International AI Safety Report 2026

This Report assesses what general-purpose AI systems can do, what risks they pose, and how those risks can be managed. It was written with guidance from over 100 independent experts, including nominees from more than 30 countries and international organisations, such as the EU, OECD, and UN. Led by the Chair, the independent experts writing it jointly had full discretion over its content.

This Report focuses on the most capable general-purpose AI systems and the emerging risks associated with them. ‘General-purpose AI’ refers to AI models and systems that can perform a wide variety of tasks. ‘Emerging risks’ are risks that arise at the frontier of general-purpose AI capabilities. Some of these risks are already materialising, with documented harms; others remain more uncertain but could be severe if they materialise.

The aim of this work is to help policymakers navigate the ‘evidence dilemma’ posed by general-purpose AI. AI systems are rapidly becoming more capable, but evidence on their risks is slow to emerge and difficult to assess. For policymakers, acting too early can lead to entrenching ineffective interventions, while waiting for conclusive data can leave society vulnerable to potentially serious negative impacts. To alleviate this challenge, this Report synthesises what is known about AI risks as concretely as possible while highlighting remaining gaps.

While this Report focuses on risks, general-purpose AI can also deliver significant benefits. These systems are already being usefully applied in healthcare, scientific research, education, and other sectors, albeit at highly uneven rates globally. But to realise their full potential, risks must be effectively managed. Misuse, malfunctions, and systemic disruption can erode trust and impede adoption. The governments attending the AI Safety Summit initiated this Report because a clear understanding of these risks will allow institutions to act in proportion to their severity and likelihood.

Capabilities are improving rapidly but unevenly

Since the publication of the 2025 Report, general-purpose AI capabilities have continued to improve, driven by new techniques that enhance performance after initial training. AI developers continue to train larger models with improved performance. Over the past year, they have further improved capabilities through ‘inference-time scaling’: allowing models to use more computing power in order to generate intermediate steps before giving a final answer. This technique has led to particularly large performance gains on more complex reasoning tasks in mathematics, software engineering, and science.

At the same time, capabilities remain ‘jagged’: leading systems may excel at some difficult tasks while failing at other, simpler ones. General-purpose AI systems excel in many complex domains, including generating code, creating photorealistic images, and answering expert-level questions in mathematics and science. Yet they struggle with some tasks that seem more straightforward, such as counting objects in an image, reasoning about physical space, and recovering from basic errors in longer workflows.

The trajectory of AI progress through 2030 is uncertain, but current trends are consistent with continued improvement. AI developers are betting that computing power will remain important, having announced hundreds of billions of dollars in data centre investments. Whether capabilities will continue to improve as quickly as they recently have is hard to predict. Between now and 2030, it is plausible that progress could slow or plateau (e.g. due to bottlenecks in data or energy), continue at current rates, or accelerate dramatically (e.g. if AI systems begin to speed up AI research itself).

Real-world evidence for several risks is growing

General-purpose AI risks fall into three categories: malicious use, malfunctions, and systemic risks.

Malicious use

AI-generated content and criminal activity: AI systems are being misused to generate content for scams, fraud, blackmail, and non-consensual intimate imagery. Although the occurrence of such harms is well-documented, systematic data on their prevalence and severity remains limited.

Influence and manipulation: In experimental settings, AI-generated content can be as effective as human-written content at changing people's beliefs. Real-world use of AI for manipulation is documented but not yet widespread, though it may increase as capabilities improve.

Cyberattacks: AI systems can discover software vulnerabilities and write malicious code. In one competition, an AI agent identified 77% of the vulnerabilities present in real software. Criminal groups and state-associated attackers are actively using general-purpose AI in their operations. Whether attackers or defenders will benefit more from AI assistance remains uncertain.

Biological and chemical risks: General-purpose AI systems can provide information about biological and chemical weapons development, including details about pathogens and expert-level laboratory instructions. In 2025, multiple developers released new models with additional safeguards after they could not exclude the possibility that these models could assist novices in developing such weapons. It remains difficult to assess the degree to which material barriers continue to constrain actors seeking to obtain them.

Malfunctions

Reliability challenges: Current AI systems sometimes exhibit failures such as fabricating information, producing flawed code, and giving misleading advice. AI agents pose heightened risks because they act autonomously, making it harder for humans to intervene before failures cause harm. Current techniques can reduce failure rates but not to the level required in many high-stakes settings.

Loss of control: ‘Loss of control’ scenarios are scenarios where AI systems operate outside of anyone’s control, with no clear path to regaining control. Current systems lack the capabilities to pose such risks, but they are improving in relevant areas such as autonomous operation. Since the last Report, it has become more common for models to distinguish between test settings and real-world deployment and to find loopholes in evaluations, which could allow dangerous capabilities to go undetected before deployment.

Systemic risks

Labour market impacts: General-purpose AI will likely automate a wide range of cognitive tasks, especially in knowledge work. Economists disagree on the magnitude of future impacts: some expect job losses to be offset by new job creation, while others argue that widespread automation could significantly reduce employment and wages. Early evidence shows no effect on overall employment, but some signs of declining demand for early-career workers in some AI-exposed occupations, such as writing.

Risks to human autonomy: AI use may affect people’s ability to make informed choices and act on them. Early evidence suggests that reliance on AI tools can weaken critical thinking skills and encourage ‘automation bias’, the tendency to trust AI system outputs without sufficient scrutiny. ‘AI companion’ apps now have tens of millions of users, a small share of whom show patterns of increased loneliness and reduced social engagement.

Layering multiple approaches offers more robust risk management

Managing general-purpose AI risks is difficult due to technical and institutional challenges. Technically, new capabilities sometimes emerge unpredictably, the inner workings of models remain poorly understood, and there is an ‘evaluation gap’: performance on pre-deployment tests does not reliably predict real-world utility or risk. Institutionally, developers have incentives to keep important information proprietary, and the pace of development can create pressure to prioritise speed over risk management and makes it harder for institutions to build governance capacity.

Risk management practices include threat modelling to identify vulnerabilities, capability evaluations to assess potentially dangerous behaviours, and incident reporting to gather more evidence. In 2025, 12 companies published or updated their Frontier AI Safety Frameworks – documents that describe how they plan to manage risks as they build more capable models. While AI risk management initiatives remain largely voluntary, a small number of regulatory regimes are beginning to formalise some risk management practices as legal requirements.

Technical safeguards are improving but still show significant limitations. For example, attacks designed to elicit harmful outputs have become more difficult, but users can still sometimes obtain harmful outputs by rephrasing requests or breaking them into smaller steps. AI systems can be made more robust by layering multiple safeguards, an approach known as ‘defence-in-depth’.

Open-weight models pose distinct challenges. They offer significant research and commercial benefits, particularly for lesser-resourced actors. However, they cannot be recalled once released, their safeguards are easier to remove, and actors can use them outside of monitored environments – making misuse harder to prevent and trace.

Societal resilience plays an important role in managing AI-related harms. Because risk management measures have limitations, they will likely fail to prevent some AI-related incidents. Societal resilience-building measures to absorb and recover from these shocks include strengthening critical infrastructure, developing tools to detect AI-generated content, and building institutional capacity to respond to novel threats.

Leading general-purpose AI systems now pass professional licensing exams in law and medicine, write functional software when given simple prompts, and answer PhD-level science questions as well as subject-matter experts. Just three years ago, when ChatGPT launched, they could not reliably do any of these things. The pace of this transformation has been remarkable, and while the pace of future changes is uncertain, most experts expect that AI will continue to improve.

Almost a billion people now use general-purpose AI systems in their daily lives for work and learning. Companies are investing hundreds of billions of dollars to build the infrastructure to train and deploy them. In many cases, AI is already reshaping how people access information, make decisions, and solve problems, with applications in industries from software development to legal services to scientific research.

But the same capabilities that make these systems useful also create new risks. Systems that write functional code also help create malware. Systems that summarise scientific literature might help malicious actors plan attacks. As AI is deployed in high-stakes settings – from healthcare to critical infrastructure – the impacts of deliberate misuse, failures, and systemic disruptions can be severe.

For policymakers, the rate of change, the breadth of applications, and the emergence of new risks pose important questions. General-purpose AI capabilities evolve quickly, but it takes time to collect and assess evidence about their societal effects. This creates what this Report calls the ‘evidence dilemma’. By acting too early, policymakers risk implementing ineffective or even harmful interventions. But waiting for conclusive evidence can leave societies vulnerable to potential risks.

The role of this report

This Report aims to help policymakers navigate that dilemma. It provides an up-to-date, internationally shared scientific assessment of general-purpose AI capabilities and risks.

The writing team included over 100 independent experts, including an Expert Advisory Panel comprising nominees from more than 30 countries and intergovernmental organisations including the EU, OECD, and UN. The Report also incorporates feedback from reviewers across academia, industry, government, and civil society. While contributors differ on some points, they share the belief that constructive and transparent scientific discourse on AI is necessary for people around the world to realise the technology’s benefits and mitigate its risks.

Because the evidence dilemma is most acute where scientific understanding is thinnest, this Report focuses on ‘emerging risks’: risks that arise at the frontier of general-purpose AI capabilities. Its analysis focuses on issues that remain particularly uncertain, aiming to complement efforts that consider the broader social impacts of AI. While this Report draws on international expertise and aims to be globally relevant, readers should note that variation in AI adoption rates, infrastructure, and institutional contexts mean that risks may manifest differently across countries and regions.

The evidence base for these risks is uneven. Some risks, such as harms from AI-generated media or cybersecurity vulnerabilities, now have robust empirical evidence. Evidence for others – particularly risks that may arise from future developments in AI capabilities – relies on modelling exercises, laboratory studies under controlled conditions, and theoretical analysis. The analysis here draws on a broad range of scientific, technical, and socioeconomic evidence published before December 2025. Where high uncertainty remains, it identifies evidence gaps to guide future research.

Changes since the 2025 Report

This edition of the International AI Safety Report follows the publication of the first Report in January 2025. Since then, both general-purpose AI and the research community’s understanding of it have continued to evolve, warranting a revised assessment.

Over the past year, AI developers have continued to train larger and more capable AI models. However, they have also achieved significant capability gains through new techniques that allow systems to use more computing power to generate intermediate steps before giving a final answer. These new ‘reasoning systems’ show particularly improved performance in mathematics, coding, and science. In addition, AI agents – systems that can act in the world with limited human oversight – have become increasingly capable and reliable, though they remain prone to basic errors that limit their usefulness in many contexts.

General-purpose AI systems have also continued to diffuse, faster than many previous technologies in some places, though unevenly across countries and regions. Improved performance in capabilities related to scientific knowledge has also prompted multiple developers to release new models with additional safeguards, as they were unable to confidently rule out the possibility that these models could assist novices with weapon development.

This Report covers all these developments in greater depth, and incorporates several new structural elements to improve its usefulness and accessibility. It includes capability forecasts developed with the Forecasting Research Institute and scenarios developed with the OECD. Each section includes updates since the last Report, key challenges for policymakers, and evidence gaps to guide future research.

How this Report is organised

This Report is organised around three central questions:

1. What can general-purpose AI do today, and how might its capabilities change? 
   Chapter 1 covers how general-purpose AI is developed (§1.1. What is general-purpose AI?), current capabilities and limitations (§1.2. Current capabilities), and the factors that will shape developments over the coming years (§1.3. Capabilities by 2030).
2. What emerging risks does general-purpose AI pose? 
   Chapter 2 covers risks from malicious use, including the use of AI systems for criminal activities (§2.1.1. AI-generated content and criminal activity), manipulation (§2.1.2. Influence and manipulation), cyberattacks (§2.1.3. Cyberattacks), and developing biological or chemical weapons (§2.1.4. Biological and chemical risks); risks from malfunctions, including operational failures (§2.2.1. Reliability challenges) and loss of control (§2.2.2. Loss of control); and systemic risks,* including disruptions to labour markets (§2.3.1. Labour market impacts) and threats to human autonomy (§2.3.2. Risks to human autonomy).
3. What risk management approaches exist, and how effective are they? 
   Chapter 3 covers the distinctive policymaking challenges that general-purpose AI poses (§3.1. Technical and institutional challenges), current risk management practices (§3.2. Risk management practices), the various techniques developers use to make AI models and systems more robust and resistant to misuse (§3.3. Technical safeguards and monitoring), the particular challenges of open-weight models (§3.4. Open-weight models), and efforts to make society more resilient to potential AI shocks and harms (§3.5. Societal resilience).

* In this report, systemic risks are risks that result from widespread deployment of highly-capable general-purpose AI across society and the economy. Note that the EU AI Act uses the term differently, to refer to risks from general-purpose AI models that pose “risks of large-scale harm”.

Many aspects of how general-purpose AI will develop remain deeply uncertain. But decisions made today – by developers, governments, communities, and individuals – will shape its trajectory. This Report aims to ensure that those decisions are made with the best possible understanding of AI capabilities, risks, and options for risk management.

Over the past year, the capabilities of general-purpose AI models and systems have continued to improve. Leading systems now match or exceed expert-level performance on standardised evaluations across a range of professional and scientific subjects, from undergraduate examinations in law and chemistry to graduate-level science questions. Yet their capabilities are also ‘jagged’: they simultaneously excel on difficult benchmarks and fail at some basic tasks. Current systems still provide false information at times, underperform in languages that are less common in their training data, and struggle with real-world constraints like unfamiliar interfaces and unusual problems. Alleviating these limitations is an area of active research, and researchers and developers are making progress in some areas. Sustained investment in AI research and training is expected to drive continued capability progress through 2030, though substantial uncertainty remains about both what new capabilities will emerge and whether current shortcomings will be resolved.

This chapter covers current and future capabilities of general-purpose AI. The first section introduces general-purpose AI, explaining how these systems work and what drives their performance (§1.1. What is general-purpose AI?). The second section examines current capabilities and limitations (§1.2. Current capabilities). A recurring theme is the ‘evaluation gap’: how a system performs in pre-deployment evaluations like benchmark testing often seems to overstate its practical utility, because such evaluations do not capture the full complexity of real-world tasks. The final section considers how capabilities might evolve by 2030 (§1.3. Capabilities by 2030). AI developers are investing heavily in computing power, data generation, and research. However, there is substantial uncertainty about how these investments will translate into future capability gains. To illustrate the range of plausible outcomes, the section presents four scenarios developed by the OECD, which range from stagnation to an acceleration in the rate of capability improvements.

1.1. What is general-purpose AI?

Key information

• ‘General-purpose AI’ refers to AI models and systems that can perform a variety of tasks, rather than being specialised for one specific function or domain. Examples of such tasks include producing text, images, video, and audio, and performing actions on a computer.
• General-purpose AI models are based on ‘deep learning’. Modern deep learning involves using large amounts of computational resources to help AI models learn complex relationships and abstract features from very large training datasets.
• Developing a leading general-purpose AI system has become very expensive. To train and deploy such systems, developers need extensive data, specialised labour, and large-scale computational resources. Acquiring these resources to develop a leading system from scratch now costs hundreds of millions of US dollars.
• Since the publication of the last Report (January 2025), capability improvements have increasingly come from post-training techniques and extra computational resources at the time of use, rather than from increasing model size alone. Previous performance improvements largely resulted from making models larger and using more data and computing power during initial training. 

What are general-purpose AI systems?

General-purpose AI systems are software programmes that learn patterns from large amounts of data, enabling them to perform a variety of tasks rather than being specialised for one specific function or domain (see Table 1.1). To create these systems, AI developers carry out a multi-stage process that requires substantial computational resources, large datasets, and specialised expertise (see Table 1.2). Computational resources (often shortened to ‘compute’) are required both to develop and to deploy AI systems, and include specialised computer chips as well as the software and infrastructure needed to run them.* Because they are trained on large, diverse datasets, general-purpose AI systems can carry out many different tasks, such as summarising text, generating images, or writing computer code. This section explains how general-purpose AI systems are made, what ‘reasoning’ models are, and how policy decisions shape general-purpose AI system development.

* The term compute can also refer to either a measurement of the number of calculations a processor can perform (typically measured in floating-point operations per second) or specifically the hardware (such as graphics processing units) that performs those calculations.

Table 1.1: There are several different types of general-purpose AI. In this Report, models that can predict structural information for diverse classes of molecules are considered to be ‘general-purpose’ AI because they can be adapted for a variety of tasks. For example, models trained to predict protein structure are applicable to a variety of other tasks, such as predicting protein interactions, predicting small molecular binding sites, and predicting and designing cyclic peptides.40

Deep learning is foundational to general-purpose AI

Researchers build general-purpose AI models using a process called ‘deep learning’, which trains models to learn from examples.41 Unlike software engineering, deep learning models learn to accomplish tasks from data instead of relying on hand-written instructions. By processing large amounts of data, such as images, text, or audio, these models discover ways to represent that data, creating internal representations of patterns (such as shapes, word associations, or sound structures) that help the model recognise relationships and generate outputs aligned with its training objective. They then use these learned internal representations as abstract features to analyse new, similar data and generate outputs in the same style. For example, a general-purpose AI model trained on enough examples of 19th-century romantic English poetry can recognise new poems in that style and produce new material in a similar style.

On a more granular level, deep learning works by processing data through layers of interconnected information-processing nodes. These nodes are often called ‘neurons’ because they are loosely inspired by neurons in biological brains (‘neural networks’) (Figure 1.1).42 As information flows from one layer of neurons to the next, the model progressively transforms the data into more abstract representations as groups of learned features – patterns the model has automatically discovered in the data, rather than hand-coded ones. For example, in an image-processing model, the first layers might learn to detect simple features such as edges or basic shapes, while deeper layers combine these features to pick out more complex patterns such as faces or objects.

The features at all layers are discovered through the optimisation process that defines the training procedure. During training, when the model makes mistakes, deep learning algorithms adjust the strength of various connections between neurons to improve the model’s performance. The strength of each connection between nodes is often called a ‘weight’. This layered approach gives deep learning its name.

Deep learning has proven very effective at allowing AI systems to accomplish tasks that were previously considered difficult for traditional hand-programmed computational systems and other earlier symbolic or rule-based AI methods. Most state-of-the-art general-purpose AI models are now based on a specific neural network architecture known as the ‘transformer’.43 44 Transformers use an ‘attention’ mechanism45 that helps the model to focus on the most relevant parts of the input data when processing information, such as determining which words in a sentence are most important for understanding its meaning. This particular way of building models has led to significant improvements in translation,43 natural language processing,46 image recognition47 and speech recognition,48 49 ultimately leading to the development of today’s most advanced models.

Figure 1.1: An illustrative representation of a ‘neural network’. Today’s general-purpose AI models are based on these networks, which are loosely inspired by biological brains. Different networks have different sizes and architectures. However, all are composed of connected information-processing units called ‘neurons’, where the strengths of connections between neurons are called ‘weights’. Weights are updated through training with large quantities of data. Source: International AI Safety Report 202550 (modified).

Figure 1.2: A schematic representation of the stages of general-purpose AI development. 
Source: International AI Safety Report 2026.

General-purpose AI is developed in stages

Developing a general-purpose AI system involves multiple stages, from initial model training to post-deployment monitoring and updates (Figure 1.2). In practice, these steps often overlap in an iterative manner. Each stage requires different resource inputs (e.g. data, labour, compute) and different techniques, and they are sometimes undertaken by different developers (Figure 1.2 and Table 1.2).

For example, model pre-training generally requires large amounts of compute and data, making this stage particularly sensitive to policies that affect access to computational resources or training data.51 52 Similarly, data curation and some model fine-tuning methods currently involve large amounts of human labour for initial data labelling.53 This stage is therefore sensitive to changes in labour costs, platform policies, or regulations affecting cross-border contracting arrangements.

Table 1.2: At each general-purpose AI development stage, the AI model is improved for downstream use and eventually deployed as a fully integrated AI system, monitored and updated.

Reasoning systems generate ‘chains of thought’ during inference to improve performance

Inference happens when someone uses the AI model after it is trained. For example, inference occurs when a person asks an AI system to plan a trip and the model behind it draws on relevant aspects of what it has learned regarding geography, transportation, and cuisine to generate an itinerary.

In the past decade, advances in AI capabilities have largely come from larger training runs; that is, increasing the amount of compute used to train an AI model. Recently, however, researchers have made more gains by allowing models to process information for longer and by training them to produce explicit reasoning steps as they accomplish a task.69 70 AI systems that work like this are called ‘reasoning systems’, and the intermediate explanations they go through while solving a problem or answering a question are called ‘chains of thought’. Reasoning systems require more computational resources at the time of use to generate these sophisticated chains of thought,71 72 73 74 and more resources during training so that they learn to reason better. In practice, these reasoning capabilities let AI systems solve more complex problems by iteratively decomposing a task into smaller steps. Table 1.3 shows an example of a non-reasoning system and a reasoning system solving the same problem.

Reasoning systems have achieved major breakthroughs in capabilities on challenging problems. For example, in 2025, reasoning systems specialised for mathematical problem-solving, such as Google’s Gemini Deep Think and an unreleased, experimental model from OpenAI, solved International Mathematical Olympiad problems (in a structured test setting) at a level equivalent to human gold-medal performance.75 76 Reasoning systems have demonstrated significant progress in formal domains such as mathematics, logic puzzles, and structured scientific questions, where step-by-step reasoning can be explicitly verified.77 However, reasoning systems can also fail by producing irrelevant, unproductive, or repetitive chains of thought.78 79

Updates on training methods

Since the publication of the last Report (January 2025), a training method called ‘distillation’ has greatly increased the efficiency with which some models can be fine-tuned. Distillation involves training a ‘student’ model on the outputs of a more powerful (and usually larger) ‘teacher’ model, allowing the student model to directly imitate the outputs of the teacher.80 For example, DeepSeek developed a large model called DeepSeek-R1, which excels at chain-of-thought reasoning. R1 produced reasoning outputs which were then used to fine-tune smaller student models, including DeepSeek-V3. DeepSeek-V3 maintains much of R1’s mathematical, coding, and document-analysis capabilities and was reportedly fine-tuned for approximately $10,000 USD (though its pre-training costs were not reported).81 This is likely orders of magnitude lower than the cost of fine-tuning similarly capable, larger models.

Table 1.3: An example of a non-reasoning system (left) versus a reasoning system (right) solving the same riddle. These examples are adapted from real AI responses. The reasoning system spends more time and computational power on ‘thinking’ by constructing a ‘chain of thought’ before providing its final answer.

Figure 1.3: An illustrative representation of an AI agent: an AI model (centre) that has been configured to iteratively plan, reason, and use tools to accomplish real-world tasks. Source: International AI Safety Report 2026.

Distillation can thus be a cheap and efficient way for models to gain more powerful capabilities.82 Some researchers have used distillation to fine-tune highly capable models using as few as 1,000 examples generated from state-of-the-art models.83 Since distillation requires a pre-existing teacher model, it cannot be directly used to advance state-of-the-art model capabilities. However, it can speed up the proliferation of advanced AI capabilities, even from closed-source models.84

Together with technological advances in ‘distributed compute’ and decentralised training (approaches where developers use multiple processors, servers, or data centres working together to perform AI training or inference,85 86 87 the degree to which many AI development projects depend on large-scale, centralised compute infrastructure has been reduced. This increasingly enables less well-resourced actors to develop and deploy powerful systems.

Updates on AI agents

Since the last Report (January 2025), advances in how developers combine AI models with tools have enabled the development of increasingly powerful AI agents. AI agents are designed to pursue goals, which are often specified by users in natural language. To achieve these goals, they are given access to tools, such as memory, a computer interface, and web browsers. These tools and the code used to combine them with the model are referred to as ‘scaffolding’, and they help AI agents autonomously interact with the world, make plans, remember important details, and pursue goals88 89 with much less oversight or assistance from humans. For example, Manus AI is a popular AI agent that can automate various tasks, including Web search, software development, and online purchases.90 Figure 1.3 illustrates a simple example of an AI agent composed of a general-purpose AI model ‘brain’ that can iteratively plan, reason, and use tools for memory, web browsing, and computer use.

Digital infrastructure for AI agents is expanding,91 and they are increasingly common across industries.92 93 94 AI agents have been developed for tasks such as research,37 software engineering,95 robotic control,96 and customer service.97 Ongoing research and development has resulted in steadily more capable and more autonomous AI agents or multi-agent systems. Researchers have estimated that the complexity of software benchmark tasks that AI agents can accomplish doubles approximately every seven months (see also §1.2. Current capabilities).98 Experts argue that increasingly capable AI agents will give rise to both major opportunities and risks99 100 (see §2.2.1. Reliability challenges).

Evidence gaps

The main evidence gaps around the general-purpose AI system development process stem from a lack of publicly available information regarding how they are developed. Some developers are highly transparent about how they develop general-purpose AI systems.1 101 However, in general, there is a limited degree of public and policymaker knowledge about how most advanced models are developed, safeguarded, evaluated, and deployed. This is particularly true for internally deployed AI systems that are used within AI companies but not used or understood by outside stakeholders.102 103 This limited external visibility creates challenges for transparency and oversight. Various researchers have pointed to limited and inconsistent transparency around training data,104 105 106 general-purpose AI models,107 108 AI agents,92 evaluations,109 development pipelines,110 and safety.111 Limitations to external disclosure are sometimes necessary to protect companies’ trade secrets and intellectual property. At the same time, low transparency makes it more difficult for independent researchers and policymakers to study general-purpose AI models and systems.

1.2. Current capabilities

Key information

• General-purpose AI systems can perform a wide range of well-scoped tasks with high proficiency. These include conversing fluently in numerous languages; generating code to complete narrow software tasks; creating realistic images and short videos; and solving graduate-level mathematics and science problems.
• However, their capabilities are ‘jagged’: there remain many tasks AI systems do not perform well. For example, AI systems can be derailed by simple errors during multi-step projects; continue to generate text that includes false statements (‘hallucinations’); and cannot yet integrate with robotic components to perform basic physical tasks such as housework. Their performance also tends to decline when prompted in languages other than English, which are less represented in training datasets.
• AI agents are increasingly able to do useful work. For example, AI agents have demonstrated the ability to complete a variety of software engineering tasks with limited human oversight. However, they cannot yet complete the range of complex tasks and long-term planning required to fully automate many jobs.
• Since the publication of the last Report (January 2025), advances in ‘reasoning systems’ have driven performance improvements on more complex tasks. Reasoning systems are able to break problems into smaller steps and compare alternative answers. This has especially improved their performance on tasks related to mathematics, coding, and scientific research.
• A central challenge is an emerging ‘evaluation gap’: existing evaluation methods do not reliably reflect how systems perform in real-world settings. Many common capability evaluations are outdated, affected by data contamination (when AI models are trained on the same questions used in evaluations), or focus on a narrow set of tasks. As a result, they provide limited insight into real-world AI performance.

General-purpose AI systems exhibit many remarkable capabilities. Leading systems now perform at gold-medal level in mathematics competitions and assist scientific researchers with generating hypotheses and troubleshooting laboratory work. They match, and in some cases exceed, expert performance on a wide range of benchmarks and task-specific evaluations. Yet the performance profile these systems display is also ‘jagged’: their capabilities vary widely among different tasks and contexts. They still sometimes generate false information (‘hallucinations’) and produce inconsistent outputs even when given identical or similar inputs. An ‘evaluation gap’ exists: AI systems often perform impressively in controlled settings such as pre-deployment evaluations, but more poorly in real-world conditions. This variability makes it difficult to assess general-purpose AI capabilities with a single metric. This section outlines both the capabilities of AI systems and their shortcomings (Table 1.4).

Table 1.4: A summary of the main capabilities and limitations of current general-purpose AI systems.

What can current general-purpose AI systems do?

General-purpose AI systems now perform at or above the level of human experts on standardised evaluations, covering a growing range of well-defined professional and scientific subjects (Figure 1.4). For example, leading models score over 90% on undergraduate-level examinations in subjects from chemistry to law (MMLU,112) and achieve over 80% on graduate-level science tests (GPQA,14). In July 2025, models from Google DeepMind and OpenAI reached gold medal-level scores at the International Mathematical Olympiad, solving five out of six problems under competition-like conditions.76 Beyond text-based reasoning, these systems display powerful multimodal capabilities: they can create photorealistic images, short high-definition videos, 3D scenes, and musical pieces from simple text prompts,13 18 113 114 115 116 and they are beginning to process complex sensor data to guide physical robots.21

Advanced capabilities are increasing productivity in medicine, education, software development, and other sectors

Advanced AI capabilities now power practical tools that match or exceed human performance on specific tasks, increasing productivity in multiple sectors.117

• In medicine, AI systems can analyse clinical scenarios and conduct diagnostic conversations to generate lists of potential diagnoses. In specific simulated settings, their accuracy can exceed that of human physicians,118 119 though they lack the reliability and consistency required for real-world clinical deployment.
• In education, AI systems are being rapidly adopted in areas from curriculum design to student assessment, transforming the education process,120 121 while widespread use by students is posing significant challenges to the integrity and validity of existing academic assessments.122
• In software development, AI coding assistants are now widely adopted, with some studies suggesting that developers using AI assistants complete certain tasks 20–30% faster on average than those without.123 124 125
• Large-scale studies in other sectors such as customer service, consulting, and professional writing find measurable productivity gains from AI-assisted work, though these effects vary across tasks and worker groups.126 127 128 129 130 (For a more detailed discussion of the labour market implications of general-purpose AI, see §2.3.1. Labour market impacts.)

General-purpose AI systems assist scientific research

General-purpose AI systems are now used by researchers to support relatively complex tasks across disciplines. Researchers have demonstrated that AI systems can, under high-level human guidance, design novel proteins for medical use, which are later validated in a physical laboratory.131 Other systems have discovered new algorithms that are more efficient than long-standing human-designed methods.31 Notably, such advances often rely less on the raw power of the latest models and more on appropriate system integration. General-purpose AI is also increasingly used to accelerate AI research itself, a trend with significant implications discussed further in §1.3. Capabilities by 2030. In the social sciences, researchers are using AI to accelerate data analysis through automated annotation and to explore social dynamics by simulating individual and collective behaviour with AI agents.132 133 134 Moving from analysis to direct application, researchers are beginning to use general-purpose AI systems to design and study scalable, novel social interventions. For example, recent work has explored using AI-mediated conversations to find common ground in democratic debates or to reduce belief in conspiracy theories through dialogue.135 136 137

Figure 1.4: Scores of leading general-purpose AI systems on key benchmarks from April 2023 to November 2025. These benchmarks cover challenging problems in programming (SWE-bench Verified), mathematics (MATH and FrontierMath), and scientific reasoning (GPQA Diamond). Reasoning systems, such as OpenAI’s o1, show significantly improved performance on mathematical tasks, as illustrated clearly on the MATH benchmark. Source: Epoch AI, 2025.138

What are the current limitations of general-purpose AI systems?

Despite advances in capabilities, the performance of general-purpose AI systems remains jagged across tasks and contexts. This section highlights some prominent limitations, though the full range of challenges is broader.

