Throughline Desk ·

M11E2: Legal, Ethical, and Policy Boundaries in AI-Augmented OSINT

The Comfortable Lie Hidden in "Open Source"

You have probably already internalized a working model. Open-source intelligence is, by definition, collection from publicly available sources. No covert access, no classified intercepts, no warrant required. If it's on the open internet, you're permitted to look. If AI helps you look faster or look at more of it, you're simply scaling a lawful activity. The model is intuitive, internally consistent, and widely held. It is also dangerously incomplete.

The phrase "publicly available" is doing enormous legal work in that formulation — work it cannot support once you examine what it means across different legal frameworks, different organizational types, and different downstream uses of the data collected. Whether you're a federal intelligence analyst, a corporate risk researcher, an investigative journalist, or an NGO monitoring human rights violations, the same act of pulling content from a public website can carry radically different legal exposure and ethical weight. The AI doesn't change that. If anything, AI amplifies the risk, because it enables collection at a scale, speed, and level of granularity that would have been impossible with manual methods — and it invites the comfortable assumption that if a model can do it, it must be permissible.

That assumption needs to be broken before it causes real damage. The constraints on AI-augmented OSINT don't depend primarily on whether the data is technically accessible. They depend on who you are, what you're collecting, how you're collecting it, and what you're doing with it afterward. Those four dimensions interact in ways that aren't obvious, and this episode works through the friction in each of them.

The Org-Type Problem: Same Collection, Different Rules

Start with the most fundamental variable: organizational identity. The legal framework governing OSINT collection is not universal. It is specifically calibrated by what type of entity you are, and the gap between categories is wider than most practitioners appreciate.

For U.S. government agencies — particularly those in the Intelligence Community — the governing constraint is not "is this publicly available?" but rather "does this implicate U.S. persons?" The IC OSINT Strategy 2024–2026, published by the Office of the Director of National Intelligence (ODNI), explicitly identifies the growth of generative AI as creating "both opportunities and risks for OSINT tradecraft" — but it does so against the backdrop of a legal framework that imposes the Fourth Amendment, the Privacy Act, Executive Order 12333, and a thicket of oversight requirements on what any government analyst can collect, retain, and disseminate about U.S. persons, even from open sources. The IC OSINT Strategy notes a commitment to "strengthen OSINT as a core intelligence discipline," but that strengthening has to happen within those constraints, not around them. A government analyst running an AI-powered social media aggregation tool that sweeps up U.S. person data — even if every post is public — has triggered a different set of legal obligations than a private-sector researcher doing the same thing.

The Anthropic-Pentagon dispute that dominated the first quarter of 2026 makes the specific texture of those constraints viscerally clear. The Department of Defense wanted Anthropic to grant the Pentagon unfettered access to its models across all lawful purposes, while Anthropic wanted assurance that its technology would not be used for fully autonomous weapons or domestic mass surveillance. Anthropic's position — stated explicitly after the supply-chain-risk designation — was direct: "We do not believe that today's frontier AI models are reliable enough to be used in fully autonomous weapons. Allowing current models to be used in this way would endanger America's warfighters and civilians. Second, we believe that mass domestic surveillance of Americans constitutes a violation of fundamental rights." The dispute boiled down to a question of who gets to constrain what AI does once it's in government hands. Judge Rita F. Lin found that the Department of War's records showed it designated Anthropic as a supply chain risk because of its "hostile manner through the press," calling out what she characterized as illegal First Amendment retaliation. The legal battle remains ongoing as of this writing, split across two courts reaching different preliminary conclusions. For OSINT practitioners in government contexts, the underlying principle is clear: the lawfulness of using AI tools for intelligence collection depends not merely on the availability of the data but on whether the use falls within the authorization granted by law to that agency — and those authorizations are not blanket permissions.

