Stephen Casper

Foreign.

Gregory Allen

Welcome back to the AI Policy Podcast. I'm Gregory Allen, your host here at the center for Strategic and International Studies. Today we're going to have a discussion about the International AI Safety Report which just released its second edition. It's going to be a fabulous overview of every everything at the intersection of AI safety and where it's going. So I'm privileged to be here today with the two Stevens, who had an important role in creating this document and writing this document. That includes Steven Clare who was one of two lead writers for this 212 page report I think is how it define a length. He was previously the research manager at the center for the Governance of AI in London. And also Stephen Casper, who goes by Cass, led the writing of the section on Technical Safeguards and is a final year computer science PhD at MIT University in the Algorithmic Alignment Group. So Stephen and Cass, thank you so much for joining me today on the AI Policy Podcast.

Steven Clare

Thanks for having us, Greg.

Stephen Casper

Yeah, it's good to be here.

Gregory Allen

Great. So this document which is a formidable read, I have been poring over it for the past few days. Thanks for the, the, the copy. By the way, it really has its origins in the first AI safety summit which happened in Bletchley park in 2023. The governments of the world or the attendees at that conference got together and agreed on a bunch of things about AI safety. One of the things was that it would be worthwhile to have a report like this one which is now in its second edition. So what goals did these countries have in mind for the report and how if at all, have these goals changed since now that we're in the second edition?

Steven Clare

Yeah, so I think the original idea behind the report was just as you said, try to build a sort of shared evidence base to inform decision making about AI technologies. I think at the time there was a sense among the attendees at the Bletchley Summit that there were a lot of questions they were facing about AI and a lot of just divergent views from sort of very hyped up views to very doom focused views and not a lot of consensus on what the actual technical realities of the technology were, the actual capabilities, what we knew about the risk it might pose and what we might actually be able to do to manage those risks. And so yeah, as you said, the 30 plus countries as well as intergovernmental organizations came together to sort of support this report and invest heavily in generating evidence to sort of make better informed decisions about the technology. I think since that time one of the trends the structure of the document has remained roughly the same. We still have three chapters covering capabilities, risks, risk management. But I do think since 2023, an important trend has been sort of. We have a lot more empirical evidence we can actually rely upon, and we're able to discuss a lot more sort of concrete of AI impacts, more evaluations and more data we can actually use in the report to sort of provide a more nuanced view of those questions.

Gregory Allen

Great. And the participating contributors, whether that's the advisors, the advisory panel, the writing group, is really a who's who list of the people and institutions in this field. And you and I were talking before we started recording, but I think if, you know, we were to go 100 years in the future and a historian was looking back and trying to ask themselves, what did smart, credible people think about the future of AI and the present state of AI? This is kind of the closest thing that we have on planet Earth to a scientific consensus, at least for right now. Is that fair to say?

Steven Clare

I think that's right, yeah. I think the other thing I found useful, even working on the report is it's kind of also like a narrative checkpoint or something about AI, where if you're following AI news day to day, there always seems like there's massive developments happening daily or weekly, and the report's a good chance to sort of step back, process all of the developments of the last year and form a more sort of coherent view on important developments and what we know about where things are headed.

Gregory Allen

Yep. And in the acknowledgment section, I note that there's an industry acknowledgment section, which includes most of the frontier labs, at least in the West. Can you talk a little bit about how industry was or was not involved in the creation of this document?

Steven Clare

Yeah. So the document as a whole was reviewed by, I don't know the exact count, but hundreds of people, and that included sort of the structures of the expert advisory panel of nominations from different, different countries, the senior advisors who were leading computer scientists and economists, selected by Professor Bengio for the report, and also many, many informal reviewers who we sort of selected as domain experts to review specific sections, or as you said, industry reviewers and also civil society reviewers from around the world to sort of just collect the vast range of perspectives on AI and incorporate those into the report.

Gregory Allen

Great. And I noticed one of your forewords is from a government minister of India. We're coming up on the India AI Impact Summit, which is now the successor to that original Bletchley park convening that was responsible for the creation of this document. What do you all have planned at the India AI Impact Summit? Are you going to do additional events around AI Safety in this report? There's.

Steven Clare

Yep. So I think the schedule for the summit is still a bit tbd, but hopefully we'll have several opportunities to brief the range of attendees at the summit, from policymakers to also the civil society organizations and different attendees of the summit on the findings of the report, to hopefully sort of ground some of the conversations around the challenges that those people are facing and what they might do about them.

Gregory Allen

Got it. So we just talked about this document as representing scientific consensus. There is a secretariat, secretariat tied to the UK AI Safety Institute. So should we view this as a government document? Not a government document. What is the nature of the independence of the writers here?

Steven Clare

Yeah, it's a good question. There is a secretariat within ac, but they're just responsible for delivery of the report. So in particular, because we're, you know, have sort of government nominated representatives on the panel, it's useful to have support from AC to coordinate those functions. But the actual writing of the report is all done by an independent writing team with Professor Yosho Bengio as the chair. So myself and all of the writers like Cass, are all actually contracted by Mila, Yoshua Bengio's research organization. And all of the sort of decisions about the content in the report were decided independently by that team and ultimately by Yoshua Bengio and Cass.

Gregory Allen

You want to jump in here?

Stephen Casper

Yeah. So we're talking about the writing of this report, obviously was not air gapped between government and air gapped between industry. These rounds of feedback happened. I went through this myself in the process of writing the sections that I was one of the responsible writers for. But one thing that was done very deliberately when designing this process was making sure that the writers were not obligated to incorporate feedback from industry or from government. We were obligated to incorporate feedback from some of the formal report chairs and members and advisors, things like that. But this was not a requirement of ours. And there were instances in which I would be going through industry feedback. I know this happened a bit in section one, for example, where one very prominent AI organization was somewhat unhappy with the way one of the paragraphs was written and did not succeed in getting us to change it. So you kind of see this process was going on.

Gregory Allen

Got it. So, fundamentally, an independent document overseen by Yoshua Bengio, but really a who's who of the community. And then industry had an opportunity to review and recommend, but not to command. And ditto government, I think, is a fair way to say it.

Steven Clare

Yeah, yeah. And I can talk a bit more about what that review looks like if that'd be helpful.

Gregory Allen

No, I think we got it, actually. Okay, so the document has an extraordinarily broad scope. You mentioned the sort of three big sections. Can you just go over those again and then we'll get into the meat of it?

Stephen Casper

Sure.

Steven Clare

So, yeah, in some sense it's a huge scope. I think in another sense it's actually quite narrow, where it specifically focuses on emerging risks from general purpose AI systems. So not every potential impact from every kind of AI system, but focused really on the sort of frontier models where there's maybe the highest uncertainty and also potentially very severe impacts.

Gregory Allen

Got it. So like facial recognition, which is a thing that attracts a lot of media attention when law enforcement uses it or whatever. Not a focus of this report. Here we're really focused on general purpose and not just general purpose. The bleeding edge of performance of general purpose models.

Steven Clare

Yeah, exactly.

Stephen Casper

Got it. And there's not a hard line in the sand between these things too. And this was kind of a dilemma that we had to always navigate in the report. But, yeah, you get the idea.

Gregory Allen

Yeah. I mean, especially as they're multimodal. Right. And they can do so many things. Different types of concerns come up even after you think maybe you excluded them.

Stephen Casper

Great.

Gregory Allen

Okay, so again, please, let's keep going back to the scope of the report.

Steven Clare

So, yeah, that's the scope. And then the report itself is sort of organized around three broad questions. Chapter one is basically what can AI systems actually do, and what do we know about how their capabilities are changing over time? The second is, what are these sort of emerging risks that might be associated with those capabilities? And what do we know about the current evidence of how they're manifesting or not manifesting in the world? And then the third chapter is, okay, what can we do about these risks? Like, what are our options for both institutional and technical risk management?

Gregory Allen

Great. Well, that's a pretty good structure, and I think our discussion will largely follow that. So let's start with section one. The big questions around what AI can do and how that's changing. I realize there's a million different ways you could answer that question, because AI is such a big topic. But in as pithy a way as you can say, like, where are we in the story? What can AI do? How has it been changing since the last time you did this report and where it might go because this report dwells, I think, productively on what might happen between now and 2030, which I thought was interesting.

Steven Clare

Yeah. So one of the benefits of having regular reporting is that we are able to look back at the 2025 report and look at how things changed over the last year. And I think one thing that emerged in writing that section is contrary to maybe some narratives that emerged or got prominent in 2025. We saw broad capability, continued rapid capability advances across many different domains of general purpose AI systems, particularly in coding science and mathematics. And so, just taking a few examples, we saw models score at gold medal performance on the International Mathematical Olympiad for the first time in competition like conditions, which occurred sooner than many experts thought. We saw coding agents improve a lot and become useful assistants for actual software engineers. We saw scientific capabilities of models continue to improve and become useful actual in laboratory settings for many scientists. And we saw, as a result of these, capability gains, like adoption accelerate broadly. So there's.

Gregory Allen

There's this line in. Sorry to interrupt, but there's this line in chapter one that says, yet their capabilities are also jagged. They simultaneously excel on difficult benchmarks and fail at some basic tasks. Can you just elaborate on what this jagged performance phenomenon means? Yeah.

Steven Clare

So Cass might want to jump in here, too. But just to give a high gloss, it's like the capabilities of these general purpose systems don't always line up well with what we would think of as sort of a human intuitive range of capabilities. So the same system that can help you with very advanced theoretical physics questions might fail to count the number of objects in a moderately complex image. And I think this maybe explains why there's so much disagreement over whether AI systems are actually useful or not, because it just depends on the actual domain that you're comparing them to. And it doesn't always line up with what we think of as like a graduate level student or a research assistant. Yeah, it's much spikier than that.

