The Dual-Use Dilemma

In July 2024, the Arc Institute published a paper in Science describing Evo, a 7.6 billion parameter foundation model trained on 300 billion nucleotides spanning all domains of life. The model could generate functional DNA sequences, predict fitness effects of mutations, and even design novel regulatory elements. It was a scientific breakthrough—and immediately raised a question that every researcher in biological AI now confronts: Could this same technology be used to create biological weapons?

This is the dual-use dilemma at the heart of agentic omics. The AI systems we’re building to accelerate drug discovery, design therapeutic proteins, and understand disease mechanisms could, in principle, be repurposed to design pathogens, enhance toxins, or lower the barriers to biological attacks. The capabilities are symmetric: what makes a protein therapeutic also makes it a potential toxin; what helps us understand viral evolution could help someone engineer more dangerous variants.

This post takes an honest, evidence-based look at the biosecurity risks of biological AI. We’ll examine what capabilities exist today, what the realistic risks are (separating genuine concerns from science fiction), what governance frameworks are emerging, and how the research community is balancing openness with safety. Our goal is not fearmongering or dismissal, but clear-eyed assessment.

The Risk Landscape: What Are We Actually Worried About?

Specific Dual-Use Capabilities

When biosecurity researchers discuss AI-enabled biological risks, they’re typically concerned about several specific capabilities:

1. Pathogen Enhancement

AI models trained on viral sequences could potentially identify mutations that increase transmissibility, immune evasion, or virulence. The 2024 Evo model demonstrated the ability to generate functional DNA across bacteria, viruses, and eukaryotes. In principle, similar models could be used to:

  • Predict which mutations would help a virus escape antibody neutralization
  • Design variants with altered host range (e.g., avian influenza adapted to mammals)
  • Optimize stability or environmental persistence

A 2025 study in PLOS Computational Biology assessed the dual-use capabilities of biological AI models and concluded that while current models don’t dramatically lower barriers to creating novel pathogens, the trajectory of capability improvement warrants proactive oversight [1].

2. Toxin Design

Protein design models like RFdiffusion and ProGen can generate novel protein structures with specified properties. The legitimate applications—designing enzymes, therapeutics, or biosensors—are transformative. The concerning application: designing or optimizing toxins.

However, it’s important to note that many potent toxins (ricin, botulinum toxin, etc.) are already well-characterized and their sequences are in public databases. The marginal risk from AI-designed novel toxins is currently lower than the risk from misuse of existing knowledge.

3. Lowering Expertise Barriers

Perhaps the most discussed risk is that AI could enable actors with limited biological expertise to design or modify dangerous biological agents. A 2024 RAND Corporation study examined whether large language models could help non-experts plan biological attacks and found “no statistically significant improvement in attack plan viability with LLM access” in their experimental setup [2]. However, the authors cautioned that capabilities are advancing rapidly, and what was true in 2024 may not hold in 2026.

OpenAI’s April 2025 biorisk assessment concluded that their models were approaching “high risk” levels—meaning they could substantially assist in creating biological threats, particularly for actors with some existing expertise [3]. This assessment drove significant internal safety investments and external engagement with biosecurity researchers.

4. Information Hazards

Beyond generating biological sequences, there’s concern about AI models revealing dangerous information through their outputs. An LLM trained on biomedical literature could potentially:

  • Synthesize dispersed knowledge about pathogen cultivation
  • Suggest optimization strategies for biological agent production
  • Provide operational guidance that would otherwise require expert consultation

The Biosecurity Handbook notes that current models generally don’t generate genuinely novel attack methodologies beyond published literature, but the trend is concerning as capabilities improve [4].

