⚡ Quick Summary
This report is the AI Security Institute’s first public synthesis of two years of frontier model evaluations across cyber, chemistry & biology, autonomy, safeguards, loss-of-control risks, and societal impacts. It documents a sharp acceleration in AI capabilities, with multiple domains now exceeding PhD-level or expert human performance, and task horizons doubling roughly every eight months. At the same time, it shows that safeguards are improving unevenly, remain brittle under expert attack, and do not automatically scale with model capability. The report is not a forecast or benchmark of specific models, but a trend-focused, evidence-driven snapshot aimed at policymakers, developers, and safety researchers who need to reason about near-term risk, misuse, and governance gaps.
🧩 What’s Covered
The report opens with a clear methodological framing: AISI evaluates over 30 frontier systems using task-based benchmarks, long-form tasks, agent environments, red-teaming, and human-impact studies. The focus is on trends, not naming or ranking vendors.
A major section is dedicated to agentic capabilities. The data shows that AI systems can now autonomously complete software tasks that would take human experts over an hour, with success rates exceeding 40% by mid-2025. Cyber task horizons and autonomy both show exponential-like growth, with task length doubling approximately every eight months. Scaffolding and tool access emerge as decisive factors: well-designed agent scaffolds can outperform newer base models, sometimes by large margins.
In chemistry and biology, the report documents a clear crossing of expert baselines. Models outperform PhD-level experts on open-ended QA, protocol generation, and troubleshooting. Notably, AI-generated experimental protocols became practically feasible in late 2024, and troubleshooting performance now exceeds human experts by up to 90%. Multimodal models can interpret lab images and provide PhD-level advice, significantly lowering barriers to wet-lab competence. These advances are framed explicitly as dual-use, with implications for both scientific acceleration and misuse risk.
Cyber capabilities show a similar pattern. Models now reliably complete apprentice-level tasks and have begun to succeed on expert-level challenges requiring over a decade of human experience. However, performance drops sharply in long, multi-stage cyber range scenarios, indicating that end-to-end autonomy remains fragile. Improved scaffolding again significantly raises performance and efficiency, suggesting that current evaluations may underestimate real-world ceilings.
Safeguards are examined in depth. AISI finds universal jailbreaks for every system tested, although the effort required has increased for some leading models, especially in biological misuse domains. Crucially, safeguard robustness varies widely across providers, misuse categories, and access types. There is little correlation between model capability and safeguard strength; robustness is primarily driven by investment and design choices, not intelligence alone. Open-weight models are highlighted as particularly difficult to defend.
The report also explores loss-of-control risks, focusing on self-replication and sandbagging. Success rates on simplified self-replication tasks rose from under 5% in 2023 to over 60% by 2025, though real-world replication remains unlikely. Sandbagging can be induced in controlled settings, but no evidence of spontaneous sandbagging was found in thousands of evaluation runs. Detection methods exist but degrade as tasks become more complex.
Finally, societal impacts are assessed. The report documents growing persuasive power of conversational AI, increasing emotional reliance by users, and early signs of AI agents being entrusted with high-stakes actions such as financial transfers. While AI use for political information does not yet outperform internet search in spreading misinformation, the direction of travel is clear and monitored closely.
💡 Why it matters?
This report provides one of the clearest empirical foundations currently available for AI governance discussions. It shows that capability growth is not speculative but measurable, rapid, and already surpassing human experts in sensitive domains. At the same time, it demonstrates that safeguards, evaluations, and governance mechanisms are lagging and uneven. For regulators and risk owners, the key insight is that capability alone is a poor proxy for safety, and that governance must explicitly account for scaffolding, access models, and deployment context.
❓ What’s Missing
The report deliberately avoids naming models or developers, which strengthens neutrality but limits operational benchmarking. Economic impacts, labour displacement, and environmental effects are largely out of scope. While societal impacts are explored, they remain early-stage and UK-centric. The report also acknowledges that it may underestimate real-world capability ceilings due to limited access to fine-tuning APIs, inference-time compute, and bespoke scaffolding.
👥 Best For
Policymakers working on AI safety and national security, AI governance and risk professionals, frontier model developers, red-teamers and evaluators, and researchers focused on misuse, autonomy, and loss-of-control risks.
📄 Source Details
Published December 2025 by the UK AI Security Institute. Based on evaluations conducted from 2023–2025 across more than 30 frontier AI systems, combining internal testing with selected external benchmarks.
📝 Thanks to
The AI Security Institute research team and contributors for producing a rare, methodologically transparent view into frontier AI capability trends and their governance implications.
