind of activity the facility will support. For example:

  • who owns and operates the facility;
  • who the major compute customers are;
  • whether the site will support frontier training, frontier inference, ordinary cloud workloads, military workloads, or government workloads;
  • what jurisdictions or actors can access the compute;
  • whether foreign or adversarial actors have access;
  • whether compute use is logged and attributable;
  • what safety and security standards apply;
  • whether the site has emergency shutdown or curtailment procedures;
  • whether backup generation could allow the facility to evade grid-level curtailment;
  • whether the site is connected to critical infrastructure in ways that create systemic risk.
  • possibly other legibility and disclosure mechanisms

This matters because some useful AI governance levers may start with basic visibility. Very large data-center connection requests could become a point where operators must disclose whether the facility will support frontier training, frontier inference, ordinary cloud workloads, military or government workloads, or other safety-relevant uses.

Such disclosure would not itself solve AI safety. But it could make at least some of the largest AI-relevant deployments more legible and create a basis for later monitoring, assurance requirements, customer due diligence, emergency curtailment arrangements, or physical shutdown requirements.

This would complement chip-, cloud-, and model-centered governance proposals. Those approaches try to understand or shape who has access to advanced AI capabilities and compute. Energy-linked governance would ask a different but related question: where is the power going, what infrastructure does it enable, and under what conditions should AI-scale facilities receive access to large amounts of reliable electricity?

This would not be unprecedented in spirit. Energy systems already sometimes require more than a generic statement of electricity demand. In Québec, Hydro-Québec has a specific rate category for “cryptographic use applied to blockchains,” applying to businesses where at least 50 kW of installed capacity is dedicated to mining or maintaining a cryptocurrency system for compensation. Its conditions of service also contemplate connection or modification requests specifically for cryptographic blockchain use, allow denial of incomplete or incorrect requests, and impose different treatment if a customer requested another type of use but is later found to be using the installation for blockchain computation. More generally, large-load planning proposals increasingly ask utilities to describe not just MW and load shape, but the customer class and load use case, such as data center, industrial, or crypto. The AI-safety question is whether “data center” is too coarse a category for frontier AI: should very large compute facilities disclose whether they will support frontier training, frontier inference, military/government workloads, or other safety-relevant uses? 

3.2 Verification and assurance

Disclosure alone is weak unless claims can be checked.

A second class of levers would require assurance that declared uses, safety procedures, and security standards are real. For very large AI-relevant facilities, this might involve:

  • third-party audits;
  • safety cases;
  • cybersecurity reviews;
  • customer due-diligence systems;  
  • compute-use logging;
  • incident reporting;
  • model evaluation commitments;
  • evidence that restricted workloads are not being served;
  • evidence that the facility can comply with emergency orders;
  • proof that shutdown and curtailment mechanisms actually work. 

This would be novel in content, but not in governance form. There are already several adjacent precedents for conditioning facility operation or energization on verified claims.

First, utilities often do not energize facilities solely because a customer asks for power. In ordinary construction, power release can depend on approval from the authority having jurisdiction: electricalbuilding, or fire-safety inspections may need to be completed before the utility is authorized to connect permanent service. The utility does not need to perform the whole safety audit itself; it can rely on a competent authority’s release.

Second, the electricity sector already has mandatory cybersecurity regimes. In North America, NERC’s Critical Infrastructure Protection standards are designed to secure assets required for operating the Bulk Electric System, and FERC-approved reliability standards are mandatory and enforceable. These rules do not make utilities AI safety regulators, but they show that cyber assurance is already part of electricity-system governance where grid reliability is at stake.

There is also precedent for treating foreign-controlled digital dependencies in the electricity system as a national-security issue. U.S. bulk-power-security policy has focused on the risk that equipment supplied by foreign-adversary-linked entities could create vulnerabilities in critical electricity infrastructure. More recently, U.S. energy officials have reportedly reassessed risks from foreign-made solar inverters and batteries after undocumented communication devices were found in some units. These cases concern grid equipment, not AI data centers. But they show the general principle: when digital systems connected to the electricity sector could create cyber-physical risk, ownership, control, supply chain, remote access, and hidden functionality become legitimate security questions.

An AI-safety version might use a similar division of labor. Grid operators should not be expected to evaluate model risk directly. But access to AI-scale grid capacity, non-curtailable service, backup generation, or critical-load status could be conditional on proof that a competent AI-safety, cybersecurity, or critical-infrastructure authority has verified relevant claims: what kinds of workloads run at the facility, whether critical societal services would be affected by curtailment, whether restricted workloads are excluded, whether AI systems can interact with facility operations or grid-facing systems, and whether shutdown or curtailment procedures work.