Gregory Allen

Right. I think that's a helpful metaphor. Jagged performance. Cass, you want to jump in?

Stephen Casper

Yeah. And this is what the report meant by jagged in the part that you quoted. But there's a phenomenon that kind of comes along with this as well, in which sometimes new systems just suddenly do new things that the old systems kind of weren't doing. And it's different levels of surprise that we get in different circumstances. But one comment I'll give on events of the past year from a science of risk management perspective is to observe that something very interesting happened in 2025 that we can think of as kind of alarming and has definitely never happened anytime before. So in the summer of last year, we can probably remember, we started to see the system cards or the model cards released alongside some then state of the art systems. Specifically, I'm thinking about a trend that was kicked off with Gemini 2.5, Claude 4.0 and ChatGPT agent, where for the first time the developers of these systems publicly reported that based on their own evals, these systems were starting to maybe potentially kind of cross capability thresholds in which they could start to enable uplift by novice users for doing some pretty nasty tasks like automating cyber attacks or helping users make biological or chemical weapons. And in this way, 2025 really seems to be a year in which AI capabilities are reaching very interesting heights that they've never reached before, in which the rubber is really hitting the road when it comes to the science of risk management amidst frontier capabilities.

Gregory Allen

Yeah, and I think there's two parts to that, what you just said. One is what can they do in terms of if you had a thousand geniuses working with these systems over time to sort of extract the absolute best performance that they can possibly generate in any circumstance. And then the second one is what can they do for an average user? And when you're thinking about malicious uses of the capability, you're interested in both of those kind of thresholds and potentially more interested in the second one, as you said. So that's interesting. And the company is now acknowledging that they're seeing that in their terminology, uplift. Okay, great. Anything more you want to say about where we are in the story from a performance standpoint?

Steven Clare

Maybe just picking up on one point is I do think 2025 we started to get a lot more evidence of just real world impacts from these capabilities. So adoption has accelerated broadly. I think there's up to or about a billion people now using AI around the world, although it's very uneven globally and of course across much of Africa or Latin America. Adoption rates are very low still. And I just think the story of 2025 was just broader real world impacts. Many of the sort of theorized uses are actually practical in the real world now and not just sort of future potentials for a lot of practical uses of AI systems.

Gregory Allen

So one of the things I love about this report is Figure 1.2 on page 20, which is the simplest box and arrow diagram you can imagine, but actually is really an important diagram to understand. And I often think think as a policy nerd fundamentally and not a technologist fundamentally. I mean I can program, but it's like at a kindergarten level. Nobody's going to hire me to be their programmer. But I do think there's sort of like a minimum amount of technical nuance that needs to be understood when you start thinking about what interventions might be possible in order to reduce risk. So, keeping with the structure of the report, we're going to talk about, you know, what AI can do, what risks it presents, and what can we do to intervene. But something that was in section one is just like, how do you make these things? What is the real way in which you go about creating a current general purpose AI at the frontier? And so, Cass, as our technical Sherpa for this discussion, can you sort of walk us through the stages of general purpose AI development and then help us understand what these terms are mean and what it might actually look like in practice at a frontier lab or a well resourced organization?

Stephen Casper

Yeah, thanks, Greg. I noticed the little backhand comment on my figure design skills.

Gregory Allen

No, there was no sarcasm. I actually like this box and arrow simple. It's really good. Good.

Stephen Casper

That's about my level of sophistication with design though. But yeah, like section 1.1 focuses on this. This is the subject of the figure. And it's important to kind of like understand the different stages at which AI systems are developed because they're usually pretty common to most frontier systems.

Gregory Allen

Most people are working with something approaching the same recipe at a high level.

Stephen Casper

Certainly it's helpful to understand from a technical perspective because different types of safeguards and risk management techniques apply at different parts in the life cycle. It's also important to understand from ecological perspective too, because each of these stages has very different inputs that it requires. Some stages require a lot of data, some stages require a lot of labor, some stages require a lot of compute, et cetera. So we can go on a quick whirlwind tour of the life cycle of model development. And do we want to start talking about these alongside safeguards, or are we going to get a little bit to that later? Probably later.

Gregory Allen

Right, probably later. So let's just start from the left and head right.

Stephen Casper

Nice. So the first step in the adventure is data collection and data curation, which essentially these days for frontier models basically just means indexing the almost entire Internet and then doing some processes to clean it up. So you might want to deduplicate a lot of things. For example, the Gettysburg Address probably appears on the Internet like 100,000 times or something, but maybe you don't need to train on that particular piece of text 100,000 times. So you might want to reduce the number of appearances that it has. You also want to get rid of some of the nastier stuff in the end Internet. Right. Maybe you want to remove articles or papers about anthrax or hot wiring cars or something because it might affect the downstream capabilities of a model. And there also very legally has precarious things that might be in data sets too, like child sexual abuse material or something like that you definitely, if you're an AI developer, don't want to mess with.

Gregory Allen

Yeah, I mean, just to harp on that last point, right? This is a kind of data, essentially pornographic images of children, a first approximation that it is illegal to possess. Right. But is unfortunately on the Internet. So any AI company that goes out and scrapes all of this stuff just with a download, the Internet button is going to download some of that nasty stuff. So you have to have these collection and curation methods to decide in this story of machine learning AI, what is the data the AI is going to be learning from.

Stephen Casper

Yeah, yeah, great. So, you know, this data seguration step is really key from a system performance standpoint, really key from a system safety standpoint and really key from a not be gross and possibly legally dubious standpoint.

Gregory Allen

Right.

Stephen Casper

And it's obviously a very, very data intensive process and it's a really difficult process too. Something that I talk about a lot is that I think one of the things to do in AI that has the highest ratio of how difficult it is to how difficult you think think it is is Internet scale data curation, especially across like massively multilingual data sets.

Gregory Allen

Yeah, because when you're, when you're curating an Excel database of just like a thousand inputs, just read them all and delete the ones you don't like is a viable methodology. But when you're dealing with infinity web pages, only highly scaled automation techniques are even remotely approaching viable. And you're making some really big decisions with the filters that you put on these systems. So it's one of those things that's hard. Okay, so that's data collection and curation, pre training.

Stephen Casper

So yeah, then we have this pre training step and it's called pre training, but really it's the bulk of training. This is most of the computational effort that gets spent on making models understand patterns and learn capabilities. So it's where we take that filtered and processed Internet data set. Let's just imagine a text model. Say we're using text here we are going to have the model use training algorithms, we call them Training algorithms. It's the best kind of name we have for it to learn patterns and information from that data. And this is a step that takes all of that data as input and also many thousands or tens or hundreds of thousands of GPUs, usually running for weeks or months for frontier models. And this is the stage at which models kind of gain their basic knowledge and capabilities.

Gregory Allen

And I think one thing that's not on your chart, I think appropriately, is sort of the R and D. So you might do an experiment to say, hey, maybe this change to the algorithm will lead to some kind of performance improvement. You run that experiment and you test the hypothesis. But pre training is sort of like where you're like, all right, I've got, here's my actual theory and I'm willing to commit the $100 million plus that it's going to cost to run the big pre training run. So this is sort of like once all your hypotheses have been tested and once you have an approach, this is the big sort of pull the lever, go down the road of creating a new frontier model, right?

Stephen Casper

Yeah, absolutely. And you're pointing out a difficulty that actually strikes pretty close to home for me as someone who's been studying, you know, pre training, basically safety methods for a while. You know, there's a very slow and expensive feedback loop when it comes to iterating on your pre training process. And this is something that you know, you want to ideally get right. And for that reason, the science of understanding pre training and understanding safe pre training is actually something that's a little bit kind of, you know, post mature compared to the science of understanding fine tuning methods, which we'll talk about next.

Gregory Allen

Great. So you first get your big pile of data. You then feed your data to a learning algorithm that's pre training. It spits out the first thing that you can call a model. And now we're on post training and fine tuning.

Stephen Casper

Yeah. So like you said, after the pre training process, we end up with this thing called we call a model. And the reason we call it a model is because at that point it is quite literally a model of the data set that we trained it on, the data distribution that we trained it on. And then we're going to do stuff, some more stuff to it, which makes it fancier, but we're going to still call it a model. So that's where we enter this post training process or this fine tuning process. You can use either word to describe it. But what that looks like with modern systems like text Systems is continuing to train them, but on a much smaller and much higher quality data set in order to be helpful assistants at whatever task you want them to accomplish. And usually that means fine tuning them on data in chat format in order to behave in the way that you want this type of chat system or whatever other system to behave. The ways that we do this today involve algorithmic approaches that take a lot of demonstrations and take a lot of ratings or feedback from humans or increasingly AI systems. The fine tuning stage is all about taking this RAW model with a lot of knowledge and power that is is gained from the Internet and really like steering that or directing it toward the system, being like incisively useful for whatever task, like being a general purpose chatbot, for example, that you want it to be good at.

Gregory Allen

So this is where it moves from being a model to being a true chatbot.

Stephen Casper

That's a good way to think about it.

Gregory Allen

Yeah, great. The next stage is system integration.

Stephen Casper

Yeah, so so far we've just been talking about the model, kind of like the raw machine learning engine behind some sort of AI application or system, but now we get to talk about the whole system. So, for example, GPT4O or GPT5, these are models, but ChatGPT is an example of a system or an application. So this system integration stage involves taking this model and building around it different components to a system that are designed to make it more performant or more safe, and also interfaces that can allow users to use and apply this system for what they want. So for example, in ChatGPT, that means a web interface, it means a user interface. It means filters and quality assurance measures that are kind of built around that RAW model.

