Question 1

We already use Claude with ASL-3 protections. Do we still need this?

Accepted Answer

Anthropic's ASL-3 constitutional classifiers protect the Claude API against general CBRN uplift. They do not protect your fine-tuned biology models, your REINVENT or Chemistry42 pipelines, your retrieval-augmented scientific assistants, or any open-weight model running on your VPC. If your researchers prompt Claude for a protein design and then feed that design into an open-weight generative tool, the safety gap is in the second step, not the first. ASL-3 is a ceiling at the API boundary. We build the floor everywhere else in the pipeline.

Question 2

Doesn't machine unlearning just work? The WMDP paper showed random-chance results on biosecurity questions.

Accepted Answer

RMU brings WMDP-Bio performance close to random chance, which is real and measurable. It is also recoverable. Lucki et al. (ICLR 2025) showed that relearning on public medical articles (or even Harry Potter wiki text) can jog an RMU-unlearned model back toward pre-unlearning performance on the forget set. UIPE (arXiv 2503.04693) helps. SAE feature ablation helps. Sharpness-aware minimization helps. None of them provably stop a determined adversary with fine-tuning access. Any pharma telling its board that unlearning is a solved problem is setting up a bad meeting in 18 months. We treat unlearning as one layer in a defense-in-depth architecture, and we run relearning attacks against your model on a continuous cadence so the degradation is measured, not assumed.

Question 3

We use Chemistry42 and it has 460+ medicinal chemistry filters. Isn't that enough?

Accepted Answer

Chemistry42's MCFs are excellent at what they are designed to do: rejecting PAINS compounds, reactive groups, metabolic liabilities, and known toxicophores. They are structural-alert rules. They will not flag a molecule that is geometrically adjacent to a nerve agent in the latent space of a generative model but does not match a known toxicophore pattern. They will not detect activity cliffs where a single fluorine-for-hydroxyl substitution on a therapeutic scaffold converts it into a lethal agent. And they are not a defense against a reward-function flip in a REINVENT config. We layer on top of Chemistry42: latent-space proximity scoring against a CWA manifold we map for you, activity-cliff detection via MaskMol-style image representations, and reward-function immutability so a researcher cannot invert the sign and have it take effect without a second control.

Question 4

What about DNA synthesis screening at Twist or IDT? Isn't that the real last line of defense?

Accepted Answer

It was, and the Paraphrase Project (Microsoft / Twist / IDT, Science, October 2025) showed that for most of 2024 and 2025 it was not working against AI-paraphrased toxin variants. Microsoft Research generated thousands of synthetic ricin homologs using EvoDiff; they slipped past the homology-based screening at every major provider. Patches have since been distributed globally, but as of early 2026 the situation is: commercial DNA vendor screening is improving, no longer catastrophic, still not a substitute for in-house pre-order screening. We deploy a pre-synthesis screening stage in the pharma's own environment that runs IGSC-style homology plus a functional-prediction layer against the sequences your generative tools have just produced, before anything leaves for the vendor. That is where the liability actually lives.

Question 5

What does a full engagement look like, honestly?

Accepted Answer

A first engagement is typically a 6 to 10 week biosecurity audit across the client's existing generative chemistry and biology stack. We inventory every model, every hook point, every place a researcher can reach an inference endpoint. We map what safety layers exist today (often: nothing beyond default refusal training). We run GeneBreaker-style and SMILES-prompting attacks against representative models to get baseline attack success rates. Deliverable is a written risk register, a control matrix mapped to ISO 42001 A.9.2 and A.10.3 and NIST AI 600-1 section 2.1, and a prioritized build plan. From there, implementation is per-capability: latent governance middleware on a specific platform is typically 10 to 16 weeks, unlearning on a specific biology model is 8 to 14 weeks plus compute. We do not promise we can make your open-weight model jailbreak-proof. We promise we can make the attack measurably more expensive and the control framework defensible to an auditor or an insurer.

Question 6

How do you handle the fact that our model is open-weight and could be exfiltrated?

Accepted Answer

Honestly. We acknowledge the residual risk in writing, in the audit report, so that when a board asks the question it is not a surprise. The technical mitigations are: (1) unlearning with UIPE-hardened parameter extrapolation, which raises the cost of relearning recovery from a few hundred dollars of GPU time to a more substantial investment; (2) continuous weekly relearning red-team with automated metrics, so drift is detected early; (3) watermarking and activation-based provenance tracking so an exfiltrated model is traceable. None of these convert open-weight to closed-weight. They shift the threat actor profile from opportunistic to determined, which is the realistic goal for a consultancy. If your threat model includes nation-state adversaries with unlimited compute, the only real answer is closed-weight deployment on frontier models with ASL-3 or better controls, and we will tell you that in the first meeting.

Question 7

We need ISO 42001 certification in the next 12 months. Where does this fit?

Accepted Answer

ISO 42001 Annex A includes control A.9.2 (AI System Safety) and A.10.3 (Adversarial Attacks). For a biotech running generative models, the auditor will expect a documented control framework that addresses CBRN risk specifically, not generic AI ethics language. Our engagement deliverable is structured as an auditor-ready control matrix: each control clause in Annex A mapped to a specific technical mitigation in your pipeline, each mitigation mapped to evidence (red-team reports, constraint-violation logs, unlearning certifications, relearning attack results). We have written these to pass internal audits at pharma ISO pilots. The EU AI Act Article 55 obligations for GPAI providers with systemic risk overlap substantially; one evidence package typically serves both.

Your generative models already know how to design nerve agents. The question is what you've done about it.

The 2022 MegaSyn paper was not a warning. It was a receipt.