A new study suggests that the same artificial intelligence (AI) tools being used to accelerate the discovery of new drugs and proteins, making it easier to design and manipulate DNA, could also potentially be used to develop dangerous new pathogens and toxins that bypass current security checks.

The new study had a team of Microsoft scientists perform a hacker-style test to demonstrate that AI-generated sequences could potentially evade security software used by DNA manufacturers.

Summary of AIPD red- teaming workflow. Source: Science (2025). DOI: 10.1126/science.adu8578

"We believe that the ongoing advancement of AI-assisted protein design holds great promise for tackling critical challenges in health and the life sciences, with the potential to deliver overwhelmingly positive impacts on people and society," explained the researchers. "As with other emerging technologies, however, it is also crucial to proactively identify and mitigate risks arising from novel capabilities."

The team explained that when biotech firms develop DNA for researchers, they employ Biosecurity Screening Software (BSS) to discover similarities between the new sequence and a database of known threats. Yet, the team cautions, this is both a strength and a weakness as it can only screen against what appears in the database.

As such, the study sought to test this biosecurity gap with the Microsoft scientists using publicly available AI programs to develop more than 76,000 synthetic variants of known dangerous proteins, including ricin. Rather than actually producing such proteins, the team developed the genetic instructions for their synthesis. They then ran the sequences through four different screening software tools and found that a large percentage of their AI-designed sequences could bypass security checks.

Once the Microsoft team discovered the flaws, they worked with BSS providers to create patches that updated threat databases and fine-tuned the screening software. Once the patches were deployed, the screening tools reportedly caught 97% of the most dangerous sequences in a second trial.

However, the team suggests that although the patches increased the detection rate, 3% of potentially dangerous sequences were still missed. Further, the team noted that because the sequences were computer predictions, it is unclear how the resulting proteins would perform in the real world.

The study detailing the team's findings, “Strengthening nucleic acid biosecurity screening against generative protein design tools,” appears in the journal Science.