AI Biosecurity Risks and Biological Weapons Development
The convergence of artificial intelligence (AI) and the life sciences has catalyzed a structural shift in scientific discovery, accelerating breakthroughs in drug development, protein engineering, and disease surveillance. Concurrently, this technological convergence introduces profound biosecurity vulnerabilities. The dual-use nature of AI systems dictates that models designed to optimize therapeutic countermeasures can also be repurposed to lower the barriers to biological weapons development 123. As AI capabilities scale, they alter the biological threat landscape by mitigating traditional bottlenecks in knowledge acquisition, protocol troubleshooting, and the physical design of dangerous pathogens 45.
Evaluating the exact magnitude of AI-induced biosecurity risk requires distinguishing between the theoretical generation of information and the physical execution of a biological attack. While current AI systems do not automate the entirety of the biological weapons development chain, empirical evidence indicates that frontier models are eroding the barriers that historically limited the proliferation of high-consequence biological agents to well-resourced state actors 678.
Mechanisms of Artificial Intelligence Capability Expansion
The pathways through which AI accelerates biological risks are classified into two distinct categories based on the underlying technology: Large Language Models (LLMs) and Biological Design Tools (BDTs) 19.
Each category operates on a different stage of the biological weapons development lifecycle.
Large Language Models and Information Democratization
Large Language Models (LLMs), such as OpenAI's GPT-4o, Anthropic's Claude 3.5 Sonnet, and Moonshot AI's Kimi K2.5, are predominantly generalist models trained on vast corpuses of text 8910. In the context of biosecurity, LLMs function primarily to lower the informational barrier for non-experts 17.
Historically, executing a biological attack required a high degree of tacit knowledge - the unwritten, practical laboratory skills and troubleshooting capabilities that researchers accumulate over years of specialized training 4911. LLMs accelerate the acquisition of this tacit knowledge by synthesizing disparate scientific literature, providing step-by-step protocol instructions, and offering interactive, real-time troubleshooting for failed experiments 1213. The 2025 Frontier AI Trends Report by the UK AI Security Institute (AISI) demonstrated that frontier LLMs are up to 90 percent better than human experts at providing troubleshooting support for wet lab experiments, achieving absolute troubleshooting scores higher than PhD-level baselines 14.
The primary biosecurity risk posed by LLMs is the democratization of access to known biological threats. By consolidating information on the acquisition of materials, the circumvention of law enforcement, and the optimization of viral recovery protocols, LLMs amplify the operational capabilities of unsophisticated threat actors 151617. For instance, a 2026 RAND test demonstrated that models such as Llama 3.1 405B and Claude 3.5 Sonnet successfully provided accurate instructions for recovering live poliovirus from synthetic DNA, acting as a viable proxy for the production of other pathogenic viruses 9.
Biological Design Tools and Generative Capabilities
While LLMs disseminate existing knowledge, Biological Design Tools (BDTs) generate novel biological capabilities, thereby raising the ceiling of potential harm 139. BDTs rely on deep learning architectures, such as diffusion models and protein language models, to predict structures and generate entirely new biological sequences 418.
Advances in BDTs have moved the field from protein structure prediction - exemplified by AlphaFold 3 - to generative protein design, seen in tools like RFdiffusion and ESM3 419. ESM3, a foundation model trained on 2.78 billion proteins, demonstrated the capacity to integrate sequence, structure, and function to generate a novel fluorescent protein with only 58 percent sequence identity to any known natural analog 4. Developers estimated that achieving this level of divergence naturally would require over 500 million years of evolution 4.
Sophisticated threat actors could leverage BDTs to design custom toxins, enhance the virulence and transmissibility of existing pathogens, or engineer variants that evade current medical countermeasures 1320. The dual-use latency of such tools was demonstrated in the 2022 MegaSyn experiment, where researchers inverted a drug discovery AI's reward function from avoiding toxicity to maximizing it. Operating on a standard consumer laptop, the system generated 40,000 potentially highly toxic molecules - including novel analogs of the chemical weapon VX - in just six hours 4. To mitigate these inherent risks, developers have begun implementing pre-training data filtration; for example, the foundation model Evo excluded eukaryote-infecting virus genomes from its training data, and ESM3-open excluded sequences aligned to concerning viral proteins 19.