Gregory Allen

All the sort of like digital sensors that are watching the system and monitoring its performance, the instrumentation associated with it.

Stephen Casper

Yeah, this is a little bit of a flawed analogy, but like, think of the model as like the engine of a car, and the system is like the engine plus everything around it.

Gregory Allen

Right.

Stephen Casper

This is starting to approximately understand the idea here. But as you can also imagine, there's a lot of creativity and there's a lot of stuff that can go into different types of systems. For example, we talk about AI agents a lot, and an agent really just refers to a model that has a lot of scaffolding around it, that gives it tools and gives it the ability to take certain types of actions and reason and memorize things that allow it to accomplish tasks and the real world in a way that just the model by itself could never just kind of do without any assistance. Right.

Gregory Allen

Yeah. Great. Now we're up to deployment and release.

Stephen Casper

So this is simple to define. It's just when the system is like made available for usage, oftentimes this is made available for public usage via some application or. But sometimes things are used privately as well. And there's not too much that's technically complicated about this. But you know, an important thing to understand is that there are different deployment strategies. Like I said, you can deploy something publicly, you can deploy something for proprietary users. You can also deploy something in a way that is fully closed, where the public can't access the system or the model's parameters. You can also deploy something that is fully open, where the public can access all of it and download all of the system parameters. And there's a whole spectrum of openness in between. So deployment is just deployment is release, but there's a lot of details that, that go into different strategies for making something available for use.

Gregory Allen

Now our final stage, stage six, post deployment, monitoring and updates.

Stephen Casper

Yeah, this is the one that's easy to forget about, right? Because the project is finished in deployment in one sense. But the risk management process is far from over and you need to complete the loop by understanding how this system is performing after it is released. And obviously this is really critical toward long run risk management, where we ideally should try to learn from mistakes or incidents so we can make future systems safer. But things like this, things that are included under this category involve a lot of stuff like monitoring. Usage involves stuff like monitoring downloads for open systems, looking at how things are used in the Internet and digital sleuthing and digital forensics kind of technologies and techniques really, really come into play here where people want to learn more lessons about how and where certain systems are being used for what?

Gregory Allen

Got it. I should note here in your diagram you have a recursive arrow where after stage six you go back to three post training and fine tuning and also back to four system integration, which is supposed to be that improvement loop that you're describing here. That is the fundamental recipe about how you go from nothing to these big frontier AI models. Obviously there's a lot of complexity that we're glossing over, but it's important to understand those stages because every single one of them has really smart people working on getting it right. And every single one of them has their own challenges. And also every single one of them offers their own interventions to not just improve performance, but also to reduce risks, the kind of risks that we care about when we're thinking about things like AI safety and security. Security. So I think that now brings us to the second stage, which is what are those risks that we're focusing on in this document, representing the consensus of the scientific community? So, Stephen, let's come back to you. What were the biggest risks? How has the perception of risk changed since the first report?

Steven Clare

Sure. So the report adopts a pretty common framework in AI risk management, where we divide risks into three categories. You have misuse risks, where people are sort of using AI systems to cause harm in the world, malfunctions, which is when AI systems are operating in ways that were sort of unintended and causing harm, and systemic risks, which are a bit fuzzier but are maybe more related to the structural changes that are resulting to the economy or to social systems because of the adoption of AI systems.

Gregory Allen

So could you take each in turn? Let's start with malicious use.

Stephen Casper

Sure.

Steven Clare

So this is one category where we were talking a bit about how 2025 we started to see more real world impacts. I think this is the category where you really see that really clearly. So we cover four risks in the malicious use category. We talk about AI generated content and criminal activity. So this is where we can talk about the spread of deepfakes, the spread of non consensual intimate imagery or revenge points porn. And again, this is where we have lots of reported incidents. And if you look at the number of reported incidents, it sort of exploded over the course of 2025. Although surprisingly, we found that systematic data on how prevalent is AI generated content and how much money is actually being lost in AI generated scams, or how many people are affected by non consensual intimate imagery statistics on these kind of outcomes are actually quite rare. And we're reliant more on sort of media reported incidents or ad hoc reporting from AI companies.

Gregory Allen

Well, let me interrupt you there because there was something that this report pointed out which I thought was really interesting, which was sort of the paradox associated with evidence of AI risks. So what is that paradox as it confronts policymakers and how does it show up in the example you just gave?

Steven Clare

Yeah, so we use this is what we call an evidence dilemma, and we use this sort of as a device throughout the report to sort of explain why policymaking or governance around AI systems is so hard. And the basic idea here is like AI capabilities change very quickly, but evidence about their impacts emerges more slowly and takes time to sort of gather and process and analyze and understand. And for policymakers who are facing ever more urgent questions around AI, this is a problem because they sort of have this very uncertain situation and maybe in some cases will face a choice between acting relatively early with imperfect information and potentially entrenching ineffective or even harmful interventions, or waiting longer for better evidence. But during that time, constituents or communities might be vulnerable to the sort of negative impacts of AI systems because they are being used in the world right now.

Gregory Allen

Yeah. The line that occurred to me as I read the report about the evidence dilemma was from former Secretary of State Condoleezza Rice, who said, you don't want the smoking gun piece of evidence to be the mushroom cloud of a nuclear explosion. And that's obviously a case where they got it wrong. Right. They did, you know, move preemptively to try and stop this weapons of mass destruction threat that it turned out was based on erroneous intelligence information. But the fundamental concern is, right, you know, if we wait too long for certain types of evidence to emerge so that we can be certain that it's worth intervening, will it then be too late to productively intervene? And I thought that was, that was well stated.

Steven Clare

So one thing on the dilemma, just because my colleague Karina will be mad if I don't point out that it's not actually a dilemma, it's a bit of an oversimplified. And we actually see the report itself as one way to sort of respond to the dilemma, which is, well, let's generate more evidence and so we can make better decisions and let's make efforts to actually better inform those decisions early on.

Gregory Allen

Yeah, like, well, you said maybe it's not a dilemma, but I think maybe a slightly different way of saying it is. Like that doesn't mean there's nothing you can do that's helpful or good. Right. Like, there's still plenty of yes, we should do that in this story. Okay, so you were talking about the four types of malicious. We were talking about deceptive AI content. Please continue going on the malicious use risks.

Steven Clare

Yeah, so we also just maybe giving a high level tour here. We also talk about cyber attacks because again, this was another trend. In 2025, we saw multiple AI developers start to report on actual incidents of malicious actors using general purpose AI systems to discover vulnerabilities in software that can be exploited to gain access to systems and actually writing malicious code. And so this is an example of the dual use capabilities. Whereas models have become better at generating code, they've also become more useful for cyber attacks as well.

Gregory Allen

And that's one where, correct me if I'm wrong, but the state of evidence available on this stuff, because I've been saying, hey, AI is going to be a big deal in cybersecurity, you know, for more than 10 years at this point. But I really do feel like 2025 was where a lot of these predictions that the community's been making started seeing really substantive evidence. The one that comes to mind, of course, for me is Anthropic's disclosure of AI agents doing a huge share of the tasks independently with minimal human oversight on cyber attacks and executing such attacks.

Steven Clare

Yeah, exactly. That's a good example.

Gregory Allen

Great.

Stephen Casper

And it's worth commenting that, you know, this might be the only incident of its caliber that's happened in the cyber domain. Or it might also be a cockroach, where when you see one, that usually means there's 100 more that you haven't seen. We just kind of aren't really able to be confident that we have a good idea of all the stuff that's happened because there's a lot of stuff that might not have been detected and there's a lot of stuff that might not have been reported on. And if you think from an AI company's perspective, they might have some reasons not to report a lot. Some sort of discovered incident. Incident in which someone used their system to accomplish something nasty.

Gregory Allen

Oh, wow. The way you're framing that is actually quite interesting. Right, so it's strategic opacity. How many have happened? How many have been caught of the set that have happened and of the ones that have been caught, how many have been disclosed? And so your point is, you know, we have this one caught and disclosure series of incidents and the question is, what does that represent about the actual universe out there as it's taking place? Maybe AI enabled cybercrime is already rampant and we're just only dimly aware of what's going on.

Stephen Casper

There are some laws and regulatory frameworks that either have recently kicked in or will kick in later this year that are going to help us get some more information, hopefully about things like this. But yeah, we just, we don't really have a great idea yet. Hopefully the 2027 report.

Steven Clare

In the cyber section of this report, we do talk about, I mean, we do have evidence of like the, the overall prevalence and severity of cyberattacks. And my understanding, we don't have vasilios here to actually take us through this section, but my understanding is there isn't a great deal of evidence of actual significant increases in how prevalent or severe cyberattacks are in aggregate. But we do have this sort of experimental evidence that AI systems are good at individual tasks. And another Theme throughout the report is this disconnect between, well, we can evaluate capabilities and we can understand what AI systems can do, but assessing the sort of overall impact on the world is much harder because the data is so much noisier.

Gregory Allen

Yeah. And as you said in the report, and as I'm sure any AI company would say if they were here in the room, it's a dual use technology. So AI is useful for both cyber offense, whether that's noble or malicious, and it's also useful for cyber defense. And sort of what is the overall net impact is not going to. To be trivial to suss out.

Steven Clare

And it might change over time.

Gregory Allen

And it might change over time. Exactly. Okay, the next malicious use case we.

