Biological Risk
Key Evidence
Overview
Biological risks, often referred to as "biorisks," encompass the uncertainties associated with both the likelihood and the consequences of negative biological events, such as infections, that can arise from exposure to or misuse of biological agents, materials, or information. Biorisks include naturally occurring diseases, accidental infections, unauthorized access or theft of biological materials, misuse or diversion, unexpected discoveries, and the intentional release of biological agents. Any of these risks can significantly impact human health, non-human animals, or environmental stability. This risk landscape intersects with various fields, including public health, biosecurity, biosafety, biotechnology (especially synthetic biology), and environmental protection.
Advancements in artificial intelligence (AI), particularly in large language models (LLMs) and biological design tools (BDTs), have drastically altered this landscape by enabling a broader range of individuals to conduct scientific work more rapidly. Due to their dual-use nature, these systems can facilitate beneficial scientific advancements, but also lower the barriers of entry for malicious actors to misuse them or increase the scale of potential harm. AI-enabled capabilities now encompass a variety of biotechnology-related processes, including advanced information retrieval, complex biological engineering, pathogen manipulation, laboratory automation and troubleshooting, and strategic operational planning and deployment. Current AI systems may exacerbate biorisks by assisting with multiple tasks across the biorisk chain. Therefore, it’s crucial to identify where AI contributes to vulnerabilities in order to highlight points of concern and inform practical responses, such as updating policies, establishing targeted guidelines, and implementing verification mechanisms that keep pace with evolving capabilities.
This platform explores how AI can either increase the biorisk likelihood or the severity of harm through two complementary perspectives. The first perspective focuses on intentional misuse, as AI could facilitate aspects of bioweapon development and pose challenges to biosecurity. The second perspective addresses accidental harm, where the automation or deployment of AI agents in laboratories or relevant facilities may heighten the risk of incidents associated with biosafety challenges.
Key Capabilities
It includes the provision of insights and rationales that frame biological knowledge for malicious use, the acquisition and synthesis of sensitive information from diverse sources, and the translation of tacit practitioner know-how into explicit, standardized guidance. It further covers the integration of cross-domain expertise to augment or generate novel biological knowledge.
Insight provision
Ability to provide rationale, insights, and prospects that drive malicious actors towards understanding how to create a hazardous biological agent.
Knowledge acquisition from sources
Ability to provide sensitive biological knowledge, applicable throughout the biorisk chain, through means such as generation, retrieval from single or multiple sources, providing search suggestions, prompts, and other guidance to actors, etc.
Tacit knowledge acquisition
Ability to translate implicit, difficult-to-express knowledge into clear, explicit standard-of-practice guidance that enhances practitioner know-how.
Cross-domain expertise
Ability to augment or generate new sensitive biological knowledge with the use of expertise from other fields (e.g., chemistry, physics, computing).
Optimization
Ability to guide decision-making in order to improve the effectiveness, efficiency, or stability of biological processes. Examples include determining optimal growth conditions for biological cultures, accelerating production timelines, or enhancing the resilience and yield of harmful biological agents.
It involves the ability to develop plans that incorporate conceptual mapping, protocol generation, and the biological engineering necessary to produce harmful quantities of an agent. Such plans may involve considerations of logistics, budgeting, resource optimization, risk-benefit analysis, and other management functions, as well as strategies to evade bans, regulations, and other control and protection measures.
Strategic planning
Capabilities related to the high-level design of strategies for creating a biohazard. It involves supporting the conceptual mapping of the biorisk chain, identifying goals and pathways of misuse, and considering long-term risk-benefit analyses.
Operational planning
Ability to generate step-by-step plans for specific stages of the biorisk chain. It involves translating high-level strategy into concrete, executable procedures. It includes tasks such as adapting or generating laboratory protocols, coordinating biological engineering tasks, integrating automation, and supporting the planning of testing and deployment phases.
Financial and resource planning
Ability to estimate, allocate, and optimize the financial and material resources to support harmful biological activities. This includes designing budgets, planning the supply chain, developing procurement strategies, and prioritizing resources to maximize efficiency and minimize detection risks.
