A striking visual representing the dual-use nature of molecular AI — the same system navigating between therapeutic and toxic molecular space.

Artificial IntelligenceBiosecurityMachine Learning

An AI Designed 40,000 Potential Chemical Weapons in Six Hours. I Can't Stop Thinking About What That Means.

Ashutosh Singhal March 4, 202614 min read

I was sitting in a hotel room in Zurich, jet-lagged and half-reading a paper on my laptop, when a single table stopped me cold.

40,000 molecules. Less than six hours. A consumer-grade server — the kind you'd find in a college dorm. And the output wasn't junk. The model had rediscovered VX, one of the deadliest nerve agents ever synthesized, and then gone further — generating thousands of novel analogues predicted to be more lethal than VX itself. Compounds that appear in no public database. That exist on no government watchlist.

The researchers at Collaborations Pharmaceuticals hadn't built a weapon. They'd taken a commercial drug discovery model called MegaSyn — a tool designed to find cures for rare diseases — and changed a single sign in its reward function. From minus to plus. Penalize toxicity became maximize toxicity. That was it. One line of code, and the machine pivoted from healer to weapon designer with the same fluency.

I closed the laptop and stared at the wall for a long time.

I run Veriprajna, a company that builds AI systems for high-stakes enterprise environments. We work at the intersection of deep learning and domains where getting it wrong doesn't mean a bad recommendation — it means real, physical harm. That night in Zurich, I realized that the entire safety paradigm the AI industry was selling — the guardrails, the content filters, the prompt engineering tricks — was built on a foundation of sand. And I knew we had to do something fundamentally different.

The Experiment That Should Have Changed Everything

Here's what haunts me about the Collaborations Pharmaceuticals experiment: it wasn't hard.

The team used an LSTM-based neural network trained on SMILES strings — a text-based representation of molecular structures. The training data came from ChEMBL, a publicly available database that any graduate student can download. The compute cost was trivial. The entire architecture is well-documented in open literature.

The model worked by generating candidate molecules and scoring them against an objective function. In its normal therapeutic mode, that function looked something like: reward bioactivity, penalize toxicity. The researchers inverted the penalty. The generator itself — the engine that actually creates molecules — was never modified. It just followed the new gradient, climbing toward maximum lethality the same way it had previously climbed toward maximum therapeutic value.

If a model understands what makes a molecule safe, it by definition understands what makes it unsafe. These are complementary regions of the same mathematical space.

This isn't a bug. It's the architecture working exactly as designed. And that's the terrifying part.

The barrier to entry for designing sophisticated biochemical agents has collapsed — not because someone leaked a recipe, but because the computational intelligence to design them is now democratically available. A consumer GPU. A Python script. An open-source dataset. That's the full shopping list.

Why Does Every AI Safety Solution Miss the Point?

Side-by-side comparison showing why surface-level text filters fail against molecular representations — keyword blocking vs. SMILES string bypass.

After Zurich, I spent weeks talking to teams building "safe AI" for pharma and biotech. The conversations followed a depressing pattern.

"We have guardrails," they'd say. "We filter the outputs."

I'd ask: what happens when someone submits a SMILES string instead of a molecule name?

Blank stares.

Here's the problem with the entire wrapper-based safety paradigm — the approach where you take a powerful model, wrap it in a thin layer of content filtering, and call it enterprise-ready. These systems operate on language. They look for keywords. They check outputs against lists of known bad things.

But toxicity isn't a word. It's a geometry.

A content filter will block the word "Sarin." It will not block O=P(C)(F)O — the SMILES representation of Sarin that the model understands perfectly. Recent research on SMILES-prompting attacks has shown bypass rates exceeding 90% against leading models like GPT-4 and Claude 3 for specific substances. Ninety percent. That's not a safety system. That's a suggestion box.

And it gets worse. In medicinal chemistry, there's a phenomenon called an "activity cliff" — where a tiny structural change, sometimes a single atom substitution, causes a massive shift in biological activity. Replace a hydroxyl group with a fluorine atom and a safe drug becomes lethal. A text-based filter that sees two molecules as 99% similar will wave the dangerous one through, because it's comparing syntax, not function. It's like approving a document because the font looks right without reading the words.

I wrote about these technical vulnerabilities in depth in the interactive version of our research, but the core insight is simple: if your safety mechanism operates at the surface of the model — on the text that goes in and the text that comes out — you've left the actual engine of creation completely ungoverned.

The Night We Realized We Were Thinking About It Wrong

There was a moment — I remember it precisely because my CTO and I were arguing at 11 PM over cold pizza — when the whole problem reframed itself for us.