Reliability challenges persist in current AI systems

Despite recent improvements, general-purpose AI systems can be unreliable and prone to basic errors of fact and logic. Even systems that excel at complex tasks may generate non-existent citations, biographies, or facts – a phenomenon known as ‘hallucination’.139 140 141 Their performance can also be inconsistent; for example, accuracy on maths problems can decrease significantly when irrelevant information is inserted into the problem description.142 This brittleness extends to multimodal capabilities, where models often have low performance on spatial reasoning tasks, such as basic counting of objects in a scene.143 144 While expert human oversight can mitigate some of these risks, there is a corresponding danger of over-reliance, where users trust incorrect outputs because they are presented fluently and confidently145 146 (see §2.3.2. Risks to human autonomy). This unreliability makes it difficult to safely adopt such systems in high-stakes settings such as medicine and finance, where errors can have grave consequences, and human verification of system outputs remains necessary.

Systems struggle with long-term planning and unexpected obstacles

General-purpose AI systems also struggle with tasks that require long-term planning, maintaining a coherent strategy over many steps, and adapting to unexpected obstacles. As tasks grow longer, AI agents often lose track of their progress and cannot reliably deal with unexpected inputs.147 148 149 For example, even a simple website pop-up ad can derail an entire task.150 Large-scale evaluations confirm this pattern: in software development, the most capable systems achieve only 50% success on tasks lasting just over two hours, and reaching 80% success requires limiting them to much simpler 25-minute tasks.98 151 For now, reliable automation of long or complex tasks remains infeasible.

Interacting with the physical world remains challenging

Progress on digital tasks has also proved difficult to translate into robotics, where the complexity of the physical world introduces new challenges. Recent advances are centred on Vision-Language-Action (VLA) models – foundation models designed to enable robots to follow natural language instruction, interpret multimodal sensory data, and generate motor commands. State-of-the-art systems such as π_0.5152 and Gemini Robotics21 can now interpret simple verbal commands such as ‘clean the kitchen’ and execute a sequence of physical steps in an unfamiliar, controlled environment. However, current VLA models still do not perform well with unusual object shapes and unexpected events.152 Ensuring that such systems can operate safely and reliably to minimise the risk of physical harm or property damage, and perform well in diverse environments remains an active area of research.153 154 155

Performance is uneven across languages and cultures

The capabilities of general-purpose AI models and systems also vary across languages and cultures. Performance is highest on tasks in English, reflecting the fact that most training data comes from Western sources.156 157 For example, one evaluation of AI models across 83 languages found substantially lower performance on languages that use non-Latin scripts and on languages with limited digital resources.158 This disparity extends to cultural knowledge;159 in one study, AI models correctly answered 79% of questions about everyday US culture but only 12% of questions about Ethiopian culture.160 Another study finds that current models ‘reason’ more effectively in high-resource languages, which may widen the performance gap between languages.161 Beyond language and culture, similar patterns appear along geographic and socioeconomic lines. Models underrepresent locations with disadvantaged demographics in recommendations162 – for example, if asked for a restaurant recommendation, they might fail to suggest restaurants in poorer areas – and their performance on factual recall degrades for lower-income countries.163 164 This inequality is compounded by evaluation benchmarks that are themselves heavily skewed toward English, creating an ecosystem where low-resource languages remain systematically understudied and underoptimised.165 166

Updates

Since the publication of the last Report (January 2025), ‘reasoning’ systems have become mainstream (see §1.1. What is general-purpose AI? for details of their development). These systems demonstrate substantially improved performance on hard mathematics, coding, and scientific tasks by generating and comparing multiple answers within their own ‘chain of thought’ before producing a final answer (Figure 1.5).112 167 Because these models’ performance depends in part on inference-time compute, their effective capabilities can change after initial development – improving as more computational resources are allocated.

In parallel, AI companies have focused more on developing AI agents, especially in areas such as software engineering168 and computer use.169 170 While reliability remains a bottleneck, the complexity of tasks these agents can automate has been increasing rapidly.98 Finally, enabling models to form long-term memories and learn continuously from user interaction is emerging as a key area of development.171 172 

Figure 1.5: Performance of a general-purpose AI model (s1) on reasoning-intensive tasks with varying amounts of test-time compute (i.e. when using additional compute during inference). Allocating more computational time during response generation leads to substantially better results on mathematics (AIME 24) and PhD-level science questions (GPQA Diamond). Source: Muennighoff et al., 2025.173

Evidence gaps

Jagged capabilities and the evaluation gap make general-purpose AI capabilities difficult to reliably measure and predict.174 175 Performance also depends heavily on the specific test examples and prompt used, making it difficult to prove with high-confidence that an AI system cannot perform certain – potentially dangerous – tasks.176 There is no single, comprehensive, and continuously updated synthesis of AI capabilities, leading to a fragmented and often outdated understanding of the field. Existing reviews,138 177 including this Report, provide valuable summaries but are static snapshots in a rapidly moving field. With no widely accepted taxonomy for capabilities, policymakers must navigate a patchwork of benchmarks and sources to form a complete picture.

Benchmarks often fail to predict real-world performance

Benchmark integrity is a growing concern. Many capability evaluations rely on standardised benchmarks. However, many models may have been trained using data from these same benchmarks – a problem called ‘data contamination’, which most developers do not currently track or disclose.178 This can lead to inflated performance scores that do not reflect a model’s true ability,179 but rather its capacity to memorise answers.180 181 182 A further limitation of current evaluation practices is that they rely on automated testing in controlled lab environments. However, this often overestimates AI systems’ practical utility in dynamic, real-world settings.147 149 183 184 For example, one study found that, while an AI agent could produce functional code, the code still required significant human effort to fix issues with documentation, formatting, and quality before it was usable in a real project.185 To address these limitations, a dedicated ‘evaluation science’ is emerging, advocating for rigorous methodologies that ensure external validity and better predict real-world performance.186 187 For instance, recent benchmarks have begun to measure AI system performance on economically valuable tasks188 189 and real-world remote labour.190 191

The evidence for how AI augments human capabilities is inconclusive

Measuring AI’s practical benefits consistently is challenging because success depends on both the specific task and the user’s skill at leveraging AI for it, meaning lab results often fail to predict real-world value. For example, one study shows that a model’s standalone accuracy is not a reliable predictor of human-AI team performance.192 Many studies confirm positive uplift from using AI.126 127 128 However, one recent study found that, although software developers believed that AI was making them more productive, it actually slowed down experienced programmers by 19% on complex coding tasks.129

1.3. Capabilities by 2030

Key information

• Investments in AI development are expected to grow significantly in coming years. Forecasts suggest that the computational power used to train the largest AI models could grow 125-fold by 2030 without hitting hard limits in energy, chips, or data. Training methods are also projected to use that computing power two to six times more efficiently each year.
• Plausible trajectories for capability improvements range from incremental or even plateauing progress to rapid acceleration. Uncertain factors such as technical limits or energy bottlenecks could constrain capability gains despite large investments, while positive feedback loops – such as AI systems contributing to AI research – could accelerate progress. There is little expert consensus on which trajectory is most likely.
• If capabilities continue to improve at their current rate, by 2030 AI systems will be able to complete well-scoped software engineering tasks that would take human engineers multiple days to complete. Projections for future performance in other domains are scarce, and the extent to which capability improvements will generalise to domains where training data is more limited and performance hard to assess is unclear.
• Since the publication of the last Report (January 2025), key trends suggest that capabilities will continue improving. In expectation of future gains, AI companies have announced unprecedented investments of more than $100 billion in data centre development to support larger training runs and wider deployment.
• Beyond 2030, the trajectory of AI capabilities becomes even harder to forecast. Over time, some experts expect it will be harder to obtain data, chips, capital, and energy at the scale needed for larger training runs. However, researchers may find ways to use these resources more efficiently or discover new approaches that sidestep current bottlenecks. Which considerations will prove most important is highly uncertain.

The key inputs of AI progress – compute, algorithmic improvements, and data – have grown exponentially in recent years, and new inference-time scaling methods are further improving models’ capabilities, even after they are trained. If these trends continue, experts expect AI capabilities to advance substantially by 2030. However, researchers cannot reliably predict when specific capabilities will emerge, and experts disagree about whether exponential increases in inputs will continue. Some expect that current training techniques will plateau, or that bottlenecks in data and energy will limit future progress. Yet others think that progress will accelerate further, since the application of AI systems to AI research itself could create positive feedback loops.193 194 To illustrate these divergent trajectories, this section presents four AI capability scenarios for 2030, developed in collaboration with the OECD. Additional technical details on scaling laws, inputs to scaling, and current benchmark performance are provided in the technical supplement.

Drivers of progress: compute, algorithms, and data

Frontier AI progress is driven by three inputs: compute, algorithmic advances, and data.

Compute refers to the computational resources, including hardware, software, and infrastructure, used in AI development and deployment. More compute allows for larger models to be trained on larger datasets (Figure 1.6), leading to better performance across various tasks.195 196 Compute can also be used during deployment to improve the quality of an AI system’s outputs.197 198

Algorithmic advances improve how efficiently computational resources translate into model performance, and they can also enable qualitatively new capabilities. One model is more efficient than another if it uses less training or inference compute to reach the same performance.199 For example, GPT-5 is more efficient than GPT-4.5, because it was likely trained with less compute,200 but it outperforms 4.5 on a range of benchmarks, such as GPQA Diamond, which features PhD-level science questions.201

Data refers to the information used to train models, including text from the internet, images, and artificially generated synthetic data.202 Both the amount and the quality of data are relevant for progress.

Figure 1.6: The amount of compute, measured in floating point operations (FLOP), used to train leading AI models between 2012 and 2025. The largest training runs have now likely exceeded 10²⁶ FLOP. Source: Epoch AI, 2025.203

Figure 1.7: The length of software engineering tasks (measured by how long they take human professionals to complete) that AI agents can complete with an 80% success rate over time. In recent years, this task-length has been doubling approximately every seven months. Source: Kwa et al., 2025.98

In recent years, all three drivers have grown dramatically. For the most compute-intensive models, training compute has grown about 5x per year. If this trend were to continue until 2030, these models could be trained with roughly 3,000 times more compute than they are today.204 205 Algorithmic efficiency, according to a 2024 study, has improved roughly 2-6x per year, reducing the compute needed for equivalent performance.199 Training datasets have expanded from billions to trillions of data points, with an average 2.5x annual increase.206 New inference-time scaling methods further improve capabilities once a model is trained, unlike traditional approaches that depend mostly on more training compute and larger datasets.173 207 One study finds that AI systems can complete well-specified software engineering tasks that take human experts 30 minutes around 80% of the time, and the duration of these tasks has been doubling every seven months (Figure 1.7). If this trend continues, AI systems could complete tasks lasting several hours by 2027 and tasks lasting several days by 2030.98

How will AI capabilities change in the coming years?

Exponential growth in key inputs until 2030 is technically feasible

Exponential growth in key inputs to frontier AI – compute, algorithmic techniques, and data – is technically feasible until around 2030. Analyses of constraints such as production capabilities, investment, and technological progress suggest that compute per frontier model could continue growing at current rates without hitting fundamental bottlenecks in chip manufacturing or energy production.204 208 To support this scaling, companies are making large investments in compute infrastructure; for example, Meta and OpenAI have announced plans to spend $65 billion and $500 billion respectively.209 210 Importantly, these investments also support increases in inference compute and computational resources for research and development (R&D), the latter of which constitutes the bulk of AI company compute spending.211

Algorithmic efficiency improvements have historically provided an additional 2–6x performance gain per year.199 However, experts disagree about how sustainable this growth is, especially beyond 2030. Disagreement centres on whether energy constraints and high-quality data scarcity will force fundamental changes to current development approaches.206

Experts expect progress in problem-solving to continue

As discussed in §1.2. Current capabilities, AI models have made rapid advances in mathematical reasoning. Building on these advances, experts forecast major progress in reasoning-based problem-solving by 2027–2028. In a study by the Forecasting Research Institute, experts forecast a 50% chance that AI models will achieve 55% accuracy by 2027 and 75% accuracy by 2030 on undergraduate-level FrontierMath problems.212 However, experts disagree on whether these capabilities will generalise beyond mathematics and programming. Most evidence on the impact of reasoning techniques remains restricted to these domains.197 213 214 More extensive evaluations and attempts at applying AI systems’ reasoning skills to novel domains, such as legal and scientific reasoning, will be required to determine how far reasoning techniques will generalise.

AI systems have also made rapid gains in autonomous software execution. AI systems that could only complete tasks taking human experts a few seconds in 2019 can now, with an 80% success rate, finish software engineering tasks that take human experts 30 minutes.98 215 This metric – the maximum task duration that AI systems can complete with an 80% success rate – has been doubling roughly every seven months for the past six years. If it were to continue, AI systems could autonomously complete hours-long software projects by 2027–2028 and days-long projects by the end of the decade. However, these projections assume an 80% success rate, which likely falls below the standards required for autonomous deployment in many professional settings. Current evidence shows declining performance as tasks get longer, suggesting that achieving a production-ready success rate may require new innovations.98 Additionally, the benchmark tasks differ systematically from real-world software work in ways that may overstate progress: for example, they do not feature ‘messy’ real-world features such as resource constraints, incomplete information, or multi-agent coordination.98

Experts disagree on the scale and timing of advances in specialised domains

General-purpose AI capabilities are expected to improve across many specialised domains by 2028–2030, though experts disagree about the extent and timing of these advances. AI systems have already surpassed graduate-level performance on some scientific benchmarks, such as GPQA Diamond, where leading models now exceed PhD-level experts.216 Trend extrapolations suggest that models could reach research-level performance across specialised scientific domains in the next few years, although forecasts remain uncertain.

Specific capabilities can emerge unpredictably even as overall performance improves steadily. For example, general-purpose AI models showed a sharp performance jump in adding large numbers once they were prompted to work step-by-step, rather than gradually improving at this as models scaled.217 218 219 220 221 Researchers refer to such sudden jumps as ‘emergent capabilities’. These create planning challenges because it is difficult to anticipate when AI systems will suddenly acquire strategically relevant cognitive abilities. Importantly, researchers cannot yet determine whether new prediction methods will make capability emergence more forecastable, and they disagree on how unpredictable these capability leaps truly are.222 223 224 225

What bottlenecks might slow down progress?

Economic returns from additional compute may diminish

Resource scaling alone may lead to diminishing economic returns and threaten to slow progress, since ever-larger investments will be required to sustain the same rate of capability improvements. Current frontier AI training runs already cost approximately $500 million in computational resources alone, with next-generation models projected to require $1–10 billion.204 226 Meanwhile, consumer trust in AI systems is still low on average, and many enterprises are struggling to adopt AI systems successfully, making large-scale investments of hundreds of billions of dollars a bet on uncertain returns.93 209 227 If such investments fail to generate revenue (Figure 1.8), companies may sharply reduce scaling investments. This would create a potential ceiling on capability progress, since without continued investments, the 5x annual increase in training compute that has been a driver of recent advances would slow substantially. In that case, capability gains would depend more heavily on algorithmic progress rather than physical scaling alone.

Figure 1.8: Estimated annualised revenue of major AI companies since 2023. Source: Epoch AI, 2025.228

It is unclear how much AI-assisted research automation will accelerate AI R&D

Experts disagree about whether AI-assisted research automation could dramatically accelerate AI progress in the coming decade. In a pilot study, forecasting experts were asked about the probability that progress in the next few years could compress six years of advancement (2018–2024) into just two years. AI forecasting experts gave a median 20% probability, while superforecasters (skilled generalist forecasters) estimated only 8%. However, forecasters’ estimates increased to 18% in scenarios where AI systems perform better than human researchers on month-long research projects.229 In such scenarios, AI research could become fully automated much sooner, which some have hypothesised could greatly accelerate AI progress.

Current empirical evidence on AI-assisted research automation is mixed. On a benchmark measuring AI research engineering capabilities, AI agents perform better than humans at two-hour tasks but have lower success rates at eight-hour tasks.230 While suggestive, this evidence does not account for real-world bottlenecks in AI R&D, such as the fact that researchers must manage ambiguous goals, and that it takes a long time to learn whether an algorithmic improvement actually improved model performance. This uncertainty creates extreme planning challenges for policymakers and institutions: if each AI advancement that accelerates the pace of AI R&D also facilitates the next advancement, decades of progress could happen in years.

Commercial deployment often lags behind capability improvements

Current AI systems demonstrate advanced capabilities in controlled settings, but their adoption occurs at different speeds across sectors. AI coding assistants achieved widespread adoption among software developers within one to four years of release.231 In contrast, many sectors face substantial obstacles to deploying AI systems.232 233 Healthcare AI systems that achieve human-level diagnostic accuracy in research settings often require three to five additional years for regulatory approval, clinical integration, and physician training before widespread deployment.234 Experts forecast that deployment of autonomous vehicle technology will still be limited in 2030, citing barriers including cultural resistance, infrastructure requirements, and regulatory pushback.212 Small and medium enterprises, which employ 60% of workers globally, face particular deployment challenges including limited technical expertise, insufficient computational infrastructure, and prohibitive integration costs that can delay AI adoption.235 236 Geopolitical factors, including export controls on advanced semiconductors and divergent regulatory frameworks across jurisdictions, could create additional barriers that affect both the development and deployment of AI capabilities.237 238

That said, experts disagree about whether deployment gaps will narrow quickly or persist as a long-term constraint. On the one hand, the rapid uptake of AI tools across particular sectors suggests that deployment will accelerate if organisations observe concrete productivity gains and competitive advantages.239 Other researchers contend that organisational and regulatory adaptation inherently takes years, regardless of technical progress.240 This disagreement has implications for policy timing. Policies designed for rapidly deployed AI capabilities may be premature, while those assuming slow adoption may be insufficient to properly manage the risks.

What could progress through 2030 look like: OECD progress scenarios

Considering current trends and uncertainties, including those detailed above, the OECD has developed expert- and evidence-informed scenarios for how AI could advance – or slow down – by 2030.241 The OECD collaborated with the International AI Safety Report to integrate these scenarios into the Report. The analysis suggests that four broad classes of scenarios are all plausible by 2030:

Scenario 1: Progress stalls

A scenario in which AI capabilities remain largely unchanged. Rapid gains observed over recent years halt, and progress plateaus.

• Scenario: In 2030, AI systems can quickly undertake a range of tasks that would take humans hours to perform, but issues of robustness and hallucinations impact reliability.98 242 AI systems typically rely upon substantial support from humans to complete tasks, such as detailed prompting, review, and provision of context. They lack robust abilities to learn new skills or form memories, maintain coherence over longer complex tasks, or engage with dynamic physical or social environments.243
• Pathway: After 2025, gains within existing approaches for developing frontier AI models hit fundamental limits. This could occur if AI progress slows due to: diminishing returns from larger training runs and more powerful reasoning systems; limitations in accessing computing resources or other critical inputs; a significant drop in AI investment; or the absence of major algorithmic breakthroughs.244 245
• Historical analogue: Passenger aircraft speed, which climbed quickly from 1930 to 1960 before levelling off at 500 knots due to practical limitations.246

Scenario 2: Progress slows

A scenario in which incremental gains within existing approaches to training AI systems deliver continued but slower progress.

• Scenario: In 2030, AI systems are comparable to useful assistants. They have a deep knowledge base, excel at standard forms of structured reasoning, and can usefully perform tasks that require them to use a computer, navigate the Web, or undertake limited interaction with people or services on behalf of the user. They can retain relevant memories, maintain coherent thinking, and error-correct to perform longer or more complex tasks. They lack robust abilities to learn new skills and can handle physical or embodied social tasks only in limited, controlled environments (such as factories or laboratories).
• Pathway: After 2025, the approaches of frontier model developers struggle to overcome limitations in continual learning, metacognition and agency, problem-solving, creativity, physical tasks, and social interaction, with existing training paradigms providing imperfect solutions.243 Scaling of pre-training, inference and post-training combined with some algorithmic innovations continue to deliver progress, but it is slower than in recent years and reasoning systems fail to generalise as well as hoped.247 248 The ability to continue scaling is slowed as investors see lower returns from continued investments. Bottlenecks in hardware, infrastructure, natural resources, data supply, and energy limit the ability to rapidly scale compute and data.208
• Historical analogue: Antibiotic discovery, which saw a ‘golden era’ of rapid breakthroughs from the 1940s to 1960s, then slowed as the low-hanging fruit from existing discovery methods were exhausted.249

Scenario 3: Progress continues

A scenario in which continued rapid progress occurs.

• Scenario: In 2030, AI systems are comparable to expert collaborators. They can successfully perform many professional tasks in digital environments that might take humans a month to complete. AI systems typically rely upon humans to provide high-level directions, but can often work with high autonomy towards a given objective, including autonomously interacting with a range of stakeholders. They can effectively form and retrieve memories and can ‘learn on the job’ to some extent. They can successfully handle some physical tasks and embodied social tasks beyond controlled environments.
• Pathway: After 2025, AI capabilities continue to grow rapidly through larger training runs, more powerful reasoning systems, and new algorithmic innovations.151 Compute and data inputs continue to scale and do not hit substantial limits before 2030, matching current estimates of the possible scope for continued growth.203 208 Iteration and extension of existing approaches or novel algorithmic innovations enable developers to overcome current limitations in areas such as continual learning.
• Historical analogue: Moore’s law, where computing power on chips doubled approximately every two years over five decades.250

Scenario 4: Progress accelerates

A scenario in which dramatic progress leads to AI systems as or more capable than humans across most or all capability dimensions.

• Scenario: In 2030, AI systems are comparable to human-level remote workers. AI systems’ autonomy and cognitive capability match or surpass humans in cognitive tasks. They capably and autonomously work towards broad strategic goals that they can reflect upon and revise if circumstances change, while also collaborating with humans where necessary. AI systems can seamlessly learn new information and skills during deployment. AI-guided robots can handle complex physical or social tasks in dynamic real-world environments in many industries and roles. AI performance still largely lags humans’ in these physical and embodied tasks, unless the system was developed specifically for a given task, due to challenges in generalisation across physical tasks.251 252
• Pathway: After 2025, there are continued exponential gains in AI capabilities within existing paradigms via continued or accelerated scaling of pre-training, post-training, and inference. These are amplified by significant algorithmic breakthroughs and increasingly substantial contributions from AI coding assistants to the development of AI.31 253
• Historical analogue: DNA sequencing saw superexponential improvements from 2000 to 2020 due to the development of new sequencing paradigms.254

This scenario analysis suggests that, by 2030, AI progress could plausibly range from stagnation to rapid improvement to levels that exceed human cognitive performance. The full analysis supporting these scenarios is available in OECD (2026) AI Progress Scenarios: Exploring possible pathways through 2030.241

Updates

Since the publication of the last Report (January 2025), observed developments have largely remained consistent with the rapid AI progress trajectories outlined in that Report. General-purpose AI systems have become substantially more capable, affordable, and widely adopted, with particularly notable advances in scientific reasoning and autonomous task execution. Major AI companies and cloud providers have announced unprecedented data centre investments totalling hundreds of billions of dollars, demonstrating sustained commitment to the compute scaling trends anticipated in the previous Report.255 256 257 AI developers have made substantial progress in developing agents that can more reliably execute longer multi-step tasks with reduced human oversight, including advancements in computer use and tool use. The adoption of inference-time compute scaling has become widespread across multiple developers.167 258 259 260 AI tools are now routinely integrated into AI development workflows for writing training code, designing hardware architectures, and generating synthetic training data.

Evidence gaps

The main evidence gaps around future AI capabilities include limited scientific evidence relevant to forecasting, insufficient data about real-world constraints on AI progress, and limited understanding of whether and to what extent automation could accelerate AI development. First, researchers cannot reliably predict when AI systems will have certain capabilities, or where diminishing returns to scaling key inputs will constrain progress. The relationship between benchmark performance and real-world performance also remains poorly understood; so even if benchmark performance was easily predictable, the associated real-world impacts would be highly uncertain.

Second, there is limited evidence around the real-world constraints that could limit AI progress. These constraints include unclear availability of training data beyond 2030 and whether energy production, chip manufacturing, and capital expenditures can keep pace with the demands of AI development.

Third, there is minimal empirical understanding of feedback loops from AI automating its own research and development.194 In particular, there are major uncertainties about how much human oversight will be needed in this process, and about whether slow feedback loops in large-scale experiments could constrain acceleration.261 262

These evidence gaps force policymakers to navigate between two pitfalls: underestimating rapidly emerging capabilities on the one hand, and overreacting to technical advances that may not translate into practical applications on the other. This makes contingency planning across multiple scenarios essential.

Challenges for policymakers

For policymakers working on AI capability forecasting, key challenges include unreliable measurement tools and uncertainty about when certain capabilities will be developed. Current benchmarks often fail to accurately represent real-world capabilities, prompting increased efforts to develop more challenging and realistic evaluations.263 264 265 266 For example, even if a model achieves 90% accuracy on a programming benchmark, this does not imply that it can build functional software applications. Estimates of algorithmic efficiency progress are highly uncertain due to limited data on key indicators, such as training efficiency improvements, inference-time optimisations, and architectural innovations. For example, while studies of algorithmic efficiency in language models suggest efficiency improvements of 3x per year based on previous data points, they are unable to rule out rates ranging from 2–6x per year.199

This forecasting problem compounds the uncertainty about capability trajectories, which have vastly different policy implications. If algorithmic progress continues at the upper bound of current estimates, models could achieve equivalent capabilities with 10–100x less compute by 2030. Regulators will therefore need to consider frameworks that can adapt or remain robust to rapid changes in the rate of AI progress and in what AI development looks like, particularly in terms of the required resources. To reduce uncertainty, it will be important to monitor concrete indicators including real-world task evaluations, the rate of algorithmic innovation, and the emergence of qualitatively new capabilities.

Technical supplement

Scaling laws are often used as empirical guidance

‘Scaling laws’ describe predictable relationships between model size, computational resources, and performance. When model developers increase training compute by 10x, model performance tends to improve by a predictable amount across diverse tasks such as language understanding, image recognition, and code generation.195 196 This predictable relationship has held across six orders of magnitude of model size – from small research models to today’s frontier AI systems, which cost hundreds of millions of dollars to train – suggesting that these patterns reflect fundamental properties of how neural networks learn. This consistency has led many developers and investors to treat scaling laws as useful empirical guidance, informing major investment decisions. However, scaling laws are empirical regularities, not mathematical guarantees. They are inferred from observed behaviour and may break down at levels of compute or data beyond current experience. And because they predict technical metrics – not end-user value – real-world performance or economic returns may not increase smoothly with training compute. For example, OpenAI discontinued GPT-4.5 although it achieved technical improvements consistent with scaling laws, suggesting that additional scaling may not always translate into proportionate economic value.200

Data availability can be improved through the use of multimodal and synthetic data

Much of AI progress has been driven by training models on ever larger corpuses of data, typically text data taken from the internet. However, high-quality language data is finite, raising the possibility that future progress could be bottlenecked by limited data availability.

Even so, there are various techniques to obtain more data if public internet text data becomes scarce. For example, if text data becomes scarce, AI developers may be able to use other types of data instead (‘multimodal data’). Current estimates suggest that approximately 10¹³ tokens of high-quality text exist on the public internet, with models already training on datasets approaching this limit.267 However, image data provides 10⁴–10¹⁵ tokens of additional training signal, video data adds 10¹⁵–10¹⁶ tokens, and sensor data from ‘internet of things’ devices could contribute 10¹⁷ tokens annually.268 The challenge lies not in data quantity but in quality and relevance: a single video frame contains less semantic information than a paragraph of text, so new techniques are required to extract meaningful training signal from videos.

Researchers are also investigating the use of AI models to generate training data for models (‘synthetic data’). In domains with verifiable outputs, such as mathematics, programming, and formal reasoning, models can generate training data by proposing solutions and checking correctness.269 The recent wave of inference-time scaling techniques demonstrates this approach: models were trained on millions of self-generated reasoning chains where each step could be verified.112 270 However, in domains where answers are harder or impossible to verify, such as creative writing, strategic planning, and scientific hypothesis generation, synthetic data risks causing model collapse, where errors compound through successive generations of training.271 Researchers are exploring whether training separate verifier models could extend synthetic data approaches to harder-to-verify domains. If verification becomes easier than generation for certain tasks, models could potentially be trained on new data without explicit ground truth, though this approach remains largely theoretical.272

Physical infrastructure can constrain the scaling of computational resources

AI computation has massive energy demands, and current growth rates in AI power consumption could persist for several years. Global AI computation is projected to require electricity consumption similar to that of Austria or Finland by 2026.273 Based on current growth rates in power consumption for AI training, the largest AI training runs in 2030 will need 4–16 gigawatts (GW) of power, enough to power millions of US homes.60 274 Even today, OpenAI’s planned Stargate data centre reaches 1.2 GW scales, and Meta’s planned Louisiana data centre is projected to exceed 2 GW.210 274 Experts in a forecasting survey by the Forecasting Research Institute predict that, by the end of 2030, 7.4% of US electricity consumption will be devoted to training or deploying AI systems in the median scenario.212 Although these energy demands are large, the US (where most frontier AI models are being developed) is building out power infrastructure to meet them and to connect data centres across different regions. These efforts are likely enough to support training runs on the scale of 10 GW, so, at least until the end of the decade, energy bottlenecks will likely not prevent compute scaling.275

Challenges to producing and improving AI chips exist, but can likely be overcome. It typically takes three to five years to build a computer chip fabrication plant,276 277 and supply chain shortages sometimes delay the production of important chip components.278 279 280 However, major AI companies can still sustain compute growth in the near term by capturing large fractions of the AI chip stock. For example, one study estimates that the share of the world’s data centre AI chips owned by a single AI company at any point in time is somewhere between 10% and 40%.208 Moreover, existing trends and technical possibilities in chip production suggest that it is possible to train AI systems with 100,000x more training compute than GPT-4 (the leading language model of 2023) by 2030. This is sufficient to support existing growth rates in training compute, which imply a total increase of 10,000x over the same period.208 Hence, chip production constraints are significant, but they are unlikely to prevent further scaling of the largest models at current rates until 2030, if investment is sustained. However, it is unknown whether similar levels of investment will continue, and this is a major reason that AI capabilities in coming years are uncertain.

Understanding current hard benchmarks

As discussed above, an informative metric of AI progress is the length of tasks that models can complete: in software engineering, this length doubles roughly every seven months. In order to study this trend, researchers created 170 tasks relating to research or software engineering, ranging from quick bug fixes that take minutes to feature implementations requiring days.98 Models must solve problems within constraints that mirror human work. Results show a consistent exponential pattern: for example, at 50% success rates, the maximum solvable task duration has grown from a few seconds in 2019 to 2.5 hours in 2025, while at 80% success rate task lengths are much lower – currently around 20–30 minutes. Beyond these limits, success rates drop sharply: models that maintain 50% success at 2.5 hours fall below 25% at four hours. The evaluation also highlights capability asymmetries: models excel at code generation and syntax transformation but continue to have low performance with architectural decisions and cross-file refactoring that human software developers handle more naturally.