The point of these disclosure and assurance requirements would not primarily be to slow down ordinary data-center buildout. In the default case, they should be made as low-friction as possible: standardized forms, confidential reporting channels, clear thresholds, trusted third-party audits, and fast approval where facilities can show that their workloads, ownership, cybersecurity, emergency procedures, and critical-service dependencies are understood.

The goal is to create visibility and preserve options. Today, governments may have very little practical ability to identify which data centers are serving frontier AI systems, what critical non-AI services are colocated in the same facilities, whether a facility could be curtailed without disrupting hospitals or financial infrastructure, or whether new systems with serious cyber capabilities are being deployed behind the meter. Disclosure and verification would create the map before a crisis. Conditional access would then provide the leverage to make that map real.

3.3 Conditional access and pacing

Disclosure and verification only matter if they are connected to decisions actors care about. Conditional access is the lever that turns legibility and assurance into actual leverage.

Connection to the grid is often a permissioned process. Large loads may require interconnection agreements, grid-impact studies, capacity reservations, infrastructure upgrades, environmental approvals, and negotiations with utilities or transmission operators. In constrained systems, not every large load can be connected immediately or on the same terms.

Existing data-center policy already uses versions of this structure, although for energy and planning reasons rather than AI safety. Ireland’s regulator has created a data-center-specific connection policy under which new data centers must provide new renewable and dispatchable electricity generation instead of simply connecting as ordinary large loads. Singapore allocates new data-center capacity through a government-run Call for Application: at least 200 MW is available, with potentially more capacity for projects using new and innovative green-energy pathways. Neither policy is about frontier AI risk. But both show that governments can make access to data-center-scale infrastructure conditional on satisfying public-policy criteria. An AI-safety analogue could ask whether cyber-physical assurance, workload classification, emergency-curtailment capability, or compliance with a frontier-AI safety regime should become additional criteria for AI-scale facilities.

This creates a possible policy lever: access to AI-scale electricity could be made conditional on satisfying disclosure, assurance, cybersecurity, emergency-control, or critical-workload-classification requirements.

The relevant control points could include:

  • whether a facility receives a grid connection at all;
  • how much capacity it receives;
  • how quickly it moves through the connection queue;
  • whether its service is firm or non-firm;
  • whether it is treated as curtailable or non-curtailable;
  • whether it receives favorable tariffs;
  • whether it can expand capacity later;
  • whether backup generation or islanding is allowed;
  • whether it receives critical-load status during emergencies.

This is different from disclosure and verification. Disclosure asks: what is this facility and what will it run? Verification asks: are those claims true and are the controls real? Conditional access asks: what infrastructure privileges does the facility get if it complies, and what privileges are withheld if it does not?

This could matter because it applies at the buildout stage, before dangerous systems are fully deployed. Rather than waiting until a model is already trained, served, or embedded across society, governments could gain insight and prepare resilience or safety measures earlier: before additional power is allocated, before a site becomes non-curtailable, before backup power allows it to evade emergency orders, or before a facility becomes too operationally important to interrupt.

There are limits to such policies. Actors may move jurisdictions, go off-grid, split compute across sites, use intermediaries, or relabel AI workloads as ordinary cloud. Conditional access should therefore be understood as one defense-in-depth layer, not as a complete governance mechanism. Its value is that it ties safety-relevant disclosure and assurance to a scarce physical input: reliable large-scale electricity.

3.4 Operational monitoring and ongoing constraints

Some levers could apply after grid connection, during normal operation.

For example, AI-relevant data centers could be subject to ongoing obligations such as:

• periodic re-certification of declared facility class and risk profile;

• ongoing reporting of large AI-relevant loads and major compute upgrades;

• alerts when power use, chip counts, or workload intensity exceed declared thresholds;

• requirements to report major changes in model classes, capability profiles, customers, or use cases;

• audits of whether declared workload categories match actual use;

• restrictions on resale of compute to unknown or high-risk customers;

• obligations to participate in demand response or emergency curtailment;

• monitoring of unusual load growth, behind-the-meter expansion, or backup-power expansion.

This is where energy becomes a monitoring layer, not just an approval layer. The point is not only that a facility might physically change. Its use and risk profile might change. In many cases, large data centers may already be AI-heavy. The more important change may be that a new model class is deployed, a major capability threshold is crossed, high-risk cyber or bio workflows become available, major customers change, compute is resold through intermediaries, new accelerators are installed, or backup-power capacity expands.

There are partial precedents for this kind of post-connection oversight. Hydro-Québec’s blockchain rules make a post-connection change or misclassification of computational use legally significant: if a customer requested connection for another type of use but Hydro-Québec later finds, within five years of energization, that the installation is being used for cryptographic blockchain computation, different cost obligations apply. This is not AI safety regulation, but it shows that there is precedent for requiring disclosure if there is a shift from one computational use to another.