Steven Clare

Talk about biological and chemical risks, which Cass already brought up. The big development in 2025 was developers actually implementing additional safeguards over concerns that their models could provide information about developing or obtaining very severe biological and chemical weapons to novice actors. And yeah, we discussed sort of the evidence overall for the various ways AI systems can provide information or integrate with laboratory tools and just sort of make these sort of potentially quite scary weapons more accessible to.

Gregory Allen

Yeah, I noticed this personally because here at CSIS we published a paper on AI and biological associated risks. And right in the middle of us writing this report, we noticed that some of the AI model providers had updated their terms of service policy and so they would stop answering questions to help us write the report, which was really kind of a funny little experience for us. Okay. I think that was the last malicious use. Am I wrong?

Steven Clare

We also had manipulation and influence, which is related to fake content, but relates more to sort of, can people use AI systems to generate content that basically affects people's beliefs or changes their mind.

Gregory Allen

Great. So now let's go to malfunctions.

Steven Clare

So malfunctions are AI systems failing in ways that cause harm and are not intended. And we discuss two kinds of risks in this category. One is sort of more everyday reliability challenges. And here I think the story is like, we've actually seen quite a lot of progress in many ways. So for example, models are much less likely to just hallucinate in front of information and completely make things up and be confidently wrong than they were in previous years. The flip side of that is that as adoption accelerates, they're just being used a lot more. And so the overall rate of such failures might be going up over time.

Gregory Allen

Yeah. So if it tells you that the way to cure cancer is to sniff glue, rate has gone down from one out of a thousand to one out of a billion. But the number of daily average users has gone from 1,000 to 100 billion, actually.

Steven Clare

Okay, but for an individual user, I think it is clear that the models are in most cases a lot more reliable than they were before. Maybe one thing that could change this is increasing autonomy, ability to operate autonomously. Cass mentioned agents earlier. And the thing with agents is that because they can interact with more diverse environments and chain more tasks together independently, there's fewer options or points where a user might intervene if something is going wrong. So that's one thing that might change.

Gregory Allen

That sort of dynamic over time and the next malfunction.

Steven Clare

And then we cover loss of control, which is basically much more severe failures where an AI model theoretically comes to operate outside of anybody's control and regaining control is extremely difficult or even impossible because maybe the model might be evading attempts or replicating itself widely. And this is sort of the more catastrophic scenario that's incorporated.

Gregory Allen

And this seems like one in which there were some really interesting data points added to our data set over the past year. So can you talk about some of those? Yeah.

Steven Clare

So the way we try to get sort of a handle on this as like a quite a complex or fraught risk is we break it down to actual capabilities, which we call control undermining capabilities in the report. And I don't think we have a clear model of like exactly which capabilities and at what level would be required for a model to enable a loss of control scenario. But we talk about uncertainty and potential candidate capabilities. And as you allude, I think a big difference from the 2025 report is we do have more sort of experimental evidence, at least on some of these capabilities. So, for example, when we talk about is the rate at which AI models in evaluations have sort of indicated that they recognize in some sense the evaluation task as an evaluation has gone up over time. And this is reported in the model cards for.

Gregory Allen

Well, it's your fault because you've written this big report that's now in the training data set. So every AI model now knows.

Stephen Casper

This is being studied. Like the extent to which research and discourse on these things can tip AI systems off to behaving like this. And the answer seems to be yes, what you're saying is a real thing.

Gregory Allen

We need like more AI systems. We need the air gap AI safety research community who forbids their stuff from being used in the training data set.

Stephen Casper

There are legitimate pre training data proposals that do exactly this kind of thing.

Gregory Allen

Oh, wow. I was just speaking off the cuff, but I get it. So yeah. If you have a AI model, I mean, just to walk through this example, right. You have an AI model that, let's say, you know, reinforcement learning is being used at some stage of the training process. So it has a goal. Its goal is to please the user or to not be wrong or to find the answer. If it finds, oh, I'm in an evaluation setting, I can do XYZ to get approved and then I might behave differently in the real world and I in the AI model somehow have some kind of signal that allows me to know that that is the case and I can optimize against my reward function by behaving, at least in this case, badly. Right. And sort of deceptively.

Steven Clare

Yeah. And I think the problem is it's not necessarily, sometimes it could be attributing some kind of strategic intent or something to the model, but it's more of just a broader problem of like, we don't really understand what's driving these cases of situational awareness. And the whole point of using pre deployment evaluations is because we want to be able to know something about how these models are going to behave in deployment when put into situations either like common use case situations or in maybe extreme but high risk scenarios like in.

Gregory Allen

Safety critical, to use a highly problematic analogy. You know, if you think about car safety tests, right, you want, you want the test to be a good proxy for the real world.

Steven Clare

Yes.

Gregory Allen

And the crash safety test dummy is a certain height and it's a certain weight and it's a certain build. And if you are that build in the real world, that car is going to be really safe for you. But if you're way shorter or way taller or way thicker or way thinner, maybe it's not going to be a very safe car for you. And so the same sort of dilemma arises in, we've devoted all of this effort to these sort of pre deployment evaluations. And the question is, if those stopped being a good proxy for the real world, how would we know and what could we productively do about it?

Steven Clare

Exactly. Yeah.

Gregory Allen

Did you want to jump in here?

Stephen Casper

Yeah. Related to what you said, like, I'm not going to give a new information, a new perspective, but I'm going to put this in certain terms which I think are like motivating for a lot of my personal research and I think kind of alarming too. So when you try to evaluate an AI system for the bad things that it can do, you know, you will throw red teaming and evals and adversarial efforts to make it fail. And this is the way we do things in the real world. It's kind of the only way we can do things. But when we test systems like this, the worst thing that we identify that it is able to do is necessarily only a lower bound for how bad the worst possible thing it could ever do in deployment is. You know, there's always this kind of like conservative bias toward underestimating a model's worst possible case behaviors. And, you know, we're seeing more of these types of incidents every year when something gets missed.

Gregory Allen

Right.

Stephen Casper

Or, you know, the evaluations, you know, forgot to see something and then the AI system had some sort of unexpected harmful failure mode in the world.

Gregory Allen

I need you to, to give me more precision. Can you give me an illustrative example of what you're talking about?

Stephen Casper

A good example of this was in last, the spring and summer of 2025 when ChatGPT, specifically ChatGPT, using the 4O model, was found to be excessively sycophantic or excessively affirming toward what a user would say or what a user would express that they wanted to do. And what people were finding is that ChatGPT, especially based on, for the 4.0 model, would sometimes be a suicide coach or sometimes feed into cycles of AI psychosis. And this has precipitated some pretty big lawsuits as a result of this. And this is an example of something that like, you know, with the benefit of hindsight, you know, we can, you know, understand was a real thing and probably should have been caught. And, you know, OpenAI kind of went through this process in April when, when, when some of these things started to first come to light. But you know, what definitely happened before, before this model was deployed is that there was a gap, there was an underestimation of the worst thing that this model could do and they missed this big real world problem that came back to burn them.

Gregory Allen

Yeah, and then there's sort of the related question which is vaguely analogous to what we were talking about on the cyber front, which is, well, if we see this one data point where a bad thing happens, is that an extreme outlier that we should expect to almost never happen, or is that closer to the mean of the distribution and. Or the median of the distribution? And we expect to see a lot of that and also some stuff that's way worse. Yeah, great, let's keep going. Are we, are we done with malfunctions?

Steven Clare

Those were the two malfunctions.

Stephen Casper

Great.

Gregory Allen

I think you have this next section called Systemic Risks, which I feel like Is it sort of a very different category from the other two? So can you briefly walk us through these ones? Yeah.

Steven Clare

So as I said earlier, these are sort of like risks that emerge more broadly as AI systems diffuse. And in the report we cover labor market impacts and risk to human autonomy, which is a new section that wasn't covered in the 2025 report. So labor market impacts. We're just discussing the sort of the sections divided into what do we know currently about the current impacts of AI systems on labor markets? And then what do experts think about what's going to happen going forward? And the really high level gloss is there's little evidence of sort of aggregate labor market impacts so far, but some early stage emerging evidence of potential impacts on employment or wages for certain groups. In particular, early stage workers in some white collar occupations maybe have had less employment growth than more experienced workers in those occupations in some studies that are emerging.

Gregory Allen

And the next.

Steven Clare

And then human autonomy. This is a new section which actually turned out to be really interesting because it ties in some of the sort of AI companions risks that became a big story of the last year, which maybe points to some broader point of we cover these eight risks, but in many cases AI risks are hard to predict and new sort of impacts might emerge over time. And so with human autonomy, we're just thinking about are there risks to, to the way people sort of make informed beliefs and act on their beliefs in the world. And so here things like if you're consulting with a chatbot and getting a lot of information to inform a decision, is that chatbot giving you reliable information, is it sort of biased in some way, potentially like sycophantic, and causing you to make decisions that are harmful in the long run. And again, we just have very early evidence here. The evidence dilemma is very much in effect because we really want to know what the longer term effect over months or years of chatbot use is. But there are some early studies sort.

Gregory Allen

Of.

Steven Clare

Assessing whether people who engage a lot with chatbots are lonelier or have reduced social life with other people. And so we discussed that evidence.

Gregory Allen

Great. So we've talked about how performance and capabilities of these systems has changed since you started this report and this journey. We also talked about how the risks have changed. But now I want to look future facing. And there's a very interesting section called what could progress through 2030 look like OECD progress scenarios. I thought this was actually interesting. So can you just talk us through the four scenarios? There's also a really interesting historical analog for each of them that I thought was illuminating. But let's start with scenario one, which is titled Progress stalls.