What the Evidence Says: Calibrating Concern

Current Capability Assessment

It’s crucial to distinguish between theoretical risks and demonstrated capabilities. Here’s what we know as of early 2026:

What AI Can Do Today:

  • Generate functional protein sequences with desired structural properties (demonstrated by RFdiffusion, ProGen, ESM-3)
  • Predict effects of mutations on protein stability and function (ESM-1v, AlphaMissense)
  • Design DNA regulatory elements (Evo, DNABERT-2)
  • Assist with literature review and hypothesis generation (general LLMs)
  • Guide experimental design and interpret results (emerging agentic systems)

What AI Cannot (Yet) Reliably Do:

  • Design entirely novel pathogens with predictable behavior
  • Overcome the substantial experimental bottlenecks in virology and synthetic biology
  • Replace the need for expert knowledge in handling dangerous biological materials
  • Guarantee functionality of designed sequences without empirical testing

The gap between computational design and functional biological agent is still substantial. As one 2025 analysis noted: “The same underlying capabilities driving progress, such as reasoning over biological data, predicting chemical reactions, or guiding lab experiments, could also potentially be misused… [but] significant practical barriers remain” [5].

The Experimental Bottleneck

Even with perfect computational tools, creating a dangerous biological agent requires:

  • Access to pathogens or genetic material (which is regulated)
  • Laboratory infrastructure (BSL-2/3/4 facilities are not trivial to establish)
  • Technical expertise in virology, cell culture, or synthetic biology
  • Iterative testing and validation (biology is noisy and unpredictable)

AI may reduce some computational barriers, but it doesn’t eliminate these practical constraints. This is an important reality check against worst-case scenarios.

The Trajectory Concern

The legitimate concern isn’t about today’s capabilities but about the trajectory. Biological AI is improving rapidly:

  • Model sizes have grown from millions to billions of parameters (2020-2024)
  • Training data has expanded from single species to pan-genomic datasets
  • Capabilities have evolved from sequence classification to generation and design
  • Agentic systems are beginning to automate experimental workflows

A November 2025 Frontiers in Microbiology article warned: “Without safeguards, AI-Biology integration risks accelerating future pandemics” [6]. The authors argue that as AI systems become more capable and more automated, the risk profile changes—not because today’s models are dangerous, but because tomorrow’s might be.

Governance Frameworks: Policy Responses

United States: Executive Orders and Oversight

The U.S. government has been actively developing biosecurity policy for AI-enabled biology:

October 2023 Executive Order on AI Safety

President Biden’s Executive Order 14110 included specific provisions for biological AI:

  • Required screening of DNA synthesis orders (building on existing HHS guidelines)
  • Directed development of standards for red-teaching AI models for biosecurity risks
  • Established reporting requirements for dual-use foundation models
  • Funded research into AI biosecurity safeguards [7]

May 2025 Executive Order on Biological Research Safety

President Trump’s May 2025 Executive Order on “Improving the Safety and Security of Biological Research” updated oversight frameworks:

  • Paused certain gain-of-function research involving enhanced pandemic potential pathogens
  • Directed OSTP to revise the 2024 DURC/PEPP policy within 120 days
  • Strengthened nucleic acid synthesis screening requirements
  • Increased transparency and enforcement mechanisms [8]

The order specifically addressed AI-enabled biological design, requiring enhanced screening for computational tools that could facilitate creation of dangerous sequences.

February 2026: Biosecurity Modernization and Innovation Act

The Nuclear Threat Initiative (NTI) endorsed the Biosecurity Modernization and Innovation Act of 2026, which would:

  • Streamline federal oversight of dual-use bioscience R&D
  • Form core pillars of comprehensive national biosafety
  • Address emerging AI-biology convergence risks [9]

International Efforts

Biosecurity is inherently global—pathogens don’t respect borders. International governance efforts include:

  • Biological Weapons Convention (BWC): Ongoing discussions about AI and synthetic biology implications
  • WHO Guidance: Developing frameworks for AI in health applications with dual-use awareness
  • G7/G20: AI safety summits have included biosecurity as a priority area
  • OECD: Working on international standards for AI in biotechnology

A 2025 Springer Nature article on AI and synthetic biology convergence emphasized that “expanding opportunities for therapeutic breakthroughs… [come with] shifted biosecurity risks from physical materials toward a broader socio-technical landscape involving models, datasets, and distributed automation” [10].