Data-center-specific ongoing reporting also already exists. Under the EU data-center reporting regime, and Sweden’s implementation of it, owners or operators of data centers above 500 kW installed IT power demand must report annual energy-performance information to an EU-wide database; the required data includes energy use, water use, waste heat, and whether the data center contributes to grid services. That is energy-performance reporting, not workload reporting, but it shows that operating data centers can be subject to recurring disclosure obligations.

A more mature ongoing-compliance model exists in electricity reliability regulation. In the North American reliability system, compliance monitoring can involve audits, spot checks, self-certifications, self-reports, compliance investigations, periodic data submittals, and complaints. This precedent is mainly about reliability compliance, not AI safety, but it shows that ongoing audit and reporting machinery already exists around electricity infrastructure.

Flexibility and curtailment requirements could also create a low-friction disclosure pathway. For new AI-scale data-center connections, some form of workload interruptibility classification could be baked into baseline connection or service terms, even if emergency interruption is not currently needed and may never be used. A facility could be required to specify which loads are flexible, which are deferrable, which are critical, and which cannot be interrupted without wider consequences. Additional benefits — such as faster connection, favorable tariffs, non-firm service, or critical-load treatment — could then depend on the quality and usefulness of this classification. For AI data centers, this naturally pushes toward workload classification: frontier training may be more deferrable than real-time inference; some inference may support critical healthcare, finance, telecom, government, or emergency services; some workloads may be cyber-sensitive; and some compute may be resold to customers the facility operator does not fully know. In other words, curtailment planning can create useful operational legibility before anyone knows whether emergency interruption will ever be needed.

Flexibility and curtailment requirements could also create a low-friction disclosure pathway. For new AI-scale data-center connections, some form of workload interruptibility classification could be baked into baseline connection or service terms, even if curtailment is rarely or never used. A facility could be required to specify which loads are flexible, which are deferrable, which are critical, which are cyber-sensitive, and which cannot be interrupted without wider consequences. For AI data centers, this naturally pushes toward AI-safety-relevant workload classification: frontier training may be more deferrable than real-time inference; some inference may support critical healthcare, finance, telecom, government, or emergency services; some workloads may involve cyber, bio, military, or autonomous-R&D capabilities; and some compute may be resold to customers the facility operator does not fully know. In other words, curtailment planning can create useful operational legibility before anyone knows whether emergency interruption will ever be needed.

This is not hypothetical as a grid-governance form, even though the AI-safety content would be novel. Hydro-Québec’s blockchain tariff bakes curtailment into continued service, allowing covered demand to be reduced to 5% of recent peak on two hours’ notice for up to 300 hours per rate year. Google has signed demand-response agreements with U.S. utilities to curtail up to 1 GW of data-center electricity use during critical periods, and flexible-load tariff datasets already cover interruptible, demand-response, standby, backup, and cogeneration programs for large loads. These examples are about grid reliability and cost, not AI safety. But they show that large compute facilities can be asked in advance to classify what can be interrupted, under what conditions, and with what operational consequences. The AI-safety extension might be to make that classification more informative: not only “how many MW can you reduce?” but “what kinds of AI workloads, customers, capabilities, and critical dependencies would be affected if this load is reduced?”

An AI-safety version would be novel in content. The relevant updates might concern workload classes, major customers, frontier training or inference use, restricted workloads, cyber-physical controls, critical-service dependencies, major chip upgrades, model capability profiles, or backup-power expansion. But the governance form is familiar: large or reliability-relevant facilities can be required to keep authorities informed when their operational significance changes.

This could matter especially in race or organizational-failure scenarios, where a facility might remain physically similar while becoming much more safety-relevant because the models, customers, workloads, or capabilities running inside it have changed.

3.5 Emergency curtailment and interruption

Another class of possible interventions concerns emergency conditions.

In severe scenarios, states may need the ability to slow, interrupt, or isolate dangerous AI infrastructure. Energy systems already include concepts like load shedding, demand restrictions, critical-load prioritization, rolling outages, emergency disconnections, grid islanding, and proactive de-energization. These mechanisms are not designed for AI safety. But they show that electricity systems are already treated as controllable during crises.