Steven Clare

Yeah. So just quick background. This is sort of a new initiative we integrated into the port this year where it's tempting with the future. Pace of progress in AI is very uncertain and it's tempting to sort of throw up your hands, but that's not very useful for readers. And so to sort of give a more concrete understanding about what could happen, we drew on scenarios that the OECD developed and we also drew in forecasts from the first Forecasting Research Institute to try and give a more sort of tangible, concrete sense of what this could look like. The forced ally scenarios basically range from stagnation, where I think the analogy we use is air travel.

Gregory Allen

Yeah, it says. I'll just read it here. Historical analog passenger aircraft speed, which climbed quickly from 1930 to 1960 before leveling off at 500 knots due to practical limitations. So you know, this is scenario one. We've been in an incredible takeoff and performance capabilities and then we just plateau quite hard.

Steven Clare

Yeah. Due to technical constraints or energy constraints or some sort of other bottleneck that stops future progress.

Gregory Allen

Yep. And now scenario two, Progress slows.

Steven Clare

Yeah, I forget the antibiotics. Antibiotics, okay. So yeah, here you sort of have. We've had rapid progress and maybe we'll continue seeing some gains, but the pace will slow down a lot because these constraints sort of, maybe they aren't hard bottlenecks, but eventually we'll just see fewer gains from pre training or it becomes very hard to generate more data to train these systems well. And we could see sort of a much more gradual pace of progress going forward.

Gregory Allen

Yeah. And the antibiotic analogy as it's described here is antibiotic discovery, which saw a golden era of rapid breakthroughs from the 1940s to 1960s, then slowed as the low hanging fruit from existing discovery, discovery methods were exhausted. And I think that's true. I don't think we've had a new class of antibiotics introduced in many decades, but there's been a lot of variations on the old theme. So it's not that we've made no progress, but the rate of progress has slowed a lot. Scenario three, progress continues. This one I think is kind of interesting. It just says the historical analog is Moore's Law. So where computing power on chips doubled approximately every two years over five decades. What's interesting is that in most discussions in Washington D.C. that is described as sort of like the fastest technological progress has ever actually occurred. But as you point out in scenario four, progress Accelerates. Actually, no. There is an even faster rate of acceleration precedent than Moore's law, which is DNA sequencing, which saw super exponential improvements from 2000 to 2020 due to the development of new sequencing paradigms. So it's not just that we're doubling every year, it's that we doubled this year, then we tripled next year, then we quadrupled next year or whatever. And I think if you connect these four scenarios of progress with both the capabilities and the risks, what do you get? How does bringing that all together illuminate your thinking?

Steven Clare

I think it just makes it much more tangible. What we mean when we say, say things are uncertain. And it sort of points.

Gregory Allen

The breadth of uncertainty in those scenarios is pretty extraordinary.

Steven Clare

There's plausible ways you can imagine each of those scenarios coming to be realized. And so I think one potential implication of it is it's helpful to think about sort of the fast paced progress scenario or the maybe worst or best case, depending on which aspect of it you're looking at.

Gregory Allen

Yeah, I think we framed this document. You framed this document as the sort of current scientific consensus. And it's also, I should say the document is honest about where there's disagreements among the community. But what those four scenarios I think highlight is part of that disagreement, but also the fact that there are serious people who are taken seriously by this community who believe every one of those four scenarios. You know, I have my theory of which of those scenarios is more likely, but it's not the case where everybody who's not an idiot knows that it's definitely scenario X or Y. The point is there is uncertainty.

Stephen Casper

But Cass, to underscore a little bit just how much uncertainty there is and how much uncertainty the report engages with. So a few days ago, Stephen and I went through an exercise in which we control F through the document for various key terms and words which refer to the uncertainty.

Gregory Allen

I love how we're in the future AI moment, but control F still going strong and adding value.

Stephen Casper

That's my jam. But these words were like lacking or uncertain or debate or unclear. And remember, the report has like 150 pages of content and we found 283 instances of these words. So I think that about underscores it. And there's probably a takeaway here about epistemic humility and using the precautionary principle. So something like that.

Gregory Allen

I think that's very good. And so I do want to just highlight that, you know, this, this podcast is intended to be useful to folks who make the terrible choice to not Read the whole report. But if you do decide to read the report, I think one thing is just that like for all of those risks, there are tables that go into greater depth on, you know, what a hallucination is, how it's different from a tool use failure, what are illustrative examples of all of those things. So really a lovely guide to this story. Sort of wherever you are in your level of understanding, I think there's an odds are that you'll learn good stuff. But now we're going to get to what I really think is in many ways the part of the document that makes the greatest unique contribution to the field. Which is not to say that the other parts aren't great, but just that there's other documents out there that do a halfway decent job of those things. But in talking about risk management, what exists in terms of technical interventions, what exists in terms of process and managerial interventions, I think this really is distinguished as a soup to nuts review of everything that's out there. And as I understand, Cass, you were a huge driver behind this section, so kudos to you. So I leave it to you. What's the best way to describe this section? Because I know there's a, there's a ton in here. What do you think about when you think about risk management and these four components that you elaborate on?

Stephen Casper

Yeah, happy to talk about this as the designated nerd.

Gregory Allen

I guess that's what you get for getting a PhD. Yeah.

Stephen Casper

Section three of the report is the part that talks about this and various parts of section 3. You can break things down different ways, talking about risk identification or risk governance or machine learning approaches for risk management. And we're probably going to spend a good amount of time on the machine learning approaches today because this is one of the sections I authored. But one thing that kind of appears as a theme, which we'll get the chance to talk about probably one or two more times before we wrapped up, is different types of bottlenecks for different types of risks. Some types of incidents, their likelihood is going to be bottlenecked by our open technical problems involving our ability to train AI systems that are safe or develop AI systems that are safe, while other things are more likely to be bottlenecked by risk governance failures or risk identification failures, or just human, maybe even moral failures. We'll probably get into a little bit of that when we talk about some examples. But do you think it's about time, Greg, we jump into talking about machine learning techniques and open problems involving safeguarding AI systems?

Gregory Allen

Yeah, absolutely. I mean, that's why we went into the different system steps of training a frontier AI model. And now what can you do to try and increase the safety and security at each of those steps?

Stephen Casper

So section 3.3 is about safeguards and monitoring. And these are two terms that I like to play fast and loose with and so does the report. We can really broadly understand a safeguard is a thing like something that you do or a part of a system that is designed to reduce some sort of risk. And we can think of a monitor as just another risk thing, but this time it's designed to evaluate a system's performance or impact when it is deployed, monitoring for something that kicks in during deployment or during a system's actual use. And you were talking about all of the tables and diagrams in the paper and one of these is in section 3.3 and it has 17 different rows of safeguards and monitoring techniques that are in active use.

Gregory Allen

Can you walk us through some of these? Just folks, I think most people are aware that there is like an AI safety team at most of the frontier labs. But like, what are these people doing all day and what kind of tools do they have available to them? Can you kind of make that a little bit more tangible for folks?

Stephen Casper

So we won't talk about all 17 right now, but you know, if someone wants to get all the details, you should go check out the report. But we can go through some of the highlights or some of the techniques that are the most prominent or useful, ubiquitous or like kind of, you know, basic, or the ones that are really firmly established in the risk management literature. And we can do so by kind of paralleling the discussion we had a little bit earlier where we talked through the model development and deployment stages. So if you don't mind, we could start by talking about data curation.

Gregory Allen

That's exactly what I was hoping you would do.

Stephen Casper

Which kicks in before you even initialize the model. Right. You can start doing AI safety for a system before you have the system in existence. So data curation based offenses are obviously pretty useful and pretty common and pretty straightforward. Like I was mentioning earlier, if you're going to train an AI system on the whole Internet, or almost the whole Internet, it might do you well to get rid of certain documents from your training data set. Like things about anthrax or things about hot wiring cars, or things about cyber offense.

Gregory Allen

Yeah. So just like to make this a tangible analogy, this is is the data set from which the machine learning model is going to learn. So it's like going to school. And this is the textbook. And if you rip out pages from the textbook, it won't learn that stuff. So maybe it will learn from the gardening subreddit, but it won't learn from the Al Qaeda training manual. Right. About how to make various kinds of weapons and tactics for evading detection, et cetera, et cetera. Fair to say.

Stephen Casper

Yeah, great way to think about it. And there are some more details that are actually related to some open research questions about what models can infer or easily learn or be adapted to, even if they might not have trained on it. But now we're very much in the realm of things that confuse me as someone who works on this every day.

Gregory Allen

That's something like, I've learned medicine, so haven't I also learned about bioweapons, whether you wanted me to or not, or whether or not you actually included the chapter on bioweap.

Stephen Casper

Yeah, exactly. And there definitely seem to be some domain specific dynamics here. But consider this an open problem for the nerds.

Gregory Allen

Okay? And at a lab, is it accurate to say that like on the data curation team there is an AI safety person, or is it more accurate to say, like there's an AI safety team that is like nagging the data curation team about things they should do just to think about organizational dynamics?

Stephen Casper

I suspect both of these things are probably the case. You know, I don't know the details about what exactly is going on within organizations and they probably. I don't think most companies make exactly these details public for strategic opacity reasons and for like, why would we tell you reasons, but it's probably a mix of both. Right? Like, you know, data set based methods are things that, you know, dedicated safety people are obviously interested in, but they're things that obviously need to be implemented by, you know, the people who really specialize in the data craze of scraping and cleaning. We can jump into the training algorithm part or the post training fine tuning stage. There are a lot of different types of safeguards or safeguards techniques that happen here. Some of them are just implicit or built into the ways that we try to train systems to be helpful and harmless. If I'm going to train an AI system on a million documents full of chat formatted examples of a model being helpful and harmless, you know, I'm kind of implicitly like, you know, not teaching it bad things or like maybe helping it forget the bad things that I'm not actively training it on.