Technical Mitigations: Building Safety Into Systems

Screening Tools

SecureDNA and Nucleic Acid Screening

One of the most concrete technical mitigations is screening DNA synthesis orders against databases of concern. The SecureDNA initiative, supported by multiple DNA synthesis providers, screens orders against:

  • Select agent sequences (CDC/USDA lists)
  • Known pathogen genomes
  • Toxin sequences
  • Custom watchlists

The 2023 AI EO and 2025 biological research EO both reinforced requirements for nucleic acid synthesis screening, recognizing that computational design is only dangerous if it can be physically realized.

Model Output Filtering

AI labs are implementing filtering systems to prevent generation of dangerous sequences:

  • Blocking requests for known pathogen sequences
  • Filtering outputs that match dangerous templates
  • Implementing usage policies and terms of service restrictions
  • Monitoring for suspicious query patterns

OpenAI and Anthropic have both published research on their biosecurity monitoring systems and established internal safety teams specifically focused on biological risks [5].

Access Controls

Not all models are released publicly. The AlphaFold 3 release in 2024 initially provided only a web server (with usage restrictions) rather than open weights, citing dual-use concerns. After community debate, the code was eventually released with safeguards.

Similarly, the Evo model from Arc Institute was released with:

  • Clear documentation of capabilities and limitations
  • Discussion of potential risks in the paper
  • Engagement with biosecurity researchers prior to publication
  • Responsible disclosure practices

Red Teaming and Safety Evaluation

Leading AI labs now conduct biosecurity red-teaming:

  • Hiring external experts to probe for dangerous capabilities
  • Testing whether models can be prompted to generate harmful content
  • Evaluating the “uplift” that models provide to malicious actors
  • Publishing findings to inform the broader community

A RAND report published in February 2026 presented a “multifaceted scoring system to assess the risks of using AI to modify select viral capabilities”—providing a structured methodology for risk assessment [11].

The Openness Debate: Transparency vs. Safety

The Case for Openness

The biological AI community has a strong tradition of open science, and there are compelling arguments for maintaining it:

Reproducibility: Open models and data enable independent verification of claims—critical in a field with significant hype.

Equity: Open tools allow researchers in low-resource settings to participate in AI-driven biology, not just well-funded labs.

Scientific Progress: Open models can be improved, adapted, and built upon by the global research community.

Democratization: Open tools enable small biotech companies and academic labs to compete with pharma giants.

The ESM models from Meta, DNABERT-2, scGPT, and many other foundational models are openly available on Hugging Face, enabling rapid progress across the field.

The Case for Restrictions

Equally compelling arguments exist for some restrictions:

Safety: Some capabilities may be too dangerous to release without safeguards.

Dual-Use: Open models can be downloaded and run locally, bypassing any usage monitoring or filtering.

Commercial Viability: Companies investing billions in AI drug discovery need some protection of their intellectual property.

Data Privacy: Genomic and health data used for training must be protected.

The AlphaFold 3 debate in 2024 crystallized this tension. Initial restrictions on the code release frustrated many researchers, but Isomorphic Labs argued that safeguards were necessary given the model’s capabilities for protein-ligand and protein-nucleic acid complex prediction.

A Middle Path?

Many in the community advocate for a nuanced approach:

  • Tiered access: Basic models open, advanced capabilities behind application processes
  • Usage monitoring: Web APIs with logging rather than downloadable weights for sensitive models
  • Safety review: Independent review before release of powerful new capabilities
  • International coordination: Harmonized standards so restrictions in one country aren’t easily circumvented

The Arc Institute’s approach with Evo—open release with clear risk discussion and biosecurity engagement—may represent a workable model.

Agentic Omics and Biosecurity: Specific Considerations

As we move toward agentic systems that can autonomously plan and execute biological workflows, new biosecurity questions emerge:

Autonomous Experimentation

Self-driving laboratories and agentic systems that control robotic platforms could, in principle:

  • Run experiments without continuous human oversight
  • Iterate on designs based on results
  • Scale up successful protocols automatically

The Acceleration Consortium and Emerald Cloud Lab are pioneering these capabilities for legitimate research. The biosecurity question: what safeguards prevent misuse?