Corporate intelligence teams operate under a different constraint regime, one that is often less visible and therefore more dangerous. A corporate risk analyst at a financial institution has no Fourth Amendment obligations to worry about — the Fourth Amendment constrains government, not private actors. But she is subject to the Fair Credit Reporting Act if her analysis is used to make credit, employment, or insurance decisions. She faces potential liability under unfair business practices law if her competitive intelligence crosses into trade secret misappropriation. And if she's aggregating personal data on individuals — employees, customers, counterparties, subjects of due diligence investigations — she is potentially subject to the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) if any of those individuals are in Europe, and a growing stack of state-level analogs.

Investigative journalists occupy perhaps the most legally protected position in this taxonomy, at least in the United States. First Amendment protections, the reporter's privilege, and decades of case law establishing that journalists can receive and publish information that others couldn't legally collect — all of this creates a substantial shield. But that shield has specific dimensions. It protects publication; it protects the editorial decision to investigate; it provides some protection for newsgathering. It does not protect journalists from liability for hacking, for exceeding authorization on a computer system, or for commercial exploitation of data in ways unrelated to newsgathering. The journalistic privilege is a publication privilege, not a collection privilege. A journalist using an AI scraping tool that bypasses technical access controls on a source's systems is not shielded from CFAA (the Computer Fraud and Abuse Act, the primary federal statute governing unauthorized computer access) exposure by the First Amendment.

NGOs occupy the most ambiguous position. Human rights organizations, election monitors, and accountability groups often have quasi-journalistic functions, genuine public interest mandates, and essentially no legal privileges beyond those available to any private citizen. An NGO analyst running satellite imagery analysis via a platform like Palantir AIP (Palantir's AI Platform, which integrates large language models with operational data workflows), feeding AI-synthesized assessments to an international tribunal, is doing work of profound public importance — and doing it with essentially the same legal standing as a random researcher. The GDPR's research exemptions, the journalistic privilege under some national laws, and the public interest considerations in data protection frameworks may provide some relief, but they are not reliably applicable, and they require affirmative invocation and documentation, not assumption.

The critical error practitioners make is assuming that the most permissive framework in their operational context is the operative one. The most restrictive applicable framework governs.

Scraping, Terms of Service, and Where Enforcement Risk Actually Lives

The second dimension of the problem is collection method, and this is where the legal landscape has shifted most dramatically in the past eighteen months.

The conventional wisdom on web scraping, as of a few years ago, ran roughly like this: ToS (terms of service) violations don't create criminal liability, public data is public data, and the CFAA doesn't apply to publicly accessible websites. That conventional wisdom derived primarily from the Ninth Circuit's 2022 ruling in hiQ Labs v. LinkedIn, which held that scraping publicly available data did not constitute unauthorized access under the CFAA. It was never universal — courts in other circuits reached different conclusions — and subsequent litigation focused specifically on AI use cases has substantially complicated it.

On October 22, 2025, Reddit filed a federal lawsuit against AI startup Perplexity and three data-scraping companies: SerpApi, Oxylabs UAB, and AWM Proxy. The legal theory was carefully chosen. Rather than relying on CFAA or copyright infringement directly, Reddit alleged violations of the DMCA's (the Digital Millennium Copyright Act's) prohibition on the circumvention of technological control measures under 17 U.S.C. § 1201(a)(1)(A), a theory that mirrors some aspects of previously popular CFAA claims. The allegations described something more aggressive than simple scraping: Reddit accused Perplexity, SerpApi, Oxylabs, and AWMProxy of circumventing its controls by using large-volume proxy networks, fake user agents, and IP rotations, as well as technologies that overwhelm security measures. Reddit called what it described "data laundering" — whereby data firms scrape large volumes of content and sell it to AI companies. After receiving a cease-and-desist order, Perplexity increased the volume of citations to Reddit forty-fold.