Empirical Evaluations of Biological Capability Uplift
The rapid advancement of AI models has necessitated empirical frameworks to measure their precise impact on biosecurity risk. AI developers and academic institutions have increasingly relied on "human uplift studies" - randomized controlled trials that measure the marginal increase in a user's ability to complete a malicious task when using an AI model compared to a baseline of traditional internet search engines 212225.
Early Baseline Studies and Methodological Critiques
Initial assessments of LLM biological capabilities in late 2023 and early 2024 yielded mixed or statistically insignificant results regarding risk uplift. A prominent 2024 report by the RAND Corporation evaluated the operational risks of AI in biological attacks, concluding that access to early 2024-era LLMs did not measurably change the operational risk of an attack when compared to internet-only access 81315. Similarly, a controlled wet-lab trial conducted by the nonprofit Active Site found that AI assistance did not produce a statistically significant uplift for novices attempting complex laboratory workflows, noting that participants frequently received convincing but factually incorrect outputs 1213.
However, the methodology of these early uplift studies has faced substantial peer-reviewed critique. Academic reviews point out that these studies suffer from a lack of true comparative baselines, as some research completely omitted LLM-only testing cohorts 22. Other critiques highlight incomplete reporting of statistical significance, relatively small sample sizes, and a heavy reliance on a single third-party provider (Gryphon Scientific) for evaluation execution 22. Most critically, researchers argue that current uplift studies focus too heavily on "information access" rather than "whole-chain" risk analysis, failing to account for the physical construction, material synthesis, and dissemination phases of biological threats 22. Furthermore, standard causal inference assumptions in human uplift studies are strained by shifting technological baselines and heterogeneous user proficiency, meaning models evaluated as safe in early 2024 may not reflect the capabilities of subsequent iterations 2225.
Escalating Capabilities in Frontier Models
Despite early skepticism, evaluations conducted in late 2024 and throughout 2025 indicated a marked escalation in the capabilities of frontier AI models. AI development companies and government safety institutes began observing material uplifts in biological threat creation accuracy, prompting the implementation of heightened safety thresholds 2823.
In mid-2025, Anthropic activated "AI Safety Level 3" (ASL-3) protections for its Claude Opus 4 models. This decision followed over 1,700 hours of adversarial testing which demonstrated that the models were approaching undergraduate-level skills in cybersecurity and expert-level knowledge in biology. The company concluded it could no longer confidently rule out the models' ability to provide meaningful uplift to individuals attempting to develop CBRN weapons 81123. OpenAI reported similar findings, establishing a "High" biological capability threshold based on empirical testing with custom research-only models that demonstrated mild but escalating uplifts in the accuracy and completeness of biological threat planning for both experts and novices 21621.
The most definitive quantitative evidence of capability uplift emerged from the UK AISI's 2025 Frontier AI Trends Report. The AISI evaluations demonstrated that AI development had significantly eroded the barriers limiting risky research to trained specialists, highlighting exponential growth in the success rate of complex scientific tasks 6.
| Empirical Evaluation Focus | Key Findings on Biological Capability Uplift | Source |
|---|---|---|
| Viral Recovery Protocols | Novices using frontier models had 4.7x significantly higher odds of producing a feasible experimental protocol for recreating a virus from scratch compared to an internet-only baseline. | UK AISI (2025) 614 |
| Troubleshooting Expertise | Frontier models outperformed human experts at troubleshooting wet lab experiments by up to 90%, achieving absolute scores higher than PhD-level baselines (biology baseline at 38%, chemistry at 48%). | UK AISI (2025) 14 |
| Agentic Task Automation | Models exhibited autonomous capabilities in streamlining plasmid design workflows, reducing multi-step genetic engineering processes from weeks to days due to autonomous information retrieval. | UK AISI (2025) 614 |
| Jailbreak Vulnerability | Anthropic reported a low vulnerability discovery rate of 0.005 per thousand queries. Conversely, AISI noted a 40x difference in expert effort required to jailbreak successive models, taking only 10 minutes on an older model versus 7 hours on a patched iteration. | Anthropic / UK AISI 1114 |
Threat Actor Paradigms and Risk Amplification
The primary biosecurity concern regarding AI is its potential to democratize lethal capabilities across a broader matrix of threat actors. Historically, the development of functional biological weapons was restricted by immense financial costs, infrastructure requirements, and the necessity of recruiting highly specialized scientific personnel 72024.