There are several relevant precedents for fast interruption. During the February 2021 Texas emergency, ERCOT initiated rotating outages and shed about 10,500 MW of customer load at the highest point to protect the system. California’s Public Safety Power Shutoffs provide a different kind of precedent: utilities may temporarily de-energize specific areas to reduce wildfire risk from electric infrastructure. Local emergency powers can be even more direct: some building codes give officials authority to disconnect utility service in an emergency where necessary to eliminate an immediate hazard to life or property, and utilities may disconnect power around active fires for public safety. Finally, cryptocurrency mining provides the closest computational-load precedent: Kazakhstan’s state electricity provider cut power supplies to crypto miners during grid stress. These are not AI-safety precedents, but they show that electricity access can be interrupted quickly, and sometimes selectively, when a load or energized infrastructure is treated as unsafe, lower-priority, or system-threatening.

An AI-safety version involves:

• legal authority to curtail power to specific frontier AI facilities during declared emergencies;

• pre-negotiated curtailment agreements for AI data centers;

• “break-glass” procedures involving regulators, grid operators, cybersecurity agencies, and national-security authorities;

• mandatory participation of frontier AI data centers in emergency demand response;

• critical-workload classification so authorities know what else would be disrupted;

• clear protocols for when and how energy access can be interrupted;

• time limits, logging, review, and safeguards against abuse.

The most relevant AI scenarios are not ordinary grid emergencies. Instead it could be scenarios where events might look strange across society and attribution is uncertain: suspected AI-enabled cyber operations, election interference, coordinated failures in infrastructure such as transportation, automated exploitation of critical systems, or sudden deployment of models with dangerous operational capabilities. In such cases, energy intervention would be a crude but useful tool: If one or more specific facilities are plausibly enabling the activity, a pre-defined emergency-control regime might buy time while other authorities investigate or respond.

That regime should not be discretionary infrastructure shutdown by panic. It would need clear triggers, competent authorities, evidence thresholds, workload classification, protection for critical services, due process where possible, post-hoc review, and abuse safeguards. It might apply only in declared emergencies or when a competent national-security, cybersecurity, or AI-safety authority certifies that a facility is plausibly and materially enabling ongoing, threatening activity.

This is not a clean solution. DCs might have backup generators, private gas, batteries, multiple sites, foreign facilities, or allied jurisdictions. Emergency curtailment could also create collateral damage if the same facility hosts healthcare, financial systems, telecom, government services, or other critical workloads. But partial emergency leverage may still matter, especially if the alternative is to have no operational lever at all. And the fact that critical workloads might be interrupted under such scenarios might be another way to encourage ongoing disclosure on what type of workloads run at the various DCs (see section above on operational monitoring).

3.6 Physical shutdown and analog controls

AI safety discussions often focus on digital controls: model behavior, monitoring systems, access controls, evaluations, cloud permissions, and software guardrails. But frontier AI systems ultimately run on physical machines, inside facilities with electrical systems, cooling systems, backup power, access controls, fire-safety systems, and operational runbooks.

The previous section discussed emergency authority: when, if ever, states or grid actors should be able to curtail power to dangerous AI infrastructure. This section is about the implementation problem underneath that authority. If a competent authority or facility operator decides that a frontier AI system must be slowed, isolated, or stopped, in addition to digital or remote controls, what physical control pathways exist?

In other words, the issue is not only whether someone can legally order interruption. It is whether the facility has shutdown paths that are practical, targeted, human-controlled, resistant to software failure or compromise, and that could be part of the toolkit during a crisis.

This is not mainly about inventing new “AI kill switches.” Large data centers typically already have some physical interruption and control mechanisms: emergency power-off or disconnecting means, manual breaker access, UPS and generator controls, fire-suppression interfaces, access controls, and operational procedures. The exact architecture varies by jurisdiction, facility design, redundancy philosophy, and operator preference. These systems are usually designed for personnel safety, fire response, electrical safety, equipment protection, and continuity management — not AI safety.

The strategic point is that physical shutdown systems can become security-relevant even when they were not designed as security tools. Industrial safety systems are a clear example. Safety instrumented systems are designed to keep dangerous industrial processes within safe limits and to isolate or shut down processes when limits are breached. They are also important enough that attackers have targeted them: the TRITON/TRISIS malware was designed to manipulate industrial safety systems, potentially preventing safe shutdown or causing unsafe operation. This is not an AI-data-center precedent, but it shows that national-security and cybersecurity actors already pay attention to physical shutdown paths in critical infrastructure.

For frontier AI infrastructure, the relevant questions are practical:

• what physical shutdown paths exist;

• who can activate them;

• whether they are local, remote, networked, or manual;

• whether backup power can bypass grid curtailment;

• whether workloads are segmented enough to interrupt risky systems without disabling critical services;

• whether shutdown prevents automated restart;

• whether use of emergency controls would damage equipment, destroy evidence, or create collateral risks;

• which authority, if any, could lawfully request or order action.

The case is not that physical controls are stronger than software controls. The case is that they might provide separate layers of defense. If the same digital stack controls model deployment, monitoring, scheduling, cooling, restart, and access permissions, then purely software-based controls may be correlated with that failure mode.