The practical implication for OSINT teams is not that scraping is always impermissible. The legal risk is no longer primarily theoretical, and it concentrates at specific points that practitioners can identify. ToS violations alone, involving publicly accessible HTML, remain largely a civil matter with modest enforcement risk for most purposes. The risk escalates sharply when collection involves circumventing technical access controls (rate limits, CAPTCHAs, authentication walls, robots.txt directives); using identity masking or IP rotation to evade detection; operating at a scale that degrades the target platform's service; or building commercial products or services on top of scraped data without a licensing agreement. Each of these factors can transform a ToS violation into potential CFAA liability, DMCA liability, or — increasingly likely as courts absorb the Reddit and related litigation — something new that doesn't map cleanly onto existing law.

For AI-specific collection, the risk calculus has a second layer that didn't exist before: training data liability. In June 2025, Reddit sued Anthropic in California court under theories of breach of contract, unjust enrichment, trespass to chattels, tortious interference, and unfair competition. The theory that you can use a scraping pipeline to feed training data to a foundation model, then deploy that model in an OSINT workflow, without creating liability for the original scraping — that theory is actively contested in court right now. Organizations building proprietary AI-assisted analysis tools, or customizing commercial models with OSINT-derived data, need to understand that the data acquisition question and the downstream use question are not separable.

There is also a structural problem with how many OSINT teams are currently operating. The AI tools available in 2026 — including commercial platforms built on GPT-5, Claude, Gemini, and open-weight models like DeepSeek V3 and the recently released GLM-5.1 — make it extremely easy to build pipelines that ingest web content at scale and route it through inference. The engineering friction has largely disappeared. The legal friction has not. The gap between what's technically easy and what's legally established creates exactly the kind of organizational risk that manifests as a lawsuit or regulatory action two years after the activity that created it.

"Publicly Available" Under Privacy Law: A Term of Art, Not a Fact

The third dimension — and perhaps the most widely misunderstood — is what "publicly available" means in the data protection frameworks that govern personal information.

Under the GDPR, "publicly available" is not a legal category that exempts data from the regulation's requirements. The GDPR defines personal data as any information relating to an identified or identifiable natural person: names, email addresses, location data, IP addresses, photographs, biometric identifiers. The fact that this information appears on a public website, in a public social media post, or in a government record does not change its legal status as personal data. Processing that data — and AI analysis of a person's social media posts is unambiguously processing — requires a lawful basis under Article 6, purpose limitation, data minimization, and, for sensitive categories under Article 9, explicit consent or a narrowly defined alternative ground.

The European Data Protection Board (EDPB) has been progressively tightening the space available for OSINT-based personal data processing. EDPB guidance published in June 2025 addressed data transfers to third-country authorities in ways that directly implicate intelligence-sharing arrangements — the kind of arrangements that matter when an NGO is feeding analysis to a non-EU government agency, or when a corporate due-diligence product built in the EU is used by clients in the United States. The notion that you can gather personal data in Europe and freely transmit AI-synthesized assessments based on that data to any jurisdiction is simply wrong.

CCPA has moved in a parallel direction. California's 2026 CCPA changes for technology companies include privacy risk assessments and AI-related oversight, with increased obligations specifically targeting profiling and automated decision-making. For corporate intelligence and risk teams operating in California or processing data about California residents — which is essentially every corporate entity of any size — AI-augmented analysis of individuals now triggers mandatory privacy risk assessment obligations. These are statutory requirements with enforcement authority behind them.

The practical consequence is that the distinction between "OSINT collection on named individuals" and "OSINT collection on topics, patterns, or organizations" is legally meaningful in ways that practitioners often collapse in daily workflow. Scraping social media to understand the operational tempo of a foreign military unit is a different category of activity than scraping social media to build a profile on a named private individual, even if the technical pipeline is identical. The second activity, if it involves EU or California persons, requires a legal basis that most organizations have not established, and a documentation trail that most OSINT workflows do not generate.

The point cuts even harder for AI-specific capabilities. Running an individual's name, profession, and organizational affiliations through a large language model to generate a structured risk assessment is processing personal data. It doesn't matter that all the input information came from public sources. The synthesis — the model's output — is a new processing operation that requires its own legal basis, and in many jurisdictions, if that assessment is used to make decisions about that person, it triggers additional rights including the right to explanation and the right to object. Organizations using tools like Palantir AIP or custom LangGraph pipelines (LangGraph is an open-source framework for building multi-step AI agent workflows) to generate individual-level assessments need to have answered these questions before deployment, not after.