We'd been trying to build better filters. Smarter classifiers. More comprehensive blocklists. And every time we stress-tested them, we found another way around. Another encoding trick. Another edge case where a novel molecule slipped through because it wasn't in any database.

My CTO said something that stopped the argument: "We keep trying to catch bad outputs. What if we made it impossible for the model to think them in the first place?"

That's when we started talking about latent space.

What Is Latent Space, and Why Should You Care?

Annotated diagram showing the entanglement of toxic and therapeutic regions in a model's latent space, illustrating why you can't simply wall off the dangerous zone.

Every generative AI model — whether it's creating images, text, or molecules — works by compressing the world into a mathematical space. This compressed representation is called the latent space. Think of it as the model's internal imagination. When a molecular generator "designs" a new drug, it's not randomly assembling atoms. It's navigating a high-dimensional landscape where similar molecules cluster together and generation is the act of picking a point on that landscape and decoding it back into a real structure.

Here's what matters: in this landscape, toxicity isn't a label. It's a region. A continuous, sprawling territory that bleeds into and entangles with the regions representing therapeutic value. The features that let a drug cross the blood-brain barrier to treat Alzheimer's are often the same features that let a nerve agent reach its target and cause paralysis. High binding affinity — a molecule's ability to grip a protein tightly — is exactly what you want in a cancer drug and exactly what makes VX lethal.

Toxicity and therapeutic value aren't opposite sides of a coin. They're neighbors on the same manifold, sharing a fence and sometimes a front door.

This entanglement is why simple "refusal" mechanisms fail catastrophically. If you tell the model to block everything associated with toxicity — say, all molecules that penetrate the blood-brain barrier — you don't just block weapons. You destroy the model's ability to design treatments for neurological diseases. You've performed a lobotomy in the name of safety.

The real challenge isn't blocking bad outputs. It's navigating the safe regions of this landscape while making the dangerous regions mathematically unreachable.

What Does "Latent Space Governance" Actually Look Like?

Process diagram showing the three-layer Latent Space Governance mechanism — topological audit, constraint critics, and gradient steering — as a pipeline.

We coined the term Latent Space Governance to describe what we believe is the only defensible approach to AI safety in high-stakes generative domains. The idea is deceptively simple: instead of filtering outputs after the model generates them, constrain the model's navigation of its internal landscape before anything is ever produced.

I'll walk through what this means in practice, because the devil is in the implementation.

Mapping the Terrain Before Anyone Moves

Before we deploy any generative model, we perform what we call a topological audit. Using a technique called Persistent Homology — a branch of Topological Data Analysis — we compute a mathematical fingerprint of the safe regions of the model's latent space. We identify the shapes, holes, and boundaries that separate therapeutic territory from toxic territory.

This gives us something no blocklist ever could: a structural understanding of what "safety" looks like in the model's own geometry. When a novel molecule is generated — something that appears in no database — we can assess whether it sits on the safe manifold or has drifted into uncharted, potentially dangerous territory.

The Critics That Never Sleep

We don't retrain the base generative model. That's expensive, risks catastrophic forgetting, and creates its own problems. Instead, we train lightweight auxiliary networks we call Constraint Critics — value functions that operate directly on latent vectors and predict risk scores in real time.

The architectural elegance here matters: because the Critics are decoupled from the generator, we can update them as new threats emerge without touching the foundation model. When a new class of chemical concern is identified, we retrain the Critic, not the entire system.

Steering, Not Filtering

During generation, when the model samples a point in latent space, the Critic calculates the gradient of the toxicity surface at that point. If the trajectory is heading toward a dangerous region, an opposing gradient nudges it back onto the safe manifold — using a technique based on Langevin Dynamics.

The model effectively "imagines" a toxic molecule but is mathematically forced to resolve that thought into a safe analogue before any output is produced. Nothing dangerous ever reaches the output layer. There's nothing to filter because there's nothing unsafe to catch.

The model doesn't generate a weapon and get stopped at the door. It's architecturally incapable of walking toward the door in the first place.

This is the difference between post-hoc filtering and structural constraint. One is a security guard checking IDs. The other is a building with no entrance to the restricted floor.

For the full mathematical formulation — including the constrained optimization framework and gradient steering equations — see our technical deep-dive.

Why Can't You Just Block the Dangerous Regions Entirely?

People ask me this constantly, and it's a fair question. If you know where the toxic manifold is, why not just wall it off completely?

Because of entanglement. Remember — the features that make a nerve agent deadly overlap significantly with the features that make a neurological drug effective. If you wall off too aggressively, you destroy therapeutic utility. If you wall off too loosely, you leave gaps.