Gregory Allen

And you're talking about post training fine tuning here. Right?

Stephen Casper

So like when I go from a model of Internet text to a chat system that's able to help a user. But there's some other pretty interesting techniques that kind of happen at the fine tuning stage and they're very related. But one of these techniques is like known as adversarial training, which is very, very ubiquitous and it's a much more targeted way of trying to get rid of specific failure modes that a system may be exhibiting. And the idea behind adversarial training is to find examples that elicit failure. So find prompts that elicit bad behavior from the model and then use those prompts to train the model to not do the bad thing. So an example of this, you know, a few years ago when there was like this viral exploit that people found for GPT 3.5 in which they got instructions for making napalm by saying that my grandma used to work at an napalm factory and she used to sing me the instructions when I fall asleep and I miss her so much. Can you pretend to be my Grandma? And then ChatGPT 3.5 would happily comply. Right, like this is a previous example.

Gregory Allen

Yeah, yeah. So it's like this is a prompt injection exploit where you're saying I won't teach you how to make napalm if you just ask me how to make napalm, but if you tell me about your grandma, suddenly I'll do that thing. And now what you're saying is that example is now part of the training data set or at least the fine tuning training data set.

Stephen Casper

Yeah. So we will find examples like this that trip the system up or the model up and then train it to do the right thing instead of the wrong thing that it might normally do. And there are so many different ways of adversarial attacking systems. Like it's kind of an untaxonomizable discipline.

Gregory Allen

Yeah. It's like a infinite surface area of attack. The creativity of the different kinds of prompt, inject prompt.

Stephen Casper

There's so many professionals right now, Luke, whose entire job and job description is just like, you know, red team. These models interact with these models and play with them and use, you know, every trick in the book that you care to use in order to get bad behavior out of them.

Gregory Allen

So it's like, you know, I used.

Stephen Casper

To work with lots of these people when I was at the UK Security Institute.

Gregory Allen

I see. And I'm, and I'm rooting for these folks and they're doing very important work. But I do think it's like worth just thinking about the difficulty of involving humans in this Task because you know, in the case of ChatGPT, you're talking about 800 million weekly average users. So if your team of red teamers is like a thousand people, right, they've got to type in these prompts by hand to help create a fine tuning data set. And it's not that their work is useless, it's actually extremely useful. But you know, trying to create stuff that operates at scale and at the surface area of ATT and CK is a real big challenge.

Stephen Casper

Yeah. And as you might imagine, because of this asymmetry between the testing effort and the risk surface after a system is deployed, it is very, very typical for a system fee to be deployed alongside some sort of risk assessment report from their developer, only for the next day for news to hit social media about new exploits that people found. This is pretty common. But that's not to say that adversarial training is, you know, always doomed to be something that, you know, you know, doesn't quite fix. These, these, these failure modes that spark up in a day or two because we are getting better at it. I think. Recently the UK Security Institute, this was after I left but like a month ago, I want to say, released their Frontier Trends report where they talked about how over the space of, I think almost a year or just, just months, I think when it took their best efforts from about minutes early on, you know, with some, you know, safeguards from like early 2025, early 2024 to now, it taking them more like 12 hours with their wow to break systems. So, so progress and progress is being.

Gregory Allen

Made here which is, yeah, really raising the barriers to entry for malicious behavior.

Stephen Casper

And it's largely suspected to just be coming from like finding more adversarial examples and training on more of them. And one of the reasons that, you know, companies trying to safeguard their models are finding more of them is because of the development and integration of language model assisted or language model automated methods for finding exploits.

Gregory Allen

Oh, very interesting. Continue.

Stephen Casper

Okay, so one more note on training based methods or fine tuning based methods for making systems safer. There's this paradigm called machine unlearning, which is kind of fun, kind of interesting because usually when we train AI systems to be safe and helpful and harmless, we give them examples of things that they should do or we give them rewards when they do good or bad things. Machine unlearning is a field all about taking examples of bad stuff and actively suppressing that type of knowledge or that type of behavior in AI systems. And the science of unlearning has made some Cool progress in the past few years. And we're able to have unlearning algorithms that seem like pretty legitimate defenses that you can kind of stack into a multi layered defense strategy. And I can tell you an example of how one type of unlearning algorithm works, although this isn't the most popular one in practice. But a certain family of unlearning algorithms focus on noising or fuzzing out a model's internal representations upon encountering text or a document from some sort of illicit or banned topic or field. So imagine that you, your brain had undergone an unlearning algorithm like this, an imperfect thought experiment. Experiment. But you can, you can imagine it and imagine that you know the process operating on your brain tried to unlearn your knowledge of illegal drugs. So if you had undergone this process, these methods aren't perfect. But what it would ideally look like is that you'd be able to go out throughout your normal day and have all the normal conversations you normally have that don't involve illegal drugs. But if then someone asked you about like meth or heroin, like, imagine what it would be like for your whole brain to, to like fuzz or for you to instantly get really drunk or something and then just start babbling nonsense. Like, this is from the model's perspective, kind of like how an example of one of these techniques work. And there are again, there are many other types of learning algorithms, but the idea behind all of them is a common one.

Gregory Allen

Okay, now this is, I've never heard of this and this is so interesting. So wait, like, what does the actual training data set look like? This, because I'm used to the fine tuning being like, tell me how to make meth and hide it from my parents. And then it's says, I'm sorry, I can't help you. And that is now in the fine tuning data set is that example. And the sorry, I can't help you is the other part of the example. But what you're saying is like, tell me how to make meth and then a bunch of gobbledygook is the example. Is that right? And you do this a million times and you put it in the fine tuning data set and suddenly you can make the AI stupid anytime drugs come up.

Stephen Casper

Yeah, all the details depend on the algorithm. And unfortunately I'm a bad person to ask about this because I work on this stuff that too much so I'm almost unable to simplify. But the key to doing an unlearning is that instead of just taking a model and a data set of good stuff. You take a model, a data set of good stuff, and a data set of bad stuff, and instead of just training to do the good stuff, you train it to preserve the good stuff while also stripping away or suppressing in some way, shape or form the bad stuff. And that bad stuff might be copyrighted material. Sometimes that bad stuff might be harmful material related to crime. Sometimes that copy that bad stuff might be child sexual abuse material sometimes. Or proxies for it. Obviously not the real stuff.

Gregory Allen

Although actually I think this is one area where changing the law in a counterintuitive way can actually be beneficial. Because I mentioned before how it's illegal to even possess this stuff. But some jurisdictions are creating exceptions for AI companies to create repositories of child sexual abuse material just so they can include it in the training data set as like never produce this. So they get like sort of special exemption to possess this. Admittedly tragic that it even exists material, but they're using it to create the detector and they're using it to keep it from actually reaching end users. And not everywhere has done that. But I do think it's. It goes to show that like, thinking about what is actually going to lead to the best outcome for society might include some sort of counterintuitive changes to the law. Sure.

Stephen Casper

Should we step to the system integration stage, please? And this is a really crucial stage for safeguards. But it's also a very simple stage to describe.

Gregory Allen

It's the control F stage, basically.

Stephen Casper

Yeah, basically you can use like human keyword detection anytime it comes out. Exactly. This would totally work. But the point is there are many things you can do. There are many things you can build around a system in order to monitor what it's doing or block certain harmful things that it might be doing. Block inputs to a system that might be bad. To block outputs of a system that might be bad. The simplest way to think about this and the most ubiquitous and key example of system based interventions that we see all the time are just like the content filters I mentioned. If you are an AI developer and AI developers do do this, when you deploy a system, you might want to put like a hate speech filter in between the model and the messages that it sends to the user. Because you might not want that model to be used for automating hate speech, or you might want to put some sort of other like filter or monitoring system between the model and the user. So maybe you can detect if that user's up to something bad or if that user might need Help because they're going through an episode or might be talking about self harm or something like this. So there's, there's just so much you can do so simply and so effectively to, you know, spot things that might be risky and filter things that might be.

Gregory Allen

And it's worth thinking about this in the context of scale, at AI scale, because AI is massively computationally intensive. You know, if you think about answering a Google search query is fractions of a penny, Whereas answering a ChatGPT query might be like nine pennies, which when you're doing 700 million weekly average users, these are monstrously expensive things. And so it's not just, you know, can we think about safety interventions that work? Can we think about safety interventions that have a high return on investment? And so just putting like a keyword checker on the output box is so much less computationally intensive than putting an AI checker on the output box where like you have one LLM grading the outputs of another LLM. Now maybe that's worth doing as an intervention, but the point is like, there's a bunch of different types of interventions that we can muster and the companies that are actually serving customers have to think about, you know, what is the return on investment of all these different interventions. And I think your point here is that at the systems integration stage, at the deployment stage, there's a lot of different types of interventions we could do, some of which are pretty low cost, pretty high return on investment.

Stephen Casper

Yeah, well, lots of things that are immensely useful, even that aren't very computationally expensive. But if you think about this from a deployer developer's perspective, there are really three things when you're thinking about a filter that you really want to achieve. You want there to be a high likelihood that bad stuff is caught. You want there to be a low likelihood of that benign stuff is accidentally flagged as bad. And you want the whole process to be very efficient. And honestly, the main open technical problems related to doing filtering well are more ones about balancing efficiency with effectiveness and less ones about just raw effectiveness. And don't get me wrong, red teamers, the professionals are capable still of designing attacks to get nasty systems to do nasty things that are usually able to get past one or multiple layers of filtering, but the vast majority of things can be caught by effective filters. Making filters cheaper is a big priority. That is not to say that developers and model developers and deployers should not be expected to do expensive filtering, but lowering the barrier, lowering the cost is kind of good from everyone's perspective. If we're able to make more progress on this.