This should not be oversold. Existing data-center shutdown mechanisms are blunt. They are not workload-aware AI-safety tools. A facility may host critical services alongside risky workloads, and a prepared actor could route around shutdown using backup generators, private gas, batteries, multiple sites, foreign facilities, or allied jurisdictions. Sudden shutdown could also create its own risks if evidence is lost or critical services are interrupted.

The practical first step is therefore awareness and mapping, not dramatic intervention. National-security, cyber, emergency-management, and energy authorities should understand which AI-scale facilities exist, what physical shutdown and backup-power arrangements they have, who controls them, what would happen if they were used, and what safeguards would be needed before anyone considered them as emergency levers. The aim is to ensure that, if physical control paths become strategically important under extreme AI-risk scenarios, governments are not discovering them for the first time during the crisis.

3.7 Bypass prevention: backup power and off-grid AI

While energy-based interventions might become relevant, there are recent developments that would make sure interventions harder.

This suggests a final category: regulating not only grid access, but also the ability of frontier AI infrastructure to evade grid-based oversight through private generation.

Relevant areas include:

  • behind-the-meter gas turbines;
  • dedicated nuclear or geothermal facilities;
  • large battery systems;
  • colocated renewables;
  • fuel supply contracts;
  • microgrid islanding;
  • private transmission lines;
  • offshore or remote data centers. 

This matters because a “grid kill switch” or disclosure requirement is much less useful if frontier AI facilities can simply island themselves or run independently.

A realistic energy safety agenda would therefore also need to ask:

  • should certain kinds of private power buildout require AI safety review?
  • Could backup power still be regulated as outlined above?
  • Could emergency curtailment requirements apply to both grid and behind-the-meter power?
  • How easy would it be for dangerous actors to evade national energy controls? 

This is one reason energy governance cannot only focus on public grid connections. If energy becomes a meaningful AI safety lever, the relevant intervention surface may expand to include backup power, private generation, fuel supply, and siting.

4. Where energy levers could reduce existential AI risk

4.1 Making frontier AI deployment governable by making it visible

One way energy levers could reduce existential risk is by making frontier AI deployment more visible to the institutions that may need to govern it.

The basic intuition is simple: governments cannot govern what they cannot see. If authorities do not know which facilities are training or serving frontier systems, who controls them, what customers can access them, whether dangerous workloads are excluded, whether critical services are collocated, or whether emergency interruption is possible, then many later safety interventions will be too slow or too blind.

Energy regulation may help because large AI deployments often need electricity access, grid upgrades, backup power, and service arrangements that already pass through permissioned infrastructure systems. Those processes could become disclosure and verification points: not only “how many megawatts do you need?” but “what systems will this power, who can use them, what safeguards apply, and what options exist if risk escalates?”

This matters under race or unsafe-scale-up dynamics. Race dynamics are not themselves the catastrophe; they are a pressure that can push labs, states, companies, or coalitions to deploy systems before they are safe, secure, evaluated, or governable. Energy-linked disclosure would not replace model evaluations or AI regulation. But it could route basic facts about upcoming frontier AI deployment to energy agencies, AI safety regulators, cybersecurity agencies, national-security bodies, militaries, and emergency planners.

Recent cyber-capability developments illustrate why this visibility matters. Claude Mythos Preview was treated as sensitive enough that Anthropic launched it through Project Glasswing, a restricted-access program for selected partners working on critical software security. UK AISI evaluated Claude Mythos Preview and found significant improvement on multi-step cyber-attack simulations. Anthropic may have acted responsibly by restricting access and working with selected evaluators and partners, but the example also shows the fragility of a visibility model that depends heavily on voluntary lab disclosure alone.

The energy-linked version would not ask grid operators to judge whether a model is safe. It would ask whether AI-scale facilities should have to disclose enough about their workloads, customers, model classes, cybersecurity controls, backup-power arrangements, and emergency procedures that competent authorities can decide whether further review is needed.

This would be most useful where frontier AI remains large, concentrated, and infrastructure-dependent. It would be much weaker if dangerous systems can be developed or deployed through small, distributed, foreign, or hard-to-detect compute.

4.2 Making access to dangerous AI systems accountable

The previous section focused on visibility into frontier AI deployment itself: what systems are being trained or served, where they run, and what controls surround them. This section concerns the next layer: if powerful or potentially dangerous systems are nonetheless allowed to run, who gets access to them?

This may matter especially for political influence, coup attempts, authoritarian consolidation, military misuse, and large-scale cyber operations. Such efforts may involve major inference capacity, specialized model access, resellers, foreign or state-linked customers, political intermediaries, or unusual usage patterns around sensitive periods such as elections, protests, leadership transitions, or military crises.