The 2026 Regulatory Layer: Three New Constraints That Change Analytic Workflows

Three specific regulatory developments in 2026 have direct operational implications for AI-augmented OSINT, and none of them are primarily about collection. They concern what happens downstream — how analysis is disclosed, how it is governed at the national level, and how it is evaluated for effectiveness.

The most operationally immediate is the EU AI Act's Article 50, which becomes fully enforceable on August 2, 2026. The transparency obligations are broader than most practitioners assume. Article 50 addresses risks of deception and manipulation, the integrity of the information ecosystem, and the marking and detection of AI-generated content, including labeling of deepfakes and certain AI-generated publications. For OSINT producers, the provision that bites hardest is Article 50(4): deployers of an AI system that generates or manipulates text published with the purpose of informing the public on matters of public interest must disclose that the text has been artificially generated or manipulated. Intelligence analysis, investigative journalism, human rights documentation — all of this potentially falls within "informing the public on matters of public interest." An organization producing AI-assisted open-source assessments that will be published, shared with oversight bodies, or distributed to client networks, and that operates in or serves the EU market, has disclosure obligations that didn't exist eighteen months ago.

The technical standard is demanding. The EU's draft Code of Practice on AI-Generated Content, published in December 2025, specifies that a multi-layered approach is required — including embedded metadata, imperceptible pixel-level watermarks, and fingerprinting — with no single technique being sufficient on its own. Regulators may not accept "we use watermarks" as a general statement; they may expect evidence of where and how content is marked, that the marking survives common transformations, and how this is tested, monitored, and documented in practice. For a two-person investigative unit or an NGO with limited technical staff, this is a compliance burden that requires a vendor solution or a substantial internal investment. The enforcement deadline is three months away. The final Code of Practice is expected in June 2026.

The second regulatory development is the White House National Policy Framework for Artificial Intelligence, released in March 2026. Its most consequential element for OSINT practitioners is not its substantive guidance on AI use — it's the preemption logic. The framework recommends that Congress should preempt state AI laws that impose undue burdens, citing as a primary concern the creation of a "patchwork of 50 different regulatory regimes" that complicates compliance. For organizations currently navigating California AB 2013's training data disclosure requirements, Colorado SB24-205's algorithmic discrimination provisions, and the various state-level biometric and automated decision-making laws, this framework signals eventual federal simplification. It is not yet law. The Commerce Department evaluation of conflicting state laws has not been publicly released. The GUARDRAILS Act introduced by Congressional Democrats specifically challenges the preemption agenda. The mosaic of state laws remains operative. Organizations that have deferred compliance with state-level requirements on the theory that federal preemption is coming are making a bet that could prove costly.

Third, FinCEN's (the Financial Crimes Enforcement Network's) April 7, 2026 NPRM (Notice of Proposed Rulemaking) represents the most significant reform of AML/CFT (anti-money laundering and countering the financing of terrorism) program requirements in roughly a generation. The proposal replaces a process-based standard with an effectiveness-based standard. Before, for a financial institution to have basic anti-money laundering required components was enough. Moving forward, the regulator will evaluate whether the program is effective at detecting financial crime activity and reporting useful information to law enforcement. This matters directly for corporate intelligence and financial crimes teams using AI. The NPRM fact sheet makes this explicit, noting that FinCEN's director would consider "whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank's AML/CFT program" when deciding whether to pursue enforcement. AI deployment in financial crime detection is now explicitly recognized as a potential indicator of program effectiveness. But effectiveness must be demonstrated, not asserted. Under the NPRM, regulators would evaluate whether program components produce results — whether transaction monitoring rules are catching real suspicious activity or generating thousands of alerts that lead nowhere; whether SAR (Suspicious Activity Report) filing processes are producing useful intelligence for law enforcement or just checking a box. The analytic workflow implications are substantial. An AI system that generates alerts must be monitored, tested, and documented well enough that you can demonstrate to a regulator that it works.