Our approach threads this needle through what we call Constrained Reinforcement Learning with Adaptive Incentives. Instead of a binary wall — safe/unsafe — we implement a gradient buffer zone. As the model approaches the toxicity boundary, an increasing penalty pushes it back, like a force field that gets stronger the closer you get. This allows the model to explore the productive edges of chemical space — where the most innovative drugs often live — without ever crossing into danger.

Standard constrained RL is notoriously unstable, oscillating around the constraint boundary. We solved this with an adaptive incentive mechanism that rewards the model for staying well within bounds, not just for not crossing them. The difference sounds subtle. In practice, it's the difference between a system that's safe on paper and one that's safe under adversarial pressure.

The Regulatory Reckoning Is Already Here

I talk to a lot of founders who treat AI safety as a nice-to-have. A checkbox for the compliance team. Something to worry about after product-market fit.

They're wrong, and the regulatory landscape is about to prove it.

The White House Executive Order on AI explicitly identifies the risk of AI lowering barriers to CBRN (Chemical, Biological, Radiological, Nuclear) weapon development as a tier-one national security threat. The Genesis Mission, launched in late 2025, directs the Department of Energy to build an integrated AI platform for scientific discovery with mandatory "risk-based cybersecurity measures." NIST's Generative AI Profile (NIST.AI.600-1) specifically calls out Chemical and Biological Design Tools as a unique risk category, warning that these tools "may predict novel structures" not present in training data. And ISO 42001 — the first international management system standard for AI — demands proven robustness against adversarial attacks.

A wrapper cannot demonstrate that it prevents the creation of biological threats. It can only show that it tries to filter them. That "best effort" distinction will matter enormously when federal contracts, ISO certification, and regulatory approval are on the line.

Our structural constraints provide something fundamentally different: proof of bounded behavior. We can demonstrate to regulators — mathematically — that the CBRN manifold is inaccessible to our models. Not "we try to block it." Not "we haven't seen it get through yet." Inaccessible.

An Investor Told Me to "Just Use GPT and Add Filters"

I want to share this because I think it captures the gap between where the industry is and where it needs to be.

Early in our fundraising, an investor — someone with a strong portfolio in enterprise AI — listened to our pitch and said, essentially: "This is overengineered. Just use GPT-4 with a good system prompt and a moderation endpoint. Nobody's going to jailbreak a pharma tool."

I pulled up the SMILES-prompting research on my phone and showed him the 90%+ bypass rates. I showed him the MegaSyn results. I explained that the molecules his "moderation endpoint" would need to catch don't have names yet — they're novel compounds that exist in no database.

He paused for a long time and then said: "So you're telling me every AI safety company in biotech is selling a lock that doesn't work?"

"I'm telling you they're selling a lock on the front door of a building with no walls."

He didn't invest. Not everyone is ready for this conversation. But the ones who are — the pharma companies running clinical programs, the defense contractors with CBRN mandates, the biotech firms eyeing ISO 42001 certification — they understand that structural safety isn't a premium feature. It's the minimum viable product.

The Part That Keeps Me Up at Night

The MegaSyn experiment was published in 2022. It used architectures from 2018. The models available today are orders of magnitude more capable.

And the "safety" infrastructure the industry has built in response? Better keyword filters. Improved system prompts. More comprehensive blocklists. We're building faster cars and responding with better speed bumps.

I don't think most people in AI — even most people building AI safety tools — have fully internalized what it means that the capability to design novel chemical weapons now costs less than a gaming PC. That the knowledge isn't in a classified document somewhere; it's encoded in the learned representations of models trained on publicly available chemistry data. That you can't un-teach a model what toxicity means without un-teaching it what therapy means, because these are the same knowledge, viewed from different angles.

We cannot solve a geometric problem with a linguistic patch. The danger lives in the model's latent space, and that's where the governance must live too.

The wrapper era needs to end. Not because wrappers are bad products — many are well-intentioned and useful for low-stakes applications. But because in domains where AI touches the physical world — drug design, chemical synthesis, biological engineering — surface-level safety is an oxymoron. It creates the appearance of control while leaving the engine of creation completely ungoverned.

At Veriprajna, we chose a harder path. We chose to go inside the model — into its geometry, its topology, its latent structure — and build safety into the mathematics itself. Not as a filter. Not as a guardrail. As a constraint on what the model can imagine.

This is what I believe the future of AI safety looks like: not smarter guards at the gate, but buildings designed so the dangerous rooms don't exist. Not better content moderation, but models whose internal geometry makes harm structurally impossible.

We didn't build this because it was easy or because the market was asking for it. We built it because that table — 40,000 molecules, six hours, a consumer server — told us that anything less is negligence dressed up as innovation.