Governance Autopsy: Microsoft & Unit 8200 - Part I
Dissecting Microsoft and Unit 8200: A Multi-Series.
About this series.
A governance autopsy dissects the failures of oversight after they have already caused damage. It is not speculation. It is the sober task I am attempting of tracing how decisions were made, how guardrails were absent, and how private and public actors colluded or looked away.
Based on the latest revelation from The Guardian, this series takes up one of those missing pieces that suddenly makes the larger picture visible. The reporting on Microsoft and Israel’s Unit 8200 exposed more than a contract.
This is the first public, fact-driven governance analysis of a hyper-scale cloud migration for a military intelligence unit in an active conflict context, benchmarked against both corporate policy and known public due diligence practices in other hyperscale deployments, and based on all references and sources I reviewed over the past weeks.
I will examine the migration of sensitive intelligence capabilities into commercial platforms. How cloud infrastructures became enablers of militarized surveillance, and how global institutions failed to prevent it.
My goal is not to speculate on classified operations, but to trace what can be established from public sources and industry benchmarks and to measure those facts against the standards Microsoft has set for itself publicly.
Governance Autopsy: Microsoft & Unit 8200 - Part I
The handshake
Satya Nadella calls the cloud “the world’s computer.”
It sounds inevitable.
In late 2021, at Microsoft’s campus near Seattle, Satya Nadella met with Yossi Sariel, the head of Israel’s Unit 8200 (Israel’s equivalent of the NSA) Sariel’s ask was blunt: the military lacked capacity to store and process the flood of intercepted Palestinian communications. Nadella’s reply bypassed policy debate “building the partnership is so critical,” he said urging a phased adoption toward hosting 70% of the unit’s data in Azure.
Picture this :
Ten minutes.
Two hands: a foreign intelligence chief and the CEO of the world’s second most valuable tech company at that time, they strike a deal. Civilian data from a conflict zone will travel through European servers owned by an American corporation, three territories bound by a handshake, oversight nowhere in sight.
Within months, a surveillance system capable of capturing “a million calls an hour” was running on Microsoft’s servers, much of it in Europe. By mid-2025, at least 11.5 petabytes sat on Microsoft servers in the Netherlands with smaller portions in Ireland and Israel.
It was a 10-minute exchange that crystallized what I believe is the single biggest gap in cloud and AI governance to date, a gap I will uncover in this series.
Notes from an (ex) Migration Lead
For the last fifteen years, I’ve led major cloud transformations for large banks and global retailers, moving multi-petabyte workloads across operations spanning US, Europe, Asia, and Africa.
For context, 11.5 PB is roughly half the size of the most extensive publicly disclosed migrations ever done, such as those exceeding 20-25 PB at top European banks. Even large-scale, global migrations for multinational retailers operating in dozens of countries often peak in the 2-5 PB range. That puts 11.5 PB well beyond most enterprise programs.
So the 8200 migration sits far above typical enterprise cloud projects and within the range of the largest documented commercial or government deployments.
I have researched and public sources don’t confirm whether the 70% target was ever reached, or where the remaining share resides. Reporting indicates sensitive subsets still sit on Unit 8200’s internal servers, and the Israeli military has separately stored surveillance intelligence on AWS.
Bu the 11.5 petabytes already sitting on Microsoft’s Dutch servers are huge numbers. At normal call quality, that’s the equivalent of recording every single phone conversation in Gaza, 24 hours a day, for the next fifty years.
That much data doesn’t just materialize in the cloud. We’d call it hyperscale tier of modern cloud transformation.
In other words, what was once limited by the size of an in-house server now becomes limitless: petabytes, exabytes, growing without limits.
Hyperscale class projects often involve expanded access privileges, cross-border data replication, and significant increases in processing power all of which heighten human rights risks.
Here, no such trail appears to exist.
Public records give no indication that Microsoft adjusted its governance or due diligence processes to account for the sheer scale of this migration.
Also, it is not publicly confirmed whether Unit 8200’s migration was a straight lift-and-shift or a modernization. If modernization occurred, Microsoft’s own internal standards would require deeper review, yet there is no public sign such a review took place.
Judging from the evidence, including the system’s capacity to handle “a million calls an hour,” its rapid deployment, and customized Azure environment, it appears likely that this was not a simple lift-and-shift, but included elements of modernization.
According to 972 Magazine, that storage was not passive. The cloud environment was integrated into military planning and operations .That suggests enhanced capabilities beyond mere relocation.
In practice, modernization would shift intelligence systems from fragmented, on-premise tools into unified cloud environments capable of handling vast data streams in real time. That upgrade expands capacity: facial recognition databases can be cross-referenced instantly, drone or satellite feeds layered with location data, communications flagged by algorithms and acted on within seconds.
The technical gain is speed and reach; the consequence is that civilians who might once have remained outside the net are now more easily mapped, tracked, and targeted.
Yet, publicly, there is no indication that Microsoft’s policies for modernization-level reviews were triggered.
Again. no such trail exists.
The governance silence is as loud as the server racks.
Normally, when a hospital or a European bank moves a fraction of this data, regulators swarm. Under the GDPR’s cross-border transfer rules and sovereign data localization regimes, committees sign off, Data Protection Impact Assessments are filed, auditors take notes. Even a modest migration, just a few terabytes, triggers months of compliance paperwork. And that’s before you add the Digital Services Act, the EU’s cloud sovereignty initiatives, or the forthcoming AI Act, all of which demand layered accountability when civilian or high-risk data is involved.
Azure’s ‘neutrality’
Through its ‘infrastructure for sovereignty,’ Microsoft presents Azure as neutral cloud infrastructure while granting expanded transparency and control only to qualifying governments.
But does it still hold when a platform becomes the backbone for militarized surveillance?
What was presented as cloud migration is, in practice, the absorption of intelligence-grade capabilities into commercial platforms. Its scale and global reach amplified technologies designed for control and surveillance.
And instead of raising alarms, Azure treated this as business opportunity.
As a result, on a different soil, another nation’s military intelligence is being warehoused and processed, by an American company, for a foreign army. We (EU citizens) do not permit our own data to float unguarded, but we have opened our continent to become the staging ground for another sovereign’s surveillance machine.
Both European frameworks and Microsoft’s own human rights due diligence will be unpacked later in this series; for now, it is enough to note that the policies existed on paper, but the deal went ahead. What remains to be asked:
What internal governance reviews should have been triggered by the scale and capability upgrades implied here?
What frameworks from company policy to EU regulation should have applied?
And yet, even with all the above, Azure migration is only half the story. And infrastructure is never just the servers and the contracts, it is people. Alongside the movement of cloud systems sits another migration: the steady flow of Unit 8200 alumni into the global tech industry. What begins as military service becomes career capital, carried into boardrooms, start-ups, and cloud providers. This talent pipeline does not merely transfer skills; it carries with it the logics of intelligence work surveillance, preemption, control. To understand how militarized AI spreads far beyond Israel, we have to follow not only the code but also the careers. That is the story of the next part. Together with People, I’ll also dissect the policies Microsoft claims apply in high-risk contexts, compare those to visible use cases in other hyperscale projects, and test what showed up here if anything.
Microsoft has since launched an internal review of its own policies; I will examine what this entails later in the series.
A.D
This is independent work, outside corporate or state influence. If you want to see more critical investigations into how AI governance actually advances (or fails), consider supporting the continuation of this series.
Thank you so much for writing this, Asma. I'm looking forward to the next articles in the series. This is very, very troubling.