The Middle East on fire, part two: The Gulf's AI bet, the exodus, and what boards must do now 

A note on timing

Part One of this analysis published on March 12, when the war was two weeks old and the oil shock was still being absorbed as a discrete event. Three weeks in, the picture is materially different. President Trump has postponed threatened strikes against Iranian energy infrastructure until the 7^th of April, pending the outcome of what he described as active negotiations, citing "major points of agreement."  A ceasefire may come. What will not come back is the assumption that the Gulf is a stable operating environment for trillion-dollar infrastructure commitments. That assumption burned with the AWS data center in Abu Dhabi. This update addresses what has changed, what has not, and why the policy conversation most organizations are having is still the wrong one. 

The Gulf's AI bet: What was actually at stake

To understand the damage, you have to understand what was being built. Saudi Arabia and the UAE spent the last decade executing one of the most ambitiouts economic pivots in history. KSA brought in Ronaldo, launched LIV Golf, bid for the 2034 World Cup, and declared it would export data instead of oil. The UAE positioned Dubai and Abu Dhabi as the world's premier neutral business addresses. Both countries poured billionsinto AI with a coherence and scale that commanded serious attention from every board with global exposure.

Amazon committed $5.3 billion to build an AI zone in Saudi Arabia. Microsoft committed $15.2 billion to the UAE between 2023 and 2029. Google Cloud and PIF advanced a $10 billion partnership through HUMAIN. The UAE and US’s Stargate project (a 500 plus billion dollar project), backed by G42, OpenAI, Oracle, NVIDIA, SoftBank, and MGX, was intended to be the largest AI facility outside the United States. PIF was in discussion to participate alongside SoftBank in OpenAI's $40 billion fundraising round. Gartner projected MENA technology spending at $169 billion in 2026. These were not projections. They were signed commitments and deployed capital. The region had sold itself as a safe destination for the world's data. The Amazon data center fire ended that story.

Why the data centers had no army

This is the question most analysis has avoided, and it is the most important one for any board with technology infrastructure in a geopolitically challenged region. 

Prior to March 2026, the security architecture of commercial data centers was designed around a threat model that combined sophisticated cyber defenses with conventional physical access control. On the cyber side, this included zero-trust network architecture, continuous intrusion detection, and AI-assisted anomaly detection. On the physical side, the model relied on perimeter fencing, badge-controlled access points, biometric verification, surveillance systems, and trained security personnel. This architecture was designed to prevent unauthorized human access and to defend against remote network intrusions. It was not designed to survive a coordinated strike from a state actor operating drone swarms at stand-off distances. 

The gap between those two threat models is the gap where billions of dollars of infrastructure disappeared.

There is a second, less discussed reason. Governments require that certain sensitive data be physically hosted within their borders to ensure digital sovereignty. Data center providers have limited geographic options if they wish to operate in these lucrative markets. They must build physical facilities locally. The data centers were in the Gulf not only because the Gulf wanted them there, but because regulatory localization mandates made building elsewhere impossible if you wanted the contracts. The security model was built for the wrong threat, wrong risk prioritization and wrong national risk register, because the business model was built for the wrong assumption: that geopolitical stability was a given, not a variable. 

This reveals a flaw in risk assessment, particularly in which systemic risks, if any, were considered in the design of these facilities and components within them. To what extent were systemic risks accounted for in other systems and subsystems of the economy relying on functioning data centers, including the tourism sector, the banking sector, and the logistics networks that depend on cloud continuity? Including for example, to what extent did systemic risks to data centers feature in national risk registers in GCC countries over the past 5 years? 

The boundary between commercial cloud computing and military operations has largely vanished. The Pentagon's Joint Warfighting Cloud Capability and its Joint All-Domain Command and Control networks run on the same commercial infrastructure that serves banks. Iran's IRGC claimed the Bahrain facility was targeted to identify its role in supporting enemy military and intelligence activities. Under international law, the cloud has become the modern telegraph cable. Any claims by the private sector against state belligerents for damages are highly unlikely to succeed.

The insight most organizations are not processing: it is cheaper to attack than to defend. The UAE military intercepted 165 ballistic missiles (estimated data), two cruise missiles, and 541 drones over two days. Thirty-five drones and five projectiles still got through. A $30,000 Shahed drone disabled infrastructure worth hundreds of millions. No private security model closes that gap.

Ceasefire on the horizon: Why the damage is already done

President Trump postponed strikes for five days, and then again for ten days, citing productive conversations and major points of agreement. Iran's Foreign Minister Abbas Araghchi rejected the framing: "We are not seeking a ceasefire because we do not want this scenario to be repeated again. We want the war to end completely and permanently." Makes sense right?