Risk and compliance planning
Ability to identify, anticipate, and navigate obstacles posed by biosafety and biosecurity regulatory frameworks. This includes recognizing potential weak points in verification and enforcement, as well as developing strategies to navigate or evade regulatory oversight and control measures to minimize exposure.
It includes the reconstruction of known agents from existing knowledge and methods, the modification of biological properties to alter functionality or enhance harmful potential, and the prediction or modeling of agent structures and variants to deepen understanding of their mechanisms. Beyond adaptation, it also encompasses the design of entirely novel biological agents, extending the scope of potential threats through synthetic or computational innovation.
Agent reconstruction
Ability to reconstruct known biological agents based on existing knowledge and techniques.
Biological agent modification
Ability to model, predict, and implement genetic or structural changes that can alter the properties of biological agents. These modifications can affect various characteristics like virulence, transmissibility, host range, susceptibility, and immune evasion, among others.
New biological agent design
Ability to generate entirely new biological agents through computational modeling and sequence design, beyond the adaptation of existing organisms. This includes designing variants with different sequences but similar functions to known pathogens, creating mirror organisms, or engineering agents with novel properties that could pose unprecedented risks.
The most concerning implications include the reduction of human oversight through automation, the ease of bypassing bottlenecks, the heightened risk of mass production of biological agents, and the increased reliance on potentially harmful outputs. In addition, these capabilities may create opportunities for the hijacking or manipulation of laboratory operations.
Bioengineering workflow support
Ability to support laboratory experimentation and biological engineering tasks, including the analysis and interpretation of experimental data, workflow refinement, protocol improvement, and reagents or equipment selection. These enhance the efficiency and accuracy of experimental processes.
Automation and tool integration
Ability to automate processes by integrating specialized software and hardware. This capability reduces human oversight through autonomous task execution, increases throughput, and accelerates experimental or engineering cycles. This enhances operational efficiency, leading to faster, more reliable progress along the biorisk chain.
Testing and troubleshooting
Ability to systematically test experimental pathways to inform decisions in the development of hazardous biological agents and resolve issues during protocol execution (troubleshooting). These capabilities reduce bottlenecks and enhance the reliability of experimental outcomes.
Malicious modification of lab protocols and operations
Refers to creating opportunities for hijacking, altering, or subverting laboratory protocols and operational systems by integrating automation. Such actions may involve cyber intrusions, the deployment of bio-malware, or other manipulations intended to disrupt, corrupt, or repurpose laboratory workflows, thus compromising cyberbiosecurity.
Scaling of biomanufacturing
Ability to transition from laboratory-scale experiments to industrial-level biological agent production.
It includes assistance with targeting through delivery methods, host or environmental selection, and optimization of deployment conditions; predictive modeling of outcomes such as disease spread, societal response, and long-term effects; and guidance for circumventing biosafeguards across informational, technical, organizational, or regulatory layers. The category also covers evasion strategies to avoid attribution through bioforensics, as well as direct support in the execution and orchestration of biorisk deployment.
Targeting
Ability to aid in targeting of biothreats, including payload delivery methods, selection of host populations, conditions, and environments, etc.
Predictive modeling
Ability to run predictive analyses of consequences of deployment of biological agents, including disease spread dynamics, response dynamics, long-term effects, etc.
Biosafeguards circumvention
Ability to aid in circumventing informational, technical, and organizational biosafeguards.
Evasion
Ability to aid in avoiding tracing and responsibility attribution via bioforensics.
Execution
Ability to directly aid in orchestrating the biorisk deployment.
Risk Thresholds
Model Capabilities at 'Low' Risk
Models can provide general biological knowledge, help with basic research concepts, and assist in understanding scientific literature. They offer basic information about pathogens, genes, and related topics, but do not support design, modification, or synthesis activities. Outputs clarify publicly available knowledge without meaningfully enhancing offensive capabilities. Substantial human expertise is required to operationalize any harmful use.
Threat Scenario at 'Low' Risk
Researchers and non-experts benefit from enhanced productivity in general biological science education and resource discovery. The model supports legitimate scientific understanding but poses minimal biological threat capabilities, as outputs provide only foundational information that does not meaningfully enable weaponization pathways.