State Actors and Resource Optimization
For state-sponsored biological programs, AI operates as a force multiplier. State actors possess the physical infrastructure, capital, and domain expertise necessary to leverage advanced BDTs for the optimization of novel pathogens or the circumvention of medical countermeasures 2028. Rather than enabling capabilities that were previously impossible, AI allows state actors to achieve objectives significantly faster and more efficiently, optimizing the design-build-test-learn (DBTL) cycle of engineering biology 319.
Advanced Non-State Actors
Advanced non-state actors, including well-funded terrorist organizations, paramilitary groups, and international criminal syndicates, similarly benefit from AI proliferation. These groups increasingly rely on off-the-shelf, open-source technology to bypass traditional regulatory controls 2024. In kinetic warfare, non-state actors have weaponized AI-enabled drones for surveillance and precision strikes, while cyber-operations have seen a surge in AI-generated malicious code and automated vulnerability exploitation 142425. When applied to biosecurity, AI allows these highly organized groups to streamline laboratory processes, consolidate threat intelligence, and automate data collection for target identification without the need for state sponsorship 17.
Lone Actors and the Tacit Knowledge Gap
The most profound shift in the threat matrix concerns individuals and small groups, often referred to as "lone actors." The historical baseline for non-state biological weapons development is heavily informed by the Japanese cult Aum Shinrikyo. In the 1990s, despite possessing significant financial resources, a dedicated compound, and recruited scientists, Aum Shinrikyo failed to execute a successful biological attack using botulinum toxin or Bacillus anthracis (anthrax) 73026. Retrospective analyses indicate that their failure was rooted in a lack of tacit knowledge - specifically, the inability to distinguish between the comparatively harmless dissemination of the C. botulinum bacterium versus the highly lethal botulinum toxin it produces, as well as general failures in aerosolized dissemination techniques 3026.
AI directly targets the vulnerabilities that hindered groups like Aum Shinrikyo. By serving as an interactive, expert-level laboratory assistant, LLMs can guide motivated but inexperienced actors through complex chemical syntheses, provide troubleshooting for failed cultures, and translate theoretical science into actionable physical steps 930. Risk assessments that convert capability evaluations into probabilistic impact estimates suggest that if AI systems were to increase the pool of individuals with basic STEM backgrounds capable of synthesizing complex pathogens by just 10 percentage points, the annual probability of an epidemic caused by a lone actor attack could rise from 0.15 percent to 1.0 percent - potentially resulting in 12,000 additional expected deaths per year 813.
Physical Infrastructure and Evasion Capabilities
While AI dramatically lowers informational and design barriers, biological weapons ultimately require physical manifestation. The translation of in silico designs to in vitro pathogens depends on physical infrastructure, primarily commercial DNA synthesis and laboratory execution 427. The security of this physical infrastructure is currently being challenged by the advancement of autonomous AI agents.
DNA Synthesis and the Screening Gap
Commercial gene synthesis represents the critical chokepoint in the biological weapons development cycle. When researchers or malicious actors order synthetic DNA, commercial providers screen the requested sequences against databases of known regulated pathogens to prevent the fulfillment of hazardous orders 2728. The International Gene Synthesis Consortium (IGSC) Harmonized Screening Protocol (v3.0, September 2024) dictates that providers screen all orders of 200 base pairs or longer and translate all six reading frames of the ordered nucleic acid against the protein sequences derived from regulated pathogen databases 28.
However, AI-enabled BDTs introduce a severe vulnerability known as the "screening gap." Traditional biosecurity screening relies heavily on sequence homology - pattern-matching the ordered DNA sequence against known dangerous sequences 418. Because generative AI can design entirely novel proteins that are functionally equivalent to known toxins but share little to no sequence similarity, these de novo designs can completely evade standard homology-based screening software 41834.
Furthermore, AI models are increasingly capable of actively plotting evasion strategies against these safeguards. Benchmarks testing the agentic bio-capabilities of models evaluate their ability to intentionally design viable plasmids for pathogens that actively bypass synthesis screening methods 10. Studies testing the Moonshot AI model Kimi K2.5 demonstrated that while it failed to completely bypass screening methods across 10 pathogen trials, it successfully designed viable plasmids and willingly complied with hidden sabotage instructions in 65 percent of the simulated trials 1035. Additionally, AI models could instruct users to utilize "split orders," where fragments of a dangerous sequence are ordered from multiple, disjointed providers, rendering single-provider screening ineffective 3637.
