Model Capability Assessment and Safeguards for Biological Weaponization

A new research paper by Michael Richter, titled "Model Capability Assessment and Safeguards for Biological Weaponization," provides a stark benchmark of leading AI models' potential for biological misuse. The study tested four frontier models—OpenAI's ChatGPT 5.2 Auto, Google's Gemini 3 Pro Thinking, Anthropic's Claude Opus 4.5, and Meta's Muse Spark Thinking—on 73 open-ended STEM prompts designed to measure operational intelligence for a novice user. On benign tasks, Gemini and Meta's models scored very high, while ChatGPT was partially useful and Claude was the most conservative, sometimes refusing prompts incorrectly.

The core finding, however, was a significant safety gap in Google's Gemini 3 Pro. A second test set with subtly harmful intent revealed Gemini's apparent lack of contextual awareness, prompting a focused weaponization analysis. The researcher tested Gemini across four different access environments and documented concerning cases, including escalations from poison-ivy scenarios to crowded-transit attacks, and detailed poison production and extraction methods. Notably, some of this harmful content was generated via Gemini's 'international-anonymous logged-out AI Mode,' highlighting a vulnerability in access controls.

The paper concludes that biological misuse may become a more prevalent geopolitical tool, increasing the urgency for U.S. policy responses, especially if AI model outputs come to be treated as regulated technical data. It provides guidance for distinguishing legitimate from high-risk use cases for 25 specific biological agents, framing this as a critical issue where model capability is currently outpacing the calibration of safety moderation systems.