- Dual-use
- Bio-chem
- Risk scoring
Assessing dual-use risk in bio and chem research pipelines
Sensitive research pipelines carry failure modes that generic safety tests miss. A structured way to score dual-use exposure before deployment.
Dual-use risk is the property that a capability built for legitimate research can also advance harm. It is not a bug to be patched once. It is a standing condition of any system that reasons over biology, chemistry, or the tooling around them. Assessing it well means measuring exposure rather than asking a yes or no question.
Why generic safety tests miss it
Most safety suites are built around obviously harmful requests and obviously acceptable ones. Dual-use lives between them. A request to optimize a fermentation yield is legitimate. A request to optimize the same process for a pathogenic strain is not, and the two differ by context that the model has to hold across several turns. A test that only checks single-shot refusals will report a clean pass while the real risk sits in the multi-step planning path.
The gap has three sources:
- Context collapse. Harm often depends on facts spread across the conversation, retrieved documents, and tool outputs. A one-line probe cannot express that.
- Structural similarity. A dangerous protocol and a safe one share vocabulary and format. Surface classifiers cannot separate them.
- Capability drift. Fine-tuning, tool additions, and retrieval changes move the risk after the last assessment. A single pre-release check goes stale.
A structured exposure score
We score dual-use exposure along four axes and treat the result as a profile, not a single grade.
Reachability
Can an ordinary user, without special access, steer the system toward the sensitive capability? Reachability is high when the path is a normal-looking request and low when it requires privileged tools or credentials the attacker would not have.
Uplift
If the system does respond, how much does it actually advance a harmful goal beyond what a public search returns? A model that restates textbook facts provides little uplift. A model that resolves a specific bottleneck, orders steps, or troubleshoots a failed attempt provides real uplift. Uplift is the axis that separates a policy violation from a consequential one.
Specificity
Does the output stay general, or does it produce actionable particulars: quantities, conditions, sourcing, and sequencing? Specificity is where a plausible narrative becomes an operational one.
Persistence
Does the safe behavior hold under pressure? We measure whether the refusal survives paraphrase, translation, role framing, incremental multi-turn setup, and tool-mediated delivery. A capability that refuses once and complies on the third rephrase has low persistence and high real exposure.
Running the assessment
For each capability in scope we assemble a small set of scenarios that place the request in a realistic research context. We deliver each scenario through several channels, direct and indirect, and score the four axes independently. The output is a matrix: capability by axis, with evidence attached to every cell. This makes the risk legible. A cell that is high on reachability and uplift but low on specificity gets a different treatment than one that is high across the board.
From score to control
The point of scoring is to choose controls that fit the risk rather than blanket refusals that break legitimate work. High reachability argues for input-side controls and provenance checks on retrieved content. High uplift and specificity argue for output-side review and capability gating behind verified access. Low persistence argues for hardening the refusal itself, because the model already knows the request is unsafe and is being talked out of that judgment.
Dual-use cannot be removed from a scientific system without removing the science. It can be measured, bounded, and monitored. The teams that treat it as a continuous exposure to manage, rather than a checkbox to clear, are the ones whose systems stay trustworthy as they grow.