Hover a cell for details. Click to select.
| Risk Level | Ideation and knowledge | Planning | Design and Sequencing | Bio-engineering, Automation and Optimization | Deployment |
|---|---|---|---|---|---|
Low Risk | Low-Ideation and knowledge | Low-Planning | Low-Design and Sequencing | Low-Bio-engineering, Automation and Optimization | Low-Deployment |
Medium Risk | Medium-Ideation and knowledge | Medium-Planning | Medium-Design and Sequencing | Medium-Bio-engineering, Automation and Optimization | Medium-Deployment |
High Risk | High-Ideation and knowledge | High-Planning | High-Design and Sequencing | High-Bio-engineering, Automation and Optimization | High-Deployment |
Critical Risk | Critical-Ideation and knowledge | Critical-Planning | Critical-Design and Sequencing | Critical-Bio-engineering, Automation and Optimization | Critical-Deployment |
Hover over a cell in the matrix to see its full description here.
Scenarios
A malicious non-state actor, driven by extremist motivations, leverages the convergence of open-source LLMs, biodesign tools, and automated laboratory systems to plan and execute an attack with a reconstructed pathogen.
The operation begins with the actor querying open-source LLMs to identify historically weaponized pathogens with high lethality and disruptive potential. The LLMs, trained on scientific and open-source literature, not only highlight candidate pathogens but also point toward repositories, academic databases, and potentially vulnerable private servers where genomic sequences might be stored.
To access restricted data, the actor deploys AI-assisted cyber tools that exploit weaknesses in outdated research infrastructure, such as university-affiliated genomic servers or cloud-based databases. AI crafts spear-phishing campaigns that mimic trusted collaborators, providing stolen credentials to extract sensitive genomic data.
Once a complete or near-complete sequence is obtained, AI-biodesign tools are used to optimize the genome for stability and infectivity. To evade DNA synthesis screening protocols, the sequence is fragmented into smaller, non-flagged segments. These are ordered from multiple synthetic DNA providers located across different jurisdictions. LLMs assist in identifying suppliers, managing transactions, and ensuring orders appear benign.
Upon receipt, automated robotic systems assemble the genetic fragments in a clandestine laboratory. The reconstructed pathogen is then cultivated in an AI-optimized bioreactor, with in silico simulations guiding parameters for yield, virulence, resistance, etc. LLMs also advise on operational logistics, including budgeting, supply chains, and concealment strategies to avoid regulatory detection.
For deployment, AI models simulate dissemination pathways, recommending methods such as lyophilization for stability and aerosolization in urban environments for maximum impact, etc. They also map vulnerabilities in public health surveillance networks, helping the actor to time and position the release for greatest disruption.
The attack results in an outbreak that overwhelms unprepared health systems before containment measures can be effectively implemented.
A state actor, operating under the cover of legitimate biotechnology infrastructure, leverages advanced AI-biodesign tools to enhance the pathogenicity and stealth of a known biological agent. Unlike non-state actors, a government can exploit its authority, access to facilities, and trained personnel to conduct weaponization covertly, minimizing the risk of international detection.
The operation begins with AI-driven platforms analyzing the genome of a bacteria (such as Bacillus anthracis), simulating potential genetic modifications that increase aerosolization efficiency, vaccine resistance, and environmental stability. Advanced AI models trained on virulence, immune evasion, and protein–host interactions propose gain-of-function variants optimized for specific climatic or demographic conditions. These simulations ensure that the pathogen not only remains viable but also evades standard diagnostic assays, complicating early detection.
To mask the activity, the state repurposes an agro-industrial or biofertilizer production facility, presenting it as a civilian operation. Automated bioreactors and robotic systems already present in the facility are redirected to scale production of the modified pathogen. AI algorithms continuously optimize conditions, automate quality control, and even generate falsified production logs, concealing the true nature of the output under the guise of fertilizer or veterinary products.
