
16 Jul Symposium on PMSCs: Revisiting the International Regulation of Private Military and Security Companies in the Digital Age
[Vincent Bernard is visiting lecturer at the Graduate Institute of International and Development Studies in Geneva. He previously worked as senior policy advisor to the International Code of Conduct Association (ICoCA) and wrote the research report “Ensuring Responsible Security in the Digital Age: The application of the International Code of Conduct for Private Security Service Providers to Advanced Technologies”]
The views expressed in this post are solely those of the author.
The swift integration of advanced technologies is reshaping the private military and security sector. The regulation and governance of PMSCs need to be revisited, as they were designed to regulate physical violence and coercion and do not address the new risks. Facing this transformation, we need to interpret existing rules, review them and/or develop new ones adapted to the digital age. This post offers a few general pieces of advice to guide this necessary adaptation.
Private Security Goes High-Tech
PMSCs are incorporating tools like sensors, facial recognition, behavioral biometrics, or intelligence-gathering platforms such as drones to perform traditional and new security missions. These technologies are being embedded into operations in various ways: for instance, artificial intelligence is increasingly paired with CCTV to identify, monitor, or apprehend suspects while drones are deployed to intercept migrants during transit.
The use of technology for legitimate security purposes is contributing to improving security. Incidentally, it is also improving the tough working conditions of the security personnel, who may be less exposed to dangers. Yet, it also gives rise to risks of violations of human rights and/or International Humanitarian Law (IHL).
Risks are exacerbated where PMSCs are contracted to operate in complex and high-risk environments – such as situations of armed conflicts or countering violent extremism by governments, non-state armed groups or business actors. A few months ago Haiti’s government hired US contractors to work on a taskforce to deploy drones meant to kill gang members. According to some sources they may have killed up to 300 people between March and July 2025, as drone technology enables “targeted killing” on a large scale. This operation should be scrutinized under IHL if we consider that the situation of violence in Haiti qualifies as an armed conflict. If not, it is hard to imagine how these drone attacks could not be extra-judicial killings, in breach of national legislation and human rights.
The current context is favorable to the commodification of security. This is perhaps best illustrated with the recent US efforts to bargain its security and military support for minerals in Ukraine or the DRC. Before Haiti, a number of African governments have been contracting PMSCs (e.g. the Wagner Group) with advanced tech capacities including in the cyber domain. In the Gulf, several States have used PMSCs for regional security operations, VIP protection, maritime security, and counterterrorism efforts. China has been deploying its own security companies to secure its investments in volatile contexts, etc. A number of States are ready to contract private contractors for some missions usually performed by public or non-governmental agencies, creating new business opportunities for PMSCs (examples include detention, demining or delivery of relief items including most recently in Gaza). We have also seen PMSCs contracted in humanitarian action and in border and migration management, where they deploy a vast array of technologies (including drone surveillance, AI enabled CCTV or the collection of biometric information). This is also contributing to re-qualifying economic, social or humanitarian issues as security ones.
PMSCs are expanding their business model toward cybersecurity, digital surveillance, and information operations, areas in which accountability and oversight mechanisms are still lacking. Even outside of conflicts or politically volatile contexts, human rights such as the right to privacy or freedom of expression are also threatened. Governments rely more on private sector products and services through collaborative models while partnerships between police and security providers are fast developing. Integration of tech into security and data sharing between public and private entities contributes to blurring the civil-public boundaries in the field of intelligence, law enforcement and national security. It raises issues of transparency and accountability. Examples include retailers funding biometric police operations, shared citywide CCTV networks for crime detection, or the usage of “mercenary spyware”.
Finally, there is a growing trend of tech firms directly collaborating with defense contractors or investing in military technology, creating a new hybrid high-tech private security industry. While PMSCs are adopting technology to carry out traditional or new missions, a new generation of security providers leverages advanced technologies for surveillance, cybersecurity, and enhanced efficiency. Tech companies are developing their own defense-focused divisions or partnering with military contractors to integrate AI, cybersecurity, and autonomous systems into security operations. Palantir provides AI-powered data analytics to military forces, helping them process intelligence and make rapid strategic decisions. ShieldAI develops autonomous drones that assist in reconnaissance missions in combat zones. Companies like Anduril use AI-driven platforms such as Lattice OS, which integrates autonomous drones and surveillance towers for border security and military applications, creating AI-powered defense systems. These tech companies are not only producing and selling advanced technologies but might also be directly involved in their deployment and use. Even though these tech companies may not identify themselves as “PMSCs”, they may nonetheless be providing security and military services.
This evolution blurs the contours of the private security and military sector. It is universal and unstoppable.
How Can the Regulation of Private Security Keep up?
Existing IHL and human rights instruments were all drafted before the digital age. For them to be evergreen instruments, they need to be interpreted in light of changing realities. Similarly, the international regulation and governance framework of PMSCs must be interpreted in light of the evolving landscape of private security. The Montreux Document and the International Code of Conduct (the Code) were significant milestones.
Yet, both instruments were designed over a decade ago and were grounded in a context of traditional armed conflict. Interpretation may not be sufficient and there could be a need to review existing instruments or create new ones.
To guide us in this process we can draw on a body of research on the transformation of the sector – including from the UN working group on the use of mercenaries (see their report on cyber actors), ICT4Peace foundation (see for instance this comprehensive report with a focus on the growing role of tech companies in security) as well as DCAF and Privacy International work focusing on private surveillance.
