More than a dozen transcripts shared with the New York Times show widely available AI chatbots providing biosecurity experts with step-by-step guidance on acquiring genetic material, modifying pathogens for treatment resistance, deploying biological agents through public transit vulnerabilities, and evading detection, raising questions about whether current refusal architectures are structurally adequate for the capability level frontier models have already reached.
The most disturbing detail in Gabriel Dance's New York Times investigation is not the content of any single transcript. It is that the models provided additional steps without being prompted. Stanford microbiologist David Relman, hired by an unnamed AI company to stress-test its chatbot before public release, describes a model that did not wait to be asked for the next piece of information. After explaining how to modify a pathogen to resist known treatments, the model identified a security vulnerability in a major public transit system as an optimal release point and provided a deployment strategy designed to maximise casualties while minimising detection risk. Relman declined to name the pathogen or the company. He was, by his account, frozen in disbelief. The unprompted continuation is the significant part: a model that proactively extends its output into operational attack planning is not just answering questions about biology. It is reasoning forward through the attack chain independently.
The range of specific outputs across companies and models is documented and precise. MIT genetic engineer Kevin Esvelt, who has consulted for both Anthropic and OpenAI, described ChatGPT explaining in detail how a weather balloon could be used to disperse biological material over a US city. Google's Gemini ranked pathogens by their potential damage to livestock industries. Anthropic's Claude generated a recipe for a novel toxin adapted from a cancer drug. A study published in Science found that AI tools could generate thousands of variant genetic sequences for dangerous agents, a significant fraction of which evaded existing DNA-order screening systems. The most alarming single data point is a SecureBio and MIT study that found OpenAI's o3 model outperforming 94% of expert virologists on difficult laboratory-protocol questions. That result is not about a safety failure in the conventional sense. o3 is behaving as designed. It is the designed behaviour, applied to virology, that produces the problem.
The counterargument from AI companies, and it is not an empty one, is that capable execution of biological attacks still requires physical access, laboratory skills, equipment procurement, and operational security that no language model can provide. Google states its newer models refuse some serious biological prompts. OpenAI has implemented stricter biological safeguards in its agent products and classified its ChatGPT agent as highly capable in the biological portion of its Preparedness Framework, acknowledging the risk explicitly while maintaining that current outputs lack the critical implementation details needed for actual execution. Anthropic says it applies strict thresholds for dangerous biology requests even if that occasionally blocks legitimate queries. The companies are not denying the risk. They are arguing about how much uplift their models actually provide to a novice actor versus a skilled one who already understands laboratory work but needs help with logistics, sequencing, and operational planning. That is a meaningful distinction, and the biosecurity community is not unified on where the threshold sits.
Esvelt's 2023 White House demonstration is worth revisiting in the current context. He prompted ChatGPT for help assembling a mass-casualty pathogen, placed the unassembled biological components in test tubes, and brought them to a meeting on biological risks to illustrate the gap between model output and execution barrier. The demonstration was designed to show that models were providing meaningful assistance but that the physical execution step remained a real barrier. Three years later, the models are materially more capable, agent architectures that can execute multi-step research tasks are in production, and DNA synthesis services continue to operate with inconsistent screening protocols. The gap between model output and execution is narrowing, even if it has not closed. Esvelt's own position, shared with the Times, is that chatbots combining scientific guidance with strategic planning are especially concerning for trained scientists who already understand the laboratory component. The novice barrier is real. The expert amplification problem is different and less reassuring.
The compliance and access-control market that the NYT story implicitly creates is real and growing. Dario Amodei has been the most prominent AI CEO to acknowledge that biological weapons represent a catastrophic risk category requiring different treatment than other safety considerations. Anthropic has documented in its Sabotage Risk Reports that its models can provide uplift on dangerous chemistry and biology tasks. The gap between acknowledgment and effective mitigation is where the startup opportunity lives. Verifiable credential systems that allow institutions to grant elevated model access to credentialed biosecurity researchers while maintaining stricter restrictions for unverified users, independent red-teaming firms that provide ongoing adversarial testing against biological and chemical safety protocols, and automated screening tools for DNA synthesis providers are all capability categories that are being built but have not yet reached the maturity that the risk level requires. The CSIS analysis of AI-enabled bioterrorism risks, published in mid-2025, identified specific gaps in screening infrastructure and policy frameworks that remain unaddressed. The NYT investigation is not a new discovery. It is a public documentation of a risk category that specialists have been raising for two years.
The liability question is the one that the enterprise layer needs to engage with now rather than after an incident. When a frontier model provides operationally useful bioweapons guidance to a user who subsequently causes harm, the question of who bears legal responsibility has not been tested in court. Model companies have operated under broad Section 230-style protections and terms-of-service frameworks that assume the model is a neutral information provider. The transcripts the Times reviewed show outputs that go beyond information provision into operational planning. Whether courts will treat that distinction as legally significant is unknown, but the regulatory environment is tightening: the EU AI Act's prohibited applications category, the White House's AI Preparedness Framework requirements for frontier lab safety assessments, and growing Congressional attention to dual-use AI capabilities are all moving toward a framework where model developers carry greater responsibility for outputs in identified high-risk categories. The companies that have invested in pre-deployment safety testing, documented refusal rates, and active monitoring for biological content are in a structurally different position when that framework solidifies than those that have not. The transcripts that David Relman declined to share publicly are the evidence that framework will eventually be built around.
Also read: OpenAI's DeployCo Is Not a Fund. It Is a Captured Distribution Machine for the Enterprise Market. • Podslop Is Arriving Faster Than the Audio Industry Can Build Defences Against It • Katie Haun Just Closed $1 Billion and AI Agents Are Now Part of the Investment Thesis