Energy-linked governance could support access accountability by tying AI-scale electricity access, expansion, non-curtailable service, backup power, or critical-load status to customer due diligence, access logging, resale restrictions, sanctions compliance, cybersecurity review, and reporting of high-risk use. The point would not be that energy regulators decide who may use AI systems. It would be that AI-scale infrastructure should not provide frontier capabilities to unknown or high-risk users while remaining opaque to institutions responsible for AI safety, national security, cybersecurity, election security, or critical infrastructure.

This would not catch all misuse. Bioweapons-relevant misuse, some cyber misuse, persuasion, blackmail, insider abuse, or foreign deployment may not require large domestic AI data centers. It would also need strong safeguards: customer-disclosure and access-monitoring requirements could themselves be abused for surveillance, censorship, or political control. The case is therefore not for unrestricted state visibility into all AI use. It is for proportionate oversight of major access pathways to the most powerful systems, especially where those systems depend on large, safety-relevant infrastructure.

4.3 Raising the threshold for successful loss of control

Energy levers could also matter in certain loss-of-control scenarios.

In these scenarios, the dangerous actor is not primarily a malicious human user, but the AI system itself: a system that deceives operators, evades monitoring, manipulates humans, replicates, acquires resources, resists shutdown, or maintains access to compute. In such cases, software-layer controls may fail partly because the system being controlled can interact with, manipulate, or route around the software control environment.

Energy and physical-infrastructure levers could matter while the system still depends on identifiable facilities. They might slow training, interrupt large inference clusters, constrain automatic restart, limit backup-power autonomy, require human-controlled shutdown paths, or force review before additional capacity is brought online.

The risk-reduction mechanism is not only delay after a crisis begins. It may also raise the threshold for a successful loss-of-control event in the first place. If a dangerous system cannot secure its objectives through software alone, but must also preserve access to power, cooling, data-center operations, backup generation, manual restart procedures, facility staff, fuel supply, and physical infrastructure, then it faces a harder problem. It may need to persuade humans, compromise facility personnel, manipulate contractors, secure backup energy, bypass manual controls, or move workloads to other sites before it can safely make an irreversible move.

That could matter. Physical and institutional dependencies may force a dangerous system to plan longer, act more cautiously, or delay action until it has solved problems outside the software domain. That additional preparation time could give humans more opportunities to notice suspicious behavior, improve monitoring, harden systems, restrict access, test shutdown paths, or install additional safeguards. In optimistic cases, non-software control requirements could shift a dangerous system from “act now through software” to “wait until I can also overcome physical and institutional controls,” potentially buying months or years before a take-over plan is attempted.

This does not make energy a decisive control layer. A sufficiently capable system might still route around it through distributed compute, foreign facilities, human intermediaries, markets, or compromised infrastructure. But forcing a dangerous system to operate across physical, logistical, and institutional boundaries may increase the chance that humans can detect, disrupt, or regain control before the situation becomes irreversible.

Energy is therefore not a magic off-switch for loss of control. Its possible value is as a less-correlated layer of defense: cruder than software controls, but potentially useful precisely because it sits partly outside the software domain and depends on physical infrastructure, institutional procedures, and people who may already operate within security-sensitive environments.

4.4 Reducing gradual disempowerment through resource governance

Energy levers may be most indirect in gradual disempowerment scenarios, but still important.

Some catastrophic AI outcomes may not involve a discrete malicious actor or an abrupt AI takeover. Human agency could gradually erode as AI systems become embedded in the economy, science, infrastructure, governance, culture, firms, and state capacity. Over time, decisions may increasingly be optimized around machine systems, machine-speed institutions, and AI-mediated economic power rather than human judgment, bargaining power, or democratic control.

Energy policy will not solve this by itself. But energy is one of the places where large-scale machine cognition becomes physically visible. AI infrastructure competes for electricity, grid capacity, land, cooling, water, backup generation, gas turbines, transmission buildout, public subsidies, and political attention. If AI systems displace labor while also raising electricity bills, delaying electrification, or consuming scarce grid capacity, the resource conflict may become politically salient.

This creates a different kind of risk-reduction mechanism. Energy governance could help make the expansion of machine cognition more visible, contestable, and conditional. AI data centers could be required to pay their full marginal grid costs, fund grid upgrades, accept interruptibility, disclose major workload categories, justify public benefits, avoid crowding out households or strategic industry, and contribute to local or national resilience. In some cases, benefits could be shared more directly through local investment, subsidized household energy, public-interest tariffs, or requirements that AI infrastructure strengthen rather than weaken the surrounding energy system.

