[LLM use: Workshopped over weeks by multiple team members with LLM use across research, drafting, and editing. Unclear whether the final text exceeds the Forum's 10% threshold.]
This is the companion post to our Frontier Biodefense Fellowship announcement. The short post covers the practical details. This one explains why we think a biodefense fellowship focused on defense-in-depth is particularly impactful now.
What follows is a synthesis of recent thinking by people who have been building this agenda for years, particularly Coefficient Giving's biosecurity team and researchers & practitioners in the network around them.
We are explaining our reasoning in four parts. Global catastrophic biological risk (GCBR) is mostly engineered, and possibly growing because of AI. Prevention at the source is not enough. The defense-in-depth agenda is tractable, and severely neglected as a response. And we are in, or quickly heading into, a transitional period where work in this field is unusually high-leverage.
GCBR is primarily not about natural pandemics because naturally arising diseases optimise for evolutionary fitness, not for killing everyone. That humanity has already existed for hundreds of thousands of years bounds how high a natural extinction risk we should expect. Andrew Snyder-Beattie puts more than 99% of biological x-risk on engineered rather than natural threats. State weapons programmes have explored parts of this design space already, with tools much less capable than what exists today.
The likely reason why historically biological attacks have been rare is that the people who wanted to cause them mostly lacked the technical capability. AI is changing this fast. Snyder-Beattie estimates in the same resource as above that now most of the risk from engineered pandemics comes from non-state actors because AI closes their capability gap faster than anyone else's.
Concrete examples for bio uplift are accumulating. Evo 2, a DNA foundation model, can design functional novel genomes at the scale of small bacteria.
AIxBio advances are likely to favour offense over defense. Designing a novel pathogen is computationally cheap and gets cheaper as models improve. Building defensive infrastructure is not: an AI-assisted actor might design a novel pathogen in weeks, deploying respirators to a country's critical workers takes months, air filtration infrastructure takes years.
Model evaluations & safeguard, or DNA synthesis screening are important and should certainly be strengthened. But prevention has to succeed every time, while an attacker may only need to succeed once. Given the current state of jailbreaking, fine-tuning model safeguards, and open-weights proliferation, achieving a prevention failure rate low enough to be safe on its own looks hard. Defense-in-depth needs to be in place before prevention fails, because most of its measures cannot be figured out & built quickly afterwards.
Tractability comes largely from a physical asymmetry. The space of possible engineered pathogens is incredibly large. The space of physical pathways by which a pathogen can enter a human body, (ingestion, inhalation, and skin contact), is small. Defending these pathways is likely possible without predicting the pathogens.
Most catastrophic risk runs through respiratory transmission, because that pathway is hardest to block. The four pillars of defense-in-depth (PPE, biohardened environments, pathogen-agnostic detection, and rapid medical countermeasures) concentrate on this pathway.
Adding to the tractability is that existing equipment (like respirators, PAPRs, far UV, good air filtration, etc). may already be sufficient to protect individuals or households even from severe threats. But it’s still a hard problem to scale that protection during a crisis, making sure that engineering, logistics, and policymaking works. Chris Bakerlee has sketched ten concrete projects to help with this. Because many of these projects not only need researchers, we are excited about strong operators joining the fellowship.
And the field lacks people. Bakerlee estimates that around 160 people work full-time on biological xrisk. Potentially fewer than 30 work specifically on defense-in-depth. With numbers that small, a single cohort of at least 20 fellows working on the most tractable problems could greatly expand the capacity of the field.
A sufficiently advanced and aligned AI might eventually fully automate biodefenses. A misaligned superintelligence could make biodefense irrelevant against far larger problems. We are in neither of those worlds yet, but we are heading into a period when defense-in-depth may matter a lot.
For example, Carl Shulman has argued that AGI-driven industrial abundance would eventually let humanity build the equivalent of We expect the window to be somewhere between the next 3 and 15 years. Getting defenses in place before the window closes we therefore see as unusually concentrated in the next years.
These assumption about the transitional period are heavily intertwined with AI safety. We don’t see working on biodefense as a separate bet from AI safety, but more as a hedge for scenarios where AI is a major vector in our threat models. As Clatterbuck and Maas argue, short AI timelines do not write off non-AI work that contributes to the AI transition going well.
You can find the full mentor roster on the fellowship page. We are not aware of any other program where someone interested in working on biodefense can join this concentration of leading researchers and practitioners from leading organisations at this point in their career. We’re incredibly grateful that the people actively building the biodefense agenda are willing to give new talent their time.
There are various things we are uncertain about, we're listing some important ones here.
Applications are open at fellowship.bio. The deadline is June 7 (Anywhere on Earth). The