The Double-Edged Problem: What Dual Use Means for AI Development
Dual use is not a new problem. It predates AI by decades, showing up wherever powerful technology intersects with the possibility of misuse.
Nuclear physics enables both power generation and weapons. Encryption protects both privacy and criminal communication. Biology enables both medicine and bioweapons. The pattern is consistent: the same knowledge, the same tools, the same capabilities that produce enormous benefits also lower the barriers to producing enormous harms.
AI fits this pattern so precisely that dual use has become one of the central organizing concerns of AI safety research.
The dual use challenge in AI is distinct from earlier versions of the problem in one important way: the same model serves both beneficial and harmful uses simultaneously, without modification. A nuclear reactor and a nuclear weapon require different engineering. A biological research tool and a bioweapon require different expertise. A large language model that can explain organic chemistry to a student, help a researcher understand a scientific paper, and provide synthesis routes for dangerous compounds is the same model doing all three things. The capability doesn't bifurcate into safe and unsafe versions. It exists on a continuum, and where you draw the line determines what gets blocked and what gets through.
The most acute version of this concern involves biological, chemical, radiological, and nuclear weapons. AI systems with broad scientific knowledge can, in principle, lower the barrier to acquiring information that would previously have required specialized expertise, access to restricted literature, or connections to domain experts. The question researchers and policymakers wrestle with is: by how much? Providing meaningful uplift to someone attempting to cause mass casualties is categorically different from providing information that's freely available elsewhere, and the distinction matters for how AI systems should be designed and constrained. The research community has developed evaluations specifically designed to measure whether frontier models provide dangerous uplift on weapons-relevant queries, and the results of those evaluations inform decisions about what capabilities to include and what guardrails to implement.
Cybersecurity is another domain where dual use tension is acute and ongoing. Understanding how vulnerabilities work is prerequisite to both exploiting them and defending against them. A security researcher and a malicious attacker need much of the same knowledge. AI systems that can explain vulnerability classes, analyze code for security flaws, and help developers write more secure software are the same systems that can assist in developing exploits. The security community has operated under a dual use norm for decades, with practices around responsible disclosure and a general understanding that security knowledge is inherently dual use. AI accelerates the capabilities available on both sides of that dynamic without resolving the underlying tension.
Disinformation is a third domain where AI's dual use character is highly visible and actively contested. The same language model capabilities that help writers produce clear prose, help non-native speakers communicate more effectively, and help organizations draft communications at scale also make it easier and cheaper to produce persuasive false content at volume. The same image generation capabilities that enable creative work also enable the production of realistic fabricated images of real people in situations that never occurred. The dual use character here is not between legitimate research and catastrophic misuse. It's between beneficial applications and harms that are significant but not existential, which makes the policy tradeoffs harder rather than easier.
AI developers have responded to dual use concerns through several approaches, none of which fully resolves the underlying tension. Safety training attempts to make models refuse harmful requests, but as the jailbreaking literature documents extensively, these refusals are imperfect and can often be circumvented. Capability evaluations attempt to measure dangerous capabilities before models are deployed, informing decisions about what to release and with what safeguards. Staged deployment, releasing models to a small group of trusted users before broader release, allows for identification of dual use failure modes in lower-risk conditions. Access controls, requiring verification of identity or affiliation before granting access to certain capabilities, reduce but don't eliminate misuse risk.
The structural difficulty is that restricting access to AI capabilities imposes costs on legitimate users that are concrete and immediate, while the harms from dual use misuse are probabilistic and diffuse. A researcher who can't get useful information from an AI system because of overly broad restrictions experiences a direct loss of productivity. The harm prevented by that restriction is speculative: maybe that information would have been misused, maybe not, maybe it was available elsewhere anyway. This asymmetry in how costs and benefits are experienced creates systematic pressure toward less restriction, which is sometimes correct and sometimes not.
The dual use problem doesn't resolve. It gets managed, imperfectly, through ongoing calibration between capability and restriction, between openness and control, between the concrete benefits of powerful AI and the probabilistic harms of its misuse. The organizations building frontier AI systems are making those calibration decisions continuously, with incomplete information about how their systems are actually being used and what the counterfactual would be if specific capabilities were more restricted. That's an uncomfortable position to be in. It's also the position the field is actually in, and understanding it clearly is more useful than expecting a solution that doesn't exist.