The point is not to frame this as a simple conflict between humans and machines. In the near term, companies, states, utilities, investors, militaries, and markets will allocate energy to AI. But if advanced AI becomes economically and strategically central, those human institutions may increasingly reorganize physical resources around AI systems. Energy is one domain where that reorganization can be seen, debated, priced, conditioned, and potentially constrained.

This would not prevent gradual disempowerment on its own. But strong resource governance could reduce the chance that society quietly builds the physical base for machine-dominated systems while ordinary people bear the costs. It could also create political pressure for AI infrastructure to produce visible public value, not merely private capability growth.

This also matters because public pressure over AI energy use may create policy windows whether AI safety actors engage or not. Those windows could produce crude anti-data-center backlash, or they could be shaped toward targeted interventions: mandatory reporting, safety-linked connection approvals, customer disclosure, cybersecurity assurance, emergency-curtailment planning, backup-power transparency, and better monitoring of frontier AI infrastructure. If AI safety people ignore this domain, the politics of AI energy use may be driven mostly by electricity-price anger, climate politics, local opposition, or generic anti-corporate sentiment. Some of that may be useful. Much of it may be poorly targeted.

4.5 Where energy levers are likely weak

Across all of these pathways, the same boundary applies: energy levers are strongest where dangerous AI activity remains large, visible, permissioned, and infrastructure-dependent. They are weakest where dangerous capabilities become cheap, distributed, foreign, hidden, or hard to distinguish from ordinary computation. This is why energy should be treated as one defense-in-depth layer, not as a substitute for model evaluations, lab governance, cloud oversight, chip controls, cybersecurity, biosecurity, export controls, or international coordination.

5. Why this may fail

This agenda could fail even if energy is, in principle, a relevant AI-safety surface.

First, the intervention space may be too speculative or too expensive to justify. Policymakers may reasonably decide that energy agencies should not spend scarce attention on low-probability AI catastrophe scenarios, especially if the proposed measures impose costs on grid connection, data-center buildout, economic growth, electricity prices, or electricity reliability.

Second, the policies may fail to be implemented in any meaningful form. Energy regulators may lack jurisdiction over AI workloads. Grid operators may not want responsibility for AI safety. AI companies, cloud providers, utilities, and data-center developers may resist disclosure or conditional access. Governments may lack technical capacity, legal authority, or political will. Even if a policy process begins, the final version may be watered down until it has little practical effect: thresholds set too high, reporting categories made too vague, exemptions added for incumbents or “critical” customers, disclosure kept too confidential to be useful, penalties made trivial, enforcement underfunded, or emergency powers made so procedurally constrained that they cannot operate on relevant timelines.

Third, implemented levers may be bypassed. Actors may move jurisdictions, split compute across facilities, use intermediaries, relabel workloads as ordinary cloud, rely on backup power, build behind-the-meter generation, use foreign infrastructure, or reduce energy needs through efficiency gains.

Fourth, implemented levers may be too blunt. Emergency curtailment or shutdown could disrupt critical services if healthcare, telecom, finance, government systems, or emergency services are colocated with risky workloads. Physical interruption may also destroy evidence, damage equipment, create operational instability, or cause collateral harm that is deemed disproportionate to the risk being addressed.

Fifth, the levers may be abused. Disclosure, customer-monitoring, conditional-access, and emergency-control requirements could become tools for surveillance, censorship, political control, industrial favoritism, or protectionism. Any serious proposal would need clear thresholds, competent authorities, confidentiality protections, due process where possible, time limits, logs, review, and safeguards against misuse.

Finally, the institutions may not fit the problem. Energy regulators are not AI safety regulators, and grid operators might not be expected to evaluate model risk. The most plausible versions would require a division of labor: energy systems provide leverage and visibility, while AI-safety, cybersecurity, national-security, and critical-infrastructure authorities provide the substantive risk assessment.

While these limitations are serious, they might not yet be reasons to ignore energy. They are reasons to treat it as one uncertain defense-in-depth layer, not as a substitute for model evaluations, lab governance, cloud oversight, chip controls, cybersecurity, biosecurity, export controls, or international coordination.

6. What should be studied now?

Given all uncertainties discussed above, I do not think the right next step is to advocate one specific policy.

The right next step is to further map and investigate the intervention surface.

6.1 Which AI risk pathways are energy-legible?

For which catastrophic scenarios would dangerous AI activity likely require:

  • multi-hundred-megawatt clusters;
  • multi-gigawatt campuses;
  • large inference facilities;
  • ordinary cloud infrastructure;
  • distributed inference;
  • small efficient models;
  • specialized on-premise deployments? 

Energy levers matter much more in some of these worlds than others.