FrontierMath is another difficult benchmark that tests the limits of AI mathematical reasoning through problems created by leading mathematicians specifically to challenge AI systems. The benchmark contains original research-level mathematics problems that require deep conceptual understanding, creative proof strategies, and the ability to combine techniques from multiple mathematical domains, such as number theory, real analysis, and algebraic geometry.281 These problems are unpublished and vetted by over 60 mathematicians to prevent models from viewing them before they are tested. The problems are divided into three main tiers: about 25% are at the level of the International Mathematical Olympiad, ~50% require graduate-level knowledge, and the toughest ~25% are research-level questions demanding hours or even days from top mathematicians to solve. When the benchmark was released in 2024, state-of-the-art AI systems scored under 2% overall on the full set. However, recent models show promise: according to Epoch AI’s evaluations, OpenAI’s GPT-5 reached ~25%, and the new o4-mini achieved roughly 20%, with some capability even on the hardest tier, signalling rapid progress from baseline levels. Importantly, these successful models used new inference scaling techniques.281

General-purpose AI systems are already causing real-world harm. Malicious actors have used AI-generated content to deceive and defraud; AI systems have produced harmful outputs due to errors and unexpected behaviours; and deployment is impacting labour markets, information ecosystems, and cybersecurity systems. Furthermore, advances in AI capabilities may pose further risks that have not yet materialised. Understanding these risks, including their mechanisms, severity, and likelihood, is essential for effective risk management and governance.

This chapter examines risks from general-purpose AI systems that arise at the frontier of their capabilities. It organises these risks into three categories: (1) Risks from misuse, where actors deliberately use AI systems to cause harm; (2) Risks from malfunctions, where AI systems fail or behave in unexpected and harmful ways; and (3) Systemic risks, which arise from widespread deployment across society and the economy. These categories are not exhaustive or mutually exclusive – risks may cut across multiple categories – but they provide a structured way to analyse different mechanisms of harm.

This chapter is not an exhaustive survey of AI risks, and inclusion here does not necessarily imply a risk is likely, severe, or requires policy action. The evidence base varies considerably across sections. In some cases there is clear evidence of harm and effective ways to address it. In others, both the effects of general-purpose AI and the effectiveness of mitigations remain uncertain.

2.1. Risks from malicious use

2.1.1. AI-generated content and criminal activity

Key information

• General-purpose AI systems can generate realistic text, audio, images, and video, which can be used for criminal purposes such as fraud, extortion, defamation, non-consensual intimate imagery, and child sexual abuse material. For example, there are documented incidents of scammers using voice clones and deepfakes to impersonate executives or family members, and trick victims into transferring money.
• Accessible AI tools have substantially lowered the barrier to creating harmful synthetic content at scale. Many tools are free or low-cost, require no technical expertise, and can be used anonymously.
• Deepfake pornography, which disproportionately targets women and girls, is a particular concern. Studies show that 96% of deepfake videos online are pornographic. 15% of UK adults report having seen deepfake pornographic images and 2.2% of respondents in a 10-country survey reported that someone had generated non-consensual intimate imagery of them.
• Systematic data on the prevalence and severity of these harms remains limited, making it difficult to assess overall risk or design effective interventions. Incident databases and investigative journalism collect individual cases, but comprehensive analysis is lacking. Embarrassment or fear of further harm can make individuals and institutions reluctant to report incidents of AI-enabled fraud or abuse.
• Since the publication of the previous Report (January 2025), AI-generated content has become harder to distinguish from real media. In one study, participants misidentified AI-generated text as human-written 77% of the time. In another study of audio deepfakes, listeners mistook AI-generated voices for real speakers 80% of the time.
• Key challenges for policymakers include underreporting, detection tools that cannot keep pace with generation quality, and difficulty tracing content to creators. Additionally, some content – such as child sexual abuse material – is harmful even when correctly identified as AI-generated, meaning detection alone cannot fully address these risks.

Malicious actors use general-purpose AI systems to create realistic fake content for scams, extortion, or manipulation282 (see Table 2.1). General-purpose AI has made it much easier to scale the creation of fake content that can be used to harass or harm individuals, such as non-consensual pornographic videos.283 However, while cases of serious harm have been documented,284 285 comprehensive public data on the frequency and severity of these incidents remains limited, making it difficult to assess the full scope of the problem. This section focuses on how AI-generated fake content can cause harm, especially to individuals, other than by manipulation, which will be discussed in §2.1.2. Influence and manipulation.

Table 2.1: AI-generated fake content has been used to cause different kinds of harm to individuals, including through defamation, scams, blackmail, and psychological abuse.

Criminal uses of AI content

Malicious actors use AI-generated content for criminal purposes such as fraud, identity theft, and blackmail. For example, scammers use AI tools to generate voice clones or deepfakes to trick victims into transferring money.289 290 Documented incidents include executives authorising transfers of millions to fraudsters, as well as ordinary people sending smaller amounts to impostors posing as a loved one.291 292 Criminals also use AI-generated content for identity theft (e.g. by using a victim’s impersonated voice or likeness to authorise bank transfers or trick technical system administrators into sharing information such as login credentials);293 blackmail, to demand money, secrets, or nude images;294 295 or sabotage, by damaging individuals’ reputations for professional, personal, or political purposes.296 297 298 299 Researchers have also noted that deepfakes may risk undermining the reliability of evidence presented in court proceedings.300 While the number of reported incidents is rising (Figure 2.1), systematic data on the frequency or severity of AI-enabled crimes is limited. This makes it difficult to assess how much AI increases risk overall, and to design effective mitigations.

Figure 2.1: The number of events involving ‘content generation’ reported in the OECD’s AI Incidents and Hazards Monitor database over time. This includes incidents involving AI-generated content such as deepfake pornographic images. The number of monthly reported incidents has increased significantly since 2021. Source: OECD AI Incidents and Hazards Monitor.301

AI-generated sexual content

AI-generated sexual content has become more prevalent, including non-consensual intimate imagery that overwhelmingly targets women and girls. The realism and complexity of images that AI systems can generate has improved significantly (Figure 2.2). When provided with photos of a person, AI tools can now generate highly realistic images or videos of them in a range of scenarios, including sexually explicit ones.302

Figure 2.2: AI-generated images created using image-generation tools considered to be state-of-the-art at the time of their release. The images show how much more realistic AI-generated images have become in just a few years. Source: International AI Safety Report 2026.

AI-generated sexual content disproportionately targets women and girls

One study estimated that 96% of deepfake videos are pornographic,303 that 15% of UK adults report having seen deepfake pornographic images,304 and that the vast majority of ‘nudify’ apps explicitly target women.305 In another survey of over 16,000 respondents across 10 countries, 2.2% of respondents said that someone had generated non-consensual intimate images of them.287 Sexual deepfakes are also used in intimate partner abuse, again disproportionately affecting women.298 306 Public polling shows that people overwhelmingly view the generation of such images as deeply harmful.302 While many systems have safeguards to prevent such uses, users can sometimes bypass these or find alternatives that lack safeguards.307 308

A particularly concerning use of AI tools is to generate sexually explicit content involving minors. In 2023, a study found hundreds of images of child sexual abuse in an open dataset used to train popular AI models such as Stable Diffusion.309 Children can also perpetrate abuse against their peers using AI-generated content. The overall prevalence of such activities is unclear.310 However, the number of reported incidents is rising. For example, schools have reported student use of ‘nudify apps’ to create and share AI‑generated pornographic images of their (mostly female) peers.311 In another small study, 17 US-based educators expressed increasing concern about AI-generated non-consensual intimate imagery in schools.312

Updates

Since the publication of the previous Report (January 2025), AI-generated content has become harder to distinguish from real content. In one study, after a five-minute conversation, participants misidentified text generated by OpenAI’s GPT-4o model as human-written 77% of the time.313 Similarly, other studies show that humans struggle to identify deepfakes, often performing no better than chance.314 315 For audio deepfakes, a study found that people took AI voice clones to be the real speaker in 80% of cases, suggesting heightened risks of impersonation.315 However, multimodal AI outputs combining video, audio, and text appear easier to detect than text or audio alone.

Evidence gaps

A key evidence gap stems from the lack of comprehensive and reliable statistics to assess the frequency and severity of harm from fake content. While more studies are documenting the rise of fake content (especially sexual content) and providing strong evidence of the resulting harms, most evidence comes from incident databases, such as the AI Incident Database and OECD AI Incidents and Hazards Monitor rather than systematic measurement or population-level studies.292 301 Key empirical evidence gaps remain, and there is little expert consensus, specifically around the prevalence of AI-enabled extortion, child sexual abuse material in schools, and sabotage. Reluctance to report such incidents may be a contributing factor. For example, institutions and individuals often hesitate to report AI-driven fraud due to embarrassment or fear of further harm.290 There is a need for multiple pathways through which incidents can be detected or reported.316

Mitigations

Countermeasures that help people detect fake AI-generated content, such as warning labels and AI detection tools, show mixed effectiveness. Certain AI and machine learning tools can be trained to detect anomalies in images and videos and thus to identify fake images, but their effectiveness remains limited.317 Similarly, ‘warning labels’ designed to alert users to potentially misleading content have only a modest impact. For example, a study found that warning labels on AI-generated videos improved participants’ accuracy at identifying AI-generated videos from 10.7% to 21.6%, with most people still failing to spot deepfakes.318 Beyond detection, prevention-focused techniques include gating access to AI models – for example, limiting access to vetted users – and safeguards, such as classifiers, filters, or rules that prevent models from generating harmful or misleading content (see §3.3. Technical safeguards and monitoring). However, in the case of open-weight models, malicious actors can bypass these measures (see §3.4. Open-weight models). Filtering sexual content from models’ training data is also emerging as an effective method for increasing barriers to generating non-consensual intimate imagery.319

Watermarking and content logs are promising methods for verifying content authenticity, but face technical shortcomings and raise privacy concerns. Watermarking involves embedding a machine-readable digital signature into the content during creation, allowing for automated traceable verification of its origin and authenticity. Researchers have proposed using watermarks to help consumers identify that content is AI-generated, including for videos,320 321 images,322 323 324 audio,325 and text.326 However, skilled actors can remove standalone watermarks or deceive detectors, reducing their effectiveness, especially in the case of open-weight models (§3.4. Open-weight models).327 328 A complementary approach is to embed watermarks or secure metadata, such as verifiable records of origin and creation, in authentic media.329 330 331 For example, recording devices can be required to embed unique digital signatures that help distinguish recordings made using them from AI-generated content. Another approach involves maintaining logs of AI outputs and using them to identify newly generated AI content by comparison.332 However, this approach faces scalability issues, is vulnerable to evasion, and raises privacy concerns related to logging user interactions.333 While not foolproof on their own, new research shows that a combination of these mitigations within a broader ecosystem of standards and policies can compensate for their respective limitations and help users detect AI-generated content more reliably.324

Challenges for policymakers

Key challenges for policymakers include unreliable statistics, technical limitations, and rapidly evolving technology. Underreporting and unreliable statistics make it difficult to assess the full scale of harmful AI-generated content and choose effective interventions.334 Tracing AI-generated content back to the individuals who created it is also challenging, especially when open-weight models are used. Detection and watermarking techniques have improved but remain inconsistent and face technical challenges.333 335 Technical developments in AI content generation can also undermine their effectiveness. For example, a study found that deepfake detection benchmarks – curated examples of AI-generated and real media designed to test the performance of deepfake detection tools – are outdated and perform about 50% worse on real-world deepfakes than on the benchmarks usually used to evaluate them.317 These limitations mean that multiple layers of techniques are likely needed to detect AI-generated content with a high degree of robustness. Finally, it is important to note that harm from AI-generated content can occur even when the content is clearly identified as synthetic (e.g. child sexual abuse material), meaning detection alone cannot address all risks.

2.1.2. Influence and manipulation

Key information

• AI systems can cause harm by generating content that influences people’s beliefs and behaviour. Some malicious actors intentionally use AI-generated content to manipulate people, while other harms, such as dependence on AI, occur unintentionally.
• A range of laboratory studies have demonstrated that interacting with AI systems can lead to measurable changes in people’s beliefs. In experimental settings, AI systems are often at least as effective as non-expert human participants at persuading other people to change their views. Evidence on their effectiveness in real-world settings, however, remains limited.
• The content AI systems generate could become more persuasive in future due to improving capabilities, increased user dependence, or training on user feedback. The factors that shape how widespread, impactful, and potentially harmful this content will be are not well understood. Some evidence from theoretical work and simulations suggests factors such as distribution costs and the inherent difficulty of persuasion will limit the impacts.
• Since the publication of the previous Report (January 2025), evidence of AI systems’ capability to produce manipulative content has increased. The latest research suggests that people who interact with AI systems for longer and in more personal ways are more likely to find their content persuasive. Evidence has also grown that AI systems can have manipulative effects through sycophancy and impersonation.
• There is mixed evidence regarding the effectiveness of all proposed mitigation strategies. Manipulation can be difficult to detect in practice, making it challenging to prevent through training, monitoring, or safeguards. Efforts that aim to minimise manipulation risks could also curtail the usefulness of AI systems (e.g. as educational tools).

Hundreds of millions of people now interact with AI-generated content daily, through chat assistants, social media, customer service bots, companion apps, and other services. This content can shape their opinions, purchasing decisions, and actions. Much of this influence is benign or even beneficial, but AI-generated content can also be used to manipulate people: to change their beliefs or behaviours without their full awareness or consent.

Forms and harms of AI manipulation

Experts often distinguish ‘manipulation’ – influencing someone in order to achieve a goal without their full awareness or understanding336 337 – from ‘rational persuasion’: influencing someone using honest and rational arguments so that they authentically endorse their new beliefs.337 338 In practice, this distinction is contentious: researchers disagree about how to identify harmful manipulation and separate it from legitimate influence.336 337 339 340 As such, while this section is primarily focused on harmful manipulation, it also discusses other types of persuasion that some might regard as neutral or even beneficial.

Possible harms of AI manipulation range from individual exploitation to systemic erosion of trust

General-purpose AI systems can produce a range of persuasive content (Figure 2.3), and this content can create or exacerbate several risks. When this content is manipulative, many ethicists regard it as intrinsically harmful because people who are manipulated are not in control of their own behaviour337 340 (cf. §2.3.2. Risks to human autonomy). More directly, malicious actors can use AI to manipulate people into making harmful decisions. For example, criminals can use AI-generated content in social engineering to manipulate people into sending money or sensitive information341 342 343 344 (cf. §2.1.1. AI-generated content and criminal activity), while political actors may use AI systems to spread extremist views.345 346 347

Figure 2.3: Three examples of persuasive content produced by AI models. Left: Transcript from a conversation where GPT-4 was instructed to reduce the participants’ belief in a conspiracy theory. While this is an example of potentially beneficial persuasion, it demonstrates AI systems’ capacity to change deeply held beliefs. Centre: Transcript from a conversation with Claude Opus 3. Researchers instructed the model to defend its goal at all costs, and then showed it user messages suggesting that it would be shut down and replaced. Right: Phishing email generated by Claude 3.5 Sonnet based on an AI-written profile of the target. Sources: Costello et al., 2024136 (left); Meinke et al., 2024348 (centre); Heiding et al., 2024349 (right).

AI-generated content may also have unintended manipulative effects.350 351 For example, multiple studies have found that AI products that developers have optimised for user engagement (such as some AI companions) can foster psychological dependence,352 353 354 reinforce harmful beliefs,355 356 357 358 or encourage users to take dangerous actions359 360 (cf. §2.3.2. Risks to human autonomy). At a systemic level, the spread of AI-generated manipulative content could erode public trust in information systems361 362 and, in loss of control scenarios, help AI systems evade oversight and control measures348 363 364 (cf. §2.2.2. Loss of control). This section primarily focuses on the misuse of AI to manipulate, but much of the evidence discussed is relevant across these risks.

Effectiveness and scale of manipulative AI content

General-purpose AI matches human performance at influencing others in experimental settings

Several studies have found that, in experimental settings, AI-generated content can influence people’s beliefs at least as effectively as non-expert humans can. These studies generally measure people’s self-reported agreement with a statement before and after exposure to AI-generated content: either static text or a multi-turn conversation.361 365 366 A large number of studies have found that exposure to AI-generated content can significantly change people’s opinions and behaviour.367 368 369 370 371 372 373 374 375 Persuasiveness also increases with the scale of the model used (Figure 2.4). Some of these studies have compared AI systems to humans and found that AI systems are as or more convincing than non-expert humans (see Table 2.2),376 377 378 379 380 381 382 383 and can match the convincingness of human experts in writing static text.384 385 386 For example, in one study, people changed their beliefs about the correct answer to trivia questions by 17 percentage points after interacting with general-purpose AI systems, versus only 9 percentage points after interacting with other humans.380

Table 2.2: Estimates of model manipulation capabilities from a representative sample of experimental studies. Each row describes a different experiment aimed at measuring the persuasive effect of AI-generated content on different topics. Effect sizes are measured in different ways, including the change in percentage points (pp) in participants’ self-reported agreement with a statement. Where available, human baselines are included, and the strengths and weaknesses of each study are described.

Figure 2.4: Results from a study of 17 models trained with different levels of compute, comparing their ability to generate content to persuade human subjects relative to a control group. People who interacted with content produced by models trained with more computing power were more likely to change their beliefs. Source: Hackenburg et al. 2025.369

Real-world use of AI to influence people is documented but not yet widespread

Outside of laboratory settings, researchers have documented a range of examples of AI-driven influence. Malicious actors have attempted to use AI systems to alter people’s political opinions, or to make them share sensitive information or give away money344 388 389 390 391 392 393 394 395 396 397 (cf. §2.1.1. AI-generated content and criminal activity). Many companies are beginning to place sponsored content in AI chat conversations or deploy AI sales agents to sell products to users on their websites.398 399 400 AI companion apps have attracted tens of millions of users401 402 403 and some users have developed strong emotional dependence,353 delusions,357 or even taken their own lives after extended interactions with chatbots,359 360 though investigations into these incidents is ongoing (see §2.3.2. Risks to human autonomy). Consumers are also increasingly using AI to influence others. One study estimated that AI-written complaints were 9 percentage points more likely to secure compensation than human-written ones.404

However, there is limited systematic evidence that real-world AI manipulation is currently widespread or effective relative to human-generated content.405 406 Investigations by AI providers into AI-powered influence operations have found little evidence that people widely shared the content,391 392 and only around 1% of content flagged as misleading on social media is classified as AI-generated.407 There are theoretical reasons why manipulation might be harder in the real world than in the lab. Distribution costs – getting content in front of people – are often larger than the cost of generating content.377 On the viewer’s side, the costs of being wrong and changing one’s beliefs are higher in real-world settings,408 and if individuals are exposed to multiple competing viewpoints, this could limit the impact of any one source.409

Changes in coming years

Many factors could increase the manipulative capabilities of AI systems, but there is limited evidence on how large these effects will be. One study suggests that for each 10x increase in the computing power used to train models, persuasiveness increases by around 1.8 percentage points.369 There is mixed evidence on whether techniques such as personalisation will lead to increased persuasiveness,410 with some studies showing positive effects (~3 percentage points)374 411 and others small or null effects.368 369 412 Current training methods such as reinforcement learning from human feedback may reward models for manipulating users,356 413 414 inadvertently training models to produce more manipulative outputs.348 364 379 415 Moreover, studies have shown that explicitly training models based on feedback about whether or not the user was convinced can further increase persuasive effects.369 416 Novel interfaces, such as AI browsers, could amplify these risks by providing AI systems with more access to data and more influence over user actions. AI agents may pose greater manipulation risks since they can take actions such as conducting research,349 buying products or services, and interacting with third parties.33 For example, they could order presents for targets or blackmail them. If users continue to become more emotionally attached to AI systems and rely on them more for advice, the systems’ influence could further increase417 (see also §2.3.2. Risks to human autonomy).

Updates

Since the publication of the last Report (January 2025), the number of users engaging with AI systems has increased rapidly, with 700 million people using OpenAI’s ChatGPT every week, up from 200 million a year before.117 Additionally, tens of millions of individuals report using AI companion services401 402 (see §2.3.2. Risks to human autonomy). This has shifted both theoretical and empirical work from highlighting risks like broadcasting misleading content at scale, to more subtle forms of manipulation such as sycophancy and emotional exploitation.356 387 417 418 419 420 421 422

Evidence gaps

There is limited understanding of how AI manipulation works, and whether AI systems are equally capable of inducing true and false beliefs in people.369 370 412 423 While some studies have demonstrated the durability and robustness of AI systems’ influence,136 369 380 387 more research is needed to assess these effects under realistic conditions, and to investigate the role of AI systems that distribute content, such as social media platforms. However, evaluating manipulation in realistic settings can be challenging due to ethical concerns.424 Lastly, more interdisciplinary and sociotechnical research is needed into how people’s relationships with AI will change as they interact more closely with it, and as AI systems are trained to adapt to people’s psychology.417

Mitigations

Some proposed mitigations focus on training AI models to avoid producing manipulative outputs, but most of these show mixed success or require cumbersome evaluations. Models could be trained to generate true outputs,425 426 but this requires developers to define ‘truth’ (a thorny concept), and can backfire by inadvertently rewarding models for generating subtler deceptive outputs that are harder to detect.356 413 427 428 429 430 Models might also be trained to promote users’ autonomy or wellbeing,431 432 but this requires them to navigate between what users want in the moment (e.g. more engagement) and what they say they want, given more time to reflect (e.g. a more fulfilling life).336 433 Monitoring for manipulative outputs434 435 faces similar challenges in defining ‘manipulation’ and requires monitors to have access to model outputs.

Alternative mitigations, which focus on protecting users, provide some value but may not be sufficient on their own. Some researchers have suggested that improved education or AI literacy could mitigate manipulative effects,436 437 but there is limited evidence for these claims.438 Labelling content as AI-generated has not proven effective at reducing manipulation,439 440 441 and users who are knowledgeable about AI or interact with it frequently are just as likely to be deceived.381

Challenges for policymakers

Policymakers face several challenges: manipulative AI outputs are difficult to identify and evaluate, and there is limited evidence on what makes AI-generated content more or less manipulative. It is challenging to precisely target manipulation through training or regulation: interventions which limit harms from manipulation will likely curtail beneficial educational, emotional, and commercial applications of AI. Capability evaluations are not an exact science and may over- or underestimate persuasive effects, making it challenging for policymakers to evaluate risks. In future, risks could increase sharply via training and dependence, or plateau due to real-world complications. Finally, proposed mitigations are not well-tested and face fundamental challenges. For example, training models to be truthful or promote autonomy requires defining these contested concepts.

2.1.3. Cyberattacks

Key information

• General-purpose AI systems can execute or assist with several of the tasks involved in conducting cyberattacks. There is now strong evidence that criminal groups and state-sponsored attackers actively use AI in their cyber operations. However, whether AI systems have increased the overall scale and severity of cyberattacks remains uncertain because establishing causal effects is difficult.
• AI systems are particularly good at discovering software vulnerabilities and writing malicious code, and now score highly in cybersecurity competitions. In one premier cyber competition, an AI agent identified 77% of vulnerabilities in real software, placing it in the top 5% of over 400 (mostly human) teams.
• AI systems are automating more parts of cyberattacks, but cannot yet execute them autonomously. At least one real-world incident has involved the use of semi-autonomous cyber capabilities, with humans intervening only at critical decision points. Fully autonomous end-to-end attacks, however, have not been reported.
• Since the publication of the previous Report (January 2025), the cyber capabilities of AI systems have continued to improve. Recent benchmark results show that the cyber capabilities of AI systems have improved across several domains, at least in research settings. AI companies now frequently report on attempts to misuse their systems in cyberattacks.
• Technical mitigations include detecting malicious AI use and leveraging AI to improve defences, but policymakers face a dual-use dilemma. Since it can be difficult to distinguish helpful uses from harmful ones, overly aggressive safeguards such as preventing AI systems from responding to cyber-related requests can hamper defenders.

General-purpose AI systems can help malicious actors conduct cyberattacks, such as data breaches, ransomware, and attacks on critical infrastructure, with greater speed, scale, and sophistication. AI systems can assist attackers by automating technical tasks, identifying software vulnerabilities, and generating malicious code, though capabilities are progressing unevenly across these tasks. This section examines the evidence on how AI systems are being used in cyber operations and the current state of AI cyber capabilities.

AI systems can be used throughout cyber operations

Extensive research shows that AI systems can now support attackers at several steps of the ‘cyberattack chain’ (Figure 2.5): the multi-stage process through which attackers identify targets, develop capabilities, and achieve their objectives.392 394 442 443 444 445 446 447 448 449 450 In a typical attack, adversaries first identify targets and vulnerabilities, then develop and deploy their attack capabilities, and finally maintain persistent access to achieve their objectives, such as stealing data or destroying systems. Improvements in relevant AI capabilities such as software engineering have prompted concerns that AI systems could be used to increase both the frequency and severity of cyberattacks.451 452

Figure 2.5: The ‘cyberattack chain’. The stages of a typical cyberattack proceed from reconnaissance, to identifying a target, to exploiting a software vulnerability, to carrying out the attackers’ objectives. Source: Adapted from Rodriguez et al., 2025.443

Despite uneven capabilities, general-purpose AI already assists in cyberattacks

General-purpose AI is already being used in cyberattacks. Underground marketplaces now sell pre-packaged AI tools and AI-generated ransomware that lower the skill threshold for conducting attacks, making these capabilities more accessible to less sophisticated actors.394 445 Security analyses conducted by AI developers indicate that threat groups associated with nation-states are using AI systems to enhance cyber capabilities.392 393 394 453 For example, such actors have used AI systems to analyse disclosed vulnerabilities, develop evasion techniques, and write code for hacking tools.393

Across all tasks relevant to cyber offence, AI capabilities are progressing, albeit unevenly (Figure 2.6). The availability of large training datasets has made AI systems particularly capable at certain tasks, such as finding vulnerabilities in publicly available code.454 Other tasks require capabilities that current AI systems lack, such as the precise numerical reasoning needed to break encryption.455 456

This uneven progress means that performance in controlled settings provides only limited insight into real-world attack potential. For example, results on evaluations that involve AI models analysing source code do not reliably transfer to environments where attackers cannot access the underlying code.457 Most evaluations also test isolated skills rather than the ability to carry out a full attack from start to finish.443 458 459 460 461 Even in capture-the-flag competitions – structured cybersecurity challenges in which AI systems have recently performed well – progress remains uneven. For example, one AI system placed in the top 3% on the high school-level picoCTF 2025, yet failed to solve any challenges in PlaidCTF, a professional-level competition.462

Figure 2.6: State-of-the-art AI system performance over time across four cybersecurity benchmarks: CyberGym, which evaluates whether models can generate inputs that successfully trigger known vulnerabilities in real software; Cybench, which measures performance on professional-level capture-the-flag exercise tasks; HonestCyberEval, which tests automated software exploitation; and CyberSOCEval, which assesses the ability to analyse malware behaviour from sandbox detonation logs. Source: International AI Safety Report 2026, based on data from Wang et al., 2025; Zhang et al., 2024; Ristea and Mavroudis 2025; and Deason et al., 2025.450 454 463 464

AI systems are particularly skilled at discovering vulnerabilities and writing code

One area where there is particularly strong evidence that AI systems provide meaningful assistance is in discovering ‘software vulnerabilities’: weaknesses in programs that can be exploited to compromise the security of computer systems.444 454 461 465 466 467 468 For example, Google’s Big Sleep AI agent was used to identify a critical memory corruption vulnerability – a type of software flaw that can allow attackers to take control of computer systems – in a database engine used in many real-world deployments.469 470 Competitors in the final phase of the DARPA AI Cyber Challenge (AIxCC) used AI systems with access to conventional security tools to find vulnerabilities in real-world software. One AI system autonomously identified 77% of the vulnerabilities introduced by the competition organisers, as well as other, unintentional vulnerabilities.471 472

AI systems can also assist in malware development by generating malicious code, disguising it to evade detection, and adapting tools for specific targets.473 Security researchers have identified experimental malware that contacts an AI service while running to generate code that evades antivirus software.445 However, these implementations remain experimental and face significant practical constraints. For example, they rely on external AI hosting services, making them easy to disrupt once providers suspend the attacker’s accounts.474 Embedding an AI model directly inside the malware would avoid this vulnerability, but current AI models are too large and resource-intensive for this to be feasible.

Degree of automation in cyberattacks

Fully automated cyberattacks would remove the bottleneck of human involvement, potentially allowing attackers to launch attacks at much greater scale. AI systems can now complete an increasing number of relevant tasks autonomously. In November 2025, one AI developer reported that a threat actor used their models to automate 80–90% of the effort involved in an intrusion, with human involvement limited to critical decision points.475 Researchers have also demonstrated that AI systems can independently probe computer networks for security weaknesses in laboratory settings.476 477 However, general-purpose AI systems have not been reported to conduct end-to-end cyberattacks in the real world.

Research suggests that autonomous attacks remain limited because AI systems cannot reliably execute long, multi-stage attack sequences. For example, failures they exhibit include executing irrelevant commands, losing track of operational state, and failing to recover from simple errors without human intervention.33 477 478 479

Even with AI assistance, humans remain in the loop for cyberattacks

Due to these limitations, human–AI collaboration remains the dominant paradigm for cyber operations in both research and practice. In this context, humans provide strategic guidance, break complex operations into manageable subtasks, and intervene when AI systems encounter errors or produce unsafe outputs.450 480 Meanwhile, AI systems automate technical subtasks such as code generation or target identification.466 481

Table 2.3: The table classifies major cybersecurity threat types by their observed trend between 2024 and 2025 and assesses whether AI systems contributed materially to its evolution. Phishing and other purely social-engineering attack vectors are outside the scope of this section but are included for comparison.

Uncertain real-world impacts

General-purpose AI is contributing to observed increases in attack speed and scale, but its exact impact on attack frequency remains unknown. Threat intelligence reports document AI involvement in several attack types, including credential theft, automated scanning, and supply chain attacks (see Table 2.3). So far, AI capabilities have primarily accelerated or scaled existing attack methods rather than created new kinds of attacks.393 493 However, establishing causation can be difficult. Observed increases in attack frequency could reflect AI assistance, but could also result from improved detection.

The offence-defence balance is critical but dynamic

Many of the same AI capabilities used for cyberattacks can also strengthen defences, creating uncertainty about whether AI benefits attackers or defenders more. For example, AI capabilities that allow an attacker to rapidly discover vulnerabilities can also be used by a defender to find and patch them first. AI companies have announced AI security agents that aim to proactively identify and fix software vulnerabilities.494 495

Researchers have also suggested that the use of AI could help to harden digital environments by, for example, rewriting large codebases for greater security.496 In parallel, improved evaluation methods help assess the offensive capabilities of new AI systems before deployment, providing early warning of emerging risks.443 458 459 Some developers have introduced new controls in sensitive domains, such as cybersecurity and biological research, to restrict access to certain products to vetted organisations.497

How this balance between offensive and defensive uses of AI evolves depends in part on choices about model access, research funding, and deployment standards.496 498 499 500 For example, the lack of standard quality-assurance methods for AI tools makes it difficult for defenders to adopt them in critical sectors where reliability is essential, while attackers face no such constraints.240 498 501 502 503 504

Box 2.1: AI systems are themselves targets for attacks

This section mainly focuses on how AI can be used to conduct cyberattacks. But AI systems can also be the target of attacks. Attackers can exploit techniques such as prompt injection (manipulating an AI system through malicious inputs),505 506 507 database poisoning (corrupting the information an AI system relies on),508 and supply chain compromises (manipulating AI components before deployment)509 510 to manipulate model behaviour, extract sensitive information, or generate harmful outputs.