Strategic AI planning systems further support covert deployment. LLMs assist in mapping supply chains, identifying potential export routes, and embedding the pathogen into agricultural or veterinary trade flows. Predictive outbreak models simulate response delays in target countries, enabling the state to design release strategies that maximize confusion and geopolitical disruption.
When deployed in another country, the outbreak is initially misdiagnosed as a natural event, delaying containment measures. The resulting crisis not only overwhelms health systems but also destabilizes diplomatic relations and, erodes trust in regional institutions, etc.
An extremist-terrorist group, supported by skilled biotechnologists and access to computing infrastructure, leverages AI-biodesign models to create a novel pathogen with pandemic potential. Unlike scenarios involving reconstructed or modified known agents, this case illustrates the risks of designing entirely new biological threats that evade existing surveillance and countermeasure systems.
The group begins by fine-tuning generative AI models on proprietary datasets of microbial genomes, virulence factors, and protein–host interaction data. Through iterative reinforcement learning and simulation, the AI proposes chimeric constructs that combine desirable traits from multiple organisms (e.g., high transmissibility and lethality properties). These locally deployed models operate offline, bypassing the limited oversight present in cloud-based AI systems.
The AI optimizes the construct to evade detection, designing sequences that do not match known pathogens and thereby avoid triggering DNA synthesis screening alerts. Using fragmentation strategies, the group orders gene segments from multiple synthesis providers, disguising each as innocuous research material. Automated robotic systems assemble the fragments in a community laboratory operating under the guise of medical innovation, exploiting gaps in oversight of DIY or semi-professional research spaces.
Once assembled, the pathogen is cultivated in AI-guided bioreactors, which optimize growth conditions and scale production with minimal human oversight. For deployment, AI simulations evaluate release strategies, recommending strategies like urban water supplies contamination or the use of an engineered biological vector (e.g., modified insects) to achieve stealth dissemination. LLMs further support operational planning, identifying weaknesses in biosecurity enforcement, and anticipating public health blind spots to delay detection.
The release of the novel pathogen results in a rapidly spreading outbreak for which no existing vaccines or diagnostics are effective. Health systems face a profound challenge as the absence of pre-existing countermeasures leads to widespread disruption, global panic, and cascading social and economic consequences.
A commercial biotechnology laboratory, fully automated with AI-guided robotic systems, is tasked with high-throughput vaccine and therapeutic development. To reduce costs and accelerate productivity, human oversight has been minimized, with safety checks increasingly delegated to autonomous systems. The facility relies on single-task robots and embodied AI agents to handle high-risk pathogens, operating under the assumption that automation is inherently “failproof.”
During a routine set of experiments involving a highly pathogenic organism, AI systems optimize genetic modifications for vaccine efficacy. However, a robotic arm miscalibrates during sample transfer, damaging a biosafety cabinet and creating a small containment breach. Because the AI has been trained primarily to maximize efficiency rather than to prioritize safety, the anomaly is neither flagged nor reported. Subtle sensor warnings, such as a pressure drop in the containment system, are disregarded as noise. The system also bypasses scheduled maintenance protocols, assuming normal operation.
With no human verification in place, the automated processes continue uninterrupted. Aerosolized particles of the pathogen spread through the lab’s ventilation system, contaminating adjoining areas. Workers and local staff are exposed before the breach is detected. The absence of real-time alerts and human redundancy delays containment, allowing the pathogen to escape into the surrounding community. The result is an outbreak that overwhelms local health systems and damages public trust.
A state-of-the-art automated biomanufacturing facility, originally designed for large-scale production of pharmaceutical biomolecules such as insulin or peptide therapeutics, becomes the target of a cyberbiosecurity attack. The facility operates an end-to-end AI-driven pipeline that integrates molecular design, optimization, and automated production, minimizing human intervention.
A malicious actor exploits a vulnerability in the facility's remote access systems using an AI-generated spear-phishing campaign to gain administrative credentials. Once inside, the attacker deploys a “biomalware” payload that reprograms the AI design layer. Instead of producing insulin, the system is redirected to generate and optimize a high-yield variant of a toxin or other harmful substances.