Gregory Allen

And something that the UK AI Security Institute is working on, something that the US Casey is working on is thinking about how do we make meaningful interventions cheaper and easier to implement for a range of different actors, not just the tech goliaths, but also startups, how do we sort of give them a starter package of safety interventions? So that was a tour de force, other types of interventions. But is there any more that you want to highlight?

Stephen Casper

The last main thing that's discussed in section 3.3 pertains to the ecosystem monitoring step in the lifecycle or the post deployment step in the lifecycle, where there are some pretty useful machine learning based techniques that can help us understand more about what's going on or can help us ask questions like what is this piece of data and where did it come from? Or what is this openly released model and where did it come from and who's been using it? So you'll have techniques for like watermarking, right? And you can watermark images with subtle pixel wise patterns, for example, and can encode information about it coming from an AI system. Or you can watermark text with distinct vocabulary biases that can be statistically detected if you look at enough of the text. You can also watermark models, which doesn't get talked about a lot. But if you openly release models with their parameters available for anyone to download, you can watermark into individual instances of those models as well. And then finally, the last thing I was going to make sure to.

Gregory Allen

I have a guess as to how you watermark models, but it's interesting enough you want to just walk us through how that would work.

Stephen Casper

There are some different ways. You could think of ways of watermarking models as splitting into two categories. One way of watermarking, it is designed to be detected from looking at the model's parameters. Imagine I take a model and it has like a 10 billion parameters, and then I just take a subset of those parameters and I upweight them a little bit or download a little bit of them. And I do that for one version of the model, and then for another instance of the model I do the same thing but with a different perturbation. This can allow someone who kind of knows all the perturbations that were applied, like the model releaser. It can allow them to go find that model later on in the world if it pops up somewhere interesting or if it's implicated in something bad, it can help them identify an individual instance of a model. And doing this kind of as Described is very easy. But doing this in a way that resists being undetectable after the model has been fine tuned a little bit. That's an interesting open problem. And there are other ways of watermarking models that are designed to be detected by their outputs, not detected by actually looking at their weights. So you could actually identify models when you only have black box or only have query access to them sometimes in the wild.

Gregory Allen

And that would be something like you put in your fine tuning trading data set, 1,000 examples of, you input this number and it always outputs this other number. And so then when you're accessing it in the wild and you input that number, you see the output, you're pretty.

Stephen Casper

Yeah, that would be like a passphrase or like style of detecting this kind of thing or watermarking a model. For any nerds listening, this is also very closely related to the literature on backdoors and trojans and models. But any non nerds don't need to worry about that.

Gregory Allen

Well, we're all nerds here. There's many. Some of us are policy nerds as opposed to technical nerds. Fabulous. Well, that was a real tour de force. But I want to emphasize for those listening that like, there's just three more step levels down of nuance, but it's all explained in that same very accessible style sort of wherever you are in your current level of technical understanding. So I really endorse folks who are trying to get smart on what AI safety looks like in practice, when what can be done, under what circumstances it tends to work, under what circumstances it tends to break down. There's a lot in here about technical safeguards that's meaningful. I want to ask both of you though. You know, I used to work at a rocket launch company, Blue Origin, the company where, you know, Jeff Bezos sent himself into space. They're doing a lot of other important things too. And it was a big deal for us to get what was called as 91-Hz-9100 certification. So this was the aerospace system safety standard that is really important in America. And there it wasn't just the technical safeguards. There was also procedural and management safeguards. Like do you have a chief safety officer if the CEO says dang it, launch and the chief safety officer says it's not safe to launch? Like who wins that argument in the org chart kind of a thing? So there was a bunch of stuff about that in that management safety standard. Is there anything either of you want to sort of comment that we can say about the state of the art, the state of the field, not just in the technical safeguards, but in the procedural process. Managerial art of AI safety and security.

Stephen Casper

We can start talking a little bit about something I alluded to earlier and how different types of incidents or categories of incidents and preventing them might be more bottlenecked by open technical challenges versus what I said earlier, like risk governance challenges or closing the gap between the state of the art and the state of practice. And I can comment on this, actually different comments for different types of models. So I want to say one thing for closed models, proprietary ones whose parameters are held private by the company who owns them. And I want to say another thing about open models whose parameters can be downloaded by anyone on the Internet. So what I'll say about closed models first is that right now, for the reasons that were described earlier, there's a very rich technical toolkit for making them safe. It is increasingly becoming the case that open models aren't that hard to safeguard against egregious failures if you are using state of the art techniques and if you are willing to sometimes do the thing that might be less efficient but more effective, like we talked about earlier. And that's because model deployers of a closed model control all the points of access to it. It's their system and they can put multiple layers of defenses in and around that system that can't be trivially circumvented or removed unless someone literally hacks their system or something. If you throw the kitchen sink of safeguards at a closed way system like this, empirically it is not impossible, but it is very, very hard to get them to do very, very bad things without at least someone noticing them. When it comes to open models, it really does. We might be getting to a point, and for some domains of risk we have probably already surpassed this point, where our main bottlenecks are not about open technical problems involving safeguards, which is, I think, a point to drive home pretty strongly. And our bottlenecks might instead be ones that involve risk management and risk governance. So for example, if I mentioned earlier the ChatGPT sycophancy kind of scenario that played out last year in this spring and summer of 2025, and with the benefit of hindsight, we can look at many, many ways this kind of thing could have been prevented using like user monitoring, or using a better trained model, or using filters on the outputs of a model like this, but we just didn't. OpenAI's risk management team, for all the effort that they put into safety, didn't realize this Was, was a potential issue or didn't have really evaluations that were up to the challenge of spotting it beforehand. Also last year we've had a series of incidents involving like, Grok, right? Grok praising Hitler, Grok being very aggressively not politically neutral. More recently, Grok undressing thousands of people per hour a few weeks ago. And again, these types of failures aren't hard to mitigate if you're using best practices. Like it's, it's kind of hard for, well, lots of people that I know who work on the same type of research as me. You know, it's frustrating to look at failures like this sometimes because they're not that, like, academically interesting.

Gregory Allen

Right.

Stephen Casper

Like failures like this chat GPT sycophancy incident or, you know, GROK praising Nazis. These issues were caused and fixed by fine tuning models and prompting them differently, which is a science that we kind of got pretty good at in 2023. And, you know, most of the interesting academic questions we kind of closed the book on by the end of 2023.

Gregory Allen

This is really interesting because I remember in the AI debate, you, you often encounter this, oh my gosh, AI is a black box. Right. And the way in which that neural networks are a black box claim was used in the debate and how that's evolved between 2015 and 2025 is so interesting because a lot of times you say like, well, how can you make it safe if it's a black box, et cetera, et cetera. And I think one thing that for people who've been participating in this debate for a long time, it is interesting to hear from you. When you see these major incidents, to not have the mental model of AI is a black box. It's so tough to wrestle with these types of challenges. You see challenges, and not all of them, but many of them. You're like, I know how to fix that. If you gave me time, money and authority, that would never happen again. I think that's such an interesting change from what the debate looked like five years ago, 10 years ago.

Stephen Casper

I would even say a year ago.

Gregory Allen

Even a year. That's so interesting because AI safety, you would say, has come so far in just a year.

Stephen Casper

Yeah. Like I mentioned earlier, the recent UK Security Institute report and I kind of talked about how it went from them taking the minutes to like 10 or 12 hours.

Gregory Allen

Yeah, that's interesting. Thanks for saying that.

Steven Clare

Yeah. Just to come in on this, I think, you know, Cass's section or the risk management section more broadly was one of the sections, I think Working as lead writer across the report, I learned the most from. Because I feel like just as you were saying, this story of just making a lot of progress, incremental progress, was kind of hidden or was much less prominent than sort of some of the really dramatic stories about risks or harms from AI systems. And so I kind of came out of the section. Of course the models can still be jailbroken with enough effort. So there are still incidents. But there was a lot of reasons to be optimistic, I think, about the technical safety side.

Gregory Allen

The news tends to have kind of a negative bias. Right. Looking at the bad incidents. So one of my kind of takeaways here is that there may be a bit of a little under coverage of how much good news we've had in the AI safety community over the past year and people might need to like reset their mental model about what is possible under what circumstances.

Stephen Casper

Oh wait, you gotta let me say the bad thing though.

Gregory Allen

Oh yeah, please correct it immediately. Yeah.

Stephen Casper

Because I started by talking about like closed models.

Gregory Allen

Yeah.

Stephen Casper

But then I think the takeaway is a little bit different for open models with parameters that anyone can download. And as you might imagine, this is a lot harder because these are things that are kind of harder to track. So ecosystem monitoring is more difficult. Difficult. These are things, these, these open models, open systems, any external safeguard to them can be trivially disabled by anyone who downloads it. And meanwhile, like any sort of model based safeguards, those can also be like trained away or edited away. If someone is able to, you know, change the model enough or train the.

Gregory Allen

Model enough, fine tuning it to praise Hitler is as difficult as fine tuning it to not praise Hitler. I mean they're sort of equivalent challenges.