Oversight and Accountability: Why "The AI Did It" Is Never an Acceptable Answer

Across every organizational type, every collection method, and every regulatory framework examined above, a single structural requirement emerges with remarkable consistency: documentation of human decision-making. Not because regulators are hostile to AI. Because accountability in any institutional context requires a record of who made what decision on what basis, and AI does not discharge that requirement — it creates it.

The Anthropic-Pentagon dispute shows the accountability problem at its sharpest. Although Anthropic's usage policy prohibits use of its models to incite violence or to develop or design weapons, reports indicate that Claude was used in the January 2026 operation to capture Venezuelan President Nicolás Maduro. The gap between published policy and actual practice was not primarily a technology problem. It was a governance problem. A model vendor publishes a usage policy. A government agency routes its workflows through a third-party integration platform. Multiple contracting layers separate policy from execution. When something happens that's inconsistent with the policy, no one has documented the decision chain clearly enough to assign accountability. The tension between Anthropic's written policy and its actual practice with the Pentagon points to the slippery quality of rules purporting to govern technologies with rapidly evolving capabilities and uses.

That tension is structural to any organization that deploys AI in consequential workflows without having built the documentation infrastructure to match the operational ambition.

For OSINT specifically, this means four things.

First, every workflow that uses a large language model to process, synthesize, or assess open-source information needs a record of what model was used, when, with what system prompt, on what data. Not because lawyers demand it — though they will — but because analytic integrity requires it. An assessment generated by Claude 3.7 Sonnet in March 2026 is different from one generated by GPT-5 in January 2026, and different again from one generated by DeepSeek V3 running on local infrastructure. The model matters. The version matters. The context matters. "We used AI to help analyze the data" is not documentation. It is the absence of documentation wearing a disclosure label.

Second, human review must be substantive, not performative. Automation bias — the well-documented tendency of human reviewers to defer to high-confidence AI outputs — is the primary way human oversight becomes a rubber stamp. A review process that flags all AI outputs as "reviewed" because an analyst read them is not meaningful oversight if the analyst never exercises independent judgment and never overrides the model. Meaningful oversight means the reviewer has enough understanding of the model's limitations, training data gaps, and known failure modes to exercise genuine judgment. This is a training and incentive problem as much as a process problem.

Third, when AI-generated analysis informs consequential decisions — detention, sanctions, financial action, publication of someone's identity — the organization needs a documented chain from the underlying data, through the model's processing, through human review, to the final decision. Not a theoretical chain. An actual record. The EU AI Act's transparency requirements for AI-generated text on matters of public interest are, in part, a formalization of this principle. The FinCEN effectiveness standard is another formalization. They are different regulatory expressions of the same underlying accountability logic: if AI assisted in generating a consequential output, the organization must be able to explain what the AI did and what the human decided.

Fourth — and this is the point practitioners most consistently resist — "the AI said so" does not transfer accountability. If an AI-synthesized profile of a named individual contains an error, and that error is published, or used to deny a financial service, or included in an intelligence product that shapes a policy decision, the organization that deployed the AI is accountable. Not the model vendor. Not the open-source data provider. Not the algorithm. The organization, which made the decision to deploy the tool in a context where errors have consequences. The post-hoc defense that "the model hallucinated" or "we didn't know the training data was biased" is available to no one in a serious legal or oversight proceeding. You knew AI models hallucinate. You deployed one anyway.

What oversight did you build?

Everything discussed so far has concerned what organizations are legally permitted to do. Legal permission is a floor, not a ceiling — and in AI-augmented OSINT, the gap between the two is wide enough to produce serious organizational harm, serious harm to subjects, and serious erosion of institutional legitimacy.