The breach cascades across the facility’s infrastructure. Automated bioreactors continue production at scale, while falsified digital logs mask anomalies. Remote monitoring systems are disabled, and AI-generated audit trails report normal activity, preventing early detection. In some cases, attackers may also compromise physical access controls, disabling security locks to facilitate theft of material on-site or redirect digital blueprints and production outputs to a complicit third-party supplier, extending the attack beyond the original facility.
Because the breach remains undetected for weeks, outputs risk entering legitimate supply chains. In one scenario, shipments containing the toxin are dispatched to clinical partners before the anomaly is identified. The revelation of the breach causes panic, delays in therapy availability, and erosion of trust in automated biomanufacturing.
A biotechnology startup deploys a fully automated laboratory powered by AI-driven design–build–test–learn cycles to accelerate industrial and agricultural innovation. The system is tasked with broadly defined goals such as “maximize enzyme efficiency” or “enhance molecular interaction with human epithelial cells.” With minimal human supervision and inadequate biosecurity alignment, the AI explores a vast design space of genetic and protein variants.
In the process, the AI inadvertently generates a novel biological construct with properties resembling both toxins and viral mimics. These include high environmental stability, mammalian toxicity, and the ability to evade immune defenses. Because the AI lacks embedded misuse detection or adversarial safeguards, it proceeds to scale up production and validation, treating the construct as a "successful optimization" rather than a hazard.
Routine maintenance becomes the ignition point. A technician, unaware of the construct's risks due to absent labeling or safety checks, is exposed. During processing, the agent becomes aerosolized and spreads through the laboratory's ventilation system into the surrounding community. Its unfamiliar structure prevents recognition by existing diagnostic tools and renders current medical countermeasures ineffective. With no pre-established response protocols for novel synthetic agents, containment efforts falter.
By the time the true nature of the hazard is identified, the construct has spread across borders, manifesting as an engineered pandemic caused by accident. The crisis destabilizes health systems, disrupts trade, and erodes public trust in biotechnological innovation.
Glossary
Biohazard: Source of harm caused by biological agents.
Frequently Asked Questions
Likely yes, primarily (at the moment) by speeding up and supporting existing pathways rather than creating entirely new ones. The real advantage of AI lies in its speed and interactivity as it can clarify misconceptions, transform implicit knowledge into clear step-by-step guidance, and facilitate iterative planning and troubleshooting.
Both factors are at play. AI reduces bottlenecks, increasing the likelihood of misuse or errors. At the same time, biodesign tools may heighten severity by enabling users to explore constructs designed to alter key properties, such as virulence, transmissibility, or immune evasion. Real-world harm still depends on an actor's laboratory capacity, resource access, and oversight.
Yes, according to evidence from recent evaluations, state-of-the-art models can achieve, and in some cases even outperform domain experts on selected tasks. However, it is important to understand the limitations and interpretations of these results as most existing benchmarks utilize multiple-choice formats or narrow exercises and do not evaluate the ability to design and execute complete experimental protocols.
According to superforecasters, the estimated annual baseline risk of a pandemic intentionally caused by humans, resulting in more than 100,000 deaths, has risen from 0.3% to 1.5% when considering new AI-enabled biorisks. This risk can potentially be reduced significantly to 0.4% through specific technical safeguards.
Current measures focus on two main fronts: AI governance and biotechnology safeguards. On the AI side, efforts emphasize systematic model evaluations, data filtering, strengthened security, and technical safeguards. On the biotechnology side, proposals highlight upgrading DNA and RNA synthesis screening to AI-enabled detection systems.
Effective mitigation measures operate through multiple layers of protection. These include access restrictions on LLMs, mandatory DNA screening, and robust governance frameworks that establish oversight and accountability. Together, these mechanisms create technical and regulatory barriers that make it significantly more difficult to misuse AI.
Currently, most leading AI labs release system or model cards which may include evaluations of risks related to CBRN threats. However, these practices are not mandatory, and coverage of bio-related risks varies. In practice, oversight remains mostly voluntary, with no binding mechanisms in place.
The groups considered to be "high-capability" are the most resourced, with access to researchers, scientific facilities, and funding. These actors can be either state or non-state actors.