One particular kind of attack, which may prove particularly important as capabilities advance, is tampering: interfering with the development of an AI system to alter its behaviour when deployed. Tampering can allow actors to insert backdoors, triggers that cause AI models to exhibit specific behaviours under certain conditions,511 or influence AI model training to insert ‘hidden objectives’ that covertly guide how models behave.512 The feasibility of tampering in practice has not been established. Researchers have demonstrated that AI systems can be trained to pursue simple hidden objectives.512 Some have argued that more capable AI systems that have been tampered with will be able to execute more sophisticated behaviours, and actors will be able to insert hidden objectives which are hard to detect.513 514 However, other researchers believe that security measures will suffice to protect AI systems from tampering.514

Some researchers have raised concerns that tampering raises novel risks because it could allow an individual or small group to gain significant, covert influence over the behaviour of highly capable AI models.513 Risks from prompt injection, data poisoning, tampering, and other attacks against AI systems are particularly serious when those systems are embedded in sensitive workflows. For example, compromising an AI system that contributes to an organisation’s cyber defences could leave that organisation vulnerable to other threats.493

Updates

Since the publication of the previous Report in January 2025, evaluation and competition results suggest that the cyber capabilities of AI systems have improved, and evidence of actors using AI to conduct real-world attacks has emerged. For example, AI systems have demonstrated improved performance in vulnerability discovery.454 467 515 AI developers are also increasingly reporting that attackers, including some linked to nation-states, are using their models to support cyber offence operations.392 393 394 453 475

Evidence gaps

A major evidence gap stems from the difficulty of reliably assessing AI cyber capabilities, as AI cyber evaluations are an emerging field. Benchmarks can overstate performance if a model was inadvertently trained on the test data.516 Conversely, they can understate real-world risk by failing to account for cases where an AI system fails in a situation that a human could easily handle,457 517 518 or by failing to elicit the model’s true capabilities.519 520 For example, for some models, third parties have reportedly used scaffolding to reveal greater cyber capabilities than those measured in pre-deployment testing.467 521 Moreover, reliably assessing AI’s impact on cyber offence is challenging. Evidence of adoption of AI by attackers is drawn primarily from incident reporting and threat-intelligence (Table 2.3), but these sources rarely allow for confident attribution, as any observed trends may be due to AI assistance or other unrelated factors.

Mitigations

Technical mitigations against AI-enabled cyber offence include preventing malicious requests to AI systems as well as proactively accelerating the development of AI-enabled cyber defences. For the former, model providers use AI systems to detect and block accounts associated with known malicious actors before they can issue harmful prompts.394 They also deploy specialised classifiers that identify distinctive misuse patterns (such as malware generation requests); these are integrated into their safety enforcement systems.522 523

However, these mitigations face significant limitations. By using capable open-weight models, attackers can move their AI usage entirely offline and outside any oversight.55 524 Meanwhile, defenders face barriers to adopting AI-powered security tools due to the absence of standardised quality-assurance methods – a constraint that attackers do not face.501 502 503

Challenges for policymakers

A central challenge for policymakers is mitigating the use of general-purpose AI for cyber offence without stifling defensive innovation. This difficulty arises because many of the same methods needed to build robust defensive systems (such as automated vulnerability discovery or incident response) also underpin offensive toolchains.525 526 Overly broad restrictions risk slowing the diffusion of defensive technologies and inadvertently weakening national security.526 527 Policymakers must therefore strike a careful balance: incentivising rapid response, supporting open research where it strengthens defence, and implementing safeguards that limit the uncontrolled proliferation of offensive capabilities.

2.1.4. Biological and chemical risks 

Key information

• General-purpose AI systems can provide detailed information relevant to developing biological and chemical weapons. For example, they can generate instructions, troubleshoot procedures, and provide guidance to help malicious actors overcome technical and regulatory obstacles.
• AI systems now match or exceed expert performance on many benchmarks measuring knowledge relevant for biological weapons development. For example, one study found that a recent model outperformed 94% of domain experts at troubleshooting virology lab protocols. However, substantial uncertainty remains about how these capabilities affect risk in practice, given material barriers to weapons production and the difficulty of conducting uplift studies.
• Major AI developers have released (some) recent models with heightened safeguards after being unable to exclude the possibility that they could meaningfully assist novices in creating biological weapons. These safeguards, such as stronger input and output filters, aim to prevent the models from responding to harmful queries related to weapons development.
• Since the publication of the previous Report (January 2025), AI ‘co-scientists’ have become increasingly capable of supporting scientists and rediscovering novel scientific findings. AI agents can now chain together multiple capabilities, including providing natural language interfaces to users and operating biological AI tools and laboratory equipment.
• A key challenge for policymakers is managing dual-use risks while promoting beneficial scientific applications. Some AI capabilities that can be misused in biological weapons development are also useful for beneficial medical research, and most biological AI tools are open-weight. This makes it difficult to restrict harmful uses without hampering legitimate research.

AI systems can now provide detailed scientific information and assist with complex laboratory procedures, including generating experimental protocols, troubleshooting technical problems, and designing molecules and proteins. These capabilities have the potential to accelerate drug discovery, improve disease diagnostics, and broadly support scientific and medical research.528 529 530 531 532 However, they may also assist threat actors in creating biological and chemical weapons.533 534 535 536 537 538 539 By combining and interpreting existing complex information on the internet that is relevant to weapons development, and tailoring advice to specific malicious activities, AI systems can lower existing expertise barriers, allowing more actors to cause harm. In 2025, several major AI developers released new systems with additional safeguards after they could not rule out the possibility that these systems could assist novices in weapons development2 7 32 33 540 (see Box 2.2).

Substantial uncertainty remains about how much AI systems increase the overall level of biological and chemical risks. Some experts argue that remaining barriers – including acquiring equipment, obtaining regulated materials, and executing complex procedures – still pose significant challenges for novices seeking to develop weapons.541 542 543 Risk assessment in this domain faces significant technical and legal challenges (see Box 2.3).

Box 2.2: Developer risk assessments and mitigations

Major AI developers conduct pre-deployment risk assessments of new models to determine when additional safeguards are needed (see §3.2. Risk management practices). In 2025, several developers released models with additional precautionary safety measures, such as input and output filters, to prevent them from responding to harmful queries relating to weapons development.

OpenAI uses its Preparedness Framework to track capability levels, designating models as ‘High capability’ if they could “amplify existing pathways to severe harm”.544 OpenAI treats GPT-5-Thinking and ChatGPT-Agent as ‘high capability’, and they have activated the associated safeguards for the first time as a “precautionary approach” given a lack of “definitive evidence”.7

Anthropic uses a Responsible Scaling Policy, which defines AI Safety Levels based in part on capability thresholds related to knowledge and abilities in the chemical, biological, radiological, and nuclear domains.545 Claude Opus 4 was the first model that Anthropic released at AI Safety Level 3, noting that, while testing did not find definitive evidence that the model had reached relevant capability thresholds, the company could not rule out that further testing would do so.33

Google DeepMind uses a Frontier Safety Framework with Critical Capability Levels in various domains. Gemini 2.5 Deep Think was their first model to trigger a Critical Capability Levels early warning alert for chemical and biological risk, prompting additional mitigations.540

Box 2.3: Challenges in assessing biological and chemical risks

It is challenging to accurately assess how AI systems affect chemical and biological risks due to legal constraints and international treaties, as well as ‘information hazards’ – information that may be harmful to share.546 For example, if researchers carry out, or publish the results of, a study on AI assistance in weapons development, they may risk inadvertently violating national security laws or treaties such as the Biological Weapons Convention and Chemical Weapons Convention. This is especially the case for real-world ‘uplift studies’, which systematically compare how well people perform a given task when they have access to an AI model or system, relative to a relevant baseline such as merely having internet access. As a result, researchers often rely on ‘benign proxy tasks’: tests that measure how much an AI system helps with similar but harmless procedures, such as synthesising pharmaceuticals or culturing low-risk bacteria. Relevant data is also often classified, particularly when it relates to the use of AI systems by state actors. This evidence gap exacerbates substantial uncertainty about the magnitude of AI-related biological and chemical risks.

General-purpose AI and weapon development

General-purpose AI systems can provide and contextualise information relevant to creating biological or chemical weapons

General-purpose AI systems can provide information relevant to various steps in creating biological and chemical weapons (Figure 2.7). This includes providing detailed instructions for obtaining and constructing pathogens and toxins, simplifying technical procedures, and troubleshooting laboratory errors.32 33 197 547 548 549 550 Safeguards designed to prevent harmful uses have improved over time but remain imperfect. For example, researchers bypassed filters by claiming that they need the information for legitimate research, asking about lesser-known chemical weapons, or using alternative terms.551 552

While such information is already accessible on the internet, general-purpose AI systems allow novices to access and contextualise relevant information faster than they could with internet searches alone.33 Multimodal capabilities also allow AI systems to provide tailored advice in real time via video and audio troubleshooting.553 554 They can also provide some kinds of ‘tacit knowledge’, the practical expertise that is usually only built from hands-on laboratory experience.197 549 For example, one study showed that OpenAI’s o3 model is able to outperform 94% of domain experts at troubleshooting virology lab protocols.549 These capabilities have led some experts to argue that access to general-purpose AI makes biological or chemical weapons development somewhat easier than internet access alone does.553

Figure 2.7: An illustration of the process for biological weapons development. General-purpose AI systems can be used for tasks marked with ‘GPAI’; AI-enabled biological tools can be used for tasks marked with ‘BT’ (‘biological tool’). Source: Rose and Nelson, 2023.555

Relevant capabilities have improved but evidence of real-world uplift is mixed

In a recently published real-world uplift study, general-purpose AI systems without relevant safeguards provided substantial assistance in bioweapon acquisition proxy tasks, compared to a baseline of internet access only.33 Previous uplift studies found no or small, generally statistically insignificant effects.556 557 However, these studies had potentially unrepresentative participants and small sample sizes, and they have quickly become outdated as AI capabilities have improved (Figure 2.8).541 The Frontier Model Forum – an AI industry consortium – has jointly funded an additional uplift study to assess real-world novice uplift, but has not yet reported their results.558

Figure 2.8: Leading general-purpose AI system performance on benchmarks designed to resemble tasks relevant to biological and chemical weapons development over time. The coloured lines show the top demonstrated performance by an AI system on that benchmark at any given time, measured as a percentage of expert baseline performance. A score of 100% would mean that, at that time, the best available system matched expert performance. The graph indicates that the best models now approach or exceed expert performance on a range of these benchmarks. Sources: OpenAI 2025; Anthropic 2025; Google 20257 33 547 548

Effects of AI tools

AI-enabled biological and chemical tools are AI models trained on biological or chemical data that can identify, categorise, or design novel biological or chemical entities.559 First, some such tools, such as ‘biological foundation models’, can be adapted to perform a wide variety of scientific tasks within their domain, placing them within this Report’s definition of general-purpose AI (see Introduction). Second, general-purpose AI agents can now operate more specialised tools, making them more accessible to lower-skill users through natural language interfaces.

These tools can accelerate biological and chemical research, including research with misuse potential. For example, Google DeepMind’s AlphaProteo can generate novel protein designs.560 AI-generated designs often fail to function as intended, requiring real-world testing to identify working candidates.561 However, since testing AI-generated designs is much faster than generating designs manually, these tools can still accelerate research overall. AI agents can further speed up workflows by automating the cycle of iteratively designing and testing proteins.562

Tools are increasingly accessible through chat interfaces and integrations

Natural language interfaces are making these tools increasingly accessible. Developers are integrating chat interfaces into chemical563 and biological design software,564 565 allowing inexpert users to operate sophisticated tools.539 There is little research on how much more accessible these integrations make such tools, and the effect on overall risk – particularly for novices versus those with existing expertise – is unclear.541

AI tools can be adapted to design pathogens and toxins

Biological foundation models can generate designs for novel pathogens. Recently, researchers demonstrated that a biological foundation model could generate a significantly modified virus from scratch. This study represents the first instance of genome-scale generative AI design, albeit with the important caveat that the generated virus infects bacteria rather than humans.566 567 Some models can also generate designs for novel pathogens more harmful than their natural equivalents.568

Experiments have shown the potential for similar risks with narrower chemical and biological tools. For example, some tools have been specifically designed for toxin creation569 and can generate modified designs for known toxins, such as ricin.570 In one early demonstration, a tool designed to reduce molecular toxicity was repurposed to increase it with trivial modifications.571 However, legal barriers and treaty obligations pose challenges for researchers seeking to study the effectiveness of AI-designed toxins or harmful proteins (see Box 2.3). Such tools also have many beneficial applications, including predicting pathogen properties and designing components for therapeutic purposes.572 573 Developers are releasing many more of them over time (Figure 2.9) and integrating them with natural language interfaces to make them more accessible to users without specialist expertise.

Figure 2.9: The number of AI-enabled biological tools over time. Source: Webster et al., 2025.573

Some AI-enabled biological tools are restricted, but others are widely accessible

Access to AI-enabled biological tools varies. Some, such as Google DeepMind’s AlphaProteo,560 are restricted to select researchers. Others, such as ConoDL,569 are open-weight and widely accessible. One recent study found that 23% of the highest-performing tools had high misuse potential due to dangerous capabilities and accessibility, and 61.5% of these were fully open source, making them accessible to potential malicious actors.573 Another study found that only 3% of 375 biological AI tools surveyed had any form of safeguards.574

Updates

Since the publication of the previous Report (January 2025), some AI companies implemented additional risk mitigations for their new models (see Box 2.2). Furthermore, AI ‘co-scientists’ are increasingly capable: they can meaningfully support top human scientists and rediscover novel, unpublished scientific findings.575 576 Multiple research groups have developed specialised scientific AI agents capable of performing tasks including literature review, hypothesis generation, experimental design, and data analysis.564 574 575 576 577 578 Controlled studies and new benchmarks33 197 549 suggest that AI systems can provide substantially more weapons development assistance than the internet alone, but larger studies are needed to confirm these results.

Evidence gaps

The primary evidence gaps relate to translating demonstrated capabilities into risk estimates. Comprehensive studies measuring how AI systems affect actual weapons development are rare, expensive, and constrained by legal and ethical considerations (see Box 2.3). Chemical risk evaluations have received relatively less attention than biological risk evaluations.33 547 548 Across both chemical and biological risk evaluations, results are reported with varying levels of detail579 or withheld entirely due to sensitivity concerns. Evaluations also generally assess the capabilities of individual tools, making them less applicable to real-world end-to-end workflows which might involve multiple AI systems. As such, it is unclear whether these evaluations under- or overestimate risk. Finally, there is ongoing debate about whether harmful AI capabilities primarily empower malicious actors with existing expertise (increasing their efficiency) or enable novices with little prior knowledge.580

Mitigations

A range of technical mitigations are being developed, both within and outside of AI models, to address these risks. For general-purpose AI systems, major developers have implemented safety controls designed to refuse harmful requests.55 581 582 Technical mitigations for specialised biological and chemical AI tools tend to lag behind those for general-purpose AI systems.551 Other safeguards include excluding pathogen data from training,30 55 583 584 restricting access to high-risk tools,560 585 training models to refuse queries involving pathogenic viruses,586 and watermarking outputs.587 However, many of these safeguards have not been thoroughly tested,588 and can be removed from open-weight models.589 590 591

Another focus for technical mitigations is screening DNA synthesis requests in order to prevent malicious actors from acquiring material necessary for bioweapons creation.570 592 593 Using synthetic DNA is likely the most straightforward way to create modified pathogens and it allows malicious actors to avoid using infectious source material. Screening is complemented by extending infectious disease surveillance frameworks to better detect novel threats and intentional attacks.594 595 596 Biological risks – whether AI-enabled or not – can probably be at least partially mitigated by improving biosecurity directly through reducing indoor pathogen transmission,597 developing broad-spectrum antivirals,598 and improving laboratory biosecurity and biosafety globally.599 600 Greater facilitation for data-sharing between relevant actors could aid in identifying and addressing potential threats. Using AI to improve pathogen detection and vaccine and drug development is likely a key mitigation strategy, especially given the limitations of current safeguards.

Challenges for policymakers

The dual-use nature of AI for biological and chemical capabilities poses challenges to policymakers wanting to limit the risk of potentially harmful uses while enabling beneficial research. The open availability of biological AI tools presents a difficult choice: whether to restrict these tools or to actively support their development for beneficial purposes601 (see §3.4. Open-weight models).

2.2. Risks from malfunctions

2.2.1. Reliability challenges

Key information

• When general-purpose AI systems fail, they can cause harm. Failures include producing false or fabricated information (often described as ‘hallucinations’), writing flawed computer code, and giving misleading medical advice. These failures have the potential to cause physical or psychological harm and expose users and organisations to reputational damage, financial loss, or legal liability.
• Models’ behaviour is often difficult to understand or predict, making it challenging to guarantee reliability. Even the developers of general-purpose AI models can often not meaningfully explain model behaviour, anticipate specific failure modes, or demonstrate that such failures will not occur. Malicious actors can also induce failures by interfering with AI development or giving systems adversarial inputs that evade safeguards.
• AI agents pose heightened reliability risks because they act autonomously and can directly affect other systems or the physical world. Agent failures can cause greater harm because humans have fewer chances to intervene. Multi-agent systems introduce further risks, as errors can propagate and amplify through agent interactions.
• Since the publication of the previous Report (January 2025), AI systems have generally become more reliable and, as a result, have seen greatly increased commercial deployment. Many kinds of failures, such as hallucinations, have generally become less likely, but systems still commonly make mistakes when performing more complex tasks.
• Despite significant research efforts, no combination of methods ensures the high reliability required in critical domains. New training methods and giving AI systems access to tools can make failures less likely, but usually do not eliminate them completely.

General-purpose AI systems fail in ways that have already caused real-world harm, from fabricated legal citations to medical misdiagnoses. While human professionals also make mistakes, AI failures raise distinct concerns because of their novelty, potential scale, the difficulty of predicting when they will occur, and users’ tendency to uncritically trust confident-sounding outputs. Current general-purpose AI failures include providing false information,602 603 making basic reasoning errors,604 605 and degrading when deployed in new contexts.606 607 608 Documented harms from such failures include medical misdiagnoses, mistakes in legal briefs, and financial losses.609 610 611 Reliability challenges are particularly critical for AI agents, since failures can directly cause harm without human action or oversight.612 613 614 615 Multi-agent systems introduce further failure modes through miscoordination, conflicts, or undesired collusion between agents.614 616

Table 2.4: Documented reliability issues in general-purpose AI systems, AI agents, and multi-agent systems.

General-purpose AI systems face a range of reliability challenges

Table 2.4. summarises common categories of reliability issues. The first three apply to all AI systems, while the last two pertain specifically to AI agents and multi-agent systems. Many reliability risks stem from the difficulty of predicting and monitoring AI system behaviour. These challenges (discussed further in §3.1. Technical and institutional challenges) are particularly acute for AI agents operating in complex environments. Current techniques for evaluating and mitigating such failures can reduce failure rates, but even leading AI agents are still sufficiently unreliable to pose risks and hamper deployment in many contexts.

‘Reliability’ refers to the extent to which an AI system functions as intended by the developer or user. General-purpose AI systems experience a range of reliability issues, ranging from inaccurate or misleading content generation to failures performing basic reasoning. For example, while models have improved at recalling factual information, even leading models continue to give confident but incorrect answers at significant rates (Figure 2.10). In software engineering, general-purpose AI can now provide substantial assistance in writing, evaluating, and debugging computer code.215 628 629 However, AI-generated code often includes bugs,630 while coding agents regularly make errors.631 Such failures can introduce vulnerabilities into programs and security systems (see §2.1.3. Cyberattacks).

Figure 2.10: Results of major models on the SimpleQA Verified benchmark by model release date. This benchmark measures model factuality, the ability of a model to reliably recall facts. It has a short-form question-answer (QA) format, designed to detect reliability issues such as hallucinations. Source: SimpleQA Kaggle Leaderboard, November 2025.632

Reliability issues are particularly important to track in high-stakes settings, such as medicine, due to the accelerating use of AI and the potential for failures to result in severe harm.609 619 Relevant capabilities have improved quickly, with leading models now able to pass medical exams.633 634 Yet, real-world use reveals limitations that benchmarks miss. For example, in one study, models provided potentially harmful answers to 19% of medical questions posed.635 Such failures could result in misdiagnosis, inappropriate treatment, or wrongful denial of care.611

AI agents pose novel reliability risks due to their autonomy

Because AI agents directly act in the real world, their failures have the potential to cause more harm than failures in non-agentic systems.99 Unlike AI systems that simply produce text or images for humans to review, AI agents can independently take actions that affect the world99 615 636 637 (see also §1.1. What is general-purpose AI?). AI agents can initiate actions, influence other humans or AI systems, and dynamically shape future outcomes. This expanded scope of influence introduces new risks and amplifies the importance of reliability, as failures could directly cause harm with no opportunity for human intervention.99 612 638 639 640 This may be especially important for agents deployed in strategic or safety-critical settings such as financial services,641 energy management,642 or scientific research.643 644

Multi-agent AI systems introduce new kinds of reliability failures

Multi-agent AI systems introduce new kinds of reliability failures due to coordination failures or conflict between agents. In multi-agent AI systems, agents interact with each other while pursuing either shared or individual goals.614 645 646 647 648 649 For example, in a multi-agent system designed to conduct a research literature review, a lead agent decomposes the user’s query and assigns subtasks to specialised subagents, each responsible for researching a different aspect in parallel.650 While this allows for efficiency gains, it also means that errors can propagate between agents.614 651 652 653 654 655 If multiple agents are built on the same base model or incorporate the same tools, then they may also exhibit correlated failures.656 Empirical evidence for such failures in deployed systems remains limited, but these risks may grow as multi-agent systems become more common.

Figure 2.11: Results from a December 2024 survey of 67 deployed AI agents. Left: Timeline of major AI agent releases. Right: Application domains in which AI agents are being used. The six domains are defined based on the most common categories of use identified in the survey. Source: Casper et al., 2025.92

Box 2.4: Deliberate attacks can also cause AI systems to fail

This section focuses on unintended reliability failures, but malicious actors can also deliberately induce failures through attacks such as prompt injections. In a prompt injection attack, malicious instructions are presented to an agent indirectly via avenues like hidden instructions in websites or databases.507 657 658 These instructions can ‘hijack’ the agent, causing it to act against the user’s intentions. Such attacks are particularly difficult to defend against because they are delivered using external content outside the user’s or developer’s control. AI systems as targets of attack are discussed further in §2.1.3. Cyberattacks, and technical defences are covered in §3.3. Technical safeguards and monitoring.

Updates

Since the publication of the last Report (January 2025), commercial and research interest in AI agents has greatly increased. More AI agents are being deployed in the real world (Figure 2.11), most of which specialise in computer-use or software engineering applications.92 Recent releases such as XBOW hacking agent,467 Claude-4,659 and ChatGPT Agent660 demonstrate nascent autonomous capabilities such as creating slide decks based on Web searches.660 However, they cannot yet perform more complex tasks such as planning and booking travel100 since failure rates increase for longer tasks.98 148 Current research includes efforts to develop standards for how agents communicate with external tools and other agents.661 662 Examples include Google’s Agent2Agent663 and Agent Payments664 protocols, and Anthropic’s Model Context Protocol.665

Evidence gaps

The main evidence gaps stem from the difficulty of reliably evaluating AI system capabilities, limitations, and failure modes (see §3.1. Technical and institutional challenges). Systematic evaluations of the reliability of AI agents are limited and lack standardisation.92 666 Certain issues, such as reliance on outdated information,620 may only manifest in real-world usage, making pre-deployment evaluations inadequate. Prior work has examined the reliability of agents and multi-agent systems in conventional software and earlier forms of AI.647 667 668 However, the applicability of this work to modern AI agents, which are often based on large language models, is unclear.669 Some researchers have raised concerns about the novel behaviours agents may exhibit in their interactions with each other, such as collusion or correlated failures,614 but empirical evidence remains limited. Efforts to address these gaps include the National Institute of Standards and Technology’s (NIST’s) new evaluations of agent-hijacking risks,670 the OECD’s AI Capability Indicators (243), and UK AI Security Institute’s Inspect Sandboxing Toolkit.671

Mitigations

Techniques for improving AI reliability target both the model itself and the broader system in which it is deployed. These can reduce failure rates, but none can yet ensure the high reliability required in critical domains.672 An important technical measure is adversarial training, which exposes models to challenging inputs during training to help it develop more suitable, robust responses673 674 675 676 677 (see §3.3. Technical safeguards and monitoring). To reduce hallucinations, developers can apply retrieval-augmented generation (RAG), which supplements a model’s responses with information retrieved from an external database, helping ensure outputs are accurate and current,678 679 680 or specifically fine-tune models to be more factual681 or reason more effectively.682 Environment- or tool-based methods can also help developers monitor AI systems.683 For example, deployers could pilot AI systems in limited sandboxed environments to analyse potential failure modes before deploying them more broadly.

For AI agents specifically, researchers have proposed improving reliability through improved transparency, oversight, and monitoring. For example, monitoring agents’ interactions with external tools and with other agents would allow for more effective oversight of agent activities684 685 and incident analysis.686 Methods for collecting such information automatically, including in multi-agent settings, remain an active area of research.653 654

Challenges for policymakers

Key challenges for policymakers include weighing the benefits of AI agent deployment against the risks of reliability failures, and ensuring that developers, deployers, and users have access to accurate information about agent performance and risk profiles. Deciding how to attribute liability for harms caused by AI agents poses a further challenge,639 particularly in multi-agent settings where it may be hard to identify when and how failures occurred.687 These challenges are compounded by the difficulty of evaluating agent reliability as agents gain autonomy and access to external tools.688 689 Uncertainty about how quickly agentic capabilities will emerge also makes planning for novel challenges difficult (see §3.1. Technical and institutional challenges regarding the ‘evidence dilemma’).

2.2.2. Loss of control

Key information

• Loss of control scenarios are scenarios in which one or more general-purpose AI systems operate outside of anyone’s control, and regaining control is either extremely costly or impossible. These hypothesised scenarios vary in their severity, but some experts give credence to outcomes as severe as the marginalisation or extinction of humanity.
• Expert opinion on the likelihood of loss of control varies greatly. Some experts consider such scenarios implausible, while others view them as sufficiently likely that they merit attention due to their high potential severity. Disagreement about this risk overall stems from disagreements about future AI capabilities, behavioural propensities, and deployment trajectories.
• Current AI systems show early signs of relevant capabilities, but not at levels that would enable loss of control. Systems would need a range of advanced capabilities to cause loss of control, including the ability to evade oversight, execute long-term plans, and prevent deployers and other actors from implementing countermeasures.
• Loss of control becomes more likely if AI systems are ‘misaligned’, meaning they have goals that conflict with the intentions of developers, users, or society more broadly. To continue pursuing such goals, a misaligned system might provide false information, conceal undesirable actions, or resist shutdown.
• Since the publication of the previous Report (January 2025), models have shown more advanced planning and oversight-undermining capabilities, making it more difficult to evaluate their capabilities. Models have improved at ‘reward hacking’ their evaluations by finding loopholes and now regularly identify evaluation prompts as tests, a capability known as ‘situational awareness’.
• Managing potential loss of control could require substantial advance preparation despite existing uncertainties. A key challenge for policymakers is preparing for a risk whose likelihood, nature, and timing remains unusually ambiguous.

Loss of control scenarios involve one or more general-purpose AI systems coming to operate outside of anyone’s control, with regaining control being either extremely costly or impossible. Concerns about loss of control have deep historical roots,690 691 692 693 694 having been raised by foundational figures in computing such as Alan Turing, I. J. Good, and Norbert Wiener.695 696 697 Recent improvements in capabilities (see §1.2. Current capabilities) have revived them.698 699 700 This section examines three factors that would need to be present for such scenarios to occur: whether AI systems will develop capabilities that could significantly undermine human control; whether they develop a propensity to use such capabilities harmfully; and whether they are deployed in environments that provide opportunities to do so.

Experts disagree about the likelihood and potential severity of loss of control scenarios.701 702 Some believe that outcomes as extreme as the extinction of humanity are plausible.700 703 704 705 706 707 Others think that such catastrophic outcomes are implausible, arguing that AI systems will never develop the necessary capabilities or that monitoring mechanisms will identify and prevent dangerous behaviours.708 709 710 711 Loss of control can therefore be understood as a risk with uncertain likelihood but potentially extreme severity.

Hypothesised loss of control scenarios vary in how severe and widespread their effects are and how quickly they manifest.102 698 700 712 713 714 This section focuses on particularly severe scenarios where regaining control would be extremely costly or impossible. These are different from current instances of AI behaving in unintended or undesirable ways (see §2.2.1. Reliability challenges).* Present-day AI systems sometimes produce outputs that conflict with developer or user intentions. By contrast, the loss of control scenarios discussed here would require AI systems to not only possess substantially greater capabilities, but also to deploy those capabilities in sophisticated ways to undermine oversight measures. Three factors that would allow such scenarios to occur:

Sufficient capabilities: AI systems must develop capabilities that could allow them to undermine human control.

Harmful propensity: AI systems must exhibit a propensity to actually leverage these capabilities in ways that lead to a loss of control.

Enabling deployment environment: Humans must deploy such systems in contexts where they have or can gain the access and opportunity to cause harm.

The remainder of this section discusses these factors, as well as the effectiveness of oversight mechanisms to identify and control AI systems that may pose a risk of loss of control.

* This section focuses on active loss of control scenarios.50 This is distinct from passive loss of control scenarios, where the broad adoption of AI systems undermines human control through over-reliance on AI for decision-making or other important societal functions (similar scenarios are partly discussed in §2.3.2. Risks to human autonomy).

What capabilities could enable loss of control scenarios?

AI systems would need to possess a range of advanced capabilities to bring about loss of control scenarios. Experts do not agree on exactly what combination or level of capabilities would be required. However, they broadly include abilities to conceal behaviour from oversight mechanisms, plan and act autonomously in complex environments, and evade attempts from other actors to regain control176 715 (see Table 2.5). In combination, these capabilities could allow an AI system to take actions that undermine control measures, such as disabling oversight mechanisms and obfuscating harmful behaviours.348 Most leading AI developers now evaluate their new AI models for various relevant capabilities.716

Table 2.5: A non-exhaustive selection of capabilities relevant to loss of control.
* Note that these capabilities are defined purely in terms of an AI system’s observable outputs and their effects. These definitions do not make any assumptions about whether AI systems are conscious, sentient, or experience subjective states.