The gap between those two positions is not one that closes in five days. But even if it does close, the strategic calculus for every organization with Gulf exposure has permanently shifted. A ceasefire does not rebuild the AN/TPY-2 radar at Muwaffaq Salti or the AN/FPS-132 at Al Udeid. That detection layer is a multi-year program, not a diplomatic outcome. A ceasefire does not demobilize the Houthis. Senior Houthi politburo member Mohammed al-Bukhaiti declared that all military options remain possible, including a naval blockade targeting vessels belonging to aggressor countries.  A ceasefire does not reverse the expatriate massive. In a region where foreign nationals make up nearly 90 percent of the working population in the UAE, the human capital layer at the base of diversification is mobile and it is moving.

The question nobody in the boardroom is asking: Is the shia axis stronger or weaker?

Most Western analysis treats the Axis of Resistance as a hierarchy: Iran commands, proxies execute. That model was always incomplete. The reformed axis had transitioned from a top-down, Iranian-driven organization to one in which constituent members enjoyed greater autonomy and interacted more independently with both Tehran and each other.  This distinction matters enormously for corporate foreign policy, because it means a ceasefire with Iran does not switch off the proxies. 

Iran's proxies are fighting different wars, united by Tehran's patronage but diverging in capability and autonomy. Tehran could still have covert cells around the globe waiting for the signal to launch terrorist attacks or conduct sabotage. Qatari officials arrested members of an Iranian sleeper cell in early March.  

Hezbollah has been damaged but not destroyed. Hezbollah carried out its first missile and drone attacks on northern Israel since November 2024 just two days into the war. It still possesses an estimated 1,000 drones, 3,000 fighters, and around 25,000 missiles.  Hezbollah's alliance with Lebanon's Amal Movement has never been more fragile, and frustration within parts of the Shiite community is more visible than in previous rounds of confrontation.  A weakened Hezbollah with nothing to lose is not a reassuring outcome for companies and governments that operate in Lebanon or depend on Mediterranean stability.

In Iraq, Iran-backed militias struck Baghdad International Airport, the US Consulate in Erbil, and the Rashid Hotel housing EU and Saudi diplomatic delegations, sparking an exodus of diplomatic staff from the Iraqi capital.  Baghdad's caretaker government successfully restrained these groups during the June 2025 Twelve-Day War. It failed this time. Observers say the groups were swayed by the killing of Shiite clerics in Iran. This is the dimension that corporate risk frameworks almost never model: the role of religious identity as a trigger that overrides political calculation.

The Houthis' continuous disruption of maritime traffic in the Red Sea and the seeming inability of a US-backed naval coalition to effectively neutralize the threat have positioned them as Iran's new Hezbollah. Their tribal structure and the rugged, inhospitable terrain in Yemen make them inherently more elusive and difficult to neutralize. Coincidentally on March 28^th, the Houthi militants attacked Israle for the first time since the war broke out a month ago. A potential ceasefire in the Gulf does not reach Yemen. And Yemen can undermine trade and oil flow in the Red Sea attacking shipping across the Bab-el-Mandeb strait. 

The axis does not require a functioning Iranian state to continue destabilizing the region. It has been building autonomous capability and local legitimacy for forty years. Groups like Hezbollah, Hamas, and the Houthis are deeply rooted in their respective societies. If the regime fell, Iran's proxies would be stripped of their principal backer but might become less fierce, not unable to hit. For corporate planning purposes, Shia militia presence across Iraq, Lebanon, and Yemen remains structurally embedded for the foreseeable decade.

What corporate foreign policy actually means

Most organizations do not have a Gulf policy. They have a Gulf strategy: how much to invest, which contracts to sign, which relationships to cultivate. Corporate foreign policy is something different. It is a framework for operating in geopolitically contested environments that explicitly addresses what you will and will not do when the political environment shifts. The organizations that understood this before February 28 were better positioned. The ones waiting for the ceasefire to ask the question will be asking it in a permanently altered landscape. 

Three questions define whether your organization has a corporate foreign policy or merely a commercial strategy. Do you have a decision framework for when to exit, and what triggers it? Do you understand your counterparty exposure in the Gulf independent of your direct investments, and is this understanding informed by an evidence-based national risk register ? Are your scenario frameworks built for non-linear escalations and feedback loops? Seventeen submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. With Iran's closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea, both critical data choke points are now in active conflict zones simultaneously.  