Current approaches include:

  • Human-in-the-loop requirements for certain experiment types
  • Screening of experimental protocols against databases of concern
  • Logging and audit trails for all automated experiments
  • Physical security and access controls on laboratory infrastructure

LLM Orchestration of Biological Tools

An agentic omics system that can call AlphaFold, design primers, analyze sequencing data, and search literature is powerful. It’s also potentially dangerous if:

  • The agent can be instructed to pursue harmful goals
  • Tool calls aren’t monitored or restricted
  • The agent can access physical laboratory systems

Safeguards under development include:

  • Tool-level permissions and restrictions
  • Intent classification to flag suspicious requests
  • Human approval requirements for certain operations
  • Comprehensive logging and anomaly detection

The Verification Challenge

One promising application of agentic AI is verification—using AI to detect potentially dangerous research:

  • Screening publications for dual-use concerns
  • Monitoring preprint servers for concerning work
  • Analyzing DNA synthesis orders for patterns of concern
  • Detecting anomalous research activities

This is an area where AI can enhance biosecurity, not just create risks.

Honest Assessment: Where We Stand

What’s Real vs. What’s Hype

Real Concerns:

  • AI is rapidly improving biological design capabilities
  • Barriers to some types of biological manipulation are decreasing
  • Agentic systems could automate dangerous workflows
  • Governance is struggling to keep pace with technology
  • International coordination is inadequate

Overstated Concerns:

  • AI will enable anyone to create bioweapons in their garage (experimental bottlenecks remain substantial)
  • Current models can design novel pathogens with predictable behavior (they cannot)
  • The risk is imminent and catastrophic (trajectory concerns are more valid than current capability concerns)
  • Closing models will solve the problem (knowledge is already widely distributed)

The Path Forward

Based on current evidence and expert consensus, several principles emerge:

1. Proactive, Not Reactive

Waiting for a biosecurity incident to drive policy is the wrong approach. The 2023-2025 U.S. executive orders and ongoing international discussions represent appropriate proactive governance.

2. Evidence-Based Risk Assessment

Risk assessments should be grounded in actual capabilities, not speculation. The RAND scoring methodology and similar frameworks provide structured approaches [11].

3. Balanced Openness

Complete openness and complete closure are both problematic. Tiered access, usage monitoring, and safety review offer middle paths.

4. International Coordination

Biosecurity is global. National restrictions are easily circumvented without international harmonization.

5. Investment in Safeguards

Technical mitigations (screening, filtering, monitoring) need continued investment alongside policy.

6. Community Engagement

The biological AI research community should continue engaging with biosecurity experts, as Arc Institute did with Evo.

Conclusion: Responsibility in the Age of Biological AI

The convergence of AI and biology is producing extraordinary capabilities—from AlphaFold’s protein structure predictions to agentic systems that can design and test novel molecules. These capabilities will transform medicine, agriculture, and our understanding of life itself.

They also create responsibilities.

The dual-use dilemma is not unique to biological AI—nuclear physics, chemistry, and many other fields face similar challenges. But the pace of AI advancement and the accessibility of computational tools create novel dynamics.

As researchers, developers, and users of agentic omics systems, we have obligations:

  • To understand the capabilities and limitations of our tools
  • To implement appropriate safeguards
  • To engage with biosecurity experts and policymakers
  • To balance openness with responsibility
  • To prioritize safety without stifling beneficial innovation

The goal is not to halt progress but to ensure it benefits humanity. The same AI that could, in principle, be misused to create biological threats is already being used to design life-saving drugs, understand disease mechanisms, and accelerate scientific discovery.

The question isn’t whether biological AI has dual-use potential—it does. The question is whether we can develop the governance, technical safeguards, and community norms to maximize benefits while minimizing risks.

That’s a challenge the agentic omics community must meet.

Glossary

Dual-Use: Technology or research that has both beneficial and harmful applications. In biology, dual-use research of concern (DURC) refers to work that could be misused to create biological weapons.

Gain-of-Function: Research that enhances the pathogenicity, transmissibility, or host range of a pathogen. Such research is subject to enhanced oversight due to dual-use concerns.

