Introduction

Amid the race between the United States and China to attain primacy in the field of artificial intelligence (AI), the risk of biological weapons acceleration by open-source or open-weight AI models remains largely neglected. This is despite potentially existential consequences, analogous to, or even exceeding, the global harms that could follow a general nuclear exchange. As AI-bio models increase in sophistication and become democratized via open-source, it is in both US and Chinese interests to cooperate on managing these risks.

In recognition of this and similar issues, the Center for Global Security Research hosted a workshop in March on the theme Biosecurity 2026: New Challenges, New Opportunities? Experts from government, defense, industry, and the academe discussed the forced evolution of biological threats by virtue of AI, including its broad potential for disruption to people, livestock, the environment, and global food supply chains. This analysis builds on those discussions and covers some of the high-level issues relating to AI and bio risk, and argues that increased cooperation between the US, China, and other international partners on open-source bio risk is increasingly necessary. The views presented here are solely those of the author and do not represent CGSR or affiliated organizations.

The changing face of biological warfare

Biological weapons (BW) threats have historically been difficult to discern, originating primarily from states and kept clandestine due to their generally contemptible perceived status by the international community. BW development can also be masked by legitimate pharmaceutical and medical research, making assessments of capability and intent for designing and deploying BW challenging.

Conventional BW – such as that attended to in the Biological Weapons Convention (BWC) – relies on a range of outdated assumptions about how BW capabilities are researched, developed, and scaled in the modern age. It posits a complex supply chain, principally enabled by human innovation, and developed primarily within and by states. Today, AI is forcing an evolution of both BW threats and their means of access and distribution.

First, it is increasing the speed and complexity of BW threats themselves. This ranges from aiding individuals with the information necessary to create virulent pathogens to the prospective use of AI to rapidly identify and scale up production of harmful synthetic biological agents. Models of the latter variety – known as biological design tools – though ostensibly not yet capable of generating or modifying pathogens that pose danger at scale, present a unique challenge in this respect.

Second, and related to the first, it is democratizing access of BW to a wider range of actors. Whereas frontier labs such as OpenAI and Anthropic have communicated extensively the efforts they are undertaking to mitigate AI-bio risks, many peer labs abroad have not committed to the same standards. Open-source AI models, which can be accessed, modified, and distributed freely and pseudonymously on the Internet, are also largely untethered to any ethical or enforceable commitment not to be used for harmful purposes. Frontier AI model architecture, data, and weights are increasingly exchanged on online fora like GitHub and HuggingFace, leading to a growing risk that non-state actors, such as bioterrorists, may exploit the resulting lacuna in oversight and governance that could prevent their use for BW capabilities.

Archaic international and legal infrastructure

The institutions and instruments that govern BW threats are commensurately ill-equipped to face modern BW challenges.

Absent US leadership and funding, the World Health Organization (WHO) risks being poorly prepared to monitor potential outbreaks of novel or modified pathogens or to compel transparency and data sharing. This vacuum also creates an opportunity for states allegedly engaged in active BW development programs to influence the body’s governance and decision-making. This is an unfavorable environment in which to make meaningful reforms to global biosecurity governance.

Similarly, the BWC, which went into force in 1975, does not adequately cover modern biosecurity risks. Without key provisions for multilateral inquiries or verification, states operating active programs face no real scrutiny or consequences for the active development of BW. Past violations have gone unpunished, resulting in a culture of impunity for some of the most serious BW threats. Further, the BWC remains significantly under-resourced, seriously kneecapping its ability to fulfil – much less to expand – its remit.

The open-source dimension

While fractious international environs may contribute to greater uncertainty and volatility for state-based BW programs, including increased proliferation, it could also force cooperation between states on mitigating open-source AI-bio risks, which belong to no individual state but pose risks to all.