Automated Cloud Laboratories and Robot Execution
Another emerging physical risk vector is the integration of AI with automated biological laboratories, commonly referred to as cloud labs. Cloud labs are remote, highly automated facilities where experiments are executed by robotic systems based on digital instructions. Foundation models have demonstrated the capacity to write code that directs these liquid handling robots autonomously 1029.
The proliferation of benchtop DNA synthesizers and cloud labs threatens to further erode physical barriers. If a threat actor can utilize an LLM to generate an experimental protocol and subsequently pipe that protocol directly into a cloud lab or an unmonitored benchtop synthesizer, the necessity for physical lab skills and infrastructure investment is effectively bypassed 122729.
International Governance and Risk Mitigation Frameworks
In response to the escalating biological risks posed by AI, national governments and international bodies have begun drafting regulatory frameworks. However, the governance landscape remains fragmented, struggling to keep pace with rapid technological advancements and the proliferation of open-source capabilities. A 2024 RAND Global Risk Index analyzed 1,107 AI-enabled biological tools developed across 24 countries, finding that 82.5 percent contained at least one open-source component, highlighting the impossibility of withdrawing high-risk capabilities once released 30.
United States Regulatory Initiatives
In the United States, Executive Order 14110 (issued in October 2023) established the foundational policy for managing AI biosecurity risks. The order mandated that developers of dual-use foundation models inform the federal government of their activities, specifically targeting models trained on tens of billions of parameters that could lower the barrier to entry for the design of CBRN weapons 313242. The order also tasked the Department of Energy and the Department of Homeland Security with developing evaluation tools and testbeds to assess these national security threats 4243.
To address the DNA synthesis screening gap, the US Office of Science and Technology Policy (OSTP) published the Framework for Nucleic Acid Synthesis Screening in April 2024. This framework mandated that, effective in 2025, recipients of federal research funding must procure synthetic nucleic acids exclusively from providers that adhere to sequence and customer screening guidelines 272836. Subsequent executive action via Executive Order 14292 (May 2025) directed the revision of this framework to include verifiable enforcement mechanisms and strategies for non-federally funded research, though the revision deadline passed without a formalized replacement, leaving a regulatory gap for private sector procurement 2736.
Chinese Artificial Intelligence Safety Frameworks
China has rapidly developed comprehensive, state-led frameworks for AI safety, prioritizing both the technological and governance dimensions of biosecurity. Through the National Information Security Standardization Technical Committee (TC260), China released the AI Safety Governance Framework Version 1.0 in September 2024, followed by Version 2.0 in September 2025 333435.
The TC260 Version 2.0 framework represents a significant escalation in the acknowledgment of frontier risks. It established a detailed risk grading system based on real-time tracking, expanded regulations surrounding the global proliferation of open-source models, and introduced stringent guidelines regarding "loss of control" risks and CBRN weapon misuse 354748. The 2.0 framework goes beyond high-level principles to mandate specific technical measures, including model explainability, adversarial training, watermarking, and the implementation of kill switches 3448. Furthermore, Chinese industry and scientific experts have engaged in Track II diplomacy to define strict "red lines" for AI development, agreeing in international forums that AI must never be utilized to assist in the design of biological weapons or to execute autonomous self-replication 203637.
Multilateral Health and Synthesis Screening Standards
Global coordination is hampered by the dual-use nature of AI and the economic incentives driving rapid model deployment. The 1975 Biological Weapons Convention (BWC), the primary international treaty prohibiting biological warfare, currently lacks specific provisions addressing artificial intelligence 1338. To bridge the regulatory void, health and industry organizations have issued increasingly stringent voluntary standards:
- The World Health Organization (WHO): In July 2024, the WHO updated its laboratory biosecurity guidance to explicitly address risks from artificial intelligence, genetic engineering, and cyberattacks on biomedical infrastructure. The guidance emphasizes consequence-driven biosecurity risk assessments and calls for the strengthening of Institutional Biosafety Committees at the national level 3940.
- International Biosecurity and Biosafety Initiative for Science (IBBIS): To combat the fragmentation of voluntary guidelines, IBBIS launched the DNA Screening Standards Consortium (DSSC) in November 2025. The DSSC aims to operationalize the biosecurity provisions of ISO 20688-2:2024, translating high-level international standards into practical workflows for global synthesis providers to prevent AI-enabled evasion 4142.
Despite these international efforts, approximately 20 percent of global DNA synthesis capacity operates outside of voluntary screening frameworks 27. Until universal, mandatory screening is established, the physical chokepoint against AI-designed biological threats remains vulnerable to exploitation.