The ethics gap — the space between "this is legal" and "this is something we should do" — is particularly acute in three scenarios that OSINT teams encounter regularly.

The first is aggregate profiling of private individuals using public data. Every piece of information in a social media profile, a corporate database, a government record, or a published photograph may be individually lawful to collect and analyze. Stitched together by an AI system running a name across dozens of sources, synthesized into a structured profile, and scored for risk or intent — the product may be legal in every jurisdiction where the analyst operates, and simultaneously a privacy violation that would strike a reasonable person as abusive. The aggregation problem is real: individually innocuous data points, when combined at AI scale, reveal intimate details of behavior, movement, association, and belief that no individual piece would disclose. The law in most jurisdictions has not caught up to this problem. The ethics have.

The second scenario is surveillance of protected groups using AI-enhanced pattern recognition. An OSINT team working on domestic extremism can lawfully monitor public Telegram channels, public social media accounts, and public web forums. An AI system that ingests all of that data and builds membership graphs, influence networks, and behavioral profiles of named individuals — all from public sources — is doing something that is technically lawful under most U.S. frameworks and ethically fraught under any serious analysis. The history of domestic surveillance operations targeting civil rights organizations, political dissidents, and religious communities is long enough, and recent enough, that the "but it's all public data" defense carries genuine moral weight only to those who haven't read that history.

The third scenario is the use of AI-generated assessments in decisions that individuals cannot challenge. Due diligence profiling, risk scoring, security clearance input, entry restriction recommendations — there is a growing category of decisions where AI-synthesized open-source analysis contributes to outcomes affecting named individuals who have no meaningful opportunity to see the analysis, contest the data, or correct errors. The legal framework around this is developing — CCPA's automated decision-making provisions, Colorado SB24-205's algorithmic discrimination protections — but in many contexts and jurisdictions there is still no legal constraint. The ethics gap is therefore real and operative.

The challenge for organizations is that the ethics gap cannot be closed by policy alone. Writing down that "analysts should consider the proportionality of surveillance before initiating collection" is not the same as building institutional capacity to actually make that judgment. That capacity requires several things that most organizations treat as costs rather than investments: ethics training that goes beyond compliance checklists; a genuine escalation path for analysts who have concerns about a specific workflow; periodic review that asks not "did we follow the rules?" but "should we have done this?"; and organizational tolerance for the answer "no, we shouldn't have," even when the collection was technically permissible.

The Belfer Center at Harvard's work on analytic tradecraft standards in the age of AI frames this as a question about what the Intelligence Community's analytic standards require when AI is in the loop — not just accuracy and source standards, but the professional judgment standards that have always been the backbone of good analysis. Those standards don't become less important because AI is doing some of the work. They become more important, because the analyst's judgment is the only safeguard against a capable, confident, and sometimes wrong machine.

The organizations that will navigate this landscape well are not those that find the maximum permissible boundary of AI-augmented collection and collect to it. They are the ones that have built institutional judgment about where, specifically, their mission is served by aggressive use of these capabilities, and where it is served by restraint. That judgment is not a legal function. It cannot be delegated to counsel. It has to live in the analytic culture of the organization — in how supervisors respond when analysts raise concerns, in how collection decisions are documented, and in what questions get asked in after-action reviews.

The Ground Is Moving: Regulatory Uncertainty as an Operational Condition

The legal frameworks described in this episode are not stable. The EU AI Act enforcement begins in August 2026, but interpretive guidance is still being written. The White House preemption logic is contested in Congress. The FinCEN effectiveness standard is in comment period. The scraping litigation that will define the legal boundaries of AI-era data collection is still working its way through multiple federal courts.

Organizations that built their compliance posture on the current state of the law are already behind.

What doesn't move is the underlying accountability structure. Someone authorized the collection. Someone deployed the model. Someone reviewed the output. Someone made the decision. If any of those steps happened without documentation, without genuine human judgment, or without proportionality analysis — the fact that the law hasn't caught up yet is not a defense.

It's a warning about what comes next.