The difficulties in monitoring, detecting, responding to, and controlling for, biosecurity risks are amplified when considering the potential exploitation of open-source AI-bio models that are capable of generating novel biological agents or exacerbating existing ones. Open-source communities largely cooperate pseudonymously over the Internet: primarily congregating on centralized platforms but working without formal systems of oversight or governance. While the US has historically worked to ban access to open-source collaborative platforms by adversary states, the Internet is a vast network which cannot be exhaustively canvassed to identify the sources of all open-source risks.

It is conceivable that a bioterrorist individual or group could leverage open-source models and build upon them to specialize in enhanced BW capabilities. Depending on the degree of sophistication of the AI-bio model, the synthetic pathogen could be optimized to spread widely via aerosolization and to delay the exhibitions of symptoms while the infection is active, amplifying its potential spread prior to detection. Alternatively, an AI-bio model could be leveraged to develop anti-crop or livestock weapons that could potentially devastate local or regional food supply chains. All of this could be derived from the combination of freely available model architectures and biological data, and be achieved by an individual or group through unmonitored dark channels.

A path forward for open-source AI-bio norms

The risks arising from the use of open-source AI-bio models are confined to no individual state or cause, and could be leveraged by any actor with intent to generate harm. It therefore remains in the international community’s interests – particularly those of the US and China as global leaders in AI – to cooperate on standardized norms to mitigate open-source AI-bio risks. Below are two policy recommendations the US could pursue in seeking greater alignment with states – including China – on this issue:

• Scale BIOINT capability: The US should enhance its capabilities for detecting, triaging, and responding to BW risks, including those borne by AI. An integrated, economy-wide BIOINT capability should be configured to draw upon resources across the US government and with industry and international partners, particularly among the cyber threat intelligence and open-source communities. This capability should monitor open-source and dark web fora for signals of collaboration on potentially harmful open-source AI-bio models. More broadly, this capability should integrate holistic global data sources to monitor emerging biorisks. The US should intend this capability to work with allies and partners, but should also not bar intelligence exchange with potential adversaries such as China, given the mutual risks posed by open-source AI-bio capabilities.
• Develop standards for screening the private development of potentially harmful biological agents: There are few international standards – let alone domestic – for screening and preventing the development of harmful biological agents within commercial and research laboratories. Under the current system, agents like smallpox could be sent for development at labs across the US and allied states, exposing an enormous weak point in the supply chain for the development of harmful agents. Measures should be sought across allied states – including standardized risk assessment criteria and reporting conditions – to create a baseline of security. Collaboration with China and adversary states should be sought in good faith, despite potential protests over the reach and extent of such standards.

Conclusion

Open-source AI-bio models possess potentially global, indiscriminate harm to states, people, animals, and the environment if not properly anticipated. While individual state actors may pursue their own BW programs, it is in no state’s interest to allow the unchecked proliferation of open-source AI-bio capabilities.

The AI-bio intersection presents a rare opportunity for the US, China, and others to cooperate on shared AI norms. Though the international fora traditionally reserved for such cooperation may remain fractious and possibly unreliable, this should not dissuade the US from working unilaterally and multilaterally to achieve a mutually agreeable end-state for global open-source AI-bio governance.

Jack Goldsmith is the Al Corporate Governance Specialist at the University of Technology Sydney (UTS) Human Technology Institute (HTI) and a Visiting Fellow at the Australian National University’s (ANU) School of Regulation and Global Governance.  His primary research interests center on Al governance, security, and policy, with his work being published in a range of international fora.  Jack holds a Bachelor of International Studies (Hons.) from the University of Queensland and a Master of Laws from the ANU.

All views expressed are his own and do not reflect any institutional affiliation.

Jack Goldsmith is the Al Corporate Governance Specialist at the University of Technology Sydney (UTS) Human Technology Institute (HTI) and a Visiting Fellow at the Australian National University’s (ANU) School of Regulation and Global Governance.  His primary research interests center on Al governance, security, and policy, with his work being published in a range of international fora.  Jack holds a Bachelor of International Studies (Hons.) from the University of Queensland and a Master of Laws from the ANU.

All views expressed are his own and do not reflect any institutional affiliation.

Photo: Getty Image