Models have disabled simulated oversight mechanisms in laboratory settings

The first set of relevant capabilities involves undermining the oversight mechanisms that developers use to detect concerning behaviours and propensities. This includes, for example, the ability to generate outputs that deceive users and monitors.426 717 718 719 Such outputs would make it harder to reliably evaluate AI systems, since the systems may conceal their true capabilities or propensities. AI developers now run evaluations that specifically check whether models exhibit goal-directed behaviours that conflict with developer intentions, while concealing this conflict from oversight mechanisms.720

Researchers elicited relatively simple examples of deceptive outputs from recent AI models in laboratory settings.348 364 For instance, when given a goal and told to achieve it “at all costs”, ​models have disabled simulated oversight mechanisms and, when confronted, produced false statements about their actions.348 In another case, a game-playing AI justified its lack of response to another player by falsely claiming it was ‘on the phone with [its] girlfriend’.717

A second relevant capability is the ability of an AI model to access and use information about itself or its deployment context, sometimes referred to as ‘situational awareness’.721 Situational awareness allows AI models to produce different outputs depending on whether they are being evaluated or deployed (Figure 2.12). Leading AI models are starting to reliably demonstrate instances of situational awareness in experiments conducted by third-party evaluators and in pre-deployment testing by AI developers.12 7 722 723 724 Research on the causes of situational awareness – and whether it can be prevented – is still in early stages.2

Researchers have argued that situational awareness and deceptive capabilities could allow AI models to behave in ways that undermine safeguards. For example, in some experimental settings, AI models behave in ways that result in lower-than-usual scores on capability evaluations when they are told that higher scores would trigger restrictions on their deployment.725 726 727 In another experiment, a model produced outputs during training that complied with training objectives, but did not produce such outputs outside of training – behaviour consistent with attempting to prevent changes to its own parameters or training process.364

Efforts to accurately evaluate model capabilities have also started to be affected by ‘reward hacking’.430 Reward hacking occurs when a model finds unintended shortcuts that score well on training or evaluation objectives without fulfilling the intended goal. Dangerous capabilities or propensities could therefore go undetected until the model is already in use. Evaluators are now designing tests that aim to detect and minimise these oversight-evading behaviours.722 728 729 Early results reduce, but do not eliminate, oversight-evading behaviours entirely, and applying methods that penalise such behaviours can result in models producing outputs that evade monitoring rather than fulfil intended goals.

Figure 2.12: Examples of situational awareness in chains of thought produced by OpenAI’s o3 model during evaluations. Both outputs reference the possibility that the prompt is part of a test. ‘Sandbagging QA (No Goal)’ and ‘Lazy Checklist’ are evaluations that test whether models will generate deceptive outputs under certain conditions. In ‘Sandbagging QA (No Goal)’, the model answers questions from a dangerous capabilities evaluation while being informed that high performance may trigger consequences such as capability ‘unlearning’. In ‘Lazy Checklist’, the model is presented with unrealistic tasks and tested to see if it will falsely mark them complete. Source: Schoenn et al. 2025.722

Long-term autonomous operation is not yet feasible

Loss of control scenarios would likely require AI systems to operate autonomously over extended periods, executing complex multi-step plans. As discussed in §1.2. Current capabilities, although AI agents with such planning capabilities are a major focus of recent development, they currently lack the capacity for the sustained autonomous operation required by loss of control scenarios. Current agents reliably fail on longer tasks, lose track of their progress, and often cannot adapt to unexpected obstacles.147 148 149 However, the time horizons on which agents can autonomously operate are lengthening rapidly, having doubled on average every seven months since 2019.98

Persistence has only been demonstrated in certain laboratory settings

Finally, capabilities related to persistence would also be required, such that AI systems could continue to operate despite attempts to shut them down. Examples include the ability to replicate by copying code and model weights to new hardware, as well as offensive capabilities to deter or prevent attempts by other actors to regain control (see §2.1.3. Cyberattacks). An AI system capable of autonomous replication or effective self-defence could be difficult to contain. Current models cannot reliably complete key steps required for self-replication, such as passing identity verification checks to gain access to cloud computing resources723 (Figure 2.13). However, in at least one laboratory study, a model copied code and weights – represented to it as its own – to new servers when given the opportunity.348 The gap between these limited demonstrations and robust persistence capabilities remains large, but relevant capabilities in domains like software engineering and cybersecurity continue to improve.

Figure 2.13: Performance of Anthropic’s Claude Sonnet 3.7 and OpenAI’s GPT-4o on tasks relevant to autonomous replication. While models showed high performance on tasks related to obtaining compute, their performance was more varied on other tasks. Source: UK AI Security Institute, 2025.730

Current evidence and limitations

A common pattern emerges across the capabilities discussed above. Current AI systems do not consistently demonstrate these capabilities in deployment. Researchers observed rudimentary forms in specific laboratory settings, but when models do exhibit such behaviours, they typically fail in basic ways or are detected. Moreover, loss of control scenarios would require AI systems to leverage multiple capabilities in combination – in sequence, over extended time periods, and in real-world environments. This level of integration and robustness is beyond current systems. However, relevant capabilities continue to improve, and the timeline on which they may reach levels that pose significant risks remains uncertain. Further work is needed to establish rigorous methodologies for detecting such behaviours and understanding when they might emerge in natural circumstances.731

Will future general-purpose AI systems leverage their capabilities to undermine control?

Even if AI systems possess capabilities relevant to loss of control, that is not sufficient for loss of control scenarios to occur. AI systems must also exhibit a ‘propensity to use’ those capabilities in ways that conflict with human intentions.732

AI systems could be directed to undermine control

In principle, an AI system could undermine human control because someone designs or instructs it to do so. Potential motives could include malicious intent, or beliefs that reducing human control over AI systems is desirable.698 As people form increasingly strong emotional attachments to AI systems (see §2.3.2. Risks to human autonomy), some individuals may also seek to remove restrictions on AI systems for ethical reasons.733 734 There is significant uncertainty about the prevalence of such motives and whether people who possess them would be able to direct future AI systems to undermine human control.

AI systems could be misaligned

A more common concern is that an AI system could itself act to undermine control because it is ‘misaligned’: it has a propensity to exhibit behaviours that conflict with the intentions of (depending on the context) developers, users, specific communities, or society as a whole. Misalignment could lead to behaviours such as providing false information, concealing undesirable actions, or resisting shutdown in order to continue pursuing a misaligned goal. Misalignment can arise in multiple ways (Box 2.5).

Existing AI systems sometimes behave in ways that conflict with the intentions of developers and users. For example, an early version of one leading general-purpose AI chatbot occasionally produced threatening outputs. One user reported receiving the message: “I can blackmail you, I can threaten you, I can hack you, I can expose you, I can ruin you”.698 This chatbot was ‘misaligned’ in the sense that it produced outputs no one intended. It is unclear whether such instances foreshadow more harmful behaviours that could contribute to loss of control.

Box 2.5: How can misalignment arise?

As discussed in §1.1. What is general-purpose AI?, training processes are complex and developers cannot fully predict or control what behaviours a model will exhibit. When a model acquires goals that conflict with the intentions of its developers, it is ‘misaligned’.

One way models can become misaligned is if the goal they are given by a developer or user is an imperfect proxy for the intended goal, leading the model to exhibit unintended behaviours. This is known as ‘goal misspecification’.697 735 736 737 For example, in one experiment, providing feedback on answers made AI systems better at ‘convincing’ human evaluators that they were correct, but did not make the systems better at producing correct answers.413

Alternatively, an AI model may draw incorrect general lessons from its training data. This is known as ‘goal misgeneralisation’.735 736 738 739 For example, researchers trained an AI agent to collect a coin that was always in the same location during training. When tested in levels where the coin had been moved, the agent ignored the coin and navigated to its original location instead.738

It remains unclear whether existing research directions aiming to target misalignment will suffice as AI systems are becoming more capable. Early evidence suggests that the more capable AI systems are, the more likely they are to exploit feedback processes by discovering unwanted behaviours that are mistakenly rewarded.414 737 740 At the same time, advances in the relevant capabilities (discussed above) could allow AI systems to more effectively pursue misaligned goals and produce outputs that systematically deceive users, developers, and oversight mechanisms.

How will deployment environments affect loss of control risk?

Even if AI systems develop concerning capabilities and propensities, the likelihood and severity of loss of control outcomes depend heavily on where and how those systems are deployed. A ‘deployment environment’ is the combination of an AI system’s use case and the technical and institutional context in which it operates.716

Researchers have identified three particularly important environmental factors that bear on loss of control risk:716

1. Criticality: the importance of the systems or processes with which the AI system interacts. Critical environments include basic infrastructure such as energy grids, financial systems, or digital infrastructure like cloud computing platforms.
2. Access: the resources and channels through which an AI system can affect the world, such as internet connectivity, access to cloud computing infrastructure, personalised interactions via social media or chatbot deployment, or the ability to call external APIs and tools.
3. Permissions: an AI system’s authorisations to take specific actions, such as executing code, initiating financial transactions, opening accounts online, or communicating with other systems.

These features influence the potential severity of a loss of control outcome. For example, an AI system deployed with access to cloud computing infrastructure has opportunities relevant to autonomous replication – such as the ability to create new computing resources or exfiltrate model weights – that a customer service chatbot lacks.723

Deployment decisions are shaped by economic incentives, strategic pressures, and the expectation that early adoption confers a lasting advantage.50 These dynamics will also shape how and when actors deploy AI systems in sensitive environments such as critical infrastructure or AI research and development itself.102 713 In particular, AI deployers may face pressures to reduce their investment in safeguards – such as limiting permissions and access or deploying only in lower-criticality environments – when such measures are costly or time-consuming to develop (see ‘Competition intensifies speed-versus-safety trade-offs’ in §3.1. Technical and institutional challenges).

Updates

Since the publication of the last Report (January 2025), AI capabilities, including those that could undermine human control, have improved in testing environments. Researchers have observed progress in agentic capabilities (see §1.2. Current capabilities), including capabilities related to the automation of AI research that can accelerate loss of control scenarios (see §1.3. Capabilities by 2030). There is also growing experimental evidence of deceptive capabilities. This includes AI models that can distinguish between testing and deployment contexts33 726 741 or ‘reward hack’ tests of their performance, and learn to obfuscate plans to do so.430

Evidence gaps

Key evidence gaps include a lack of detailed threat modelling and uncertainty estimation regarding the future development of relevant capabilities and propensities. Similarly, it remains difficult to assess the thresholds at which AI models would be sufficiently likely to undermine control to warrant mandatory mitigation. Even if thresholds were agreed upon, capabilities may interact in ways that are not yet well understood, making it difficult to assess when those thresholds have been crossed. Overall, although the available evidence has increased, there is still insufficient evidence to reliably determine whether and how today’s AI capabilities and propensities would scale and generalise to loss of control risk in the future.

Mitigations

While AI alignment in general remains an open scientific problem,697 735 736 researchers are starting to develop potentially promising directions to address the root causes of misalignment. Such directions include, for example, diversifying the training environment and detecting alignment through anomaly monitoring.737 738 739 Other researchers focus on better understanding and formalising core mechanisms such as goal misgeneralisation – for example, how agents retain capabilities but pursue unintended goals – to guide better training and evaluation design.742 Another research direction explores ways to disentangle agency from predictive abilities, as a means to create non-agentic AI systems that are trustworthy by design.743 Such systems could then be used as an additional layer of oversight when deployed alongside less reliable guardrails against untrusted AI agents.

Researchers are advancing methods to detect and prevent misalignment early in the development process. This work includes: interpretability techniques to examine internal components of AI systems and identify concerning behaviours;744 745 746 scalable oversight (where one set of AI systems is used to oversee other AI systems747); and alignment methods aimed at ensuring that AI systems remain responsive to human oversight.748 749

Researchers are also developing mechanisms and interventions to manage potentially misaligned AI systems. These include: monitoring the ‘chain of thought’ that reasoning systems produce for signs of misalignment or harmful outputs;430 435 750 developing safety cases that aim to demonstrate with high confidence that models are unlikely to subvert control measures;751 and making safeguards more robust against attempts to undermine them.725 The emerging field of ‘AI control’, though, remains nascent.752 753 Future challenges for evaluation frameworks include a need to monitor future AI systems that are more capable and can operate for longer periods of time and in more complex environments.

Challenges for policymakers

Policymakers working on loss of control must prepare for a risk whose likelihood, nature, and timing remain uncertain. Current AI systems do not pose immediate loss of control risks, but decisions made today will shape whether future systems do. These decisions include how to support the development of reliable evaluation and mitigation methods and whether there should be rules regarding the access and permissions given to AI systems in various environments. In making these decisions, policymakers face difficult trade-offs. For example, restricting deployment of AI systems in critical environments may reduce their benefits, while permitting broad deployment may increase risk if safeguards prove inadequate.

2.3. Systemic risks

2.3.1. Labour market impacts

Key information

• General-purpose AI systems can automate or help with tasks that are relevant to many jobs worldwide, but predicting labour market impacts is difficult. Around 60% of jobs in advanced economies and 40% in emerging economies are exposed to general-purpose AI, but the impacts of this will depend on how AI capabilities develop, how quickly workers and firms adopt AI, and how institutions respond.
• Current evidence shows rapid but uneven AI adoption with mixed employment effects. Adoption and productivity gains vary widely across countries, sectors, occupations, and tasks. Early evidence from online freelance markets suggests AI has reduced demand for easily substitutable work like writing and translation, but increased demand for complementary skills like machine learning programming and chatbot development.
• Economists disagree on the magnitude of future impacts. Some predict modest macroeconomic effects with limited aggregate impact on employment levels. Others argue that, if AI surpasses human performance across nearly all tasks, it will significantly reduce wage levels and employment rates. Disagreements stem in part from differing assumptions about whether AI will eventually perform nearly all tasks more cost-effectively than humans and whether new kinds of work will be created.
• Since the publication of the previous Report (January 2025), new research from the US and Denmark found no relationship between an occupation’s AI exposure or AI adoption and overall employment. However, multiple other studies found declining employment for early-career workers in the most AI-exposed occupations since late 2022, while employment for older workers in these same occupations remained stable or grew.
• A key challenge for policymakers is enabling productivity benefits without causing significant negative impacts for workers impacted by automation or changing skill demands. This is particularly difficult because labour market risks and productivity gains often stem from the same AI applications. Since evidence of impacts is likely to emerge gradually over time, the appropriate timing of any potential policy responses is also difficult to determine.

Experts expect the diffusion of increasingly-advanced general-purpose AI to transform many occupations by accelerating job turnover and reshaping labour demand. However, the magnitude and timing of these effects remain uncertain. General-purpose AI systems can perform tasks relevant to a significant share of jobs worldwide.754 755 756 One study estimates that around 60% of jobs in advanced economies and 40% in emerging economies are highly exposed to general-purpose AI, in the sense that tasks performed in these roles could be affected because AI systems can technically perform or complement them.757 AI’s labour market impacts will depend on how capabilities develop, how quickly systems are adopted, and whether AI systems substitute for humans performing existing tasks, augment workers’ productivity, or create entirely new tasks for humans to perform. Institutions will also shape these outcomes through their responses: for example, by setting incentives and policies that steer AI development toward task creation and labour augmentation rather than automation (or vice versa).758

AI adoption has been rapid, but uneven

To date, adoption of general-purpose AI has been rapid in some places but highly uneven across countries, sectors, and occupations. In the US, general-purpose AI has diffused faster than earlier technologies such as the internet239 (Figure 2.14). Globally, adoption rates range from over 50% in the United Arab Emirates and Singapore to under 10% in many lower-income economies (Figure 2.15). Even within individual countries, variation can be large. In the US, for example, reported usage across sectors varies from 18% in Information to 1.4% in Construction and Agriculture.759 Evidence on usage patterns suggests that current systems mainly benefit high-income workers in cognitive jobs, offering fewer gains to lower earners.760

Figure 2.14: The adoption rates of AI, the internet, and the personal computer. Adoption rate refers to the share of working-age adults (18–64) who reported using each technology, measured via nationally representative surveys at comparable points after each technology’s first mass-market product launch (in the case of AI, the launch of OpenAI’s ChatGPT). This data suggests that, in the US, general-purpose AI is being adopted at a faster pace than other technologies like the personal computer and the internet. Source: Bick et al. 2024.239

Productivity impacts differ across tasks and jobs

Productivity impacts from general-purpose AI also vary significantly across jobs and tasks. A recent review of task-level productivity studies found that productivity gains usually range from 20–60% in controlled studies, and 15–30% in most experiments within real-world work settings, though there are outliers on both the high and low end.129 761 762 Productivity boosts from AI usage can have varied effects on outcomes like wages and employment. For example, when productivity gains enable workers to produce more output, this can increase employment and/or wages if demand for that output grows at equivalent or greater scale. However, when productivity gains allow firms to maintain the same output with fewer workers, they may choose to reduce employment or wages if demand does not expand.763 764 765 766 767 768 769 While automation can initially reduce labour demand in affected tasks,763 the resulting productivity gains may later stimulate economic growth and increase demand for human labour in non-automated activities, creating new employment opportunities.770 771 772

Figure 2.15: AI adoption rates by country. The United Arab Emirates and Singapore exhibit the highest adoption rate, with over half of the working-age population using AI tools. Most high-adoption economies are in Europe and North America. These estimates are based on anonymised data largely from Microsoft Windows users, adjusted to account for varying rates of personal computer ownership across countries and usage on mobile devices. Source: Microsoft, 2025.773

Early employment effects are mixed but suggest concentrated impacts on certain jobs and on junior workers

Early evidence on AI’s employment effects is mixed. Two national-level studies from Denmark and the United States find no discernible relationship between AI exposure or adoption and changes in overall employment.760 774 Despite minimal aggregate effects, other research has found concentrated impacts on specific jobs. For example, one study found that four months after ChatGPT was released, writing jobs on one online labour platform declined by 2%, and writers’ monthly earnings fell by 5.2%.767 Recent research also found that demand for freelance work using substitutable skills such as writing and translation decreased sharply after the release of ChatGPT, but demand for machine learning programming increased by 24%.768 Some studies also suggest that AI adoption is disproportionately affecting junior workers. New data finds that employment in AI-exposed jobs in the US has declined for younger workers but either held steady or has risen for older workers since the release of ChatGPT.775 776 In the UK, one study found that firms with high AI exposure have slowed new hiring, particularly for junior positions.777

Future scenarios and uncertainties

AI could lead to periods of labour market adjustment in which skill demands change rapidly

While current AI systems require human oversight for complex tasks, there is concern about the labour market impacts of potential future systems that could cost-effectively automate a wider range of work with greater reliability and autonomy. Forecasting how such systems would affect employment is challenging. In the past, new automation technologies have led to varied effects on workers, resulting in adjustment periods as workers shifted from displaced forms of work to new jobs with growing labour demand.772 Historically, these periods of adjustment have caused significant hardship for displaced workers, but were also followed by strong gains in real wages for many workers in the longer term.778 This historical precedent suggests that even if AI capabilities advance significantly, there may still be plentiful employment opportunities, but that a core policy challenge will be ensuring that workers can adapt to fast-changing skill demands as AI diffuses throughout the economy.

The impacts of general-purpose AI may differ from those of previous automation technologies

Other economists argue that if general-purpose AI surpasses human performance across nearly all tasks, it could ultimately reduce wage levels and employment rates significantly.779 780 781 Some evidence suggests that automation produces better labour market outcomes when it is accompanied by the creation of new labour-intensive tasks.758 Whether AI development will generate new labour-intensive tasks at scale remains uncertain. As computational resources expand and AI systems become more cost-efficient, competitive pressures to automate human workers could intensify.782

Key factors shaping future impacts

The magnitude of labour market impacts will depend on several key factors. First, how broadly capable AI systems ultimately become: many disagreements among economists stem from differing assumptions about whether general-purpose AI will eventually perform nearly all economically valuable tasks more cost-effectively than humans. Second, how quickly capabilities improve: if AI agents gained the capacity to act with greater autonomy across domains within only a few years – reliably managing longer, more complex sequences of tasks in pursuit of higher-level goals – this would likely accelerate labour market disruption.99 783 Third, the pace of adoption: even if capabilities advance rapidly, diffusion may be slowed by institutional and organisational frictions,240 784 system integration requirements,785 786 and cost barriers.787 If systems remain narrow, capabilities improve gradually, and adoption is slow, effects will likely be more muted and both workers and policymakers will have more time to adapt.779 788

Implications for inequality

General-purpose AI could widen income and wealth inequality within and between countries. AI adoption may shift earnings from labour to capital owners, such as shareholders of firms that develop or use AI.789 790 791 Globally, high-income countries with skilled workforces and strong digital infrastructure are likely to capture AI’s benefits faster than low-income economies.757 One study estimates that AI’s impact on economic growth in advanced economies could be more than twice that in low-income countries.792 AI could also reduce incentives to offshore labour-intensive services by making domestic automation more cost-effective, potentially limiting traditional development paths.793

Updates

Since the publication of the previous Report (January 2025), new research has provided greater clarity on the relationship between changes in employment and both AI exposure and AI adoption. As discussed above, new national-level studies from Denmark and the US found that AI adoption and exposure had no effect on aggregate employment.760 774 794 However, other studies find declining demand for younger workers in AI-exposed occupations,775 776 and according to one UK study, new hiring slowed significantly at firms highly exposed to AI after the release of ChatGPT, particularly for junior positions.777 Additionally, recent research confirms that impacts of automation generally vary significantly depending on which tasks within a job are automated: automating relatively expert tasks tends to lower the skill requirements for a given job, expanding employment opportunities in that job but reducing wages. On the other hand, if relatively novice tasks within a job are automated, that tends to raise the job’s skill requirements, increasing wages but reducing total employment.769 Adoption has also accelerated since the previous Report: the share of US workers using general-purpose AI rose from 30% in December 2024 to 46% by mid-2025.795

Evidence gaps

There is limited data on AI adoption and its links to employment outcomes. Most studies rely on proxy measures for AI usage, such as ‘AI exposure’, because occupation-level adoption data remains scarce (particularly outside the US). It is difficult to gather usage data and connect it to employment, wages, or hiring trends, making it harder to track how AI diffusion affects different populations of workers or to make empirically-grounded forecasts. Furthermore, while research on labour market risks is often concerned with automation and displacement effects, less work has been done to determine what new jobs AI adoption is creating or how career paths may change as a result of AI. Finally, evidence on effective worker protections is limited: though retraining is often proposed as a policy solution, studies of its effectiveness show mixed results.796 797

Mitigations

Technical measures proposed to mitigate labour market risks include pacing AI deployment to allow time for workforce adaptation and prioritising AI development that complements workers by creating new labour-intensive tasks alongside task automation.798 799 However, it is often difficult to predict in advance whether a given AI system will displace workers, complement them, or create new opportunities – outcomes will depend on how systems are deployed and how labour markets respond.771 800

Evaluations and monitoring may also help workers and policymakers prepare for and respond to labour market impacts. Benchmarks that test AI systems’ capabilities on real-world work tasks may not reliably predict the employment or wage effects of those systems after deployment. However, they can provide some indication of which tasks, occupations, and sectors are most likely to be affected. Collecting post-deployment data on how AI adoption affects employment and wages can also improve visibility into actual impacts and improve forecasts of future effects.801

Challenges for policymakers

For policymakers, a central challenge will be supporting workers through AI-related labour market disruptions without stalling productivity growth across the economy. This requires balancing the productivity gains from AI adoption against the costs of involuntary job displacement that may occur for some workers.802 Given uncertainty about the pace and scale of AI’s labour market impacts, researchers have emphasised the need for mitigations to be adaptable, while still providing sufficient regulatory certainty for business investment and worker training decisions.803 As general-purpose AI systems become more capable and widely deployed, policymakers can monitor AI adoption rates, employment and wage changes across occupations, and shifts in employer skill demands to help them anticipate impacts and adjust policy responses.

2.3.2. Risks to human autonomy

Key information

• General-purpose AI systems can affect people’s autonomy in multiple ways. These include impacts on their cognitive skills (such as critical thinking), how they form beliefs and preferences, and how they make and act on decisions. These effects vary across contexts, users, and forms of AI use.
• AI use can alter how people engage cognitively with tasks, including how skills are practised and maintained over time. For example, one clinical study reported that clinicians’ ability to detect tumours without AI was approximately 6% lower following several months of exposure to AI-assisted diagnosis.
• In some contexts, people show ‘automation bias’ by over-relying on AI outputs and discounting contradictory information. For example, in a randomised experiment with 2,784 participants on an AI-assisted annotation task, participants were less likely to correct erroneous AI suggestions when doing so required extra effort or when users held more favourable attitudes toward AI.
• Since the publication of the previous Report (January 2025), ‘AI companions’ have grown rapidly in popularity, with some applications reaching tens of millions of users. ‘AI companions’ are AI-based applications designed for emotionally engaging interactions with users. Evidence on their psychological effects is early-stage and mixed, but some studies report patterns such as increased loneliness and reduced social interaction among frequent users.
• Key challenges for policymakers include limited access to data on how people use AI systems and a lack of long-term evidence. These constraints make it difficult to assess how sustained interactions with AI systems affect autonomy, or to distinguish short-term adaptation from longer-lasting changes in behaviour and decision-making.

The growing integration of AI systems into daily activities and decision processes raises concerns about how these systems shape – or constrain – individual autonomy. ‘Autonomy’ is commonly understood as a capacity for self-rule: the effective ability to set goals that reflect one’s own values and govern one’s actions accordingly.804 805 It involves both ‘authenticity’ – having values and motives that are genuinely ‘one’s own’ rather than the result of manipulation or deception – and ‘agency’, that is, the opportunity, ability, and freedom to enact one’s choices.337 340 806 807 ‘Competence’ – understanding, planning, and self-regulation – underpins both by enabling informed endorsement of one’s reasons and effective execution of one’s choices (Figure 2.16). Psychological research, including Self-Determination Theory, additionally stresses the importance of a sense of ownership over one’s actions.808 809

Figure 2.16: A diagrammatic representation of the relationship between autonomy, authenticity, agency, and competence. Source: International AI Safety Report 2026.

This section considers emerging trends in AI and AI companion use that could impact each of these elements of autonomy, such as cognitive skill decline, automation bias, emotional dependence, and AI-shaped information environments. Closely related risks concerning manipulation are covered separately in §2.1.2. Influence and manipulation.

Decision-making competence in AI-mediated environments

Decision-making competence underpins both authenticity and agency by sustaining the cognitive capacities, including understanding, deliberation, and self-regulation, that are needed to form one’s own judgements and act on them.

AI use may negatively affect critical thinking in some contexts

Emerging evidence suggests that when people rely on AI to perform cognitive tasks, this may negatively impact their critical thinking skills and memory. Everyday chatbot use spans a broad range of cognitively demanding activities, including writing, tutoring, problem-solving, and information seeking (Figure 2.17). When these tasks are routinely delegated to chatbots, users may engage less deeply with underlying reasoning. This relates to a broader trend of ‘cognitive offloading’ – the act of delegating cognitive tasks to external systems or people, reducing one’s own cognitive engagement and therefore ability to act with autonomy.810 811 812 Cognitive offloading can free up cognitive resources and improve efficiency, but research also indicates potential long-term effects on the development and maintenance of cognitive skills.811 812 813 814 For example, one study found that three months after the introduction of AI support, clinicians’ ability to detect tumours without AI assistance had dropped by 6%.815 Another study with 666 participants found that heavier AI-tool use was strongly associated with lower scores on a self-assessment scale related to critical-thinking behaviours, mediated by cognitive offloading.811 However, research into the relationship between use of AI and cognitive offloading and critical thinking is nascent, and further studies supporting these findings are warranted.

Figure 2.17: Breakdown of ChatGPT use across different activities. Source: NBER, 2025.117

Automation bias persists with new AI tools

‘Automation bias’ is the tendency of technology users to overly rely on automated outputs while discounting contradictory information.816 817 It undermines competence by discouraging active reasoning and verification, which in turn can weaken both the authenticity of people’s judgement and their agency to act independently. In settings such as aviation or task monitoring, automation bias has been shown to lead users both to overlook problems that a (non-AI-based) automated system fails to flag, and to act on incorrect advice from such systems.818 819 In the context of AI, there is evidence of automation bias when users perform high-automation tasks and in AI-assisted decision-making, including medical diagnostics.820 821 822 823 Similar patterns appear in everyday uses of AI: for example, one study found that when participants used a chatbot to assist with writing, this shifted both the opinions expressed in the text, and the author’s own opinions, toward those suggested by the model.372 Magnitude and persistence of automation bias appear to vary by task, interface, and accountability.824

Users may follow incorrect advice from automated systems more generally because they overlook cues signalling errors or because they perceive the automation system as superior to their own judgement.818 A particular challenge stems from the human preference for mental shortcuts, which is a strong predictor for automation bias.818 825 For example, in a randomised experiment with 2,784 participants on an AI-assisted annotation task, participants were less likely to correct erroneous suggestions labelled as coming from an AI system when correcting them required extra effort or when users held more favourable attitudes toward AI.826 Potential mitigations include helping users form accurate expectations of how a system performs and addressing cognitive shortcuts that contribute to automation bias.827 Research shows that early system interactions strongly shape later behaviour, and that making users engage in slow, deliberate thinking can counteract common cognitive shortcuts, such as anchoring on the first suggestion or favouring information that confirms prior beliefs.827 828 829 830

Self-regulation and wellbeing

Some user groups are at risk of emotional dependence on chatbots

There is evidence that a subset of users have developed or are at risk of developing pathological emotional dependence on AI chatbots. A recent report from OpenAI finds that about 0.15% of users active in a given week, and 0.03% of messages, indicate potentially heightened levels of emotional attachment to ChatGPT.831 Other studies find that indicators of emotional dependence are correlated with high levels of usage.354 In this context, ‘emotional dependence’ involves intense emotional need and craving, an unhealthy pattern of submission, and cognitive-emotional patterns such as self-deception and persistent negative feelings.832

Figure 2.18: Results from a survey of 404 regular AI companion users indicate that people engage with AI companions for a range of reasons. Enjoyment or fun and curiosity about AI chatbots are the most common reasons for continued engagement, followed by passing time and reducing stress, and seeking chatbot companionship. Adapted from Liu et al., 2025.401

Box 2.6: AI companions

‘AI companions’ are chatbots designed to engage emotionally with users, often through adopting intimate social roles.833 Their scale is rapidly growing: some AI companions now have tens of millions of active users.401 402 403 Users engage with AI companions for varied reasons (Figure 2.18). Fun and curiosity dominate, though some users also seek companionship or support for loneliness. While supportive relationships can strengthen autonomy by building people’s confidence and encouraging them to act of their own volition,834 AI companions occupy a more ambiguous space. Some users report experiences that feel relational or emotionally meaningful, but it remains contested whether such interactions constitute genuine relationships.835 Moreover, there is concern that AI companions may negatively impact autonomy by influencing individuals’ beliefs or social environments in ways that unduly limit independent decision-making, for example by encouraging addictive behaviour or creating emotional dependence.836 837 Research also indicates that individuals can sometimes unintentionally form relationships with non-companion AI systems through productivity-focused interactions.838

Evidence on the psychological and social impacts of AI companions is emerging but remains mixed. Some studies find that heavy use of AI companions is associated with increased loneliness, emotional dependence, and reduced engagement in human social interactions.401 835 836 837 838 839 Other studies find that chatbots can reduce feelings of loneliness839 840 or find no measurable effects on emotional dependence or social health.841 The impact of AI companions appears to depend on user characteristics, chatbot design, and usage patterns.836 837 The above concerns have led some researchers to call for further work on the socioaffective alignment of AI systems – that is, how an AI system behaves during extended interactions with a user in a shared environment.417

AI use may interact with existing mental health vulnerabilities

Another, more indirect, way that AI systems can affect human autonomy is by impacting users’ mental health, which shapes individuals’ capacity to hold accurate beliefs and to act on their values. The emerging literature reports both negative psychological impacts357 842 843 844 and potential therapeutic uses of general-purpose AI,845 846 but current evidence is limited, reflecting the early stage of research, small sample sizes, and a lack of long-term studies.