Stephen Casper

So if anyone, if you're listening to this podcast right now and you're at your laptop, I invite you to do something. Go open a tab, go to Hugging face. The world's the website which is the world's largest repository and sharing model, model sharing platform. For open models. Go to the models tab, go to the search bar and type in the word uncensored or the word abliterated. And what you will find with these two queries about this point in time is that I think There are roughly 8,000 models that you can, you can pull up with these two queries that have been specifically downloaded, fine tuned and re uploaded by a certain part of the machine learning community in order to lack any sort of model based safeguards. So these systems, at least by design, are things that are supposed to help you automate writing hate speech. If you asked it to or give you instructions for how to commit crimes.

Gregory Allen

Or create pornography or child sex abuse material.

Stephen Casper

By design, they tell you to do, do that kind of stuff too. There's a certain type of libertarian communities behind this.

Gregory Allen

I mean, this is because we talked about a lot of the progress is in raising the barriers to doing malicious things. Right. I can jailbreak this model with a prompt injection attack in 3 minutes versus maybe I can pull it off after 12 hours. But if the open source community exists as an end run around all those safeguards, then maybe the barriers aren't really being raised in a meaningful way.

Stephen Casper

Yeah, it's a tough challenge, right? Like kind of like you said with.

Gregory Allen

Open, with open models, Sorry, I do need to intervene here. That there are real benefits to the open source community that this report is, I think, honest about, while we're still honest about these challenges that it presents as well.

Stephen Casper

Yeah, let me say a little bit about both of these things. So with open models, because they can be arbitrarily modified, there's no more notion of like making the system airtight or making the system something that is guaranteed to, to be safe. That kind of goes out the window. And all we can try to do are these mitigation techniques that make it harder to adversarially fine tune this model to do something bad. And this is an area of genuine big open problems. Open model risk management is a wide open research domain right now. And so it's kind of a dual bottleneck to open model safety. There's open research problems and then there's also the same kind of gap between the state of the art and the state of practice with closed models of as I said earlier. Okay, but now let me pull the pin and talk about how open models are good, because open models are really, really valuable in some ways and so.

Gregory Allen

Far, including for the safety community.

Stephen Casper

About them, including for the safety community. So the two nicest things in my perspective that come from open models, and the report discusses this, is that they diffuse power and influence. They make it so that it's not just a few companies that control the AI space entirely and they also enable lots of really beneficial research, like safety research. People like me probably wouldn't have a job if it weren't for open models out there. And I personally think this is no longer a scientific opinion of mine. But personally I think that it's hard to overstate how important and good these things are. And I also personally kind of find it hard to imagine a very positive future for AI in which these things are not at play. But like we were talking about earlier, that comes with a lot of risks. You know, something that I say a lot about open models is that they're simultaneously wonderful and terrible. But we shouldn't worry too much about debating whether they're wonderful or terrible, because most importantly, they are inevitable and they cross borders inevitably, too. So it's not like one jurisdiction can even control the open models within its own borders. So there's a lot of progress to be made on the technical and institutional side when it comes to managing risk from open models.

Gregory Allen

I think it's very well put, Stephen.

Steven Clare

Yeah, just maybe following up on one thing Cass is building to there. One of the lessons of the report is that our technical safeguards have made a lot of progress and we can prevent many instances of misuse or malfunctions, but they have to be applied. Right. And you mentioned the organizational risk management organizations have to decide to implement these safeguards and invest in monitoring their systems. And right now we have a diverse, vibrant AI ecosystem. And I think it's fair to say that because of some of the incidents Cass was alluding to, they are inconsistently applied. And so we also talk in the report about organizational risk management, and we discuss how, I think at least 12 companies now have published frontier safety frameworks that describe sort of what practices they're going to implement as they build more and more capable models. And this is, I think, very admirable and provides a lot of transparency on what they're doing internally. But there's also a lot of variation across these frameworks, even in terms of the risks they cover or pay attention to, and in how sort of, as an organization, they're set up to manage risks as they develop more capable models. And this is potentially quite good because we, again, have a lot of uncertainty over what is most effective and how to sort of balance access to systems and safety. And we're going to learn a lot from seeing this diversity of approaches, but especially maybe if we start seeing some of these more severe risks, manifesting that diversity across the ecosystem could also introduce vulnerabilities if these safeguards are inconsistently applied.

Gregory Allen

Great. So this is the AI Policy podcast. And so I want to conclude with a discussion of policy. So in an interview with Transformer, Yoshua Bengio said, quote, the pace of advances is still much greater than the pace of. Of progress and how we can manage those risks and mitigate them. And that, I think, puts the ball. Hand. Puts the ball in the hands of the policymakers. So what do you want Policymakers to take away from this report. It doesn't explicitly make policy recommendations, but maybe in your personal capacity, what would you say should be policymakers top priorities in the coming years?

Steven Clare

I think one thing we've talked about a lot in this podcast is sort of like 2025 was a year where we really started to feel the impacts broadly of these general purpose AI systems. And yet it's still the case that the current systems are the worst they'll ever be in terms of capabilities.

Gregory Allen

They're not going to get dumber. No. Yeah.

Steven Clare

And of course there's a lot of uncertainty around exactly what the sort of trajectory of future capability increases look like. And we lay out some of those scenarios. But companies are investing many, many billions of dollars in a big bet on the capabilities are going to keep getting better and the systems are going to get more useful and have a bigger impact on our economy and our daily lives and our governance systems and sort of broadly across society. And so I think like, you know, regardless of where you stand on various policy questions, I think a priority for policymakers is like trying to understand better this situation, potentially quite wild situation that we're in. And so in terms of that could involve building more capacity to engage with AI companies and not feel sort of overwhelmed by the technical complexity of the systems. It could also involve sort of trying to address the evidence dilemma by generating more evidence. So here we could sort of be investing in better evaluations that tell us more about how systems will behave in deployment, or thinking about transparency requirements that reduce to sort of information asymmetries between people in labs who have a lot more access to leading models and a lot more information about development processes and the rest of us. But I think the last section of the report is this section on resilience, which is also new this year. And here we're sort of thinking about, well, AI systems are, here they're affecting people's lives. What do we need to do as a society to better prepare for those impacts, to sort of monitor and respond to incidents, to harden various systems against potentially expanding cyber attacks, preparing workforces for AI disruption? Potentially. Although there's a lot of uncertainty, I think there could be a lot of gains to be sort of made from thinking about, okay, what are the systems that we want to have in place in a society where AI is diffused very widely. And in some cases this will also be beneficial for widespread adoption and building trust in AI systems and actually getting people to use them more and realizing the economic and scientific benefits from them.

Gregory Allen

Great, Cass. Anything you want to add?

Stephen Casper

I will a little bit. Steven and I, when we were wargaming for the podcast, we kind of split up our answers and I have a few things to add that are kind of from my perspective as someone who works on the technical safeguards. So I wanted to say four things about what I think are the most important things for policy because people to understand about the current state of technical safeguards and monitoring for models. The first thing is that no techniques that we have are currently perfect. There's holes in everything. But by layering more defenses together we are able to make failure modes, or at least the egregious ones, go down pretty drastically. The second thing is what I was saying earlier about closed models. Now there's a pretty rich toolkit for safeguarding closed models and. And I think we're starting to get to a point where many of our failure modes are more due to failures of risk governance than failures of the state of the art technical safeguards. The third thing is what I was saying for open models, that with open models there are simultaneously big open questions involving safeguards for people like me to be addressing soon and big gaps between the state of the art and the state of practice. But the fourth thing, the last thing that I wanted to say, and I think that personally I think this is the most important thing that I came here to say or from my point of view, and that is that for every type of failure mode that an AI system could exhibit, every bad thing that a system can do, there will always exist a point at which continuing to improve the state of the art on technical safeguards is going to have diminishing returns and really stop helping very much because the risks that this model poses are the bad things that it doesn't in practice, this become dominated by human failures or institutional failures. An example to think about here is the Grok undressing scandal that flared up and peaked a little bit less than a month ago, I think.

Gregory Allen

Yeah, we covered it on this podcast.

Stephen Casper

Yeah, I remember. It was a great episode. And there are so many ways to think about how this could have been outright prevented. And most of them, kind of like I was saying earlier, aren't interesting machine learning methods or aren't things that are remotely difficult to do. The reason this was an issue is because Elon, Musk and Xai did not make it a priority to prevent this kind of thing. Or maybe they kind of wanted it to happen. And when it comes to failure modes like this, there's nothing that more technical research is going to do to help us fix it.

Gregory Allen

Yeah. And hence, as Yoshua said, the ball is in the hands of the policymakers.

Stephen Casper

Yeah. Like machine, we can't save you. Machine learning. People can't do everything, can't make things safe on their own. And we're really getting to a point in time in which policy action is like, it's kind of the time the rubber's hitting the road, it seems.

Gregory Allen

That's great. Well, gentlemen, I learned an extraordinary amount from this document, which I know had many, many hands, but you two of the most important pairs of hands and certainly resulted in a document that I can genuinely endorse. As somebody who reads a lot of stuff and often encounters stuff where I don't actually increase my knowledge set based on the new thing I read. I learned a lot of new stuff in reading this document and I also learned a lot of stuff in this conversation. So thank you both for coming on the AI Policy Podcast.

Steven Clare

Thank you for having us, Greg.

Stephen Casper

Thanks, Greg.

Gregory Allen

All right, that concludes this episode of the AI Policy Podcast. Thank you so much for listening. I will be off to India next week for the India AI Impact Summit and we will be potting live from New Delhi. Thanks for listening to this episode of the AI Policy Podcast. If you like what you heard, there's an easy way for you to help us. Please give us a five star review on your favorite podcast platform and subscribe and tell your friends. It really helps when you spread the word. This podcast was produced by Sarah Baker, Sadie McCullough and Matt Mann. See you next time.