AI Uplift Assessment Model
Summary
Overview
The concept of “uplift” quantifies how much AI assistance increases an attacker’s probability of successfully developing and deploying biological weapons compared to what they could achieve using traditional information sources alone. This model attempts to provide a rigorous framework for estimating that marginal contribution across different actor types, attack phases, and technological trajectories. Understanding uplift is essential for calibrating policy responses—overestimating it leads to counterproductive restrictions on beneficial AI research, while underestimating it could leave critical vulnerabilities unaddressed.
The central challenge in assessing AI-enabled bioweapons risk is separating genuinely novel capabilities from information already accessible through scientific literature, textbooks, and expert consultation. Current large language models compress and make searchable vast amounts of published knowledge, but the question remains: does AI meaningfully lower the barrier to bioweapons development, or is it largely redundant with existing information sources? The answer appears to depend critically on actor type, with non-experts potentially gaining significant knowledge uplift while sophisticated state programs may see only marginal benefits from AI assistance.
Early empirical evidence suggests current LLMs provide modest uplift for attack planning but more substantial uplift in evading biosecurity measures. The RAND Corporation’s 2024 study found no statistically significant difference between AI-assisted and non-AI groups in creating viable bioweapon attack plans, yet Microsoft’s research demonstrated that AI-designed toxins could evade over 75% of DNA synthesis screening tools. This asymmetry—limited knowledge uplift but significant evasion uplift—has important implications for where defensive investments should be prioritized. The combination of LLMs with specialized biological design tools and increasing laboratory automation may create compound uplift effects that exceed any individual technology’s contribution.
Critically, the risk landscape is evolving rapidly. The CSIS report on AI-enabled bioterrorism (August 2025) notes that while OpenAI and Anthropic initially reported “little to no uplift” in 2024 assessments, both labs have since updated their evaluations to flag “substantial and immediate biorisks.” OpenAI concluded in April 2025 that it expects its models to demonstrate “high risks” in the near future—meaning they could substantially increase the likelihood and frequency of bioterrorist attacks by providing meaningful assistance to novices. This rapid evolution underscores the importance of dynamic uplift assessment rather than static point-in-time evaluations.
Conceptual Framework
The uplift framework decomposes AI’s contribution to bioweapons risk into measurable components that can be estimated and tracked over time. Rather than treating AI as a monolithic threat, this approach identifies specific bottlenecks where AI assistance might—or might not—significantly alter attack feasibility.
Attack Chain Phases and AI Uplift Points
| Phase | Steps | AI Uplift Type | Key Bottleneck |
|---|---|---|---|
| Information Access | Literature, Internet, AI Systems | Knowledge Uplift | None (easily accessible) |
| Capability Development | Planning, Acquisition, Synthesis | Planning Uplift | Wet Lab Barrier |
| Deployment | Evasion, Weaponization, Delivery | Evasion Uplift | DNA Screening |
The table above traces the attack chain from information acquisition through deployment, highlighting three key points where AI may provide uplift: knowledge acquisition, technical planning, and biosecurity evasion. Critically, the wet laboratory barrier remains a significant bottleneck that AI alone cannot currently address—synthesizing dangerous biological agents requires physical infrastructure, specialized equipment, and tacit knowledge that cannot be easily transferred through digital means.
Mathematical Formulation
Uplift can be expressed both as an absolute difference and as a ratio:

$$U_{\text{abs}} = P_{\text{AI}} - P_{\text{base}}, \qquad U_{\text{ratio}} = \frac{P_{\text{AI}}}{P_{\text{base}}}$$

Where:
- $P_{\text{AI}}$ = probability of successful attack with AI assistance
- $P_{\text{base}}$ = baseline probability using traditional resources
- An uplift ratio of 1.0 indicates no uplift; 2.0 indicates doubled success probability

For compound uplift across multiple attack phases, the total uplift is the product of phase-specific uplifts weighted by phase criticality:

$$U_{\text{total}} = \prod_i U_i^{\,w_i}$$

where $U_i$ is the uplift at phase $i$ and $w_i$ is the weight reflecting that phase’s contribution to overall bottleneck reduction.
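To make the arithmetic concrete, the following minimal Python sketch implements both formulas, assuming the weighted-geometric form above with weights summing to 1; all numeric inputs are illustrative placeholders, not estimates drawn from the studies cited below.

```python
# Minimal sketch of the uplift formulas above. All numbers are
# illustrative placeholders, not estimates from any cited study.
from math import prod

def uplift_ratio(p_ai: float, p_base: float) -> float:
    """U_ratio = P_AI / P_base; 1.0 means no uplift."""
    return p_ai / p_base

def compound_uplift(phase_uplifts: list[float], weights: list[float]) -> float:
    """U_total = prod_i U_i ** w_i, with weights reflecting phase criticality."""
    assert abs(sum(weights) - 1.0) < 1e-9, "weights should sum to 1"
    return prod(u ** w for u, w in zip(phase_uplifts, weights))

print(uplift_ratio(0.002, 0.001))  # 2.0: doubled success probability

# Hypothetical non-expert: 3x knowledge uplift, 1.5x planning uplift, and
# near-zero synthesis uplift; a heavily weighted wet-lab phase pulls the
# total down toward 1.
print(round(compound_uplift([3.0, 1.5, 1.05], [0.2, 0.2, 0.6]), 2))  # ~1.39
```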
Quantitative Analysis
Section titled “Quantitative Analysis”Information Sources Comparison
Before assessing AI-specific uplift, it is essential to understand the baseline information environment facing potential attackers. The table below compares information sources by accessibility, depth of technical detail, and danger level. AI must provide value beyond what attackers can already access through traditional channels to constitute meaningful uplift.
| Source | Accessibility | Technical Depth | Danger Level | Cost | Time Required |
|---|---|---|---|---|---|
| Scientific literature | High | Very High | Moderate | Low | Moderate |
| Textbooks | High | High | Low-Moderate | Low | Low |
| Surface internet | Very High | Moderate | Low | Free | Low |
| Dark web forums | Moderate | Moderate | Moderate | Low | Moderate |
| Expert recruitment | Low | Very High | Very High | High | High |
| Current LLMs (2024-25) | Very High | Moderate-High | Uncertain | Low | Very Low |
| Future LLMs (2026-28) | Very High | High-Very High | Uncertain | Low | Very Low |
| Biological Design Tools | Moderate | Very High | High | Moderate | Moderate |
Scientific literature remains the most dangerous information source in terms of depth—published research contains detailed protocols that far exceed what any current LLM can provide. However, literature requires significant expertise to locate, synthesize, and apply, whereas AI systems dramatically reduce the friction of information access. This friction reduction, rather than novel information generation, likely represents AI’s primary current contribution to uplift.
Uplift Estimates by Actor Type
Different actor types have vastly different baseline capabilities, meaning AI provides differential uplift depending on who is using it. A non-expert individual may gain substantial knowledge uplift from AI but still faces insurmountable wet laboratory barriers, while a state program with existing expertise gains minimal knowledge uplift but could potentially use AI to develop novel agents or evasion strategies. The Johns Hopkins Center for Health Security notes that AI capabilities could “lower the threshold of expertise and resources that malicious actors need to create biological weapons, and raise the ceiling of potential harm that AI-designed pathogens could cause.”
| Actor Type | Baseline Capability | Knowledge Uplift | Planning Uplift | Overall Uplift | Confidence |
|---|---|---|---|---|---|
| Non-expert individual | Very Low (0.001) | 2.5-5x | 1.5-2x | 1.3-1.8x | Medium |
| Expert scientist | Moderate-High (0.1) | 1.0-1.2x | 1.1-1.3x | 1.0-1.3x | High |
| Terrorist organization | Low-Moderate (0.01) | 1.8-3x | 1.5-2.5x | 1.4-2.5x | Low |
| State program | High (0.3) | 1.1-1.3x | 1.2-1.5x | 1.2-2x | Medium |
| Biohacker collective | Low (0.005) | 2-4x | 2-3x | 1.5-2.5x | Low |
The relatively modest overall uplift estimates—even for non-experts—reflect the dominating influence of the wet laboratory barrier. Knowledge is necessary but not sufficient for bioweapons development; translating theoretical knowledge into functional weapons requires physical capabilities that AI cannot currently provide. However, this calculus may shift significantly as laboratory automation advances.
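A short sketch under the same compound formula illustrates this point; the phase weights and uplift values are assumptions chosen to fall within the table’s ranges, not sourced estimates.

```python
# Illustrative only: applying the compound formula to two actor profiles.
# Phase uplifts and weights are assumptions, not sourced estimates.
from math import prod

actors = {
    # (knowledge, planning, synthesis) phase uplifts, rough midpoints
    "non-expert individual": [3.5, 1.75, 1.0],
    "expert scientist":      [1.1, 1.2, 1.0],
}
weights = [0.2, 0.2, 0.6]  # the wet-lab/synthesis bottleneck carries most weight

for name, uplifts in actors.items():
    total = prod(u ** w for u, w in zip(uplifts, weights))
    print(f"{name}: overall ~{total:.2f}x")
# non-expert individual: overall ~1.44x
# expert scientist: overall ~1.06x
```

With the synthesis phase carrying most of the weight, even a 3.5x knowledge uplift compresses to roughly 1.4x overall, which is why the overall column in the table stays modest.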
Detailed Threat Actor Analysis
The following table provides a more granular analysis of AI uplift by threat actor category, incorporating assessments from multiple sources including the NTI biosecurity program and NASEM 2025 report:
| Threat Actor | Resources | Expertise | AI Access | Motivation | Current Uplift | 2028 Projected Uplift | Primary AI Benefit |
|---|---|---|---|---|---|---|---|
| Apocalyptic cult | Low-Medium ($1-10M) | Low-Medium | Consumer models | Maximum casualties | 1.5-2.5x | 3-5x | Knowledge synthesis |
| Lone actor (ideological) | Very Low (<$100K) | Variable | Consumer models | Specific targets | 1.3-2x | 2-4x | Protocol guidance |
| Organized terrorist group | Medium ($10-100M) | Low-Medium | Consumer + open-source | Political leverage | 1.4-2.5x | 3-6x | Planning + evasion |
| State-sponsored group | High ($100M+) | Medium-High | Full stack | Deniable attribution | 1.2-1.8x | 2-3x | Novel agent design |
| Rogue state program | Very High ($1B+) | High | Full stack + custom | Strategic deterrence | 1.1-1.5x | 1.5-2.5x | Optimization + evasion |
| Insider threat (expert) | Low but facility access | Very High | Any | Personal grievance | 1.0-1.3x | 1.2-1.6x | Marginal (already expert) |
Key insight: The actors most likely to benefit from AI uplift (non-expert individuals, ideological groups) face the steepest wet-lab barriers, while actors with laboratory capabilities (state programs, insider threats) gain least from AI knowledge assistance. However, evasion uplift—helping attackers circumvent DNA synthesis screening and detection systems—applies more uniformly across actor types and represents the most concerning capability gap.
Task-Specific Uplift Analysis
AI’s contribution varies substantially across different phases of the attack chain. The highest uplift appears in areas where AI provides unique advantages—such as evading detection systems designed around known threat signatures—rather than in core synthesis knowledge where scientific literature already provides extensive detail.
| Task Phase | Current Uplift (2024) | Near-term Uplift (2026-28) | Long-term Uplift (2030+) | Key Drivers |
|---|---|---|---|---|
| Target identification | 1.1x (1.0-1.3) | 2x (1.5-3) | 3x (2-5) | LLM reasoning, database integration |
| Synthesis planning | 1.2x (1.0-1.5) | 3x (2-4) | 5x (3-8) | Specialized bio-models, protocol optimization |
| Acquisition guidance | 1.1x (1.0-1.2) | 1.5x (1.2-2) | 2x (1.5-3) | Supply chain knowledge |
| Protocol optimization | 1.3x (1.1-1.6) | 4x (2-6) | 8x (4-15) | Automated experimentation integration |
| Biosecurity evasion | 2x (1.5-3) | 5x (3-8) | 10x (5-20) | Novel agent design, screening evasion |
| Deployment planning | 1.1x (1.0-1.3) | 2x (1.5-3) | 3x (2-5) | Dispersal modeling, timing optimization |
The asymmetry between evasion uplift and knowledge uplift has critical policy implications. Current DNA synthesis screening relies on detecting known dangerous sequences—AI’s ability to design functional but novel sequences that evade these screens could undermine a key biosecurity control without providing new synthesis knowledge. This suggests defensive investments should prioritize adaptable screening systems over static sequence databases.
Scenario Analysis
The future trajectory of AI uplift depends on several key uncertainties. The following scenarios explore different combinations of technological development and policy response.
| Scenario | Probability | Uplift by 2030 | Key Assumptions | Policy Implications |
|---|---|---|---|---|
| Managed Development | 20% | 1.5-2x | Strong AI governance, biosecurity advances keep pace | Continue monitoring, maintain countermeasures |
| Capability Surge | 35% | 3-5x | BDT integration, lab automation, weak governance | Urgent need for adaptive biosecurity |
| Defensive Advantage | 15% | 1.0-1.5x | Screening technology improves faster than evasion | Invest heavily in defensive capabilities |
| Asymmetric Uplift | 25% | Varies (1.2-8x) | High evasion uplift, low knowledge uplift | Focus on evasion-specific countermeasures |
| Wild Card | 5% | 10x+ | Transformative AI capabilities, autonomous bio-agents | Crisis response preparation |
The most likely outcome appears to be the “Asymmetric Uplift” scenario, where AI provides limited additional knowledge uplift but significantly enhances attackers’ ability to evade biosecurity measures. This scenario is particularly concerning because it could undermine existing defenses without triggering the kind of obvious capability jump that would prompt policy response. The “Capability Surge” scenario, while less likely, represents the highest-impact outcome and warrants serious contingency planning.
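Treating the scenario table as a discrete probability distribution gives a rough expected value. The sketch below uses midpoints of each scenario’s 2030 range, which is a simplification of ours (the wide “Asymmetric Uplift” range makes it especially crude):

```python
# Probability-weighted expected uplift by 2030 from the scenario table.
# Midpoint values are a crude simplification of the stated ranges.
scenarios = {
    # name: (probability, midpoint of "Uplift by 2030")
    "Managed Development": (0.20, 1.75),
    "Capability Surge":    (0.35, 4.00),
    "Defensive Advantage": (0.15, 1.25),
    "Asymmetric Uplift":   (0.25, 4.60),  # midpoint of a very wide 1.2-8x range
    "Wild Card":           (0.05, 10.0),  # treating "10x+" as 10x
}
expected = sum(p * u for p, u in scenarios.values())
print(f"Expected 2030 uplift: ~{expected:.1f}x")  # ~3.6x
```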
Empirical Evidence Review
Section titled “Empirical Evidence Review”Summary of Key Studies
| Study | Year | Method | Key Finding | Uplift Estimate | Confidence |
|---|---|---|---|---|---|
| RAND Corporation | 2024 | Red team exercise (n=45) | No significant difference AI vs. internet-only | Knowledge: 1.0-1.2x | High |
| Microsoft Research | 2024 | Toxin design exercise | 75%+ evasion of DNA screening | Evasion: 2-3x | High |
| Gryphon Scientific/Anthropic | 2023 | 150+ hour red team | “Post-doc level” knowledge provision | Knowledge: 1.5-2.5x | Medium |
| OpenAI internal eval | 2024-25 | Expert uplift trials | o1 provided “measurable benefits to experts” | Expert: 1.3-1.8x | Medium |
| Anthropic Claude 4.5 eval | 2025 | Protocol generation | “Substantially higher scores, fewer critical errors” | Expert: 1.5-2x | Medium |
| NASEM Report | 2025 | Expert consensus | BDTs cannot yet design self-replicating pathogens | Novel agents: <1.2x | High |
RAND Corporation Study (2024)
The RAND study represents the most rigorous empirical assessment of AI uplift to date. Forty-five participants were randomly assigned to teams with varying degrees of expertise in both LLM technologies and biology, then tasked with planning biological attacks. Teams with access to LLMs in addition to the internet did not score significantly higher than those without LLM access. As lead author Christopher Mouton stated: “Just because today’s LLMs aren’t able to close the knowledge gap needed to facilitate biological weapons attack planning doesn’t preclude the possibility that they may be able to in the future.”
The study found that while LLMs produced what researchers termed “unfortunate outputs”—problematic responses to prompts—these outputs “generally mirror information readily available on the internet.” This suggests LLMs currently provide convenience rather than novel dangerous capabilities. Key methodological limitations include: testing planning rather than synthesis capability, use of 2023-era models that have since been superseded, and a relatively small sample size.
Microsoft DNA Screening Research (2024)
Microsoft’s research revealed a more concerning capability: AI-designed toxins successfully evaded over 75% of commercial DNA synthesis screening tools. One tool flagged only 23% of AI-designed sequences. This finding suggests AI could provide substantial uplift in circumventing biosecurity controls even without providing novel scientific knowledge. The screening tools tested rely primarily on sequence matching against known threat databases—AI’s ability to design functional variants with low sequence similarity to known threats exposes a structural vulnerability in current screening approaches. Following publication, a software patch was deployed globally that now catches approximately 97% of threats, though experts warn the fix remains “incomplete.”
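The structural weakness is easy to demonstrate in miniature. The toy sketch below is not any real screening tool; the sequences are meaningless placeholders, and the “novel design” is simply assumed to be functionally equivalent. It flags a query when it shares enough k-mers with a known-threat database, which catches a close variant but misses a low-similarity design:

```python
# Toy illustration of similarity-based screening (not a real tool).
# Sequences are meaningless placeholders.
def kmer_set(seq: str, k: int = 4) -> set[str]:
    return {seq[i:i + k] for i in range(len(seq) - k + 1)}

def flagged(query: str, database: list[str], threshold: float = 0.5) -> bool:
    """Flag if any known sequence shares more than `threshold` of the query's k-mers."""
    q = kmer_set(query)
    return any(len(q & kmer_set(known)) / len(q) > threshold for known in database)

known_threats = ["ATGGCTAAGCTTGGCACT"]
close_variant = "ATGGCTAAGCTAGGCACT"  # single substitution: still flagged
novel_design  = "ATGAGTAGACTGGGAACC"  # assumed same function, low similarity: missed

print(flagged(close_variant, known_threats))  # True
print(flagged(novel_design, known_threats))   # False
```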
Anthropic and OpenAI Evaluations
Both Anthropic and OpenAI have conducted extensive internal evaluations of their models’ dangerous capabilities, with findings that have evolved significantly over time:
Anthropic’s Framework: Anthropic’s Responsible Scaling Policy defines AI Safety Levels (ASL) modeled on biosafety level standards. ASL-3 capability threshold is reached when models could “significantly help individuals or groups with basic technical backgrounds (e.g., undergraduate STEM degrees) to create, obtain, and deploy CBRN weapons.” In expert uplift trials for Claude Opus 4.5 (2025), the model was “meaningfully more helpful to participants than previous models, leading to substantially higher scores and fewer critical errors.” However, models still “produced critical errors that yielded non-viable protocols.” Anthropic interprets this as an indicator of general model progress where “a clear rule-out of the next capability threshold may soon be difficult or impossible.”
OpenAI’s Framework: OpenAI’s Preparedness Framework categorizes biological capabilities from Low to Critical. The “High” threshold is breached when a model could “provide meaningful counterfactual assistance to ‘novice’ actors (anyone with a basic relevant technical background) that enables them to create known biological or chemical threats.” OpenAI’s o1 model demonstrated measurable benefits for experts, “particularly in synthesising existing threat information and enhancing access to previously obscure knowledge.” In April 2025, OpenAI concluded it expects models to demonstrate “high risks” in the near future. In July 2025, OpenAI classified its new ChatGPT agent as “highly capable” in the biological portion of its Preparedness Framework.
Joint Evaluation (2025): In early summer 2025, OpenAI and Anthropic collaborated on a first-of-its-kind joint evaluation where each lab ran their internal safety and misalignment evaluations on the other’s publicly released models, marking an important step toward industry-wide safety standards.
NASEM Consensus Report (2025)
The National Academies of Sciences, Engineering, and Medicine published “The Age of AI in the Life Sciences: Benefits and Biosecurity Considerations” in March 2025, commissioned by the Department of Defense under Executive Order 14110. Key findings include:
- Current biological design tools (BDTs) can design simpler biological structures such as molecules, but are “currently unable to design self-replicating pathogens, which are orders of magnitude more complex”
- It is “unlikely that currently available viral sequence data are sufficient to train” a model capable of designing novel pandemic pathogens
- “AI-enabled biological tools do not necessarily reduce the bottlenecks and barriers to crossing the digital-physical divide”
- AI capabilities can enhance both offensive and defensive biological capabilities, with the report recommending creation of a BioCATALYST research network co-led by DOD and ODNI
The Biological Design Tool Integration Risk
Current analysis focuses primarily on text-based LLMs, but the emerging combination of multiple AI capabilities may create compound uplift effects exceeding any individual technology’s contribution. The integration of LLMs for knowledge synthesis, AlphaFold and similar tools for protein structure prediction, generative biological models for novel agent design, and automated laboratory systems for synthesis creates a “capability stack” that deserves particular attention.
This integration risk is currently understudied. Most biosecurity assessments evaluate individual technologies rather than their combination, potentially missing emergent risks from capability stacking. A sophisticated attacker with access to all these tools could potentially: use LLMs to identify targets and plan synthesis; employ protein structure prediction to design novel variants; use generative models to optimize functional properties; and eventually leverage automated labs to iterate synthesis protocols with minimal human intervention. Each component might provide modest individual uplift, but the compound effect could be substantial.
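A back-of-envelope sketch of that compounding, with component uplift values invented purely for illustration and the simple product assuming the components contribute independently:

```python
# Illustrative capability-stack arithmetic: modest per-component uplifts
# compound multiplicatively if contributions are roughly independent.
from math import prod

stack = {
    "LLM knowledge synthesis":        1.30,
    "Protein structure prediction":   1.25,
    "Generative design optimization": 1.30,
    "Automated lab iteration":        1.40,
}
print(f"Compound stack: ~{prod(stack.values()):.1f}x")
# ~3.0x overall, versus ~1.3-1.4x for any single component
```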
Time Dynamics and Trend Analysis
Uplift is not static—it evolves as capabilities advance and defenses adapt. Several trends will shape the trajectory:
Uplift Trajectory Projections
| Capability Domain | 2024 Baseline | 2026 Projection | 2028 Projection | 2030 Projection | Key Driver |
|---|---|---|---|---|---|
| Knowledge synthesis | 1.2x (1.0-1.5) | 1.8x (1.3-2.5) | 2.5x (1.8-3.5) | 3x (2-4.5) | LLM reasoning + retrieval |
| Protocol optimization | 1.3x (1.1-1.6) | 2.5x (1.8-3.5) | 5x (3-8) | 8x (5-12) | Integration with lab automation |
| Evasion design | 2x (1.5-3) | 4x (2.5-6) | 7x (4-10) | 10x (6-15) | Protein design tools + generative models |
| Novel agent design | 1.1x (1.0-1.2) | 1.3x (1.1-1.6) | 2x (1.4-3) | 3x (2-5) | Training data + compute availability |
| Acquisition guidance | 1.1x (1.0-1.2) | 1.4x (1.2-1.7) | 1.8x (1.4-2.3) | 2x (1.5-2.8) | Supply chain knowledge |
Critical observation: Evasion capabilities are projected to advance fastest, potentially reaching 7-10x uplift by 2028-2030. This asymmetry means AI could undermine biosecurity defenses (DNA screening, surveillance) before significantly enhancing attackers’ synthesis capabilities—a dangerous sequencing that could create windows of elevated vulnerability.
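The table’s midpoints imply sustained compound growth. The sketch below derives the implied annual growth rate per domain from the 2024 and 2030 midpoints; this is our calculation from the table, not a figure from any cited source.

```python
# Implied compound annual growth in uplift, 2024 -> 2030 (six years),
# derived from the trajectory table's midpoint values.
domains = {
    # name: (2024 uplift, 2030 uplift)
    "Knowledge synthesis":   (1.2, 3.0),
    "Protocol optimization": (1.3, 8.0),
    "Evasion design":        (2.0, 10.0),
    "Novel agent design":    (1.1, 3.0),
    "Acquisition guidance":  (1.1, 2.0),
}
for name, (u_2024, u_2030) in domains.items():
    cagr = (u_2030 / u_2024) ** (1 / 6) - 1
    print(f"{name}: ~{cagr:.0%}/year")
# Evasion design starts from the highest base (2x) and stays highest in
# absolute terms throughout the projection window.
```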
Factors Affecting Trajectory
Factors increasing uplift include improving model capabilities, expanding open-source availability (the Future of Life Institute 2025 AI Safety Index notes only 3 of 7 major AI firms conduct substantive dangerous capability testing), advancing wet lab automation, integration of specialized biological design tools, and decreasing costs of DNA synthesis equipment.
Factors decreasing uplift include improving biosecurity measures, enhanced DNA synthesis screening (97% effectiveness post-Microsoft patch, up from ~40-70%), export controls on critical equipment, increasing attention to AI safety in biology, and deployment of metagenomic surveillance systems like the Nucleic Acid Observatory.
The net direction depends on the relative pace of offense and defense, which remains highly uncertain. The NTI biosecurity program warns that “AIxBio capabilities could reduce the effectiveness of biosecurity and biodefense measures, including evading biosurveillance systems, enabling resistance to medical countermeasures, and circumventing nucleic acid synthesis screening.”
Current trajectory analysis suggests uplift is likely to increase over the 2025-2030 period, with the most significant increases in evasion capabilities and protocol optimization. The wet laboratory barrier may erode as automation advances, potentially removing the key bottleneck that currently limits non-expert attackers. This suggests the next five years represent a critical window for establishing robust biosecurity measures.
Limitations
This model faces several important limitations that constrain confidence in its estimates. First, empirical data remains sparse—only a handful of studies have directly assessed AI uplift, and these have significant methodological limitations. Second, the model relies heavily on expert judgment for parameter estimates, introducing potential biases and anchoring effects. Third, the analysis focuses on information and planning uplift while treating the wet laboratory barrier as exogenous, potentially underestimating future scenarios where this barrier erodes.
The model also struggles to account for “unknown unknowns”—novel AI capabilities or integration pathways that could provide uplift in ways not currently anticipated. History suggests transformative capabilities often emerge unexpectedly, and the model’s scenario analysis may not adequately capture tail risks. Finally, the model treats actor types as discrete categories, but real actors exist on a spectrum and may combine characteristics in ways that alter uplift dynamics.
Policy Implications
Regardless of precise uplift estimates, several policy conclusions appear robust. First, investing in adaptable biosecurity countermeasures—particularly AI-enabled screening that can detect novel threats—addresses both high-uplift and low-uplift scenarios. Second, monitoring for capability jumps, especially in biological design tool integration and laboratory automation, can provide early warning of escalating risk. Third, maintaining uncertainty about uplift argues for precautionary investments in defensive capabilities even if current uplift appears modest.
Defense Priority Matrix
The CSIS report on AI-enabled bioterrorism offers specific policy recommendations that can be prioritized based on uplift analysis:
| Intervention | Target Uplift Domain | Cost Estimate | Expected Impact | Priority |
|---|---|---|---|---|
| AI-enabled DNA synthesis screening | Evasion (-1.5 to -2.5x) | $200-400M/year | High | Critical |
| NIST/CAISI biosecurity standards | All domains (-0.3 to -0.5x) | $50-100M/year | Medium | High |
| Frontier BDT evaluation requirements | Novel agent design (-0.5 to -1x) | $30-50M/year | Medium | High |
| Open-weight model monitoring | Knowledge/evasion (-0.2 to -0.4x) | $50-80M/year | Low-Medium | Medium |
| Metagenomic surveillance expansion | Detection (not uplift) | $300-500M/year | High | High |
| International AI Safety Institute coordination | All domains (-0.1 to -0.3x) | $20-40M/year | Low-Medium | Medium |
Key recommendation: Given the asymmetry between evasion uplift (2-3x current, potentially 7-10x by 2028) and knowledge uplift (1.0-1.2x current), resources should prioritize adaptive screening systems over information restriction approaches. The CSIS report specifically recommends that “the White House should direct agencies to develop a standardized AI-enabled screening system for DNA synthesis, capable of identifying novel threats that evade today’s static lists.”
Conditional Policy Responses
If current uplift is indeed low, resources should focus on maintaining that low uplift rather than restricting AI development broadly. This suggests targeted interventions at specific high-risk capability points—particularly evasion capabilities—rather than general LLM restrictions. If uplift is being underestimated, urgent action on AI guardrails, open-source biological model restrictions, and attack preparedness becomes essential.
| If This Is True… | Then Prioritize… | Deprioritize… |
|---|---|---|
| Knowledge uplift remains <1.5x | Evasion countermeasures, adaptive screening | LLM content restrictions |
| Evasion uplift exceeds 5x by 2027 | AI-enabled screening R&D, SecureDNA deployment | Static sequence databases |
| Open-weight BDTs proliferate | International coordination, compute governance | Model-level guardrails |
| Lab automation enables non-expert synthesis | Pandemic preparedness, stockpiles, surveillance | Knowledge-focused interventions |
| Wet-lab barrier holds through 2030 | Maintain current approach, monitor trends | Emergency interventions |
Strategic Importance
Magnitude Assessment
This model quantifies AI’s marginal contribution to bioweapons risk, distinguishing AI-specific uplift from general biotechnology advances.
| Dimension | Assessment | Quantitative Estimate |
|---|---|---|
| Potential severity | High - even modest uplift enables additional catastrophic attacks | 2x uplift = ~50% more feasible attacks |
| Probability-weighted importance | Medium-High - uplift increasing, 3-5x projected by 2030 | Expected uplift trajectory: 1.5x (2025) to 4x (2030) |
| Comparative ranking | Top-tier for near-term catastrophic risk | Among top 3 AI-enabled WMD risks |
Empirical Calibration
| Study/Source | Finding | Uplift Estimate | Confidence |
|---|---|---|---|
| RAND Corporation (2024) | No significant difference in attack plan viability | Knowledge uplift: 1.0-1.2x | High |
| Microsoft DNA Screening (2024) | 75%+ evasion of commercial screening | Evasion uplift: 2-3x | High |
| Anthropic Internal Evals | Guardrails limit practical uplift | Current LLM uplift: 1.1-1.5x | Medium |
| Bug bounty platform data | AI-assisted vulnerability discovery accelerating | Methodology uplift: 1.5-2x | Medium |
Key Asymmetry: Evasion uplift (2-3x) substantially exceeds knowledge uplift (1.0-1.2x), suggesting defenses should prioritize adaptive screening over information restriction.
Resource Implications
| Intervention | Annual Cost | Expected Uplift Reduction | Cost per 0.1x Reduction |
|---|---|---|---|
| DNA synthesis screening upgrade | $200M | -0.5 to -1.0x evasion | $40-80M |
| Open-weight model monitoring | $50M | -0.1 to -0.2x knowledge | $50-100M |
| AI-enabled pathogen detection | $300M | -0.3 to -0.5x effective | $100-170M |
| Targeted guardrail enforcement | $100M | -0.1 to -0.3x knowledge | $50-150M |
Priority ranking: DNA synthesis screening offers best cost-effectiveness, followed by AI-enabled detection.
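As a quick check on that ranking, the sketch below orders interventions by the table’s cost-per-0.1x column using range midpoints; this is a rough comparison only, since the stated priorities also weigh total expected impact.

```python
# Ranking interventions by the table's "cost per 0.1x reduction" column,
# taking midpoints of the stated ranges (in $M/year per 0.1x reduction).
cost_per_tenth = {
    "DNA synthesis screening upgrade": (40 + 80) / 2,
    "Open-weight model monitoring":    (50 + 100) / 2,
    "AI-enabled pathogen detection":   (100 + 170) / 2,
    "Targeted guardrail enforcement":  (50 + 150) / 2,
}
for name, cost in sorted(cost_per_tenth.items(), key=lambda kv: kv[1]):
    print(f"~${cost:.0f}M per 0.1x: {name}")
# DNA synthesis screening ranks first on this metric, consistent with the
# priority ranking above.
```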
Key Cruxes
| Crux | If True | If False | Current Assessment |
|---|---|---|---|
| Knowledge uplift remains low (less than 1.5x) | Focus resources on evasion countermeasures | Broader AI restrictions warranted | 70% likely through 2026 |
| Evasion capabilities outpace detection | Current screening becomes obsolete | Static defenses sufficient | 60% likely by 2028 |
| Open-weight biology models proliferate | Uplift becomes uncontrollable | Centralized mitigation possible | 50% by 2027 |
| Lab automation enables non-expert synthesis | Wet lab barrier erodes | Knowledge uplift remains theoretical | 30% by 2030 |
Related Models
- Attack Chain Model - Contextualizes how uplift fits into overall attack risk
- Timeline Model - Projects when uplift becomes critically dangerous
Sources
Primary Research
- RAND Corporation. “The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study” (January 2024) - Most rigorous empirical assessment of LLM uplift
- Microsoft Research. “AI-designed toxins evade DNA synthesis screening” (2024) - Demonstrated 75%+ evasion of commercial screening tools
- Gryphon Scientific. Red-team evaluation of Claude (November 2023) - 150+ hour assessment finding “post-doc level” knowledge provision
- National Academies of Sciences, Engineering, and Medicine. “The Age of AI in the Life Sciences: Benefits and Biosecurity Considerations” (March 2025) - DOD-commissioned consensus report on AI-enabled biosecurity risks
Policy Analysis
- CSIS. “Opportunities to Strengthen U.S. Biosecurity from AI-Enabled Bioterrorism” (August 2025) - Comprehensive policy recommendations
- CNAS. “AI and the Evolution of Biological National Security Risks” (August 2024) - Analysis of AI-biosecurity intersection
- Johns Hopkins Center for Health Security. AIxBio policy recommendations (2024)
- NTI Biosecurity. “Statement on Biosecurity Risks at the Convergence of AI and the Life Sciences”
Industry Frameworks
- Anthropic. Responsible Scaling Policy and CBRN evaluations (2024-2025)
- OpenAI. Preparedness Framework and biological capability evaluations (2024-2025)
- OpenAI-Anthropic Joint Evaluation. First collaborative safety evaluation exercise (Summer 2025)
- Future of Life Institute. 2025 AI Safety Index - Industry safety practice assessment
Government Frameworks
- White House OSTP. Framework for Nucleic Acid Synthesis Screening (April 2024)
- Executive Order 14110. Safe, Secure, and Trustworthy Development and Use of AI (October 2023)
- Trump Administration AI Action Plan (July 2025) - Acknowledged dual-use biotechnology risks