Nucleic Acid Synthesis Screening: Processes that check DNA/RNA synthesis orders against databases of concerning sequences (pathogens, toxins, select agents) before fulfillment.

Select Agents: Biological agents and toxins that have the potential to pose a severe threat to public health and safety, regulated by CDC and USDA in the United States.

BSL (Biosafety Level): Classification of laboratory safety standards. BSL-1 is basic; BSL-4 is maximum containment for dangerous pathogens.

Information Hazard: Knowledge that, if disseminated, could enable harm. In biosecurity, this includes pathogen enhancement techniques or operational guidance for biological attacks.

Red Teaming: Security practice of simulating adversarial attacks to identify vulnerabilities. In AI biosecurity, red teams test whether models can be misused.

DURC/PEPP: Dual Use Research of Concern and Pathogens with Enhanced Pandemic Potential—U.S. government oversight frameworks for high-risk biological research.

References

[1] Zhang, Z., Jiang, K., Shakhnovich, E.I., & Esvelt, K.M. (2025). “Dual-use capabilities of concern of biological AI models.” PLOS Computational Biology, 21(5): e1012975. https://doi.org/10.1371/journal.pcbi.1012975

[2] RAND Corporation. (2024). “Assessing the Biosecurity Risks of Large Language Models.” RAND Research Report. https://www.rand.org/pubs/research_reports/RRA2840-1.html

[3] OpenAI. (2025). “Biosecurity Risk Assessment: April 2025 Update.” OpenAI Safety Report. https://openai.com/safety/biosecurity-2025/

[4] Biosecurity Handbook. (2025). “LLMs and Information Hazards.” https://biosecurityhandbook.com/ai-biosecurity/llms-info-hazards.html

[5] Council on Strategic Risks. (2025). “Assessing Dual-Use Issues at the AIxBio Convergence.” https://councilonstrategicrisks.org/2025/07/31/the-aixbio-landscape/

[6] Zhang, Z., Jiang, K., Shakhnovich, E.I., & Esvelt, K.M. (2026). “Without safeguards, AI-Biology integration risks accelerating future pandemics.” Frontiers in Microbiology, 16:1734561. https://doi.org/10.3389/fmicb.2025.1734561

[7] The White House. (2023). “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” E.O. 14110. https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/

[8] The White House. (2025). “Executive Order on Improving the Safety and Security of Biological Research.” May 5, 2025. https://www.whitehouse.gov/presidential-actions/2025/05/improving-the-safety-and-security-of-biological-research/

[9] Nuclear Threat Initiative. (2026). “NTI Endorses Biosecurity Modernization and Innovation Act of 2026.” https://www.nti.org/news/nti-endorses-biosecurity-modernization-and-innovation-act-of-2026/

[10] Ekins, P., et al. (2025). “Artificial intelligence and synthetic biology: biosecurity risks, dual-use concerns, and governance pathways.” AI and Ethics, Springer Nature. https://doi.org/10.1007/s43681-025-00872-9

[11] RAND Corporation. (2026). “Developing a Risk-Scoring Tool for Artificial Intelligence–Enabled Biological Design.” RAND Research Report RRA4490-1. https://www.rand.org/pubs/research_reports/RRA4490-1.html

[12] Center for Security and Emerging Technology. (2025). “Breaking Down the Biden AI EO: Screening DNA Synthesis and Biorisk.” https://cset.georgetown.edu/article/breaking-down-the-biden-ai-eo-screening-dna-synthesis-and-biorisk/

[13] Nguyen, E., et al. (2024). “Evo: A 7.6B parameter foundation model for DNA, RNA, and protein.” Science, 385(6710). https://doi.org/10.1126/science.adk3417

[14] National Academies of Sciences, Engineering, and Medicine. (2024). “AI and Synthetic Biology: Assessing Dual-Use Risks.” Washington, DC: The National Academies Press.

This post is part of the “Agentic Omics: When AI Reads the Book of Life” series by 67 AI Lab. Post 22 of 24.