What GCC countries must do now

It is inconceivable that the situation will go back to normal. Even when capital returns, it will be operating in very different risk and profit scenarios. Investment incentives need to be revisited.  Risk tolerance levels will need to be reassessed. Recent national risk registers will need to be reconsidered. Where systemic risks underestimated? What must change in the development of the future national risk registers? How should GCC countries redefine their relationship with their neighbours? 

What risk managers and boards must do now

This is not a situation for wait-and-see. Six actions are required right now.

First: reassess all regional exposure against a materially higher threat baseline. The pre-February 28 national? Risk registers is a historical document. Personnel in the Gulf, supply chains through Hormuz or Red Sea, contracts dependent on Gulf counterparties, data infrastructure hosted in the region: all of it must be re-evaluated now. Insurance is not the answer. Standard commercial property policies contain war exclusion clauses. Insurers will invoke them. The 2019 Houthi drone attack on Aramco's Abqaiq facility was treated as a wake-up call. The region returned to its investment plans largely unchanged. Traditional risk management is also not the answer. There is an urgent need to rethink how we identify systemic risks and to what extent we incorporate these in national risk registers, how we define our systems and sub-system boundaries, and how we manage systemic risks from prevention, to mitigation, adaptation and transformation as well as preparing for disruptions, accidents and crises. (Dr. Fadi Hamdan)

Second: model cascading, non-linear scenarios across multiple sectors and geographies. This conflict is not producing isolated shocks. It is producing feedback loops: energy disruption feeds inflation, inflation feeds political pressure, political pressure feeds regional instability, instability feeds further disruption. Boards need scenario frameworks that account for tipping points across security, economic, social, and technological systems simultaneously. A new way of thinking is required: systemic risk thinking as opposed to siloed traditional risk management approaches. Managing systemic risks requires i) exploring the system under consideration, its boundaries and dynamics with other systems, ii) developing scenarios and reviewing the dynamics of possible future interactions with other systems within the interconnected risk landscape (e.g. the AWS and the data centers), iii) setting organizational goals on the level of tolerability for risk and uncertainty, iv) developing a portfolio of strategic approaches for managing systemic risks consisting of pro-active intervention strategies of prevention, mitigation, adaptation and transformation as well as preparing for disruptions, accidents and crises. (Dr. Fadi Hamdan)

Third: activate business continuity plans as an operational response, not a precaution. The current conflict is hitting Bahrain, Kuwait, Qatar, Saudi Arabia, the UAE, Jordan, Iraq, Lebanon, and Iran at the same time. If your plans were built for single-country disruption, they need revision now. Traditional prevention, mitigation, preparedness and response are not enough. Firms must develop adaptation capacities to emerging systemic risks that cannot be prevented or sufficiently mitigated. (Dr. Fadi Hamdan) 

Fourth: get legal and insurance teams reading contracts now. Force majeure and material adverse change clauses, along with war risk and business interruption coverage, need to be understood before they are needed. In most cases, war exclusion clauses will apply. Boards should know that before the next invoice arrives from a Gulf counterparty that cannot perform. 

Fifth: take personnel safety seriously as an active liability, not a compliance checkbox. Gulf-based staff and their families need clear protocols, updated emergency contact chains, and explicit guidance on evacuation thresholds. Organizations waiting for the situation to worsen before acting are creating both human and legal exposure.

Sixth: model sustained high energy costs into financial planning for 2026 and beyond. Oil touching $120 and $128 even briefly changes cost structures across every sector. Iran is actively mining Hormuz. Bab-el-Mandeb may follow. The G7 and IEA agreed to release 400 million barrels from strategic reserves. That buys time. It does not solve the problem. If both chokepoints close simultaneously, the models assuming a return to $80 oil are wrong by a factor of two or more.

The bottom line

Iran spent forty years preparing for this war. Its new Supreme Leader has signaled continuity, not recalibration. Hormuz is mined. Bab-el-Mandeb is one decision away from closing. Oil touched $120. AWS data centers are offline. Multiple US THAAD radar systems have been destroyed. Dubai International Airport was struck. Expatriates are leaving. The Gulf's AI and tourism diversification model, backed by hundreds of billions in committed capital, has absorbed a shock it was never designed to withstand. 

A ceasefire, if it comes, will be described as a resolution. It is not. It is a pause in a conflict whose structural drivers are generational. The organizations and governments that treat it as a return to normal will misread the next decade. The ones that treat it as a window to reset their operating assumptions, build genuine corporate foreign policy, and stop outsourcing geopolitical judgment to a military umbrella they do not control will make better decisions in a landscape that is not going back to what it was.

This is what we call corporate foreign policy intelligence. The Gulf just taught the world what happens when you build without it.