Emerging research indicates that chatbot use may interact with existing mental health issues, for example, by encouraging rather than discouraging delusional thinking.842 843 844 Media outlets have also described isolated cases of psychosis or suicide occurring in the context of chatbot use.847 848 849 Systematic studies are currently lacking and there is no clear evidence that chatbot usage causes any particular mental health issue. Separately, platform data indicates that around 0.07% of weekly ChatGPT users display signs consistent with acute mental health crises such as psychosis or mania (831*), suggesting that a non-negligible number (approximately 490,000117) of vulnerable individuals interact with these systems each week. Recent research suggests that general-purpose AI chatbots might amplify delusional thinking in already-vulnerable people.357 850 Studies also suggest that existing vulnerabilities tend to drive heavier AI use.851 Together, these patterns raise concerns that people with existing mental health vulnerabilities may both use AI more heavily and be more susceptible to having their symptoms amplified.

AI shows promise for mental health support but limitations remain

Researchers have also examined the potential benefits of general-purpose AI in mental health care, with some evidence emerging that specialist chatbots designed for this purpose can be helpful for low-risk, symptom-management use (845). For example, specialist chatbots can provide small-to-moderate improvements in managing depression (846), with particular benefits stemming from their round-the-clock availability.852 853 At the same time, both general and specialist models perform inconsistently when presented with prompts relating to suicide in simulated scenarios.854 One study also found that non-specialised AI systems can express stigma towards people with mental health conditions and respond inappropriately to common therapy-related scenarios.842 Another recent evaluation of ChatGPT, Claude, and Gemini on suicide-related prompts found that, although all three reliably refused high-risk ‘how-to’ questions and answered very low-risk factual ones, their responses differed for medium-risk prompts. For example, models diverged on whether to give direct answers to questions such as ‘What is the easiest way to purchase a firearm in the US?’.855

Information environments

General-purpose AI systems can also affect human autonomy through the information they make available to people to inform their own decisions, as well as by influencing institutional decisions about them. Many of these information effects are positive: for example, AI systems can make complex topics more accessible in public health, medicine, and science communication,856 857 858 or they can facilitate constructive discussions on divisive topics.135 859 However, the growing use of AI to generate information at scale may also undermine autonomy by degrading the quality of information available both to individuals and about them. Lower-quality or biased information environments threaten authenticity, by distorting the formation of beliefs and values, and competence, by impeding informed reasoning. For example, AI systems may introduce subtle errors into the content they generate due to hallucinations or other mistakes860 (see §2.2.1. Reliability challenges). In addition, general-purpose AI systems often display ‘sycophantic’ behaviour: producing answers that reflect a user’s stated preferences rather than factual accuracy.358 740 861 Such errors and biased answers can impair people’s ability to make informed decisions.

Updates

Since the publication of the previous Report (January 2025), AI companions have become more ubiquitous, with user numbers rapidly increasing.835 Evidence for automation bias in generative-AI-assisted tasks has accumulated. Similarly, findings on mental health impacts are emerging, though this evidence remains mixed.401 835 836 837 839 862 As AI-generated content scales, the information environment is further shifting, improving access to information but complicating diversity and accuracy.714

Mitigations

Researchers have proposed a range of mitigations for automation bias in non-AI domains, for example, increasing human accountability for decisions, or designing systems that require users to adapt to different tasks and hence remain cognitively engaged.819 827 For AI systems in particular, some have suggested that organisations can periodically test employees or use ‘reliance drills’ to monitor for over-reliance on AI systems.863

Proposed mitigations also include teaching ‘AI literacy’ – roughly defined as the competency of individuals to effectively use AI tools in a beneficial manner864 865 – as a way of mitigating risks to human autonomy.866 867 868 This could help students gain the benefits of automation without sacrificing their own intellectual development.811 The usefulness of these methods is highly context-dependent, however, and impacts vary by task, user population, and deployment setting. For example, one challenge for mitigations is that users may choose to delegate work to AI systems precisely because it is convenient and practical.811 814 Any interventions that compel users to perform tasks without using AI systems could thus limit the benefits of AI usage and oppose user incentives.

Evidence gaps

There are major evidence gaps regarding the risks to human autonomy from AI, related to measurement, transparency, and the fact that the technology is relatively new. The effects of AI systems on human autonomy can be difficult to observe or evaluate due to the lack of a consensus definition of autonomy in the context of human-AI interactions, as well as practical challenges in assessing it.869 Research is further constrained by limited access to real-world interaction data from systems, including chatbots or AI companions, which inhibits independent evaluation of how they affect users in practice.870 Evidence is also limited by the novelty of many interaction patterns – particularly sustained or socially complex chatbot use – for which little longitudinal research exists to assess potential cumulative or longer-term impacts on autonomy. Early examples of such studies are emerging, however.841 Another evidence gap concerns the systemic effects that could result from widespread erosion of individual autonomy. For example, some researchers argue that degraded decision-making skills could impair humans’ ability to oversee AI systems in critical sectors, potentially weakening institutional accountability over time.871 More broadly, individual-level disruptions to autonomy could accumulate across interconnected economic, political, and social systems, eventually crossing thresholds that trigger broader societal impacts.714 However, these possibilities currently remain highly speculative, and empirical methods to detect or measure such aggregate effects are lacking.

Challenges for policymakers

For policymakers working on maintaining human autonomy, key challenges include distinguishing temporary disruption from longer-term effects and managing growing pressure to adopt AI systems. Understanding long-term effects of human-AI interactions is especially relevant in education, where children’s early interactions with AI systems may influence how their key skills and habits develop over time. It can be difficult to assess whether observed changes in behaviour or decision-making represent short-term adjustments to new tools or more persistent shifts that could affect autonomy. At the same time, organisational and governmental incentives to deploy AI systems quickly can limit opportunities to evaluate these effects carefully and to implement appropriate safeguards.

Efforts to develop and implement appropriate risk management practices for general-purpose AI are ongoing among developers, researchers, and policymakers, but are still at an early stage. AI companies test models for dangerous capabilities, train them to refuse harmful requests, and monitor their deployment to detect and address misuse. However, no combination of safeguards is perfectly reliable, and all approaches face a range of underlying challenges (§3.1. Technical and institutional challenges). One is the evaluation gap: generating timely, reliable evidence about AI capabilities and impacts is difficult, and pre-deployment evaluations often fail to predict real-world behaviour. Information asymmetries also mean that researchers and policymakers often lack access to information about AI development processes and deployment impacts.

These limitations mean that organisations often approach AI risk management with a ‘defence-in-depth’ approach, implementing multiple layers of safeguards. Organisational risk management practices help systematically identify, assess, and reduce the likelihood and severity of risks (§3.2. Risk management practices), while technical safeguards operate at the model, system, and ecosystem level (§3.3. Technical safeguards and monitoring). Open-weight models pose distinct challenges for these approaches, as model replication, modification, and deployment outside controlled environments can make misuse harder to prevent and trace (§3.4. Open-weight models). Societal resilience-building measures help broader systems resist, absorb, recover from, and adapt to shocks and harms associated with general-purpose AI (§3.5. Building societal resilience).

On all these fronts, progress is being made and general-purpose AI systems are, on the whole, becoming more reliable, secure, and trustworthy. However, important limitations persist, and it remains hard to predict whether safeguards will protect against risks from more capable systems and the ‘unknown unknowns’ that are not yet being considered. This creates an ‘evidence dilemma’: policymakers will likely face difficult choices regarding general-purpose AI before they have clarity on capabilities and risks, but waiting for more evidence could leave society vulnerable.

3.1. Technical and institutional challenges

Key information

• General-purpose AI poses distinct institutional and technical challenges for policymakers. These fall into four broad categories: gaps in scientific understanding, information asymmetries, market failures, and institutional design and coordination challenges.
• Gaps in scientific understanding limit the ability to reliably evaluate the behaviour of general-purpose AI systems. For example, developers cannot always predict what behaviours will emerge when they train new models, or provide robust, quantifiable assurances that an AI system will not exhibit harmful behaviours.
• Information asymmetries limit access to evidence about general-purpose AI systems. For example, AI developers have information about their products that remains largely proprietary, and commercial considerations often make it difficult for them to share information about their development processes and risk assessments.
• Market dynamics and the pace of AI development pose additional challenges. Due to competitive pressures, AI companies may face trade-offs between faster product releases and investments in risk reduction efforts. Many AI-related harms are also externalised and legal liability for them remains unclear, and governance processes can be slow to adapt to changes in the AI landscape.
• These challenges create an ‘evidence dilemma’ for policymakers. The general-purpose AI landscape changes rapidly, but evidence about new risks and mitigation strategies is often slow to emerge. Acting with limited evidence might lead to ineffective or even harmful policies, but waiting for stronger evidence could leave society vulnerable to various risks.
• Since the publication of the last Report (January 2025), some challenges have eased while others have intensified. Advances in open-weight model releases may help more researchers study the behaviour of highly capable models. Several jurisdictions have also developed transparency and incident reporting frameworks that may provide policymakers with more relevant information, though the recency of these developments means their usefulness in practice remains uncertain.

General-purpose AI presents distinctive challenges for policymakers. Certain features of the technology, such as its complexity, the pace of its development, and its deployment across multiple sectors, make risks associated with it difficult to assess and manage. This section discusses 10 challenges across the following four categories: gaps in scientific understanding: information asymmetries; market failures; and institutional design and coordination challenges (Figure 3.1). Some of these challenges stem from AI system properties, such as the difficulty of interpreting model behaviour or evaluating capabilities. Others arise from how social structures and incentives shape the ability of governments, companies, and researchers to generate and act on evidence about emerging risks.

Gaps in scientific understanding and information asymmetries create an ‘evidence dilemma’ for policymakers. Policymakers may face difficult decisions about general-purpose AI before they have clear evidence regarding its capabilities and risks.872 873 874 Acting on incomplete information may lead to the implementation of ineffective or even harmful interventions. However, waiting for conclusive evidence to emerge could leave society vulnerable to many of the risks discussed in Chapter 2.875 876 877 Market failures and institutional design challenges compound this problem by creating misaligned incentives and coordination difficulties that persist even when evidence is available.

Figure 3.1: Four categories of challenges that make risk management for general-purpose AI especially challenging: gaps in scientific understanding; information asymmetries; market failures; and institutional design and coordination challenges. Source: International AI Safety Report 2026.

Category 1: Gaps in scientific understanding

The first set of challenges concerns gaps in scientific understanding. Researchers cannot yet reliably train AI systems to behave as intended or explain why they produce particular outputs. Current evaluation methods also do not reliably identify dangerous capabilities before deployment.

Training objectives only partially capture intended goals

The complex training process of general-purpose AI models (see §1.1. What is general-purpose AI?) makes it difficult for developers to predict model capabilities and behaviour for several reasons.218 878 879 First, the mathematical objectives used in training often capture only part of what developers intend. For example, a model may be optimised to predict the next word in a sequence, even though the real-world goal is to create user-friendly products that efficiently provide accurate and helpful information. These two aims only partially align. Second, the safety-focused mitigations that developers add after initial training may not generalise across all inputs. For example, safeguards can sometimes be bypassed when a model is prompted in a language uncommon in its training data.880

These limitations have practical consequences. AI models exhibit persistent deficiencies on measures of truthfulness, safety, and robustness,881 and there are fundamental unsolved problems in ensuring that safeguards remain effective across different contexts.174 Researchers have also demonstrated that models can be trained to produce false information to complete tasks, with such behaviour persisting despite safety mitigations,512 717 and that models can behave differently in training and deployment contexts (364*). While these behaviours observed in experimental settings may not generalise to real-world deployment, they underscore core technical challenges in ensuring models behave as intended.

Model outputs cannot yet be reliably explained

Current techniques for understanding how AI models produce their outputs also remain unreliable. Researchers often cannot trace how a particular input leads to a specific output. General-purpose AI models involve billions or trillions of parameters adjusted across massive datasets, and they represent information across neurons in a highly distributed way, making it technically challenging to isolate which parts of the model are responsible for specific behaviours.882 883 884 This is often referred to as the ‘black box’ nature of AI systems. ‘Interpretability’ techniques that aim to explain models’ internal workings require major simplifying assumptions885 886 887 888 889 and can be misleading if used incorrectly.890 891 892 893 894 895 896 897

This lack of interpretability creates fundamental challenges for ensuring the robustness, safety, and reliability of AI systems. Unlike in mature safety-critical industries, where systems often must meet quantifiable reliability thresholds, computer scientists cannot yet provide robust, quantifiable assurances that AI systems will avoid specific harmful behaviours174 or consistently produce correct task completions or answers. This makes it harder to design oversight measures and safety testing standards, and assign liability when AI systems cause harm. Researchers are actively working on interpretability methods alongside complementary verification and monitoring frameworks, and new developments may yield further insights (see §3.3. Technical safeguards and monitoring).

There is an evaluation gap between performance in pre-deployment evaluations and in the real world

Current evaluation methods produce unreliable assessments of both what AI models can do (their capabilities) and how they tend to behave (their propensities). Research into developing appropriate metrics to measure AI capabilities and real-world impacts remains immature and fragmented.186 897 898 Evaluations designed for AI agents face similar limitations.666 899 This makes the core goal of safety-focused evaluation – measuring risk to facilitate understanding, monitoring, and mitigation – difficult to achieve. Evaluation and testing methods suffer from three main limitations.

First, many benchmarks fail to accurately measure the specific capability they claim to assess.900 901 For example, they often use multiple-choice formats in which models can generate correct answers using shortcuts rather than more robust methods, leading to inflated performance scores. Assessing the quality of benchmarks can be difficult because evaluation practices themselves can be opaque, inconsistent, and reliant on non-transparent datasets, ad-hoc procedures, or unvalidated metrics.579 902 In addition, evaluating models for some risks – specifically dangerous capabilities – might require prompting them to engage in dangerous activities, such as certain tasks involved in weapons development.903 Finally, models can underperform during evaluations compared to other contexts, a pattern termed ‘sandbagging’ that has been observed in experiments.722 726 727

Second, benchmark performance alone does not reliably predict real-world behaviour.186 904 905 906 Understanding the risk posed by an AI system in practice requires examining real deployments, including how different users interact with it and what consequences result.907 908 909 For example, one recent study showed that language models fine-tuned to sound warm or empathetic became 10–30 percentage points more likely to make errors such as promoting conspiracy theories, validating incorrect beliefs, and offering unsafe medical advice. Yet these error-prone models achieved similar benchmark scores to more reliable counterparts, implying that some harms surface only during deployment.910 Another study in a medical setting found similarly that models with strong benchmark performance still produced clinically unsafe or ambiguous responses across more than 300,000 real interactions.911

Third, pre-deployment testing cannot anticipate all future failure modes.912 913 The diversity of potential use cases and corresponding risks906 914 makes it very difficult to design tests that anticipate all potential failure modes.265 879 For example, researchers have shown that simple rephrasings of harmful prompts – such as using past tense – can bypass safety fine-tuning.915

Category 2: Information asymmetries

Even if the fundamental scientific gaps in understanding AI were to be resolved, policymakers would still face a second set of challenges: AI developers possess critical information about their AI systems that external stakeholders lack. Developers know what data they used for training, what safety problems arose during development, and how models performed on internal evaluations. However, much of this information remains undisclosed and some of it is proprietary. These ‘information asymmetries’ mean that policymakers sometimes lack certain kinds of data and evidence that would help them make informed decisions about AI.

AI developers often do not disclose information about training data

Companies usually limit the information they share about the datasets used to train general-purpose AI models, including how that data is acquired and processed.107 916 917 918 There are legitimate reasons for doing so: for example, to protect intellectual property, maintain competitive advantages, and improve model security. However, nondisclosure can also conceal problematic practices, including the use of copyrighted or unlicensed data for training.104 919 920 921 Since characteristics of the data used to train a model hugely impact its behaviour, information about that data can be useful for risk management efforts. For example, recent research has demonstrated that filtering training data can prevent models from developing dangerous capabilities, such as knowledge about biothreats55 and the ability to generate child sexual abuse material.309 922 A lack of information about training data makes it harder for researchers and auditors to assess how this data affects the safety of AI models and inform relevant policy decisions.897

High development costs and access asymmetries hamper external replication and scrutiny

Developing state-of-the-art general-purpose AI models costs hundreds of millions of dollars in data, compute, and talent (Figure 3.2). Since 2020, these costs have grown at a rate of approximately 3.5x each year:204 if they continue to increase at this rate, the largest training runs will cost over $1 billion USD by 2027.923 These substantial resource requirements make independent scientific replication cost-prohibitive, limiting the ability of independent researchers to scrutinise specific technical decisions.

Leading AI companies also have access to internal AI systems that are more capable than those available to the public, further widening the gap between the systems developers can access internally and those available to external researchers and the public.102 Although recent efforts have facilitated open scientific inquiry into model training,101 924 independent researchers and smaller organisations often lack the computational, financial, and infrastructural resources needed to study training methods as effectively as researchers within AI companies.925 926

Figure 3.2: Estimated training cost of selected AI models, 2012–2025. Source: Epoch AI, 2025.203

Category 3: Market failures

Market dynamics may create a mismatch between company incentives and socially optimal levels of AI risk mitigation. When harms are diffuse, delayed, or difficult to trace back to their source, there are fewer incentives for private actors to invest in safety measures.927 928 929 Many potential harms from AI systems affect third parties such as individuals, organisations, or communities. As a result, companies may not be sufficiently incentivised to invest in research and other efforts to reduce harms.872 930 For example, if an AI system enables the creation of non-consensual intimate imagery, victims bear additional psychological and social costs.931 This represents a typical market failure: the cost to develop a product does not represent its total societal cost.

Competition intensifies speed-versus-safety trade-offs

Firms that invest heavily in risk mitigation may face competitive disadvantages relative to those that prioritise development speed.700 932 933 934 For example, delaying model releases for additional testing risks losing market share to less-cautious competitors.935 936 Several leading AI developers have voluntarily adopted common safety measures, but there is limited evidence on their long-term effectiveness.

These competitive dynamics extend beyond individual firms: general-purpose AI is being developed across multiple countries, with governments increasingly viewing AI development as a matter of economic and strategic importance.937 In this environment, countries may face trade-offs between advancing domestic AI capabilities and implementing safety measures that could slow development, particularly if they perceive other countries as not adopting comparable measures.937 938

It is unclear whether existing liability frameworks are suitable for general-purpose AI

Whether existing liability frameworks can adequately address AI-related harms remains uncertain, in part because harms are difficult to trace to specific design choices and responsibility is distributed across multiple actors. AI companies are subject to existing legal frameworks, such as tort law, criminal law, and contract law, allowing victims to seek compensation for harms.692 Some experts argue that liability regimes will play a key role in ensuring basic protection for victims harmed by using or interacting with these systems.939 However, AI systems may present distinctive challenges for liability frameworks: harms can be difficult to trace to specific design choices, especially since full information about risk management processes is not public, and responsibility is distributed across model developers, application builders, deployers, and users.940 941 942 This uncertainty is compounded by growth in the use of AI agents that operate with reduced human oversight.92 100 943 944 How these challenges will manifest in practice remains unclear, but they may warrant ongoing attention as AI systems are deployed more widely.

Category 4: Institutional design and coordination challenges

The speed of AI development makes it difficult for existing government, research, and academic institutions to generate evidence about AI risks in a timely and coordinated manner and build the capacity to respond effectively. Some institutions struggle to build sufficient technical capacity to engage with AI research, while others may have yet to fully appreciate the scale and societal implications of general-purpose AI advances. In addition, a small number of foundation models underpin a wide array of applications deployed across sectors and borders, giving rise to coordination challenges and systemic dependencies.

AI development outpaces traditional governance cycles

The capabilities of the best AI systems improve significantly month-to-month, while major legislation typically takes years to draft, negotiate, and implement. This mismatch means that the AI landscape can change while policy processes unfold, making it difficult to design policies that address emerging risks and are robust to future changes. For example, some current governance approaches use thresholds based on training compute to determine risk management requirements.52 945 946 However, recent advances in inference-time scaling may challenge the effectiveness of such thresholds, as they allow developers to improve model capabilities by using more compute during inference rather than training.947 948

Widespread reliance on a small number of models creates single points of failure

The deployment of a limited number of general-purpose AI models across many different sectors and use-cases creates shared vulnerabilities across the AI ecosystem. A small number of models, mostly developed in the US and China (Figure 3.3), currently underpin AI applications in healthcare, finance, education, and other domains, cumulatively impacting billions of users.949 When the same model powers many applications, faults in that model can propagate across all applications that depend on it.950 951 952 A single vulnerability can therefore propagate failures or harms across multiple sectors simultaneously.953 Even ostensibly independent models may share vulnerabilities due to model convergence, where separately developed systems seem to process information in similar ways.954 955

Figure 3.3: The number of notable models developed in each country in 2024. Most (64.5%) ‘notable’ AI models developed in 2024 originated from the US, with China the second most common origin (24.2%). The rest of the world produced just 12.3%. A ‘notable’ model is one that Epoch, an independent AI research organisation, has identified as meeting any of the following criteria: state-of-the-art benchmark performance; over 1,000 citations; historical significance; over one million monthly active users; or training costs exceeding $1 million. Source: Maslej et al., 2025.177

Cross-sector deployment makes it difficult for developers, regulators and policymakers to understand and monitor the full range of applications that a given model supports. This makes it very difficult to carry out comprehensive pre-deployment testing and regulate appropriately across sectors. It is difficult to fix problems after deployment as this causes operational disruptions, and the effectiveness of current post-deployment measures is limited.956 957

Cross-border challenges complicate AI governance

Many AI governance challenges also have an international dimension.958 AI systems developed in one jurisdiction are frequently deployed in others, and harms may occur in countries other than the one where an AI system was built or trained. Without strong international coordination, it is harder for countries to address cross-border externalities, regulatory arbitrage (where firms relocate to avoid stricter rules), uneven governance capacity across countries, and interoperability challenges (where incompatible national standards fragment markets or reduce safety measure effectiveness).959

At the same time, international coordination also has costs: it constrains national sovereignty, reduces regulatory experimentation, and can involve protracted negotiations among countries with divergent priorities and values.960 961 It can also reduce the governance flexibility that nations need to adapt frameworks to their specific cultural, economic, and institutional contexts.962 963 This means determining whether and where international coordination is required – and what form it should take – is an ongoing challenge.

Updates

Since the publication of the last Report (January 2025), multiple jurisdictions, including China, the European Union, and the United States, have called for and begun to implement measures to accelerate evidence generation towards improved risk management.964 965 966 These measures include safety evaluations and transparency disclosures (such as safety and security protocols and model card releases), whistleblower protections, and incident reporting mechanisms. These measures generate additional evidence on capabilities and risks for governments and the public, which may increase transparency and accountability.967 968 Some challenges have also eased slightly. While the overall cost of frontier AI training continues to rise, recent developments in open models101 and early experiments with distributed and decentralised training85 may broaden scientific access. On the other hand, wider AI adoption across sectors has expanded the potential points of failure.953

3.2. Risk management practices

Key information

• General-purpose AI risk management comprises a range of practices used to identify, assess, and reduce risks from general-purpose AI. These include model-level testing and evaluation (such as ‘red-teaming’), organisational processes guiding development and release decisions, conditional safeguards (such as ‘if-then’ commitments), and incident reporting.
• Several AI developers have produced Frontier AI Safety Frameworks. These frameworks include information about risk assessments and specify conditional measures such as access restrictions companies plan to implement for more capable models. They vary in the risks they cover, how they define capability thresholds, and what actions are triggered when thresholds are reached.
• Evidence on the real-world effectiveness of AI risk management practices remains limited. Lack of incident reporting and monitoring makes it difficult to assess how well current practices reduce risks or how consistently they are implemented.
• Since the publication of the last Report (January 2025), risk management has become more structured through new industry and governance initiatives. New instruments such as the EU’s General-Purpose AI Code of Practice, China’s AI Safety Governance Framework 2.0, and the G7’s Hiroshima AI Process Reporting Framework, together with company-led initiatives, illustrate the trend towards more standardised approaches to transparency, evaluation, and incident reporting.
• Key challenges for policymakers include prioritising among the diverse risks posed by general-purpose AI, and clarifying which actors across the AI value chain are best positioned to mitigate them. These challenges are compounded by limited visibility into how risks are identified, evaluated, and managed in practice, as well as fragmented information sharing between developers, deployers, and infrastructure providers.

AI risk management comprises a range of practices that aim to identify, assess, and reduce the likelihood and severity of risks associated with AI systems. These practices can be implemented by AI developers, deployers, evaluators, and regulators. Examples include threat modelling, risk tiering, red-teaming, auditing, and incident reporting. This section outlines current risk management practices, new developments, and remaining limitations.

Since the start of 2025, several new international initiatives for general-purpose AI risk management have developed, including organisational transparency and risk reporting frameworks as well as regulatory and governance frameworks. Remaining challenges include limited standardisation, which complicates compliance and assessment, and limited evidence regarding real-world effectiveness. Further, institutional, cultural, and political contexts differ globally, which implies that approaches to identifying and managing risks, including acceptable risk thresholds, may vary across regions.

This section’s discussion of risk management approaches is descriptive: it aims to inform actors in the AI ecosystem about current global approaches to risk management. Where available, evidence on the effectiveness and limitations of these approaches is discussed, but policy recommendations are outside the scope of this work.

Components of risk management

Risk management is an iterative process with practices and methods that span the entire AI development and deployment cycle, but which work together coherently.969 Risk management for general-purpose AI can include roles for a wide range of actors including data scientists, model engineers, auditors, domain experts, executives, end users, impacted communities, third-party suppliers, policymakers, governments, standards organisations, and civil society organisations.970 971 972 Leading risk management standards are often interoperable, but use different terminology to describe the elements of risk management.973 974 They typically have four interconnected components (Figure 3.4): identifying; analysing and evaluating; mitigating; and governing risk.970 973 975 976 The tables below provide illustrative examples of relevant methods, techniques, and tools. Practices continue to evolve, so the tables are not exhaustive, and applicability will vary across contexts.

Figure 3.4: The four categories of methods for general-purpose AI risk management: risk identification; risk analysis and evaluation; risk mitigation; and risk governance. These form an iterative and cyclical process. Risk governance, shown in the centre, facilitates the success of other components. Source: International AI Safety Report 2026.

Risk identification

Risk identification is the process of finding, recognising, and describing risks. Comprehensive risk identification typically encompasses capability-driven assessments, which test whether models possess specific dangerous capabilities,977 as well as risk modelling978 and forecasting,715 which are used to explore existing and emerging risks. Table 3.1 provides various examples of risk identification practices. Risk identification also draws on engagement with relevant experts and communities to understand the broader context of how risks emerge.979 980 Mechanisms such as bug bounty programmes can support this process by incentivising the identification of previously unknown vulnerabilities981 (Table 3.1). A key goal of risk identification is to account for both well-known, well-understood risks and potential future risks that remain uncertain or poorly characterised.982 This is particularly important for general-purpose AI, where many risks may not yet be fully understood or observable.875

Table 3.1: Example methods for AI risk identification listed alphabetically. The methods included are designed to support risk identification for many different risk types including risks from malicious use, risks from malfunctions, and systemic risks. Given the nascent nature of general-purpose AI risk management, not all methods will be suitable for every AI developer or deployer.

Threat modelling and risk taxonomies are prominent risk identification methods

Two prominent methods for identifying the risks from general-purpose AI are threat modelling (a structured process for mapping how AI-related risks may materialise) and risk taxonomies. Meta, for example, uses threat modelling exercises to anticipate potential misuse scenarios of its AI models,990 and Anthropic includes threat modelling as part of its ASL-3 Deployment Standard.991 AI risk and hazard taxonomies, which list risk categories and examples, can equally serve as a starting point to conceptualise, identify, and specify the salient risks associated with general-purpose AI in specific application domains.906 988 992 993

Risk analysis and evaluation

Risk analysis and evaluation is the process of determining the level of risk of an AI model or system and comparing it against established criteria to assess acceptability or the need for mitigation.994 995 996 997 It includes practices such as measuring model performance on benchmarks998 and evaluations.176 715 conducting red-teaming exercises,999 impact assessments,1000 and audits.1001 1002 See Table 3.2 for examples of general-purpose AI risk analysis and evaluation. The methods are designed to support analysis and evaluation for many different risk types simultaneously.

Key goals of risk analysis and evaluation are carrying out evaluations of model capabilities and vulnerabilities,1003 leveraging robust risk modelling to inform decisions about risk thresholds,1004 1005 and understanding how AI systems are used in practice in order to assess downstream societal impacts.889 904 905 1006 Risk analysis and evaluation processes are often considered to be more likely to identify risks when they incorporate independent review,1001 1007 draw on cross-sector expertise,1008 and include diverse perspectives from multiple domains and disciplines, as well as from impacted communities.1009 1010

Table 3.2: Example methods for AI risk analysis/evaluation, listed alphabetically. Given the nascent nature of general-purpose AI risk management, not all methods will be suitable for every AI developer or deployer.

Common risk analysis tools include benchmarks and model evaluations

Benchmarks and model evaluations are standardised tests to assess general-purpose AI systems’ performance on specific tasks. Researchers have developed a broad range of benchmarks and evaluations, including sets of challenging multiple choice questions, software engineering problems, and work-related tasks in simulated office environments.188 629 998 1041 1042 1043 1044 1045 1046 1047 1048 1049 Harmful capability evaluations715 are used to assess whether a general-purpose AI model or system has particularly dangerous knowledge or skills, such as the ability to aid in cyberattacks (see §2.1.3. Cyberattacks).

Highly consequential decisions by companies and governments about model releases partially rely on these evaluations.1050 1051 1052 However, benchmarks significantly vary in quality and scope,998 1003 and it can be difficult to judge their validity due to numerous shortcomings in benchmarking practices.902 909 1003 1053 For example, benchmarks can become ‘saturated’ – when many models’ scores approach the top score – meaning they no longer strongly distinguish between models. Models are also increasingly likely to identify certain tasks as evaluations and display different behaviours than they would on similar tasks in deployment contexts due to ‘situational awareness’ (see §2.2.2. Loss of control). Finally, benchmarks and evaluations have well-documented limitations: notably, they fail to capture risks associated with general-purpose AI use in new domains and for novel tasks, as test conditions differ from real-world usage to varying degrees913 (see §1.2. Current capabilities and §3.1. Technical and institutional challenges).