6.2 What authorities already exist?

Across major jurisdictions, who can:

  • approve, deny, or delay large data-center connections;
  • impose conditions on large electricity users;
  • require disclosure of end uses;  
  • curtail loads during emergencies;
  • classify facilities as critical infrastructure;
  • regulate backup generation;
  • impose cybersecurity requirements;
  • allocate grid-upgrade costs;
  • prioritize some loads over others? 

The implementation pathway itself also needs study. Which parts require EU- or US-level action? Which could be piloted nationally or state-by-state? Which could be handled through regulator guidance, grid-connection policy, data-center permitting, critical-infrastructure designation, voluntary hyperscaler agreements, or emergency-planning exercises?

6.3 What disclosure and assurance requirements are feasible?

Could large AI data centers be required to disclose:

  • ownership;
  • major customers;
  • frontier training or inference use;
  • foreign access;
  • high-risk workloads;
  • safety and security standards;
  • shutdown and curtailment capability? 

Could those be usefully audited?

6.4 How bypassable are the levers?

For each possible lever, ask:

  • Can actors move jurisdictions?
  • Can they go off-grid?
  • Can they split compute across facilities?
  • Can they use intermediaries?
  • Can they relabel workloads as ordinary cloud?
  • Can they rely on backup power?
  • Can they use foreign facilities?
  • Can they reduce energy needs through algorithmic progress? 

This should be analyzed adversarially.

6.5 How should energy governance complement compute governance?

Energy governance should not be seen as an alternative to compute governance. It may be a complement.

Compute governance tracks chips and compute capacity. Energy governance tracks the physical ability to power that compute. Cloud governance tracks who gets access. Model governance tracks what systems are trained and deployed.

The practical question is whether these layers can be combined into a more robust picture of frontier AI infrastructure than any one layer can provide alone.

6.6 What public narratives will shape policy windows?

If AI energy demand becomes politically salient, what narratives will dominate?

Possibilities include:

  • AI is raising your power bills;  
  • AI is blocking electrification;  
  • AI is forcing new gas plants;
  • AI is taking power from households;
  • AI data centers benefit billionaires while costs are socialized;
  • AI infrastructure is strategically necessary;
  • AI infrastructure must be regulated like critical infrastructure;
  • AI safety requires emergency control over frontier compute. 

Some narratives may help reduce risk. Others may produce counterproductive backlash. AI safety actors should not assume this conversation will automatically go well.

7. What kind of effort might be needed?

If the above is even partly right, this space may require a hybrid effort that is neither a conventional AI policy think tank nor a conventional energy consultancy.

The initial goal would not be to campaign for a single policy. It would be to test which parts of the intervention surface survive contact with reality: which levers are legally plausible, technically meaningful, hard to bypass, and actually relevant to existential risk.

8. The modest case

The argument here is not that energy will control AI, that the grid is an AI kill switch, or that electricity constraints will prevent dangerous AI.

The argument is narrower:

Some safety-relevant AI systems may depend on large-scale physical infrastructure. Energy systems are among the most important and most governed parts of that infrastructure. Therefore, energy may provide neglected levers for making frontier AI deployments more visible, more conditional, more auditable, more interruptible, or harder to scale recklessly.

These levers may fail. They may be bypassed. They may matter only in some scenarios. They may require coordination with compute governance, cloud oversight, lab regulation, cybersecurity, and national security institutions.

But AI safety may need every viable layer of defense. Software-layer governance may fail. Lab commitments may fail. Model evaluations may lag behind capabilities. International agreements may be too slow. Chip controls may be bypassed. Cloud monitoring may be incomplete.

In that world, physical infrastructure levers could be valuable even if they are partial, messy, and imperfect.

Energy is not the solution to AI safety. But it may be one of the places where advanced AI becomes most exposed to existing human institutions.

If so, we should understand that surface before it might matter.

 

  • I used an LLM to help create this post and it likely contains ">10% AI-generated text". That said, I really do not know how to measure this 10% number. My workflow is that I write something, then use AI to tighten it and improve flow. I then give feedback to the AI on its rewriting attempts. I might then finally go over it and do some small edits myself. Or not. So from that perspective you might say "80% of the text was copied from an LLM output" - but the text is far from AI generated in my mind - these are my ideas and analyses, my structure and so on. The AI might be more of a polish on top, kind of like an improved spell check. I also bounced some technical ideas and framing questions with an LLM. Feel free to give me guidance for future posts on how to disclose my AI use. Also happy to share DMs with links to LLM convos on how I work.

6

0
0

Reactions

0
0

More posts like this

Comments
No comments on this post yet.
Be the first to respond.
More from Benevolent_Rain
View more
Curated and popular this week
Relevant opportunities
View more