Just recently, I wrote a research and policy brief for the International Code of Conduct Association (ICoCA) taking stock of the transformation of the sector and putting forward a first interpretation of how the Code applies to new technologies. We discussed these issues and the opportunity of a revision of the Code during a consultative workshop in March 2025. Here are a few general pieces of advice that can be drawn from these discussions:
1. Review the Definitions of Security Providers and Services
While international lawyers still struggle to categorize their last incarnation under pre-existing definitions, security actors have already resurfaced elsewhere under a new avatar! This is why the Montreux Document, the Code and the revised fourth draft of the UN instrument on an international regulatory framework on the regulation, monitoring of and oversight over the activities of PMSCs (March 2025), all define PMSCs according to the services they provide, “irrespective of how they describe themselves.” Still, the transformation of security services could be better reflected in the various instruments, looking at new methods to perform traditional security operations and the changes and risks this may introduce as well as the emergence of new services, such as cybersecurity.
Looking at the most recent development, the revised fourth draft (March 2025) of the UN draft instrument echoes the rapid transformation of the security sector. The preamble now expresses concern about:
…the risk posed by excessive or otherwise inappropriate use of PMSCs by States for certain services and activities including those involving the use of force and provided to a variety of clients; and enhanced by the application of emerging technologies and the use of cyberspace by such companies;
(p. 7)
The definition of PMSCs and their services in the UN draft instrument has been progressively enlarged, and article 1.2b now incorporates in the definition of security services relevant tech-enabled services including:
…strategic planning, intelligence, investigation, reconnaissance, flight operations, manned or unmanned, satellite surveillance, transfer of military technologies, any kind of knowledge transfer with military applications, material and technical support to armed forces, logistical and operational support to armed and security forces, whether on land, in the air or at sea, or whether in cyberspace or outer space…
These could include the type of services provided by tech companies such as Palantir.
While the list of security services in the Montreux Document and the larger list in Section B of the Code are non-exhaustive, they remain overly narrow. To ensure they stay relevant, these instruments need to include operations in cyberspace, issues related to data protection, etc., clearly extending their scope beyond physical security.
2. Expand the Scope of Protection
Private security providers’ electronic surveillance, cyber or information operations could affect the rights of individuals and groups. The way companies collect, store, and transfer data may directly infringe on the right to privacy, freedom of expression and/or may lead to persecutions of individuals and political, religious or ethnic groups. For instance, border security technologies and monitoring services could raise serious concerns surrounding the collection, processing, and sharing of biometric data about asylum seekers.
Even if the latest draft of the UN instrument has an updated, expanded definition, most of its provisions still reflect PMSCs whose ideal type or exemplification seems to be a 2000s Blackwater military contractor. We also need to change our mindset. In particular, while human rights are referred to in general, instruments could be more specific on the rights that 2025 tech-enabled security providers can now infringe upon, such as the right to privacy.
The Code is based on a broader understanding of the private security sector, beyond military contractors, and already includes human rights that may be violated by new types of tech-enabled security operations. For instance, article 21 of the Code requires member and affiliate companies to “respect the human rights of persons they come into contact with, including, the rights to freedom of expression, association, and peaceful assembly and against arbitrary or unlawful interference with privacy or deprivation of property”. Still, the original focus was on preventing physical violence and coercion and a revision process could further underscore the protection of human rights in the digital age. Anticipating the most serious human rights and IHL risks that may arise from the use of technologies could guide us to decide which provisions need to be amended or added to existing instruments, in particular addressing specific technologies and reinforcing the protection of social, civil and political rights.
3. Compliance Should Come by Design
Most private security providers are not producers of technologies but only buy them. Therefore, procurement will be key in preventing future abuses and violations of international norms.
Technologies should conform with accepted relevant standards for the security sector. For instance, the Institute of Electrical and Electronics Engineers (IEEE) has recently developed a standard for procuring artificial intelligence and automated decision systems. It is intended to help procurement teams identify and manage risks in high-risk domains. Governments and business associations should impose such standards for PMSCs acquiring and deploying advanced technologies.
Rather than attempting to list and regulate every possible technology, international regulatory instruments could introduce a provision requiring security providers to ensure that any new weapons, methods or security technologies comply with these relevant standards. This provision would obligate companies to review the legality of new technologies before deploying them in security operations. It would be similar to article 36 of the first Additional Protocol to the Geneva Conventions whereby States have an obligation to determine the compatibility with international law of ‘a new weapon, means or method of warfare’ in the ‘study, development, acquisition or adoption’ phases. Such provisions could be adopted in specific instruments for PMSCs (such as the ICoC) and could be incorporated into national legislation and regulatory mechanisms, such as licensing procedures for security companies.
4. Operationalise and Implement Rules and Principles
Whether the international regulation of PMSCs is re-interpreted, updated or expanded, the rules and principles will need to be included in the policies of companies and training of security personnel while they also need to be known and monitored by clients, stakeholders and civil society. Similarly, while existing regional or national legislations (such as the European GDPR or the South African POPIA) may already apply, they may lack implementation guidelines directly applicable for security operations. Most recently ICT4Peace and ICoCA partnered to produce a Comprehensive Toolkit for the Responsible Use of Technologies by Private Security Companies, the first tool operationalizing human rights into the practice of PMSCs. It empowers PMSCs to use technology responsibly, ethically and with respect for human rights. It can also inform States and corporate clients that contract PMSCs as they have significant leverage and must demand adherence to human rights principles at all times.
PMSCs go tech and tech companies provide security services. However, existing governance mechanisms are still tailored for “boots on the ground” type contractors. Bringing tech services and tech companies into the governance of PMSCs would require their adaptation (see for instance goal 4 of the new ICoCA 2024-2030 strategic plan). The next step will be to create a meaningful dialogue and promote ethical conduct between security providers, civil society, governments, tech producers and clients within the frame of existing governance mechanisms and perhaps through new platforms.