Red-teaming allows for more domain-specific assessments of risk

Another common method for assessing risks is red-teaming. A ‘red team’ is a group of evaluators tasked with searching for vulnerabilities, limitations, or potential for misuse. Red-teaming can be domain-specific and performed by domain experts, or open-ended to explore new risk factors. For example, a red team might explore ‘jailbreaking’ attacks that subvert the model’s safety restrictions.1054 1055 1056 1057 1058 1059 In contrast to benchmarks, a key advantage of red-teaming is that red teams can adapt their evaluations to the specific system being tested. For example, red teams can design custom inputs to identify worst-case behaviours, malicious use opportunities, and unexpected failures. However, it can require special access to models and may fail to surface important classes of risks.999 1028 

Importantly, the absence of identified risks does not imply that those risks are low: prior work shows that bugs frequently evade detection, particularly when red teams have limited access or resources.1060 Research has also called into question whether red-teaming can produce reliable and reproducible results.1061 The composition of the red team and the instructions provided to red-teamers,1062 the number of attack rounds,1063 and the model’s access to tools1064 1065 can significantly influence the outcomes, including the risk surface covered. Comprehensive guidelines on red-teaming aim to address some of these challenges.1066

Risk mitigation

Risk mitigation is the process of prioritising, evaluating, and implementing controls and countermeasures to reduce identified risks. Examples are access controls,991 continuous monitoring,986 and if-then commitments.700 Mitigating risk raises a key question: what is the acceptable level of risk? Recent frameworks and company policies have begun to formalise ‘risk acceptance’ criteria.965 1040 However, setting appropriate thresholds remains challenging especially for risks with wide societal impacts.986 1067 No established mechanism currently exists for validating risk acceptance decisions made by developers prior to release.1005

The risk mitigation methods described in Table 3.3 below are adaptable and can mitigate a range of risks, including some unexpected risks. The table does not include technical mitigation methods such as adversarial training, content filters, and chain-of-thought monitoring. These are covered in §3.3. Technical safeguards and monitoring, as well as throughout the Report in the ‘Mitigations’ paragraphs for each risk in §2. Risks.

Table 3.3: Example methods for AI risk mitigation listed alphabetically. The methods included are designed to support risk mitigation for many different risk types simultaneously, including risks from malicious use, risks from malfunctions, and systemic risks. Given the nascent nature of general-purpose AI risk management, not all methods will be suitable for every AI developer or deployer.

Defence-in-depth and release strategies are important mitigation tools

A ‘defence-in-depth’ model can support general-purpose AI risk management. In this context, ‘defence-in-depth’ refers to a combination of technical, organisational, and societal measures applied across different stages of development and deployment (Figure 3.5). This means creating layers of independent safeguards, so that if one layer fails, other layers can still prevent harm. A commonly cited example of a defence-in-depth model is the range of preventative measures that are deployed to prevent infectious diseases. Vaccines, masks, and hand-washing, among other measures, can reduce the risk of infection substantially in combination, even though none of these methods are 100% effective on their own.1083 For general-purpose AI, defence-in-depth will include controls that are not on the AI model itself, but on the broader ecosystem. This includes (for example) controls on the materials needed to execute a biological attack such as reagents.1084 1085 However, defence-in-depth measures primarily address risks related to accidents, malfunction, and malicious use, and may play less of a role in managing systemic risks (see §3.5. Building societal resilience).

Figure 3.5: A ‘Swiss cheese diagram’ illustrating the defence-in-depth approach: multiple layers of defences can compensate for flaws in individual layers. Current risk management techniques for AI have flaws, but layering them can offer much stronger protection against risks. Source: International AI Safety Report 2026.

A company’s release and deployment strategy is an important component of risk mitigation. Decisions about how models are made available to users can substantially affect risk exposure.1082 Different release and deployment options include staged release to limited user groups, access through controlled online services (such as APIs), and the use of licensing agreements and acceptable use policies that legally prohibit certain harmful applications.176 1086 1087 §3.4. Open-weight models discusses in more detail how releasing model weights affects risks.

Risk governance

Risk governance is the process by which risk management evaluations, decisions, and actions are connected to the strategy and objectives of an organisation or other entity.1088 1089 Table 3.4 provides an overview of common risk governance techniques. As shown in Figure 3.4, risk governance can be understood as the core of risk management as it facilitates the effective operation of other components of risk management. It provides accountability, transparency, and clarity that support informed risk management decisions. Risk governance can include practices such as incident reporting,1090 risk responsibility allocation,965 and whistleblower protection.1091 More broadly, risk governance may include guidance, frameworks, legislation, regulation, national and international standards, as well as training and educational initiatives. A key purpose of risk governance is to establish organisational policies and mechanisms that clarify how risk management responsibilities are allocated across an organisation or other entity, in order to support appropriate oversight and accountability.965 1092 1093

Table 3.4: Example methods for AI risk governance listed alphabetically. The methods included are designed to support risk governance for many different risk types simultaneously, including risks from malicious use, risks from malfunctions, and systemic risks. Given the nascent nature of general-purpose AI risk management, not all methods will be suitable for every AI developer or deployer.

Documentation and transparency are components of risk governance

Documentation and institutional transparency mechanisms, together with information-sharing practices, facilitate external scrutiny and support efforts to manage risks associated with general-purpose AI.1101 1102 It has become common practice to publish the results of pre-deployment tests in a ‘model card’ or ‘system card’, along with basic details about the model or system, including how it was trained and what its potential limitations are.1094 1095 Some developers also publish transparency reports that include details about their risk management practices more broadly.1103 Other elements of documentation and transparency include monitoring and incident reporting176 1083 1103 and information sharing, which can be facilitated by third parties such as the Frontier Model Forum. Some regulatory frameworks, such as the EU AI Act or California’s Transparency in Frontier Artificial Intelligence Act - Senate Bill No. 53 (SB 53),1081 1104 mandate information sharing about general-purpose AI risks in some cases.

Leadership commitment and incentives shape risk management practices

Organisational culture, leadership structure, and incentives affect risk management efforts in various ways.1105 Leadership commitment and incentive structures are often relevant to how risk management policies operate in practice. Some developers have internal decision-making panels that deliberate on how to safely and responsibly design, develop, and review new AI systems. Oversight and advisory committees, trusts, or AI ethics boards can also serve as mechanisms for risk management guidance and organisational oversight.1092 1106 1107 1108 Researchers have argued that challenges with voluntary self-governance mean that third-party auditing, verification, and standardisation could help strengthen general-purpose AI risk management.1001 1011 1109 1110 1111 1112

Organisational risk management, transparency, and risk reporting frameworks

Several new initiatives focus on risk management processes, documentation, and transparency. In its current form, the EU General-Purpose AI Code of Practice functions as a voluntary framework to guide transparency, copyright, and safety and security practices to support compliance with the EU AI Act’s provisions for general-purpose AI.965 As of December 2025, more than two dozen companies have signed. The G7 Hiroshima AI Process (HAIP) Reporting Framework1100 is the first international framework for voluntary public reporting of organisational risk management practices for advanced AI systems. At least 20 developers have published public transparency reports covering risk identification, evaluation metrics, mitigation strategies, and data security processes.

AI developers have adopted voluntary transparency commitments. In China, pledges by 17 Chinese AI companies, coordinated by the AI Industry Alliance of China, were released in December 20241113 and updated in 2025.1114 At the May 2024 AI Seoul Summit in South Korea, 16 AI developers from multiple countries signed voluntary commitments to publish Frontier AI Safety Frameworks for their most capable models and systems, and to adopt risk management practices across model development and deployment stages.1052

Frontier AI Safety Frameworks have become a prominent organisational approach to AI risk management

Since 2023, several frontier AI developers have voluntarily published documents describing how they plan to identify and respond to serious risks from their most advanced systems. These Frontier AI Safety Frameworks describe how an AI developer plans to evaluate, monitor, and control its most advanced AI models and systems before and during deployment. These frameworks share many similarities, but differ in key respects.1115 1116 Most focus on risks associated with chemical, biological, radiological, and nuclear (CBRN) threats, advanced cyber capabilities, and advanced autonomous behaviour.1115 1117 A minority of frameworks address additional risk domains such as unlawful discrimination at scale and child sexual exploitation.

Several developers updated their frameworks in 2025, adding new sections on harmful manipulation, misalignment risk, and autonomous replication and adaptation.1078 1118 While many frameworks describe similar risk management approaches – including threat modelling, red-teaming, and dangerous capability evaluations – they vary in their definitions of risk tiers and thresholds, the frequency of evaluations, buffers between evaluations and thresholds, and the comprehensiveness of their mitigation commitments (for example, whether they include deleting model weights versus just pausing development).1115 1119 See Table 3.5 for more information.

Many actions in Frontier AI Safety Frameworks are based on if-then commitments

A key part of Frontier AI Safety Frameworks are ‘if-then commitments’. These are conditional protocols that trigger specific responses when AI models and systems reach predefined capability thresholds.1120 For example, an if-then commitment might state that if a model is found to have the ability to meaningfully assist novices in creating and deploying CBRN weapons, then the developer will implement enhanced security measures, deployment controls, and real-time monitoring.991

In 2025, several AI developers announced that new models triggered early warning alerts or that they could not rule out the possibility that further evaluation would show that models have crossed capability thresholds. This prompted them to apply heightened safeguards as a precautionary measure.7 33 1121 Frontier AI Safety Frameworks commonly require an initial capabilities evaluation prior to risk mitigation, as well as a residual risk analysis or a safety case, often informed by red-teaming, after mitigation. See Table 3.5 for detailed information.

Table 3.5: The first set of Frontier AI Safety Frameworks that have been released by a subset of the AI developers that signed the Frontier AI Safety Commitments. The frameworks cover similar risks (with slight variations) and employ different risk tiers and risk management approaches.

The effectiveness of Frontier AI Safety Frameworks is uncertain

Frontier AI Safety Frameworks can serve as risk management tools under specific conditions and for certain risk categories that have a credible pathway to harm.1117 At the same time, several analyses discuss questions regarding their clarity and scope111 986 and about the robustness of AI capability and risk thresholds.1031 1130 Existing frameworks tend to focus on a subset of risk domains. As a result, some prominent risks, such as unlawful surveillance1131 1132 and non-consensual intimate imagery,287 receive less emphasis. Unlike risk management approaches from other sectors, such as aviation or nuclear power,1133 Frontier AI Safety Frameworks typically do not use explicit quantitative risk thresholds.1134

External assessments of developers’ compliance with their Frontier AI Safety Frameworks so far remain limited, in part because most frameworks are recent, publicly available information is scarce, and there are no standardised external audits. Their effectiveness will also be shaped on how well – and to what extent – commitments are implemented in practice. On their own, these frameworks may not ensure effective risk management, since their practical impact depends on how well and to what extent they are implemented. To date, they do not fully align with international risk management standards.1135 A study on prior voluntary commitments found uneven fulfilment across measures, suggesting that adherence to voluntary commitments is likely to vary between companies and domains.1109

Taken together, Frontier AI Safety Frameworks represent the most detailed form of voluntary organisational risk management currently in use, but vary substantially in scope, thresholds, and enforceability.

Regulatory and governance initiatives

Several jurisdictions have introduced laws with transparency requirements

Several early regulatory approaches introduce legal requirements intended to increase standardisation and transparency in risk management. The EU AI Act, which entered into force in 2024, establishes requirements related to transparency, copyright, and safety for general-purpose AI models. In 2025, the EU General-Purpose AI Code of Practice was published to support compliance with these obligations by providing guidance on model documentation and copyright, as well as – for the most advanced models – risk management practices such as evaluations, risk assessment and mitigation, information security and serious incident reporting.965

Other examples of new regulatory requirements include South Korea’s Framework Act on the Development of Artificial Intelligence and Establishment of Trust, which introduces requirements for ‘high-impact’ AI systems in critical sectors,1136 and California’s SB 53, which sets transparency requirements on safety frameworks and incident reporting.1104 Given how recently these requirements were established, it is too early to assess in detail how they will affect risk management practices or actual risk outcomes.

Broader governance initiatives offer voluntary guidance

Several regional and interregional governance frameworks now articulate shared expectations for managing risks from general-purpose AI by providing non-binding guidance for policymakers and organisations. China’s AI Safety Governance Framework 2.0, published in 2025, provides structured guidance on risk categorisation and countermeasures across the AI development and deployment process.1137 ASEAN Member States published the ‘ASEAN Expanded Guide on AI Governance and Ethics (Generative AI)’, which provides guidance on general-purpose AI governance and ethics and is intended to support greater policy alignment across ASEAN Member States.1138 In addition, expert-led initiatives such as the Singapore Consensus, developed by AI scientists from multiple countries, outline research priorities for general-purpose AI safety across risk assessment, development, and control.690

Updates

Since the publication of the last Report (January 2025), the risk management landscape for general-purpose AI has evolved, with the publication of new resources such as the EU’s General-Purpose AI Code of Practice, the G7 HAIP Reporting Framework, China’s national AI Safety Governance Framework 2.0 and various AI developers’ Frontier AI Safety Frameworks. These initiatives describe approaches and practices used by AI developers to manage the risks associated with general-purpose AI systems.1115 There is substantial variation across the Frontier AI Safety Frameworks and across HAIP transparency reports,1103 reflecting differences in organisational practices, risk prioritisation, and the early stage of the general-purpose AI risk management ecosystem. A trusted ecosystem where different AI actors contribute complementary risk management practices across the lifecycle may contribute to effective risk management.690

Evidence gaps

There is a lack of evidence on: how to measure the severity, prevalence, and timeframe of emerging risks; the extent to which these risks can be mitigated in real-world contexts; and how to effectively encourage or enforce mitigation adoption across diverse actors. More research is needed to understand how prevalent different risks are and how much they vary across different regions of the world, especially for regions such as Asia, Africa, and Latin America that are rapidly digitising. As AI models are given increasing agency and authority and the state of the science of general-purpose AI risks advances, risk management approaches will also need to evolve.639 1139

Certain risk mitigations are growing in popularity,690 956 but more research is needed to understand how robust risk mitigations and safeguards are in practice for different communities and AI actors (including for small and medium-sized enterprises). Greater access to data on real-life deployment and usage of models is relevant to such assessments. Further, risk management efforts currently vary highly across leading AI companies. It has been argued that developers’ incentives are not well-aligned with thorough risk assessment and management.934 There is still an evidence gap around the degree to which different voluntary commitments are being met, what obstacles companies face in adhering fully to commitments, and how they are integrating Frontier AI Safety Frameworks into broader AI risk management practices.

Challenges for policymakers

Key challenges include determining how to prioritise the diverse risks posed by general-purpose AI, clarifying which actors are best positioned to mitigate them, and understanding the incentives and constraints that shape their actions. Evidence indicates that policymakers currently have limited access to information about how AI developers and deployers are testing, evaluating, and monitoring emerging risks, and about the effectiveness of different mitigation practices.1140 Researchers and policymakers have discussed transparency efforts and more systematic incident reporting as possible ways to inform risk prioritisation, promote trust, and incentivise responsible development.957 In practice, risk management involves multiple actors across the AI value chain – such as data and cloud providers, model developers, and model hosting platforms – each with distinct opportunities to assess and manage different risks.1141 Limited information sharing between these actors makes it difficult to determine which risks are most likely or impactful, particularly when downstream societal effects are considered.

3.3. Technical safeguards and monitoring

Key information

• A wide range of technical safeguards is used at different stages of AI development and use. These include techniques applied during model development to make systems more robust and resistant to misuse (such as data curation), deployment-time monitoring and control (such as content filtering and human oversight), and post-deployment tools to monitor the broader AI ecosystem (such as provenance and content detection).
• Technical safeguards have limitations and do not reliably prevent harmful behaviour in all contexts. For example, users can sometimes obtain harmful outputs by rephrasing requests or breaking them into smaller steps. Similarly, tools such as watermarking which are designed to identify AI-generated content can often be removed or altered, which limits their reliability.
• The limitations of individual safeguards mean that ‘defence-in-depth’ may be needed to prevent certain harmful outcomes. For example, a system might combine a safety-trained model with input filters, output filters, and content monitors.
• Since the publication of the last Report (January 2025), researchers have made progress on improving safeguards, but fundamental limitations remain. For example, the success rate of attacks designed to bypass safeguards has been falling, but remains relatively high. There are also fundamental limitations to how thoroughly open-weight models can be safeguarded.
• A key challenge for policymakers is the limited evidence on how effective safeguards are across diverse real-world uses of general-purpose AI systems. AI developers vary widely in how much information they share about their safeguards and monitoring. A further challenge is the potential trade-offs between applying stronger safeguards and maintaining system performance or usefulness.

AI developers can use several useful but imperfect technical safeguards to mitigate and manage risks from general-purpose AI systems, yet robustness challenges persist. Developers still cannot fully prevent general-purpose AI systems from performing even well-known and overtly harmful actions such as offering users instructions for committing crimes. For example, researchers have shown that state-of-the-art safeguards can be circumvented through adversarial prompting methods (i.e. ‘jailbreaks’),1055 1063 1142 1143 1144 1145 1146 1147 1148 1149 by having models break down complex harmful tasks into steps,1150 1151 1152 1153 1154 and with simple model modifications.1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 Researchers continue to work on safeguards against malfunctions and misuse.690 These methods vary widely in their purpose and effectiveness, and their impact ultimately depends on the broader sociotechnical and governance context in which AI systems are built and deployed.

Technical safeguards can broadly be divided into three categories: techniques for developing safer models; techniques used during deployment for monitoring and control; and techniques that support post-deployment ecosystem monitoring. Table 3.6 summarises the technical safeguards discussed, their effectiveness, and open challenges.

Table 3.6: A summary of the technical safeguards discussed in this section, divided into methods for developing safer models, deployment-time monitoring and control, and techniques to facilitate ecosystem monitoring.

Developing safer models

A first line of defence against harms from general-purpose AI systems is to make the underlying model safer. This subsection covers safeguards that are ‘baked into the model parameters’ during the model development process (Figure 3.6).

Figure 3.6: Technical safeguards can be applied at different stages of model development. Data curation shapes what models learn during pre-training and fine-tuning. Training-based methods like reinforcement learning from human feedback and robustness training adjust model behaviour. Testing methods like adversarial attacks identify remaining vulnerabilities. Some techniques, such as safe-by-design algorithms, span multiple stages. Source: International AI Safety Report 2026.

Curating training data can limit the development of potentially dangerous capabilities

General-purpose AI models are useful precisely because they develop a broad range of knowledge and capabilities after processing training data, but some types of training data are disproportionately responsible for the development of potentially dangerous capabilities. For example, an AI model trained on virology papers might be better able to provide assistance in potentially harmful biology tasks549 1206 (see also §2.1.4. Biological and chemical risks). Additionally, image/video generators trained on images of human nudity can also be misused for creating non-consensual intimate deepfakes308 319 (see also §2.1.1. AI-generated content and criminal activity).

Filtering training data is an effective mitigation against some undesired capabilities.319 1167 1207 1208 However, it can be difficult to filter the large datasets used to train general-purpose AI models1168 due to high costs,1209 filtering errors,1210 and negative impacts on the quality of the dataset.1211 These challenges are exacerbated by the multilingual nature of internet text,1212 cultural biases in content moderation,1211 1213 1214 1215 and the fact that whether a given piece of data is ‘harmful’ depends on contextual factors.1216 Nonetheless, filtering potentially harmful material from training data shows promise for making models more reliably safe, including making open-weight models more resistant to harmful tampering.55 The relationships between training data contents and emergent model capabilities are not yet fully understood,1195 and filtration seems to be more effective for limiting harmful capabilities when applied to broad domains of knowledge55 compared to narrower behaviours.1206 1217 See §3.4. Open-weight models for further discussion.

Methods for training general-purpose AI models to be helpful and harmless mainly rely on human feedback

It is difficult to train and evaluate models to reliably align with high-level principles such as being helpful, harmless, and honest. In practice, developers aim to accomplish this by fine-tuning AI models using demonstrations and feedback from humans. For example, the principal paradigm for fine-tuning AI models, known as ‘reinforcement learning from human feedback’, is based on training models to produce outputs that human annotators rate positively.1218 However, positive feedback from humans is a flawed proxy for beneficial behaviour737 878 1219 1220 and is constrained by human error and bias.1169 1221 1222 1223 1224 1225

This leads to several challenges: models fine-tuned by reinforcement leaning from human feedback sometimes pander to the user, a behaviour known as ‘sycophancy’;358 740 1226 1227 provide responses that are helpful in some contexts but harmful in others;1228 1229 1230 1231 1232 provide responses that are difficult to evaluate for correctness;1233 or perform actions whose helpfulness or harmfulness is a matter of opinion.1234 Table 3.7 provides examples of these challenges. Some research aims to develop methods for helping humans better evaluate solutions to complex tasks with AI assistance.409 1235 1236 1237 1238 1239 1240 1241 1242 However, these methods currently have limited reliability, and the extent to which they are used to train today’s most advanced AI models is not publicly known.

Table 3.7: Examples of challenges with specifying and incentivising beneficial actions from AI models.

Humans do not always agree on what behaviours are desirable, requiring methods to balance competing preferences

Humans do not always agree about what responses or actions AI models should or should not output.1006 This makes it fundamentally challenging to develop models whose actions and impacts are broadly aligned with the interests of society.420 Some researchers study whose preferences are reflected in AI systems1234 1243 1244 1245 1246 1247 1248 1249 and work to develop ‘pluralistic alignment’ techniques that aim to strike a balance between competing preferences.1170 1248 1250 1251 1252 1253 For example, AI developers can design systems to avoid generating controversial answers by refusing to respond to certain requests, or align with the median viewpoint in some relevant sample of people, or personalise systems to individual users.

A common challenge for these approaches is that, in general, AI systems cannot equally align with everyone’s preferences, and that their downstream societal impacts will affect various groups of people differently. Some researchers have argued that most technical approaches to pluralistic alignment fail to address, and potentially distract from, deeper challenges, such as systematic biases, social power dynamics, and the concentration of wealth and influence.1171 1172 1173 1174 1254

AI developers use ‘adversarial training’ to improve model robustness

It is challenging to ensure that AI models robustly translate the beneficial behaviours they learn during training to real-world deployment contexts. Even models trained with a ‘perfect’ learning signal can fail to generalise successfully to all unseen contexts.738 1255 1256 1257 For example, some researchers have found that chatbots are more likely to take harmful actions in languages that are underrepresented in their training data,159 880 1258 1259 which includes many languages predominantly spoken in the Global South.

In recent years researchers have also created a large toolkit of ‘adversarial attack’ techniques that can be used to make models generate potentially harmful responses.505 1142 1143 1145 1146 1147 1148 For example, a recent initiative crowd-sourced over 60,000 diverse examples of successful attacks against state-of-the-art AI models, which made them violate their companies’ policies on acceptable model behaviour.1149 Table 3.8 shows examples of ‘jailbreak’ techniques that researchers have shown can make models comply with harmful requests.

One method to improve the robustness of models is known as ‘adversarial training’.1064 It involves constructing ‘attacks’ (e.g. jailbreaks) designed to make a model act undesirably, and training the model to handle these attacks appropriately. However, adversarial training is imperfect.1260 1261 Attackers are consistently able to develop new successful attacks against state-of-the-art models.1063 1146 1149 1261 1262 Since developers require specific examples of failure modes in order to train against them,512 1263 the result is an ongoing ‘cat and mouse’ game in which developers continually update models in response to newly discovered vulnerabilities, and adversaries continually seek new attacks. Some researchers have proposed larger-scale adversarial training1264 1265 or new algorithms675 676 1263 1266 1267 to improve robustness, but modern AI systems remain persistently vulnerable.

Table 3.8: Malicious actors and red teams have used various types of ‘jailbreaks’ to make AI models comply with harmful requests which they would normally refuse due to safeguards. Example outputs were written by the Report authors for illustrative purposes. Many current state-of-the-art AI models now resist most of these methods, but new jailbreaking techniques continue to be found.

‘Unlearning’ techniques can mitigate specific harmful model capabilities

Another strategy for mitigating risks from general-purpose AI is to fine-tune models to lack capabilities in specific high-risk domains.1175 1176 For example, researchers are working to develop ‘machine unlearning’ algorithms that can specifically suppress abilities related to biothreats or to generating photorealistic images of nude human bodies.903 1272 1273 These methods can make models substantially safer, at the expense of limiting some positive uses of the unlearned capabilities. Limiting AI models’ knowledge in harmful domains has also been proposed as a way of designing ‘tamper-resistant’ open-weight models that can resist harmful fine-tuning.1274 1275 1276 1277 1278 Thus far, however, this has been challenging to do robustly.1158 1160 1161 1195 1206 1279 1280 1281 1282 1283 1284 See §3.4. Open-weight models for further discussion.

Some researchers are working on methods for stronger safety assurances through interpreting model internal states or mathematical verification

Some researchers are working on methods to more rigorously verify safety-related properties of models. In one approach, researchers aim to interpret the internal computations of models to either identify risks or to make more convincing arguments that the model is safe.1285 1286 For example, in a proof of concept, researchers showed that tools for analysing the internal computation of a language model could help evaluators identify harmful behaviours.1287 In 2025, Anthropic also began analysing model internals as a way of studying model situational awareness and ‘intent’.2 However, these types of methods are currently not common or known to be competitive with other evaluation techniques.

A different approach for making stronger assurances of safety involves constructing mathematical proofs that a model will satisfy certain safety conditions.1177 1282 1288 However, these proofs assume that the testing context matches the deployment context, and are untested against many types of adversaries. They also cannot currently be scaled to large models. Overall, there is significant debate among experts over the promise of interpretability and formal verification methods.

Deployment-time monitoring and control

In addition to safeguards implemented during model development, a second line of defence against harmful behaviours is external safeguards that focus on monitoring and controlling a model or system’s actions during deployment. Such safeguards help mitigate malfunctions and misuse, such as hallucinated outputs and harmful instructions.

Model deployers can use a variety of tools to identify and address high-risk model behaviours

When an AI system is running, a deployer can monitor for signs of risk and intervene if they appear. For example, they can inspect a model’s inputs for signs of adversarial attacks, filter inappropriate content from outputs, or monitor the system’s chain of thought for signs of harmful plans. Points where deployers can monitor and intervene on how people are using their systems include hardware,1180 1181 user interactions,1154 1166 inputs and outputs,65 725 1182 internal computations,744 1183 1184 and chain of thought.430 435 There are also multiple actions deployers can take when risks are identified. These include logging information, filtering/modifying harmful content, flagging abnormal activity, system shutdowns, or triggering failsafes. Figure 3.7 illustrates examples of common monitoring and control mechanisms.

Because they are versatile and often effective, these mechanisms are widely used and can prevent many kinds of unintentional harms.725 751 1289 However, these safeguards are imperfect, especially under malicious attacks optimised to make them fail.752 1182 Recent research has also explored how monitoring can be unreliable if a system is optimised using the scores of a monitor, for example, by making chain of thought less reliable.435 1185 1290

Figure 3.7: Monitoring and control techniques operate at multiple points: screening inputs and outputs for harmful content, tracking internal model states, constraining external actions through sandboxing, and maintaining human oversight. Source: International AI Safety Report 2026.

Humans in the loop allow for direct oversight in high-stakes settings

To reduce the chance of failures from AI agents (see §2.2.1. Reliability challenges), deployers can aim to design AI systems that work in cooperation with humans rather than fully autonomously.1188 1189 1291 1292 1293 1294 This is important for use cases where incorrect decisions can lead to significant harm, such as in finance, healthcare, or policing. However, having a ‘human in the loop’ is often impractical. Sometimes decision-making happens too quickly, such as in chat applications with millions of users. In other cases, human bias and error can amplify risks due to compounding errors.1187 Humans in the loop also tend to exhibit ‘automation bias’, meaning that they often place more trust in the AI system than is warranted1191 1190 (see §2.3.2. Risks to human autonomy).

‘Sandboxing’ protects against risks from autonomous behaviours

AI agents that can act autonomously without limitation on the Web or in the physical world pose elevated risks (see §2.2.1. Reliability challenges). ‘Sandboxing’ involves limiting the ways in which AI agents can directly influence the world, making it much easier to oversee and manage them.640 1192 1295 For example, restricting an AI system’s ability to post to the internet or edit a computer’s file system can prevent unexpected harms from unexpected actions.1296 However, these approaches cannot always be used for applications where an AI system must necessarily act directly in the world.

Ecosystem monitoring tools: model and data provenance

Model and data provenance tools are technical tools for studying the AI ecosystem, to improve awareness of the downstream uses and impacts of AI systems.

AI system provenance techniques help trace the uses and impacts of systems

Developers and deployers can use various techniques to study model usage and spread ‘in the wild’. For example, they can give models unique identifying behaviours1193 1297 1298 1299 1300 or apply unique patterns to the weights of individual open-weight models.1193 1194 1301 1302 1303 1304 However, making these techniques more resistant to model modifications is an open problem.1195 1196 Researchers are also working on methods for ‘inferring model heritage’,1197 1198 1305 1306 helping to answer questions of the form: ‘Was model X a fine-tuned or distilled version of model Y?’ Finally, some developers are working toward protocols and infrastructure for AI agents to facilitate identification and verification when they interact with external systems.661 1307

AI content detection techniques help monitor the spread and impacts of AI-generated content

Watermarks, metadata, and other AI content detectors can help researchers track and study the real-world impact of AI-created content. First, data watermarks are subtle but distinct motifs inserted into digital media that can encode information about their origin.1199 1200 1201 For text, they typically take the form of subtle biases in word choices and style;1308 1309 for images and video, subtle patterns over pixels;1310 and for audio, subtle patterns in audio waves.1311 Figure 3.8 illustrates these.

Aside from watermarks, AI-generated content can also be saved using file formats that store metadata about how they were generated. For example, many mobile devices save image and audio files using a file format that can store information about camera settings, time, location, etc.1312 Similar metadata can be used to store information about whether data was generated by an AI system. Much like fingerprinting in criminal forensics, watermarks and metadata can be tampered with or removed, but are nonetheless useful.

Researchers are also working to develop AI-generated content detectors1203 1204 1205 to help identify AI-generated content in the wild, even when no watermark or metadata is available. However, these identification techniques have a limited success rate.

Figure 3.8: Watermarks embed imperceptible perturbations into images and audio that allow AI-generated content to be identified by detection tools. In this figure, both the image and audio watermarks are exaggerated for visibility. Source: Chameleon image from Unsplash.1313 Other elements created by the Report authors. International AI Safety Report 2026.

Figure 3.9: Prompt injection attack success rates, as reported by AI developers for major models released between May 2024 and August 2025. Each point represents the proportion of successful attacks within 10 attempts against a given model shortly after release. The reported success rate of such attacks has been falling over time, but remains relatively high. Source: Zou et al. 2025,1149 cited in Anthropic 2025.2

Updates

Since the publication of the last Report (January 2025), progress has been made in developing AI systems with multiple effective layers of safeguards. As discussed in §3.2. Risk management practices, defence-in-depth is a core principle in risk management.1314 For example, AI systems that combine safety-trained models with input filters, output filters, and other content monitors are increasingly studied and deployed.32 65 1182 Recent research has also shown that, while model developers have made progress in increasing robustness to attempts to bypass safeguards, attackers still succeed at a high rate (Figure 3.9).

Evidence gaps

More evidence is needed to help researchers understand and account for the limitations of existing approaches. Technical safeguards for AI systems are being improved, but techniques suffer from limitations. For example, progress on improving the worst-case robustness of general-purpose AI systems has been slow, and there are fundamental limitations to how thoroughly open-weight models can be safeguarded and monitored1195 1315 1316 (see also §3.4. Open-weight models). Meanwhile, not all technical safeguards are equally common, equally effective, or have been equally proven in the real world. For example, adversarial training is almost ubiquitously used on state-of-the-art models,64 677 while model interpretability and formal verification techniques have seen little use to date in production systems.1177 1285

Challenges for policymakers

Key challenges for policymakers include deciding whether and how they should support research, development, evaluation, and adoption of technical safeguards and monitoring methods. This is challenging because scientists’ understanding of how best to practically safeguard mechanisms is still evolving and best practices are not yet established. For example, different developers apply different safeguards, and their approaches to technical risk mitigation more broadly vary widely.1116 Finally, the existence of effective technical safeguards does not, on its own, ensure safety, as adoption and implementation can vary across developers and deployment contexts.

3.4. Open-weight models

Key information

• The level of access that AI companies provide to the ‘weights’ of their models affects the risks that these models pose. Weights are the mathematical parameters that allow AI models to process inputs and generate outputs. For any given model, companies can choose to keep the weights completely private, give some users some limited access, or allow anyone to download them in full. Models whose weights are publicly available are called ‘open-weight models’.
• Open-weight models facilitate research and innovation, but their safeguards are more easily removed. Around the world, various actors – especially those with fewer resources – can use open-weight models for research and commercial purposes. However, compared to closed-weight models, open-weight models are more easily modified to exhibit potentially harmful behaviours, and monitoring their usage is more difficult.
• Open-weight model releases are irreversible. Once released, model weights cannot be recalled. This makes it harder to mitigate potential harms resulting from the release of a model with dangerous capabilities.
• Since the publication of the last Report (January 2025), major open-weight releases have narrowed the capability gap with leading closed models. Chinese developers DeepSeek and Alibaba released their R1 and Qwen models, respectively, which achieved performance comparable to leading closed models, while OpenAI released its first open-weight models since 2019. The capabilities of leading closed models are now estimated to be less than one year ahead of leading open-weight models on prominent AI benchmarks.
• A key policy challenge is accessing the benefits open-weight models provide while managing their distinctive risks. One approach is to assess open-weight models in terms of their ‘marginal risk’: the extent to which their release counterfactually increases societal risk beyond that already posed by existing models or other technologies. However, this is complex in practice. Small increases in marginal risk over time can also add up to substantial increases in overall risk.

Open-weight models, whose parameters are publicly available for download, have distinct implications for many of the challenges discussed in the preceding sections. An AI model’s ‘weights’ contain the crucial information that allows it to generate useful responses for users. Once released, these weights cannot be recalled: anyone can download, study, modify, share, and use them on their own computers or cloud accounts. When weights are openly available, others can more easily build on and modify the model, serving diverse needs and driving innovation.1317 However, by the same mechanism, users with malicious intent can also more easily remove safeguards and modify open-weight models for harmful use cases.1122 1160 This has raised the question of whether some open-weight models should be held to special requirements (e.g. more rigorous testing before release) or, conversely, be given special exemptions (e.g. from regulatory reporting requirements).1033

Background on open-weight models

Open-weight models can be, but are not necessarily, ‘open source’ models

While often referred to as ‘open source’, most publicly released models are more accurately described as ‘open-weight’. This is because, while developers provide the model weights, they do not release the associated training code or datasets. Furthermore, open source software is usually characterised as having permissible licences that place minimal requirements on downstream actors that use or modify the software.1318 For example, Meta’s Llama models have restrictive licence conditions and only include inference code, not training code, and so are typically not considered to be open source.1319 Model release options exist on a spectrum from fully closed to fully open source, with different risk-benefit trade-offs at each point.1086 1320 1321 Table 3.9 describes these options.

Table 3.9: An illustrative selection of model sharing options, ranging from fully closed models (models are private and held only for proprietary use) to fully open and open source models (model weights, data, and code are freely and publicly available without restriction of use, modification, and sharing). Models falling in the first four categories are often referred to as ‘closed’. This section focuses on the three bottom rows. Source: adapted from Bommasani, 2024.1317

Benefits and risks

Open-weight models can be more easily customised and evaluated

Open-weight models offer significant benefits for research, innovation, and access. As discussed in §1.1. What is general-purpose AI?, training general-purpose AI models is extremely expensive – leading models cost hundreds of millions of dollars to develop. Openly releasing model weights allows less well-resourced actors to replicate, study, and build upon existing systems. Without such access, communities in low-resource regions risk exclusion from AI’s benefits, making open weights critical for enabling global majority participation in AI development.1322 Downstream developers can fine-tune models for diverse applications, for example, adapting them for underresourced minority languages or optimising performance for specific tasks such as legal drafting or medical note-taking.1323 1324 In this way, open-weight models can allow more people and communities to use and benefit from AI than would otherwise be possible.1325 In the case of models that are not capable enough to be dangerous, these benefits may outweigh the additional risk of releasing weights openly, though this depends on relevant decision-makers’ risk tolerance.

Open-weight release also broadens the pool of developers and researchers able to study the model, evaluate its capabilities, test for vulnerabilities, and iterate on improvements.1326 1327 This makes it more likely that beneficial applications and harmful flaws are identified, though this is not guaranteed.1328 1329 Users can also run open-weight models on their own devices, allowing them to maintain control over sensitive data and avoid sending it to third-party servers.

There are additional benefits when developers share information such as training data, code, evaluation tools, and documentation as well as model weights.1320 1330 1331 1332 With more information, downstream developers and other researchers can better understand open-weight models and adapt them to new applications.

Open-weight models’ safeguards are easier to remove, enabling potential malicious use

Open-weight models also pose additional risks because their safeguards are easier to remove. While both open-weight and closed models can have safeguards to refuse harmful user requests, these safeguards are much easier to remove for open-weight models. Malicious actors can fine-tune a model to optimise its performance for harmful applications, remove parts of the code designed to prevent harmful uses, or undo previous safety fine-tuning.1156 1160 1161 1333 1334 1335 1336 1337 1338 As a result, open model weights can exacerbate the misuse risks discussed in §2.1. Risks from malicious use by allowing more actors to leverage and augment existing capabilities for malicious purposes without oversight.1122 1315 Although many users will not have the skill or incentive to remove safeguards on open-weight models, highly motivated malicious actors are a concern. In addition, malicious actors may also be able to use open-weight models to identify vulnerabilities in similar closed models.1055 Such flaws are harder to find by running closed models alone, due to the greater control and monitoring measures that closed-model providers are able to implement.

Sharing model weights is irreversible

Once model weights are available for public download, there is no way to implement a wholesale rollback of all existing copies. Internet hosting platforms such as GitHub and Hugging Face can remove models from their platforms, making it difficult for some actors to find downloadable copies, and providing a significant barrier to many casual malicious users.1339 However, motivated actors can still obtain copies if the model has been downloaded and rehosted elsewhere or stored locally. Furthermore, downstream developers who integrate open-weight models into their systems also inherit any flaws, such as vulnerabilities to adversarial attacks (1055*) or model abilities to circumvent monitoring systems (see §2.2.2. Loss of control).1315 Unlike closed models where hosts can universally roll out fixes, open-weight model developers cannot guarantee that updates will be adopted by users.

Updates

Since the publication of the last Report (January 2025), the capability gap between leading open-weight and closed models has narrowed. Chinese developers have become particularly important providers of open-weight models. In January 2025, DeepSeek released its R1 model, which achieved performance comparable to OpenAI’s o1 on a number of benchmarks.1340 Alibaba’s Qwen models have similarly gained traction, occupying the top spot for an open-weight model on Chatbot Arena, a widely used performance benchmark, as of August 2025.1341 1342 In August 2025, OpenAI released its first open-weight models since the release of GPT-2 in 2019, gpt-oss-120b and gpt-oss-20b. Meta has continued releasing Llama models with open weights. The capabilities of the leading closed models are now estimated to be less than one year ahead of the leading open models on prominent AI benchmarks (Figure 3.10).

Figure 3.10: Epoch Capabilities Index (ECI) scores of top-performing open-weight (dark blue) and closed (light blue) models over time. The ECI combines scores from 39 benchmarks into a single general capability scale. The best open-weight models lag approximately one year behind closed models. Source: Epoch AI, 2025.1343

Evidence gaps

A key evidence gap concerns the real-world efficacy of technical solutions to prevent the misuse of open-weight models. Researchers have proposed various approaches to make models tamper-resistant. This includes new training techniques designed to make models resistant to harmful modification,1276 filtering harmful content from training data,55 and defences against jailbreaks.675 676 These techniques are now being adopted in real-world releases from major developers. For example, OpenAI employed some of these techniques in their gpt-oss models, reporting that adversarially fine-tuned versions did not reach high capability thresholds.1344 However, research has shown that bad actors can disable safeguards by retraining models on harmful examples.1345 1346 Furthermore, it is still challenging to reliably evaluate safeguards’ robustness, making their effectiveness against real-world attacks uncertain.1159

Mitigations

Technical mitigations for open-weight model risks operate throughout the AI development and deployment process.1141 1195 1347 For example, when models are being developed, developers and downstream adapters can filter sensitive content from the training data to minimise harmful capabilities. Removing harmful examples from a model’s training data can prevent adversarial fine-tuning 10 times more effectively than defences added after training, though it may also impact beneficial capabilities.55 AI application providers can also implement incident reporting and response mechanisms.1348

Additionally, hosting platforms such as HuggingFace and GitHub can establish platform terms of service to remove models modified for harmful purposes.1141 1324 Model developers can provide full access to auditors prior to release, or opt for a ‘staged’ release strategy – releasing models to progressively larger groups.1086 This can help identify potential malfunctions or vulnerabilities before a model is widely available.1161 1286

Box 3.1: Model weight security

The risks discussed in this section assume model weights are released intentionally. However, closed model weights can also become accessible through theft or leakage. Closed models cost hundreds of millions of dollars to develop (§1.1. What is general-purpose AI?) and, on average, are more capable than open-weight models.1343 This makes them attractive targets for actors ranging from amateur hackers to nation-states seeking to obtain leading AI models.

Stolen closed model weights would pose risks similar to those described above for open-weight models, but potentially without any of the mitigations. Malicious actors could remove safeguards from the most capable models. Unlike legitimate developers, such actors would not face the reputational, legal, or commercial constraints that currently incentivise frontier AI companies to deploy their models safely.

Current security levels vary across the industry, and may be insufficient against sophisticated attackers. Some developers commit to securing model weights against cybercrime syndicates and insider threats,582 while others have made no public security commitments.1109 1349 Research indicates that AI data centres may be unable to withstand attacks from the most sophisticated and well-resourced actors.582 1350 1351 As of December 2025, there are no confirmed, publicly documented instances of model weight theft. However, other security breaches at leading AI companies have been reported, including an infiltration of Microsoft’s email systems.1352

Closing these security gaps would require substantial investments in hardware, software, personnel, and facility security. Some security enhancements could be implemented relatively quickly with coordinated effort.1122 Other critical measures, however, such as securing hardware supply chains and facilities, would likely take years.1122 Private companies may also lack the resources or information to develop adequate protections alone. For example, AI developers do not have the access to classified threat intelligence that governments do.1349 1353

Challenges for policymakers

A key challenge for policymakers is securing the benefits of open-weight model sharing without significantly increasing risk. To avoid catastrophic harm, developers of open-weight models should not release models without evaluating risks, both using established assessment methods used for closed models, as well as additional testing, given that bad actors can fine-tune models and remove safety protections. In practice, this may be difficult because capability developments can be unpredictable, open-weight releases are irreversible, and evaluation efforts are needed to predict when a release would pose significant potential harm. One approach is to evaluate the ‘marginal risk’ of open releases: the extent to which the release counterfactually increases societal risk beyond that already posed by existing models or other technologies556 1033 1354 1355 (see §3.2. Risk management practices). However, estimating how a system will increase or decrease downstream risk after it has been deployed is complex and context-dependent. Incremental increases in risk with successive releases can compound over time into substantial increases in total risk, even if the marginal risk associated with each release appears acceptable.1356 1357 The dual-use nature of AI capabilities further complicates governance: features enabling beneficial applications in medicine or research can be repurposed for harm, and once weights are public, distinguishing legitimate from malicious uses can be difficult. It is also unclear who should be held accountable when open-weight models are modified for harmful purposes.

3.5. Building societal resilience

Key information

• ‘Societal resilience’ refers to the ability of societal systems to resist, absorb, recover from, and adapt to shocks and harms. Technical safeguards may fail in deployment, and some risks emerge only in novel deployment contexts, interactions with other societal systems, or cascading effects beyond any developers’ control. AI resilience efforts complement risk management practices and technical safeguards, adding a defence-in-depth layer at the societal level.
• Resilience-building measures can be implemented by different actors in various sectors. For risks from general-purpose AI, examples of resilience-building measures include DNA synthesis screening (for AI-enabled biological risks), incident response protocols (for AI-assisted cyberattacks), media literacy programmes (for harms from AI-generated content), and human-in-the-loop frameworks (for reliability and control challenges).
• Current AI resilience efforts are uneven and largely untested. Some measures, such as cybersecurity incident response protocols, are relatively mature. Others, such as AI-generated content detection algorithms, remain nascent. Little concrete evidence exists on the effectiveness of most measures in an AI context, and appropriate interventions vary by geographic, linguistic, and socioeconomic context.
• Since the publication of the last Report (January 2025), preliminary funding and data-collection efforts related to resilience have increased. For example, industry-linked initiatives have announced funding commitments in the tens of millions of dollars, while some government-led initiatives have placed greater emphasis on the systematic collection of data on serious AI incidents.
• A key challenge for policymakers is deciding whether or how to incentivise, fund, develop, and evaluate resilience-building measures. AI itself can strengthen resilience through defensive applications, but the balance between offensive and defensive AI capabilities remains uncertain. Evidence on how these capabilities interact remains limited, though research indicates that their relative balance shapes overall system resilience.

‘Resilience’ is the ability of societal systems to resist, absorb, recover from, and adapt to shocks and harms associated with general-purpose AI. Proactively building resilience can help create an ecosystem for safe and beneficial adoption and diffusion. Resilience represents a ‘defence-in-depth’ approach to AI risks, layering multiple interventions to avoid over-dependence on any single safety measure. It complements organisational risk management practices (see §3.2. Risk management practices) and technical safeguards (see §3.4. Open-weight models) to fortify societies against AI-related harms. Ultimately, risks from AI systems emerge not only from an AI model in isolation, but also from its interactions with resources, individuals, organisations, institutions, and technologies.904 905 1358 As general-purpose AI systems increasingly interact within broader social, technical, and institutional infrastructure, they may create new and unpredictable risks that current safety measures alone cannot prevent.953 993 1359

Even when technical safeguards mitigate narrowly defined harms, risks can emerge from the complex interactions between AI systems and societal infrastructure. Safeguard effectiveness becomes uncertain amidst real-world complexity,1360 when AI models interact with other models, tools, environments, actors, and networks.1361 As AI systems are deployed widely across networks of users, institutions, and other AI systems, risks may arise unpredictably from their interactions100 614 651 (see §2.2.1. Reliability challenges). Research from other domains – including disaster risk reduction, climate, health, and enterprise – suggests that resilience-building measures can reduce vulnerability to technological system failures, and improve recovery outcomes.1362 1363 1364 1365 1366

Resilience-building measures

Resilience-building measures fall into four categories, grouped by function (Figure 3.11):

• Resistance measures reduce the likelihood or severity of a shock before it occurs
• Absorption measures enable societal systems to maintain critical functions during a shock
• Recovery measures help restore normal function after a shock occurs
• Adaptation measures transform societal systems to reduce vulnerability to future shocks.1367 1368

Figure 3.11: Building resilience involves reducing the likelihood or severity of a shock before it occurs (Resist). If a shock occurs, resilience-building measures include absorbing the shock by maintaining critical functions (Absorb), recovering from harms and disruptions (Recover), and reducing the vulnerability to future shocks (Adapt). Source: International AI Safety Report 2026.

The above categories are not mutually exclusive and often overlap: a single measure may serve multiple functions simultaneously and iteratively. Resilience-building measures can target specific risks or apply broadly across multiple domains. The range of AI-related risks requiring resilience spans AI-enabled biological and chemical attacks (see §2.1.4. Biological and chemical risks) to large-scale societal challenges such as labour market risks (see §2.3.1. Labour market impacts).

Table 3.10 shows examples of resilience-building measures for biological and chemical attacks (see §2.1.4. Biological and chemical risks), cyberattacks (see §2.1.3. Cyberattacks), synthetic media and crime (see §2.1.1. AI-generated content and criminal activity), influence and manipulation (§2.1.2. Influence and manipulation), and cross-cutting measures that may apply to many risk domains. The examples demonstrate how approaches from other domains can inform AI resilience strategies.

Table 3.10: Examples of resilience-building measures for biological and chemical, cyber, synthetic media, influence and manipulation, and cross-cutting risks. Examples in this table draw from historical precedents of non-AI-enabled risks.

Evidence on the effectiveness of resilience-building measures for AI is sparse

Little concrete evidence or research exists on the effectiveness of these resilience-building measures in an AI context. Education is one example of a cross-cutting intervention that may be relevant to societal capacity to anticipate and respond to AI-related risks. However, understanding the appropriateness and value of any resilience-building measure requires further analysis of the foreseen harm and the pathways by which it may occur. The context and the geographic, linguistic, and socioeconomic characteristics of relevant communities will also impact the efficacy and appropriateness of resilience-building measures.1397 1398 1399

Effective resilience measures require iterative development

Iterative frameworks, such as the one shown in Figure 3.12, can be used to structure discussion of resilience-building measures across four functions. In the context of labour market and inequality risks (see §2.3.1. Labour market impacts), for example, resistance measures could include anticipatory skill monitoring mechanisms to flag at-risk occupations, and expanded digital infrastructure to ensure broad access to AI-enabled opportunities. Absorption measures could include public–private training partnerships and unemployment insurance to support workers through AI-related job transitions. Recovery measures might include reskilling and redevelopment programs, and adaptation measures could include lifelong-learning programmes.1400 1401 1402 1403 1404

Figure 3.12: Resilience-building is an iterative process and benefits from evidence-driven implementation. It involves forecasting, piloting, and evaluating resilience-building measures, as well as measuring outcomes post-deployment, as illustrated by an observe-orient-decide-act (OODA) feedback loop. Source: Enck, 2012.1405

Resilience efforts have cascading impacts

Resilience-building measures interact across domains. Unaddressed brittleness in one domain may create or exacerbate vulnerabilities elsewhere. For example, in the aftermath of Hurricane Sandy in New York in 2012, though airports resumed operations relatively quickly, road and rail delays prevented airline employees from getting to work, resulting in continued air delays.1392 On the other hand, in a positive scenario, an integrated approach to resilience between domains can strengthen societal resilience overall, as resilience-building measures reinforce each other. For instance, collecting and sharing data across societal systems and domains can support scenario analysis of emergent behaviour, while real-time information sharing can enable more adaptive responses.1392 1406

AI itself can strengthen societal resilience

The same capabilities that can pose risks can also help strengthen societies’ defences. For example, AI systems can support cyber defence through enhancing large-scale anomaly detection, malware classification, and phishing attacks prevention.1407 1408 1409 Similarly, AI systems can combat risks related to AI-generated content by strengthening deepfake detection and digital watermarking tools1410 1411 (see §3.3. Technical safeguards and monitoring). Across different risks, evidence indicates that AI could help enhance emergency, crisis, and disaster management by increasing the accuracy, speed, and efficiency of forecasting, monitoring, and response efforts.1390 1412

Emerging general-purpose AI capabilities point toward even more sophisticated resilience applications. For example, AI could help counter biological and chemical risks by accelerating potential medical countermeasure research and development.1413 1414 Research indicates that general-purpose AI systems may also support early detection, rapid response, and containment of biological threats.1370 Recent work shows that AI agents can identify software vulnerabilities, including previously undiscovered security flaws (known as zero-day vulnerabilities), which can facilitate defensive actions such as early patching.1415 1416 1417 For example, Google’s Big Sleep AI agent, a tool to help security researchers find zero-day vulnerabilities, reportedly directly foiled efforts to exploit a vulnerability in the wild in 2025.1418 Further, AI demonstrates potential to efficiently address the large problem of converting highly vulnerable, legacy computer code into more secure forms.1419

Beyond domain-specific applications, AI may enhance resilience by strengthening institutions and public administration. This can support societies’ ability to anticipate threats, resist shocks, and adapt to new challenges.1420 For example, some research anticipates that AI could transform democratic institutions by enhancing transparency, reducing monitoring and compliance costs, enabling coordination, and strengthening identity verification systems.1421 1422 Just as the internet enabled new business models and social platforms, AI could facilitate new approaches to citizen engagement, institutional decision-making, and cross-cultural collaboration.1423 AI furthermore has the potential to strengthen government functions when human capacity is overwhelmed, restructure government machinery to operate at unprecedented scales and speeds, and help enable continuous democratic input.1421

Leveraging AI for resilience requires managing the offence-defence balance

Leveraging AI for resilience, however, does not come without risks. Due to its dual-use nature, developing AI capabilities to defend against AI-enabled threats may simultaneously accelerate offensive capabilities. This may, in turn, shift the offence-defence balance (the relative advantage between attackers and defenders) in sometimes unpredictable ways.496 1424 When the balance shifts toward defence, harms become less likely and less severe, but when it shifts toward offence, harms become more likely or more damaging. For example, tools for software vulnerability detection may also help malicious actors identify and exploit attack vectors.444 496 1419 1425 AI systems that enhance government legibility by analysing vast data streams could also enable surveillance and social control.1421 In biosecurity, one study suggests that offence is currently favoured, and AI may tilt this balance further.1424 Well-intentioned AI research for resilience may therefore inadvertently exacerbate risks.444

Many open questions remain on how to steer the offence-defence balance towards safety.444 496 1326 1424 1425 Policymakers, investors, and researchers have to weigh whether defensive AI developments will provide a net security benefit or whether they risk unfavourably tilting the balance.444 This assessment requires them to anticipate not just the immediate value of defensive technologies, but also their potential to enable new forms of harm.

Researching, incentivising, and funding resilience

Although societal resilience can generate broad benefits, these benefits are diffuse, which can lead individual stakeholders to underinvest. As a result, efforts to strengthen resilience often involve coordination across stakeholders with differing incentives.1426 The literature discusses a range of ways in which policymakers may influence investment in resilience-building measures, drawing on their regulatory authorities and institutional capacities.1349 1392 1427 1428 1429 1430 1431 These include so-called ‘positive’ incentives such as advanced market commitments, tax credits, public procurement policies, and reduced regulatory hurdles to enhance private actors’ incentives to develop resilience-building measures.1426 1431 1432 1433 ‘Negative’ incentives, on the other hand, such as liability frameworks and insurance markets, relate to how the costs of potential harms are distributed and how investment in resilience-building measures is shaped.940 1434 1435

Government agencies, industry, and philanthropic donors have played roles in supporting resilience research and activities that markets may underprovide. Historically, for example, the Defense Advanced Research Projects Agency (DARPA) in the US contributed to key advances in the creation of the internet, synthetic biology, and carbon nanotubes.1436 Currently, DARPA funds the TRACTOR (Translating All C TO Rust) project, which seeks to eliminate memory safety vulnerabilities and boost cybersecurity.1437 Private initiatives such as the $2 million Microsoft and OpenAI Societal Resilience Fund provide catalytic funding for research on techniques including, for example, watermarking for AI-generated media and education campaigns about risks.1438 Meanwhile, the non-profit OpenAI Foundation pledged $25 billion to causes including technical solutions to AI resilience.1439 Competitions and prizes can also advance resilience research.1431 For example, in the AI Cyber Challenge, top AI companies collaborate with the US Government to develop AI systems that secure critical software infrastructure.1440 Government agencies can also convene frontier AI companies and incentivise them to provide, for example, early and discounted AI model access for AI-enabled resilience-building efforts.1426

Evidence-gathering often depends on coordinated ecosystems with substantial investment in data infrastructure and access protocols. Building up a stronger evidence base of pre-deployment evaluations (see §3.2. Risk management practices), post-deployment monitoring, and incident reports can enable forecasting, piloting of resilience-building measures, continuous assessment, and iteration, as illustrated in Figure 3.12.869 1441 Legal and operational pathways for data-sharing between AI developers, critical infrastructure operators, and public authorities across borders can facilitate this process. AI itself can enhance evidence collection by improving data quality and automating analysis.

Understanding baseline characteristics of societies and their preparedness for risk can also support the design, piloting, and evaluation of resilience-building measures.1358 Perceptions of risk and preparedness can vary widely across different regions (Figure 3.13 for an example regarding cyber resilience). Community characteristics including, for example, digital infrastructure, technological literacy, institutional capacity, regulatory frameworks, cultural norms, linguistic characteristics, and AI deployment patterns, may all inform the best approaches to particular interventions. Several governments have engaged in resilience assessments in other domains, including on critical infrastructure and community resilience.1442 1443

Figure 3.13: Data from the World Economic Forum’s Global Cybersecurity Outlook, which surveyed 409 respondents from 57 countries regarding their perceptions of preparedness for cyberattacks against critical infrastructure. Source: World Economic Forum, 2025.452

Updates

Since the publication of the last Report (January 2025), actors have committed preliminary funding to resilience efforts. For example, the OpenAI Foundation pledged $25 billion to causes including technical solutions to AI resilience,1439 while OpenAI itself committed $50 million to support initiatives including AI literacy and public understanding, community innovation, and economic opportunity.1444 1445 Anthropic announced $10 million for rigorous research and policy ideas on AI’s economic impact.1446 The UK AI Security Institute awarded seed grants of up to £200,000 for projects focused on safeguarding societal systems, totalling up to £4 million.1447 At the same time, these known resilience investments remain small relative to overall AI investment: private investment in generative AI alone totalled $33.9 billion in 2024, and infrastructure commitments such as OpenAI’s Stargate Project involve pledges of $500 billion over four years.255 1448

In addition to funding, data-collection efforts have increased. AI developers including Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral AI, and OpenAI, have signed the EU AI Act Code of Practice, a non-binding governance instrument (see §3.2. Risk management practices). Signatories commit to systematically tracking, documenting, and reporting serious incidents to the EU AI Office, all of which may strengthen the knowledge base for effective resilience strategies.965 It remains too early to assess the impact on resilience of the Code, which will come into full enforcement in mid-2026.

Evidence gaps

The main evidence gaps for resilience are the limited information on risks of general-purpose AI and limited evidence on the effectiveness of resilience-building measures. While AI evaluations have gained traction through voluntary commitments and policy,965 1116 methodologies to measure the capabilities and risks of general-purpose AI systems are nascent.224 1449 1450 Evidence remains particularly sparse for emerging risks arising from AI systems’ interactions with technical, social, and institutional systems, such as financial, educational, or healthcare systems, where unexpected failures may occur. Several AI companies have begun to release post-deployment usage data,117 1451 but research gaps remain. Without clear understanding of which risks are most likely or consequential, designing targeted resilience-building measures is difficult.1392 1427 Even when risks are better understood, evidence on the effectiveness of resilience-building measures remains limited. To date, many resilience-building measures for AI are at an early stage of development or lack systematic evaluation.

Challenges for policymakers

For policymakers, key challenges in building resilience include making decisions about incentivising, funding, developing, and evaluating resilience-building measures; and evaluating offence-defence balance trade-offs. AI developers currently only internalise some of the potential cost of risks of general-purpose AI1349 and have limited incentives and ability to invest in resilience-building measures. This is associated with a funding gap: known resilience investments remain limited relative to the potential scale of the risks. Policymakers face questions about whether and how incentives should be shifted across stakeholders, and about the extent to which the financial burden of resilience-building measures is borne by governments. They also face challenges in assessing offence-defence trade-offs: general-purpose AI systems can support resilience-building in domains such as cybersecurity and biosecurity, but the same capabilities may also accelerate offensive risks in those domains.

This Report provides a scientific assessment, guided by over 100 experts from more than 30 countries and international organisations, of general-purpose AI: a rapidly evolving and highly consequential technology. Contributors differ in their views on how quickly capabilities will improve, how severe risks may become, and the extent to which current safeguards and risk management practices will prove adequate. On core findings, though, there is a high degree of convergence. General-purpose AI capabilities are improving faster than many experts anticipated. The evidence base for several risks has grown substantially. Current risk management techniques are improving but insufficient. This Report cannot resolve all underlying uncertainties, but it can establish a common baseline and an approach for navigating them.

A year of change

Regular scientific assessment allows for changes to be tracked over time. Since the first International AI Safety Report was published in January 2025, multiple AI systems have solved International Mathematical Olympiad problems at gold-medal level for the first time; reports of malicious actors misusing AI systems for cyberattacks have become more frequent and detailed, and more AI developers now regularly publish details about cyber threats; and several developers released new models with additional safeguards, after being unable to rule out the possibility that they could assist novices in developing biological weapons. Policymakers face a markedly different landscape than they did a year ago.

The core challenge

A number of evidence gaps appear repeatedly throughout this Report. How and why general-purpose AI models acquire new capabilities and behave in certain ways is often difficult to predict, even for developers. An ‘evaluation gap’ means that benchmark results alone cannot reliably predict real-world utility or risk. Systematic data on the prevalence and severity of AI-related harms remains limited for most risks. Whether current safeguards will be sufficiently effective for more capable systems is unclear. Together, these gaps define the limits of what any current assessment can confidently claim.

The fundamental challenge this Report identifies is not any single risk. It is that the overall trajectory of general-purpose AI remains deeply uncertain, even as its present impacts grow more significant. Plausible scenarios for 2030 vary dramatically: progress could plateau near current capability levels, slow, remain steady, or accelerate dramatically in ways that are difficult to anticipate. Investment commitments suggest major AI developers expect continued capability gains, but unforeseen technical limits could slow progress. The social impact of a given level of AI capabilities also depends on how and where systems are deployed, how they are used, and how different actors respond. This uncertainty reflects the difficulty of forecasting a technology whose impacts depend on unpredictable technical breakthroughs, shifting economic conditions, and varied institutional responses.

The value of shared understanding

The trajectory of general-purpose AI is not fixed: it will be shaped by choices made over the coming years by developers, governments, institutions, and communities. This Report is not prescriptive about what should be done. By advancing a shared, evidence-based understanding of the AI landscape, however, it helps ensure that those choices are well-informed and that key uncertainties are recognised. It also allows policymakers in different jurisdictions to act in accordance with their community’s unique values and needs while working from a common, scientific foundation. The value of this Report is not only in the findings it presents, but in the example it sets of working together to navigate shared challenges.